Preserving the Past through Digital Forensics

Written by Amber Schroader

November 11, 2025

Data can be created, altered, or destroyed in the blink of an eye. This fact gives rise to the single most important principle in digital forensics, a principle so fundamental it is the first thing you are taught when entering the field.

Preserve the Data

The moment an investigator approaches a compromised or potentially compromised system, their primary goal shifts from problem-solving to preservation. Every action taken has the potential to contaminate the digital crime scene: changing file access times, altering memory contents, or overwriting crucial evidence.

Your priority is not to solve the crime; it is to secure the evidence.

A poorly preserved scene can lead to evidence being ruled inadmissible in court, regardless of how damning it might be. This is why following a rigorous, documented process is non-negotiable.

3 Critical Steps Before Touching a Compromised Computer System

Before physically interacting with the device, plugging in a flash drive, or even clicking a mouse, a professional investigator must complete these three preliminary steps:

1. Document the Scene and its State

The digital investigation begins in the physical world. Just as a traditional detective photographs a room, a digital investigator must document the physical and operational context of the system.

  • Photograph the Setup: Document the computer, monitor, cables, and any peripherals connected. Note network connections.
  • Record the System State: Note whether the system is On or Off. If it’s on, photograph the screen (if possible, without touching the keyboard/mouse) to capture any running programs, error messages, or user interfaces. The state (on or off) dictates the later acquisition strategy.
  • Establish a Chain of Custody (CoC): Begin the official, written record of everyone who handles the evidence, when they handled it, and why. This document proves the evidence has not been tampered with from the moment of collection to presentation in court.

2. Isolate the System from the Network

The goal here is to prevent two things: further compromise and evidence destruction by remote means.

  • Unplug the Network Cable: The most immediate and critical action is physically disconnecting the Ethernet cable.
  • Disable Wi-Fi: If it is a laptop, ensure the Wi-Fi is disabled (often via a physical switch or by removing the Wi-Fi card if necessary and safe).
  • Why Isolate? Malware may phone home for new instructions, attackers may remotely wipe drives, or automated security scans/updates could run, fundamentally altering the system’s state and potentially destroying volatile data.

3. Plan the Acquisition Strategy

With the scene documented and the system isolated, the investigator must now determine the safest way to copy the evidence, focusing first on the most volatile data—information that is easily lost.

  • Volatile Data First: Data in memory (RAM), network connections, running processes, and the system clock must be captured before the system is powered down. This often requires specialized tools and a process called “live acquisition.”
  • Non-Volatile Data Second: After volatile data is secured, the investigator moves to acquiring the hard drive’s contents (non-volatile). The standard is to create a forensically sound, bit-by-bit copy (an image) of the entire drive, often using a hardware write-blocker to guarantee that the original drive is never altered.
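An added example, not from the original article, of the integrity checks behind a forensically sound image and the chain-of-custody record that accompanies it: a bit-by-bit copy of a constructed in-memory "drive", hashed once as it is read and again on an independent re-read of the finished image, with the handler, timestamp and hash logged. The handler name, evidence id and sample bytes are constructed; on a real system the source would be a block device read through a hardware write-blocker.

```python
import hashlib
import io
from datetime import datetime, timezone

def image_and_verify(source, dest, chunk_size=4096):
    """Bit-by-bit copy of `source` into `dest` (binary file objects). With a
    real device, `source` is the block device opened read-only behind a hardware
    write-blocker. Bytes read and bytes re-read from the finished image are
    hashed separately; differing digests mean the image is not sound."""
    src_hash = hashlib.sha256()
    bytes_copied = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        src_hash.update(chunk)
        dest.write(chunk)
        bytes_copied += len(chunk)
    dest.flush()
    dest.seek(0)  # independent pass over what was actually written
    img_hash = hashlib.sha256()
    for block in iter(lambda: dest.read(chunk_size), b""):
        img_hash.update(block)
    return {
        "bytes": bytes_copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }

def coc_entry(log, handler, action, evidence_id, sha256):
    """Append one chain-of-custody record: who, when, what, and the hash that
    ties the record to the exact bytes. `log` is a list here; in practice it
    would be an append-only, signed file."""
    entry = {
        "evidence_id": evidence_id,
        "handler": handler,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256,
    }
    log.append(entry)
    return entry

SAMPLE_DRIVE = bytes(range(256)) * 40  # constructed stand-in for a drive, 10240 bytes

def demo():
    """Image the constructed drive, verify it, and log the acquisition."""
    image = io.BytesIO()
    result = image_and_verify(io.BytesIO(SAMPLE_DRIVE), image)
    log = []
    coc_entry(log, "A. Examiner", "acquired image", "EV-001", result["image_sha256"])
    return result, log
```

The acquisition hash recorded in the first custody entry is what every later handler re-computes against the image to show it has not changed.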

Digital forensics is a science and an art of non-invasiveness. By strictly adhering to the fundamental rule of preservation, you ensure the integrity of the evidence, building a rock-solid foundation for the rest of the case.

Don’t Touch. Document. Isolate. Plan. Your case depends on it.
