Analysis of digital evidence must never be conducted on the original evidence where it can be avoided, since the data may be altered in the process. For this reason, write blockers are used to prevent contamination of the original evidence during capture, analysis, and control (CRU, n.d.). Write blockers are software or hardware that provide read-only access to the data on a storage drive while preserving the integrity of that data (Cybrary, 2016). As the name says, a write blocker prevents writes to a storage device. Using this tool, analysts can access the data on a storage device without altering it.
Upon receiving the evidence from the detective, a computer forensic examiner would first review the chain of custody log and ensure that all of its information is correct. Then, all appropriate information is filled in on the log to update the chain of custody and preserve its validity in court. Next, a hash of the original evidence is taken for later comparison. Following the hash, the acquisition process begins, in which data is acquired from the digital evidence without altering the data on the original evidence (InfoSec, n.d.). This can be done either through physical acquisition, where an image is captured of the physical storage device, or through logical acquisition, where a sparse or logical image is captured from the storage device (InfoSec, n.d.). A write blocker is used throughout this process to prevent alteration of the original evidence.
Following the acquisition process, the analysis phase starts. During this phase, the examiner conducts the analysis on a copy or image of the original evidence; analysis should not be conducted on the original evidence itself (InfoSec, n.d.). Various actions can be taken during this phase to find evidence and help reconstruct the actions or events relating to a case (InfoSec, n.d.). After the analysis phase, a report must be written on the results and the process. The report includes a detailed step-by-step list of the process and information about the acquisition phase, such as who conducted it, when it was conducted, and what software and hardware tools were used (InfoSec, n.d.). In addition, the report includes a comparison of the hash of the original evidence with the hash of the image/copy on which the analysis was conducted, confirming that the hashes match (InfoSec, n.d.). This comparison shows that no alterations were made to the copied/imaged data. Finally, the original evidence and the imaged/copied evidence are securely stored, with access control policies in place, in a climate-controlled area free from magnetic fields (Forensic Magazine, 2010).
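As an added illustration of the hash-and-compare step described above (not code from the cited sources), the following Python hashes a device or image in chunks with more than one algorithm in a single pass and reports whether the image matches the original; the "drive" contents are constructed sample bytes, and in practice the original would be read through a write blocker.

```python
import hashlib

CHUNK = 1 << 20  # read 1 MiB at a time so a large device never sits in memory


def hash_stream(chunks, algorithms=("md5", "sha256")):
    """Hash an iterable of byte chunks with several algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_chunks(path):
    """Yield a file or block device (e.g. /dev/sdb behind a write blocker) in chunks."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return
            yield block


def hash_path(path):
    return hash_stream(read_chunks(path))


def verify_image(original_hashes, image_hashes):
    """Compare per-algorithm digests; return (all_match, report_lines) for the report."""
    lines, ok = [], True
    for name, orig_digest in original_hashes.items():
        img_digest = image_hashes.get(name)
        match = orig_digest == img_digest
        ok = ok and match
        lines.append(f"{name}: original={orig_digest} image={img_digest} "
                     f"{'MATCH' if match else 'MISMATCH'}")
    return ok, lines


# Constructed sample "drive" contents (not real evidence): a good image is a
# byte-for-byte copy; the tampered one has a single byte changed.
ORIGINAL = b"\x00" * 4096 + b"sample partition table" + b"\xff" * 8192
IMAGE_GOOD = bytes(ORIGINAL)
IMAGE_TAMPERED = ORIGINAL[:4100] + b"X" + ORIGINAL[4101:]


def demo():
    """Return (good_image_verified, tampered_image_verified)."""
    original = hash_stream([ORIGINAL])
    good_ok, _ = verify_image(original, hash_stream([IMAGE_GOOD]))
    bad_ok, bad_report = verify_image(original, hash_stream([IMAGE_TAMPERED]))
    print("\n".join(bad_report))
    return good_ok, bad_ok
```

Because hashing is chunked, the digest of a device read in pieces equals the digest of the same bytes read at once, which is what lets a multi-terabyte drive be verified against its image.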