Data integrity and preservation

Data integrity and data preservation are fundamental to the value of electronic evidence. The data must be preserved well, so as to protect it from damage. Maintaining data integrity means that the data should mean the same from the point of collection through to the point of use.

To help with both, data should be collected through standardized and recorded processes and procedures to ensure that all the evidence is equally representative of the true status of the systems at the point of collection.

Trust in the integrity of the evidence can be increased by comparison to the original. If direct, bit-by-bit comparison is possible, this is the highest possible standard. If this is not possible or practical, proxies such as hashes, logs, and chains of custody can be used instead.

As we discussed in Chapter 10, Data Normalization and Exploitation, sometimes it is more efficient to use centralized logs, and even more so if the data is normalized to reduce redundancy. To aid the maintenance of data meaning, the original, transformed, normalized, and analyzed logs should all be kept. Alternatively, a copy of the original data can be kept alongside a record of all the actions taken. If the results can be reproduced (for example, by the defense team or independent verifiers), this will increase the trust in the evidence.
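The following added example (not code from the book) sketches the "original copy plus record of actions" approach: the original is hashed at collection, each action is logged with its input and output hashes, and a verifier re-runs the actions to confirm the result is reproducible. The `normalize` step, the record fields, and the sample log lines are assumptions made for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def normalize(raw: bytes) -> bytes:
    # Hypothetical normalization: trim, lowercase, drop duplicates, sort.
    lines = {l.strip().lower() for l in raw.decode().splitlines() if l.strip()}
    return "\n".join(sorted(lines)).encode()

ACTIONS = {"normalize": normalize}  # named, repeatable processing steps

def entry_digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record_action(log: list, action: str, data: bytes) -> bytes:
    """Apply a named action, append a hash-chained record, return the output."""
    out = ACTIONS[action](data)
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"action": action, "input_sha256": sha256_hex(data),
             "output_sha256": sha256_hex(out), "prev": prev}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return out

def verify(original: bytes, collected_sha256: str, log: list) -> bool:
    """Re-run every recorded action on the preserved original and compare hashes."""
    if sha256_hex(original) != collected_sha256:
        return False  # preserved copy no longer matches what was collected
    data, prev = original, "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry_digest(entry) != entry["entry_hash"]:
            return False  # a record was edited, removed or reordered
        if sha256_hex(data) != entry["input_sha256"]:
            return False  # action was applied to different data
        data = ACTIONS[entry["action"]](data)
        if sha256_hex(data) != entry["output_sha256"]:
            return False  # result could not be reproduced
        prev = entry["entry_hash"]
    return True

# Constructed sample log lines, not real evidence.
SAMPLE = b"2024-01-01 LOGIN alice\n2024-01-01 LOGIN alice\n 2024-01-01 Logout ALICE \n"
```

The collection hash and the final `entry_hash` should be stored separately from the working copy (for example, in the chain-of-custody record), since anyone able to rewrite both the log and its hashes could otherwise recompute the chain.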
