How to secure the chain of custody in a digital forensics investigation

Service provider takeaway: Digital forensics expertise is in high demand. Most customers are unable to keep a digital forensics expert in-house because of salary requirements, which means they are turning to service providers to gather evidence and secure a chain of custody. These best practices in securing a chain of custody can help service providers improve their methodology for evidence gathering.

Impartiality of an investigation is becoming a new standard in digital forensics, one that service providers are well-suited to deliver. Outsourcing almost guarantees that an investigation is impartial. It also saves organizations money, since they don't have to keep a digital forensic investigator on the payroll. Service providers who offer digital forensic services can put customers' minds at ease by remaining impartial and by taking the necessary steps to ensure that collected evidence is not tampered with and can be relied upon when it is needed.

One element often overlooked in the rush to obtain evidence during a forensic investigation is control. To prove impartiality you must be able to answer the five W's and an H: who, what, why, when, where and how. Who controlled the evidence? What was used to collect it? Why was it done in that manner? When was each piece of evidence found? Where was the evidence found? How was it documented? Ultimately, if the chain of custody (also referred to as the chain of evidence) is not maintained, all of the evidence can be challenged and thrown out of court. This is particularly devastating when valuable time and resources have already been spent collecting the evidence, not to mention that a failed investigation erodes customer confidence. How, then, should you ensure that forensic evidence is properly controlled so the chain of custody is maintained? There are forms and software programs to assist in documenting the chain of custody, but here are my top tips that you won't find in reference guides.

Label everything

Cables, plugs, peripherals, computers, monitors, disks, wireless access points -- anything and everything that is found at the site should be labeled. It's easy to forget what goes where when you get into a tangle of cables and equipment, especially in a server room. If you have to tear down the site and reassemble it in a lab, the labels make sure you get everything right.

Witness everything

I've found it invaluable, particularly when an examination is facing tough scrutiny, to have a witness for everything. If your labels, printed photos and recovered data are all physically signed by another person (preferably another professional examiner, though that is not critical), it gives an additional level of credibility to the examination. And, heaven forbid, if you are incapacitated and unable to provide testimony when needed, the witness can be called on to back up your investigation.

A unique ID for everything

Last but not least, control the evidence by maintaining an indisputable chain of custody. The best method is to give everything a unique ID (bar codes work well) together with an accurate and complete description. Include in your descriptions any permanent marks on equipment, such as deep scratches and dents. Address the five W's and an H for every item of evidence, seal it with tamper-proof seals, and sign and witness the seals. Then lock it up in an indisputably secure location and log every time the evidence is accessed. If you have to turn evidence over to legal authorities, they are not above these rules, so have them sign for everything they take.
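As an added illustration (not code from the original article), the custody record described in the three tips above can be kept as a hash-chained log: each item gets a unique ID and description, each access answers the five W's and an H with a named witness, and every entry is chained to the previous one so that a later edit, deletion or reordering of the record is detectable. The evidence ID, names, places and timestamps below are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _digest(payload: dict) -> str:
    """SHA-256 over canonical JSON, so any party recomputes the same value."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class CustodyLog:
    """Hash-chained custody record for one evidence item (constructed example format)."""
    evidence_id: str                # the unique ID printed on the label / bar code
    description: str                # description incl. permanent marks (scratches, dents)
    entries: list = field(default_factory=list)

    def _genesis(self) -> str:
        return _digest({"evidence_id": self.evidence_id, "description": self.description})

    def record(self, who, what, why, where, how, witness, when=None) -> str:
        """Append one custody event (five W's and an H, plus witness), chained to the last."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self._genesis()
        entry = {"seq": len(self.entries), "prev_hash": prev,
                 "when": when or datetime.now(timezone.utc).isoformat(),
                 "who": who, "what": what, "why": why, "where": where, "how": how,
                 "witness": witness}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        expected = self._genesis()
        for seq, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != seq or e["prev_hash"] != expected or _digest(body) != e["entry_hash"]:
                return False
            expected = e["entry_hash"]
        return True


def demo() -> tuple:
    """Constructed case: two custody events, then an unauthorised edit to the first one."""
    log = CustodyLog("EV-0042", "Laptop, serial EXAMPLE-123, deep scratch on lid")  # constructed
    log.record("J. Examiner", "seized and bagged laptop", "suspected data theft",
               "server room B, rack 3", "powered off, sealed in bag #7", "A. Witness",
               when="2007-12-01T09:15:00+00:00")
    log.record("J. Examiner", "disk imaged behind write blocker", "preserve original",
               "lab bench 2", "image hash recorded in case file", "A. Witness",
               when="2007-12-01T13:40:00+00:00")
    intact = log.verify()
    log.entries[0]["who"] = "someone else"      # tampering with the record after the fact
    return intact, log.verify()                 # -> (True, False)
```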

Digital forensics is an exciting new industry that is bound to see new methods and challenges as techniques and technology continue to change. To maintain a solid reputation in the field, build solid skills with existing software tools and ensure your methodology is beyond reproach.

About the author
Chey Cobb has 20 years of experience in the security industry and is the former senior technical security advisor for one of the top intelligence agencies in the country. Cobb was also in charge of security for the largest computing facility in the Southern Hemisphere. Additionally, she is a professor in the master of science program in information assurance at Norwich University.


This was first published in December 2007
