As soon as an incident or crime is discovered, the search for evidence can commence, but blindly searching and gathering "stuff" can leave you with a big pile of "stuff" which, although it looks useful, cannot be considered evidence at all. The reason for this is simple - anything which might be evidence only has value if it can be considered in context. Where was it found? When was it found? Who found it? What did they do with it? What else was near it?
Without answers to these questions, we cannot assess how significant any item of potential evidence might be, nor even if it genuinely is evidence which was present at the time of the incident or something which has been inserted into the scene (aka "planted") at some time after the events which we are trying to investigate.
In order to avoid this problem, experienced and competent investigators know that the first thing they should do is start to take notes, producing a contemporaneous record of actions and findings (i.e. a record produced at the time of the actions being recorded, or as quickly as possible after those actions are completed). By taking contemporaneous notes, they reduce the risk that some important action will be missed, and by making those notes detailed, they reduce the risk that some apparently minor action, which may turn out to be very important, will go unrecorded.
These notes will include sketches and detailed descriptions of what they can see, step by step records of their movements and actions and detailed descriptions of anything they remove from the scene. Ideally, their notes will be complemented by photographs to back up their descriptions - and those photos will also be recorded in the notes.
It should be possible for another person to take the contemporaneous notes and repeat, exactly, the actions described in them or, by reversing the processes described, to put every item removed from the scene back exactly where it was found.
Generally, non-specialists should not move anything at a scene, but it may be necessary. If it is essential to remove something, then everything done should be recorded in the notes and every item removed should be given a unique identifier. The exact format of this is down to personal preference, but it is common to use your own initials followed by a number, so the first item you gather is XXX/1, the second is XXX/2 and so on. Each item should be put into "tamper-evident" packaging - i.e. some sort of container which has been manufactured or marked in a way which makes it obvious that the packaging has been opened. It should be labelled with the time & date, the identity of the person responsible for collecting and packaging it, and the identifier for the item should be clearly marked on the label as well, so that it can be traced back to the contemporaneous notes.
Once an item has been packaged in this way, a custody or continuity log needs to be maintained so that everything that happens to the item can be reported and examined. Often, this is done via additional sections on the label on the packaging, but handling of any item should also be recorded in the notes of the person who had control of the item and the person who has taken control (so, 2 sets of notes should record that the item has been transferred from one person to another).
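The continuity check described above can be automated once the label entries and each person's notes have been transcribed. The following is an added example, not part of the original article: the Transfer record, the check_continuity function, the use of initials to identify each person, the identifier pattern and the sample data are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed identifier format: collector's initials, "/", running number (e.g. ABC/1).
ITEM_ID = re.compile(r"^([A-Z]{2,4})/[1-9]\d*$")

@dataclass(frozen=True)
class Transfer:
    item: str
    released_by: str
    received_by: str
    when: datetime

def check_continuity(item, collector, collected_at, label_log, notes):
    """Return a list of continuity problems for one item; empty means unbroken.

    label_log: transfers written on the packaging label.
    notes: dict of person -> set of Transfer entries found in that person's notes.
    """
    problems = []
    m = ITEM_ID.match(item)
    if not m:
        problems.append(f"{item}: identifier is not initials/number")
    elif m.group(1) != collector:
        problems.append(f"{item}: initials do not match collector {collector}")
    holder, last = collector, collected_at
    for t in sorted((t for t in label_log if t.item == item), key=lambda t: t.when):
        if t.when < last:
            problems.append(f"{item}: transfer at {t.when} predates collection")
        if t.released_by != holder:
            problems.append(f"{item}: released by {t.released_by} but held by {holder}")
        # Both parties to a handover should have recorded it in their own notes.
        for person in (t.released_by, t.received_by):
            if t not in notes.get(person, set()):
                problems.append(f"{item}: transfer at {t.when} missing from {person}'s notes")
        holder, last = t.received_by, t.when
    return problems

# Constructed sample data: item ABC/1 collected by ABC, passed to DEF, then to GHI.
COLLECTED = datetime(2024, 1, 10, 9, 0)
T1 = Transfer("ABC/1", "ABC", "DEF", datetime(2024, 1, 10, 9, 30))
T2 = Transfer("ABC/1", "DEF", "GHI", datetime(2024, 1, 11, 14, 0))
NOTES = {"ABC": {T1}, "DEF": {T1, T2}, "GHI": {T2}}

if __name__ == "__main__":
    print(check_continuity("ABC/1", "ABC", COLLECTED, [T1, T2], NOTES))  # complete log
    print(check_continuity("ABC/1", "ABC", COLLECTED, [T2], NOTES))      # T1 missing from label
```

A handover that appears on the label but in only one person's notes, or a release by someone who was never recorded as receiving the item, is reported as a break in continuity.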
Digital evidence seems different to other types of evidence as it can be much harder to see - but the principles of note-taking and recording apply equally well. In some cases, physical devices will be seized - and later treated as digital crime scenes - while in others, data will be extracted from devices which are being left behind. In any case, it is still important that the processes used to find evidence, the original location(s) of that evidence, and the people who controlled the processes and the evidence can be identified.
For more information and advice on this subject, please contact n-gate ltd. now.