Disclaimer: This is my opinion, which is not a legal opinion. I call it Brett's Opinion. But along with that, I have identified, seized, analyzed, requested analysis, checked-in/out, transferred/assumed custody, and had entered into court cases thousands of items of evidence from electronic data to brain matter.
This short post is to give my opinion on the use “forensically sound”. The reason I want to mention this is because I witnessed a DF expert state in public that capturing live (volatile) memory is not forensically sound because you can’t reproduce it or enter it as evidence. I think we must be careful about some things we say.
In the most basic sense, any “thing” that is accepted by a court as evidence is forensically sound, since the court accepted the process used and admitted the "thing" as evidence.
We get caught up when performing computer science work in digital forensics and tend to forget that every situation is a bit different from the next situation, in either minor or major ways. The general processes we use are similar for each situation, but of course we vary a little depending on what we come across. The situation we approach dictates how we proceed.
There was a time when pulling the plug on a computer to image the hard drive with a hardware write blocker was the only forensically sound method accepted. Doing it any other way meant you ruined the evidence. This belief persisted for years even after realizing volatile memory is also valuable evidence (sometimes even more valuable than data on the drive). Sure, sometimes you need to pull the plug and sometimes volatile memory has nothing to do with what a specific case may need. That goes to the point of every case being different. For the must-always-use-a-hardware-writeblocker crowd, I’m not sure what they do with the computers that the hard drive cannot be removed for a multitude of reasons. Situation dictates choices.
My point is that we all have best intentions and rely upon generally accepted processes; however, we need to also be aware of what evidence is and what evidence is not. If you can get a ‘thing’ admitted into court that can prove or disprove an allegation, then you have evidence. Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or not or that a court will accept it or not.
Another holdover from days past is that of being able to exactly reproduce an analysis in order to be forensically sound. On a hard drive that was shut down when you approached it, imaged through a hardware write blocker, and verified using a software that everyone else uses – easy peasy. On anything else, good luck. Live memory changes as you capture it. Shutting down/pulling the plug on a computer changes the data. Waiting to decide whether or not to shutdown or pull the plug or image live changes the data (it changes as you watch and think about what to do!) A crime lab that tests the content of a drug destroys a portion of the drug that it tests. An autopsy on a body damages and changes the body (as does the passage of time with decomposition). A burning building destroys evidence of the cause of the fire, as does the efforts to put out the fire.
When teaching court admissibility of digital evidence, be careful if you are unsure of what is forensically sound, especially when talking about evidence. You’d be amazed at the types of evidence that can be admitted in a trial along with the evidence that doesn’t. Best answer: do your best with the evidence seizing situation you encounter, admit it as evidence, and let the court decide if it was forensically sound. Personally, I believe anyone working in a job where you look at data should be versed in 'evidence'. Cops have it easy. They deal with it every day until it becomes second nature. For everyone else, a short class in 'what is evidence' can make or break a case later.
Then there is the sliding scale of veracity…but that’s another story.