Chain of custody

Chain of custody describes the documentation of a piece of evidence through its life cycle. This life cycle runs from the moment an individual first takes custody of the evidence until the incident is finally closed and the evidence is either returned or destroyed. Maintaining a proper chain of custody is critical. If a piece of evidence has to be brought into a courtroom, any break in the chain of custody can lead to that evidence being ruled inadmissible. It is essential, therefore, that the entire life cycle of the evidence is recorded, with no gap between one custodian and the next.

There are two primary ways that a CSIRT can record and maintain the chain of custody of a piece of evidence. The first is electronic. A number of vendors provide organizations such as forensic laboratories and law enforcement agencies with hardware and software that automate the chain of custody process. These systems attach a unique barcoded sticker to each piece of evidence, and a scanner builds an electronic trail each time a barcode is read. The second method is paper and pen: paper forms that contain the information needed to start and maintain a chain of custody. The paper method is more cumbersome and requires more diligence to safeguard the form from destruction or manipulation, but it is a far more cost-effective solution for smaller CSIRTs that lack the resources to implement an automated system. Whichever method is used, the record must be protected from after-the-fact alteration, since an edited or incomplete record is exactly what opposing counsel will look for.

A proper chain of custody form has several sections, each with its own details that must be provided. The following screenshot is a template chain of custody form provided by e-Fense, which contains the necessary pieces of information:

The first section is a detailed description of the item. It may seem redundant to record so many elements, but digital forensics is about details, and having them recorded leaves no doubt as to the item's identity and authenticity. This description should contain the following elements:

  • Item number: A unique item number should be included on the form. Where there are multiple pieces of evidence, a separate chain of custody form is completed for each.
  • Description: A general description of the item, such as "500 GB SATA HDD".
  • Manufacturer: This detail assists in the case of multiple pieces of evidence with potentially different manufacturers.
  • Model: This further details the specific piece of evidence for later separation if needed.
  • Serial number: This is critical when an incident involves a number of systems with exactly the same configuration. Imagine trying to reconstruct which chain of custody form belongs to which HDD if six drives of the same make and model were all seized together.

A completed first section for the chain of custody form will look like this:

The next section records each step the piece of evidence takes during its life cycle. For each step, the following details should be captured:

  • Tracking number: A sequential number identifying this step in the life cycle. A gap in the sequence is itself a sign that a step went unrecorded.
  • Date and time: This is a critical piece of information in any chain of custody and applies equally to every step. It allows anyone reviewing the chain of custody to reconstruct each step, down to the minute.
  • To and from: These fields can name either a person or a storage place. For example, if an analyst has seized a hard drive and is moving it to a secure storage locker, the locker is noted as the "To" location. The "From" of each step should match the "To" of the previous step; anything else is a break in custody. Individuals named in the chain of custody should sign the form when applicable to enforce accountability.
  • Reason: A piece of evidence should never be moved without a reason, and that reason is recorded in this portion of the form.

The following screenshot shows the movement of the hard drive recorded in the previous screenshot. Every move of the item is recorded here. The first move is the seizure of the drive from the system; in this case there is no individual prior custodian, as the drive was taken from the data center. What matters is that John Smith of ACME Corp. is recorded as the custodian of the drive from that moment until he transfers it to secure storage, as noted in the following screenshot:

The chain of custody is maintained throughout the life of the piece of evidence. Even when the evidence is finally destroyed or returned, an entry is made in the chain of custody form. These forms should be retained with all other material generated by the incident and included in any reporting that is produced.
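The two sections of the form described above (the item description and the per-step transfer log) map naturally onto a small append-only record, and the continuity rules (sequential tracking numbers, chronological timestamps, each step's "From" matching the previous step's "To") can be checked automatically. The following is an added example, not code from the page or from e-Fense: it stores each transfer hash-linked to the one before it so that a later edit to a past entry, a skipped step, or a hand-off that was never logged is reported on verification. The class and field names, the locker name, the dates and the second analyst are assumptions made up for the example; the scenario follows the page's John Smith / ACME Corp. seizure.

```python
"""Chain-of-custody record for one evidence item: the item description block plus an
append-only log of transfers, hash-chained so that a later edit to a past entry, a
missing step, or a hand-off that was never logged shows up on verification.
Added example; classes, field names and sample data are assumptions, not e-Fense's form."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass(frozen=True)
class EvidenceItem:
    """First section of the form: the item description."""
    item_number: str
    description: str
    manufacturer: str
    model: str
    serial_number: str

    def digest(self) -> str:
        # Step 1 of the log links back to this digest, binding the log to the item.
        return _sha256(json.dumps(asdict(self), sort_keys=True))


def _canonical(n: int, when: datetime, src: str, dst: str, reason: str) -> str:
    """Canonical JSON of one entry's fields; the entry hash covers exactly these."""
    return json.dumps({"n": n, "t": when.isoformat(), "from": src, "to": dst,
                       "reason": reason}, sort_keys=True)


@dataclass(frozen=True)
class Transfer:
    """One step in the life cycle (second section of the form)."""
    tracking_number: int
    timestamp: datetime     # timezone-aware
    from_custodian: str     # person or storage place; "" for the initial seizure
    to_custodian: str
    reason: str
    prev_hash: str          # digest of the previous entry, or of the item block
    entry_hash: str         # sha256(prev_hash + canonical fields)


class ChainOfCustody:
    def __init__(self, item: EvidenceItem) -> None:
        self.item = item
        self.transfers: list[Transfer] = []

    def record(self, when: str, src: str, dst: str, reason: str) -> Transfer:
        """Append a transfer linked to the previous entry; history is never edited.
        `when` is an ISO-8601 timestamp with a UTC offset (form entries are text)."""
        ts = datetime.fromisoformat(when)
        if ts.tzinfo is None:
            raise ValueError("timestamps must carry a UTC offset")
        if not reason.strip():
            raise ValueError("a move without a reason is not recorded")
        prev = self.transfers[-1].entry_hash if self.transfers else self.item.digest()
        n = len(self.transfers) + 1
        entry = Transfer(n, ts, src, dst, reason, prev,
                         _sha256(prev + _canonical(n, ts, src, dst, reason)))
        self.transfers.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return findings; an empty list means the chain is unbroken and unmodified."""
        findings: list[str] = []
        expected_prev = self.item.digest()
        last_time: datetime | None = None
        last_to: str | None = None
        for n, t in enumerate(self.transfers, start=1):
            if t.tracking_number != n:
                findings.append(f"step {n}: tracking number {t.tracking_number} out of sequence")
            if t.prev_hash != expected_prev:
                findings.append(f"step {n}: does not link to step {n - 1}")
            recomputed = _sha256(t.prev_hash + _canonical(
                t.tracking_number, t.timestamp, t.from_custodian, t.to_custodian, t.reason))
            if recomputed != t.entry_hash:
                findings.append(f"step {n}: entry hash mismatch, fields were modified")
            if last_time is not None and t.timestamp < last_time:
                findings.append(f"step {n}: timestamp precedes step {n - 1}")
            if last_to is not None and t.from_custodian != last_to:
                findings.append(f"step {n}: custody break, step {n - 1} left the item with "
                                f"'{last_to}' but this step takes it from '{t.from_custodian}'")
            expected_prev, last_time, last_to = t.entry_hash, t.timestamp, t.to_custodian
        return findings


def sample_chain() -> ChainOfCustody:
    """Constructed data following the page's scenario; dates, locker and second analyst invented."""
    chain = ChainOfCustody(EvidenceItem("1", "500 GB SATA HDD", "ExampleCo", "HD500", "SN-000123"))
    chain.record("2024-03-04T09:15:00+00:00", "", "John Smith, ACME Corp.",
                 "Seized from data center server rack")
    chain.record("2024-03-04T10:40:00+00:00", "John Smith, ACME Corp.", "Evidence locker DC-01",
                 "Secure storage pending imaging")
    chain.record("2024-03-05T08:05:00+00:00", "Evidence locker DC-01", "Jane Doe, ACME Corp.",
                 "Checked out for forensic imaging")
    return chain
```

`sample_chain().verify()` returns an empty list. Rewriting the reason on step 2 after the fact yields a single "entry hash mismatch" finding on that step; recording a fourth step that takes the drive from the locker while step 3 left it with Jane Doe yields a "custody break" finding. The hash chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash, so the record still needs the same protection from alteration that a paper form does (restricted write access, signatures, and copies retained with the incident file).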
