Your process is faulty

A much more serious defense is when a person claims that the investigator's process was faulty. They may claim, for example, that the evidence was contaminated; that their case was unfairly handled; that their rights were not upheld; or that crucial data was skipped, among other things.

The most efficient way to guard against such claims is to take precautions so that you do not come up against them in the first place. Arguably, the most important of these is establishing and maintaining a proper chain of custody.

A chain of custody is essentially the paperwork that shows where the evidence you have collected has been, how long it has been there, and who was responsible for it. So if you are working in a team of investigators, your chain of custody documentation should detail who attended the scene, who viewed the devices at the scene and decided whether to remove them or not, how they were handled when they were removed (for example, were they shut down and unplugged, or were they already switched off when they were found), how they got to the processing area, who was responsible for them during that time, and who was ultimately responsible for analyzing the data.

Other important details to note include any actions that were taken on the device, for example:

  • At which point did you take a forensic image of the device?
  • Did you back up the original device? At what point did you do so, and where was this backup stored?
  • How was the transportation of the device handled? For example, was it put in a Faraday bag?
  • Which tools did you use to examine the device, and how did you determine that they were working correctly?

If you can answer all of the questions above, and you have accurately filled in your chain of custody document, the defendant will be hard-pressed to argue a fault in your process.
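One way to check a custody record for the weaknesses described above before it is relied on, as an added example that is not from the book. The field names, people, times and image bytes are constructed assumptions, not a standard format.

```python
import hashlib
from datetime import datetime

REQUIRED = ("time", "released_by", "received_by", "action")

# Constructed sample log: one entry per hand-over of a single evidence item.
SAMPLE_LOG = [
    {"time": "2024-03-01T09:15", "released_by": "scene", "received_by": "A. Reyes",
     "action": "found switched off; placed in Faraday bag"},
    {"time": "2024-03-01T11:40", "released_by": "A. Reyes", "received_by": "B. Chen",
     "action": "transported to processing area"},
    {"time": "2024-03-01T13:05", "released_by": "B. Chen", "received_by": "C. Patel",
     "action": "forensic image taken; original stored in evidence locker"},
]

def custody_problems(log):
    """Return a list of human-readable problems found in a custody log."""
    problems = []
    for i, entry in enumerate(log):
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
    if problems:
        return problems  # continuity checks need complete entries
    for i, (prev, cur) in enumerate(zip(log, log[1:]), start=1):
        # The person releasing the item must be the one who last received it.
        if cur["released_by"] != prev["received_by"]:
            problems.append(
                f"entry {i}: released by {cur['released_by']}, "
                f"but last held by {prev['received_by']}")
        # Hand-overs must be recorded in time order.
        if datetime.fromisoformat(cur["time"]) < datetime.fromisoformat(prev["time"]):
            problems.append(f"entry {i}: time {cur['time']} precedes {prev['time']}")
    return problems

def image_matches(image_bytes, recorded_sha256):
    """True if the image still hashes to the value recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_sha256.lower()

if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"
    recorded = hashlib.sha256(image).hexdigest()  # noted when the image was taken
    print(custody_problems(SAMPLE_LOG) or "custody log is continuous")
    print("image unchanged:", image_matches(image, recorded))
```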
