What is the Chain of Custody in Digital Forensics?
We explore why the chain of custody is paramount to digital forensics.
The concept of the ‘chain of custody’ refers to the logical sequence of gathering evidence, whether it be physical or electronic in legal cases. Each link (or step) in the chain (or process) is essential as if broken (i.e. a step is missed out), the evidence presented for consideration in a civil or criminal legal case may be rendered inadmissible. In this way, preserving the chain of custody is about following the correct and consistent procedure, and hence ensuring the quality of evidence brought before the Courts.
The everyday use of digital evidence in legal cases now means that the chain of custody must be captured and maintained when gathering and handling electronic evidence. For any given forensic case, the chain should be documented to show the end to end sequence of work undertaken, including by whom, when (i.e. date/time), and the purpose. Furthermore, the chain of custody is not just a requirement of the Courts, but it also steers the process of evidence examination by ensuring data elements are not just scrutinised from a single dimension. It encourages each item of evidence to be considered from the perspective of where it came from (i.e. company, device, geography), who created it, when, and why. This means that by viewing the whole chain custody, evidence which may otherwise seem unhelpful to an investigation may, in fact, hold useful clues.
What is the process of chain of custody for digital evidence?
In order to preserve digital evidence, the chain of custody should span from the first point of data collection, through examination, analysis, reporting, and the time of presentation to the Courts. This is necessary to avoid the possibility of any suggestion that the evidence has been compromised in any way. While it may have been handled correctly during the forensic process, if the evidence is then handed to the Court in a way which then leaves it open to alteration, perhaps by altering the timestamps or metadata associated, it may then be damaged. Let’s take each stage of the forensic process in turn:
- Data collection: the chain of custody starts from the first item of data collected. The examiner must ‘tag’ each item acquired and document the source, how and when it was collected, where it is stored, and who has access.
- Examination: during the examination process, the chain of custody information must be documented outlining the forensic process undertaken. It is useful to capture screenshots throughout the process to show the tasks completed and the evidence uncovered.
- Analysis: it may also be appropriate to capture the chain of custody information during the analysis stage.
- Reporting: it is at the reporting stage that the chain of custody is documented into a statement which explains the tools used, the sources of data, methods of extraction used, the process of analysis, and issues encountered and how these were overcome. Ultimately, it is this statement which must make it clear that the chain of custody has been maintained throughout the forensic process and that the evidence provided is legally defensible.
To maintain the chain of custody, digital forensic experts are well-practiced in the use of contemporaneous notetaking, enabling them to document the processes undertaken and recreate the results they have achieved.
How can the chain of custody be assured?
In addition to taking contemporaneous notes, digital forensic examiners use a variety of best practices to preserve the chain of custody, including:
- Assessing the scene before data is taken – it can be damaging to a case if an examiner acts too quickly in identifying and capturing data and devices of interest without assessing the situation and ensuring the scene is secure. This involves making sure that removing an item will have no negative impact on ongoing IT service provision, documenting the wider context and existing infrastructure from which the data item is being taken (including number and type of computers, network type, details of key administrative personnel, types of software used and operating systems used) – this may provide useful information which is material to the investigation.
- Using copies of the data captured – the central tenet of preserving the original evidence cannot be overstated, as if damaged or compromised in any way, the case may be jeopardised. There are several ways by which copies of digital evidence can be made and then used for examination and analysis, including creating a ‘bit-for-bit’ (i.e. digitally identical) clone of individual data items or whole system contents.
- Ensuring storage medium is sterilised – if an item of data is placed on to an examiner’s storage device (i.e. hard drive), that medium must be entirely clean and free of any potential contamination at every level.
Final words
The digital chain of custody is front and centre of every action taken by digital forensic specialists. They understand that days or weeks of intensive forensic work can be thrown away if they miss a step in the process or fail to ensure the integrity of the evidence they have worked so hard to find, analyse, and document. Much in the same manner that safety is paramount to aircraft engineers and doctors, integrity is always in the minds of digital forensic examiners. By doing so, they ensure that cybercriminals do not get away with the damage and chaos they leave behind, and they face the full weight of the justice system.
Lineal provide bespoke solutions to complex client problems, giving them full confidence in the process and the delivered outcome. We operate at the cutting edge of digital forensics, cyber security and eDiscovery technology, using our expertise to exceed client expectations and operate within budget and tight timeframes. To find out more about our services, please call us on +44 (0)20 7940 4799 or email info@lineal.com.
Digital forensics has been a core offering since Lineal began. We are industry leaders in recovering digital evidence in a forensically defensible manner. Our teams are available 24/7 for domestic and international incident response. We continually invest in technical infrastructure and forensic software giving our clients the confidence their project is being managed with the latest equipment and technology.