Computer forensics: Chain of custody [updated 2019]
In this article, we will learn what the chain of custody entails in digital forensics and how it is maintained. We’ll also look at the chain of custody process and the importance of maintaining it. Due to the nature of digital evidence collection, we will need to discuss a couple of special considerations, as well.
What is the chain of custody in computer forensics?
The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. It also documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Why is it important to maintain the chain of custody?
It is important to maintain the chain of custody to preserve the integrity of the evidence and prevent it from contamination, which can alter the state of the evidence. If not preserved, the evidence presented in court might be challenged and ruled inadmissible.
Importance to the Examiner
Suppose that, as the examiner, you obtain metadata for a piece of evidence. However, you are unable to extract meaningful information from it. The fact that there is no meaningful information within the metadata does not mean that the evidence is insufficient. The chain of custody in this case helps show where the possible evidence might lie, where it came from, who created it, and the type of equipment that was used. That way, if you want to create an exemplar, you can get that equipment, create the exemplar, and compare it to the evidence to confirm the evidence properties.
Importance to the Court
It is possible to have the evidence presented in court dismissed if there is a missing link in the chain of custody. It is therefore important to ensure that a wholesome and meaningful chain of custody is presented along with the evidence at the court.
What Is the procedure to establish the chain of custody?
In order to ensure that the chain of custody is as authentic as possible, a series of steps must be followed. It is important to note that, the more information a forensic expert obtains concerning the evidence at hand, the more authentic is the created chain of custody. Due to this, it is important to obtain administrator information about the evidence: for instance, the administrative log, date and file info, and who accessed the files. You should ensure the following procedure is followed according to the chain of custody for electronic evidence:
- Save the original materials: You should always work on copies of the digital evidence as opposed to the original. This ensures that you are able to compare your work products to the original that you preserved unmodified.
- Take photos of physical evidence: Photos of physical (electronic) evidence establish the chain of custody and make it more authentic.
- Take screenshots of digital evidence content: In cases where the evidence is intangible, taking screenshots is an effective way of establishing the chain of custody.
- Document date, time, and any other information of receipt. Recording the timestamps of whoever has had the evidence allows investigators to build a reliable timeline of where the evidence was prior to being obtained. In the event that there is a hole in the timeline, further investigation may be necessary.
- Inject a bit-for-bit clone of digital evidence content into our forensic computers. This ensures that we obtain a complete duplicate of the digital evidence in question.
- Perform a hash test analysis to further authenticate the working clone. Performing a hash test ensures that the data we obtain from the previous bit-by-bit copy procedure is not corrupt and reflects the true nature of the original evidence. If this is not the case, then the forensic analysis may be flawed and may result in problems, thus rendering the copy non-authentic.
The procedure of the chain of custody might be different. depending on the jurisdiction in which the evidence resides; however, the steps are largely identical to the ones outlined above.
What considerations are involved with digital evidence?
A couple of considerations are involved when dealing with digital evidence. We shall take a look at the most common and discuss globally accepted best practices.
- Never work with the original evidence to develop procedures: The biggest consideration with digital evidence is that the forensic expert has to make a complete copy of the evidence for forensic analysis. This cannot be overlooked because, when errors are made to working copies or comparisons are required, it will be necessary to compare the original and copies.
- Use clean collecting media: It is important to ensure that the examiner’s storage device is forensically clean when acquiring the evidence. This prevents the original copies from damage. Think of a situation where the examiner’s data evidence collecting media is infected by malware. If the malware escapes into the machine being examined, all of the evidence can become compromised.
- Document any extra scope: During the course of an examination, information of evidentiary value may be found that is beyond the scope of the current legal authority. It is recommended that this information be documented and brought to the attention of the case agent because the information may be needed to obtain additional search authorities. A comprehensive report must contain the following sections:
- Identity of the reporting agency
- Case identifier or submission number
- Case investigator
- Identity of the submitter
- Date of receipt
- Date of report
- Descriptive list of items submitted for examination, including serial number, make, and model
- Identity and signature of the examiner
- Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files
- Consider safety of personnel at the scene. It is advisable to always ensure the scene is properly secured before and during the search. In some cases, the examiner may only have the opportunity to do the following while onsite:
- Identify the number and type of computers.
- Determine if a network is present.
- Interview the system administrator and users.
- Identify and document the types and volume of media, including removable media.
- Document the location from which the media was removed.
- Identify offsite storage areas and/or remote computing locations.
- Identify proprietary software.
- Determine the operating system in question.
The considerations above need to be taken into account when dealing with digital evidence due to the fragile nature of the task at hand.
In this article, we have examined the seriousness of digital evidence and what it entails. Throughout the article, three main points stand out in the preservation of evidence integrity:
- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
- Persons conducting an examination of digital evidence should be trained for that purpose.
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.
Chain of custody – Wikipedia