Keeping a Chain of Custody for Digital Evidence
By: Dr P Dennis Newsom, CIS, CCFE, IACFE,
Head Professor of Computer Forensics - Cosmopolitan

© December 31, 2005

Don’t get me wrong, as a computer forensics investigator I love the shows CSI-Las Vegas and Law & Order. However, when an episode involves computers they always mishandle the evidence, and it kills me. Every now and again, they’ll have the crime scene investigator, or the cop who’s investigating the murder, go into the suspect’s house and just turn on the computer - thus showing barefaced disrespect for the evidence. Let’s call it rule number one for computer forensics: Don’t count on getting your training from a TV show. Here’s some more advice, straight from the experts, on how to handle digital evidence.

DO expect that all evidence will end up in court.

A chain of custody is the process of validating how any kind of evidence has been gathered, tracked and protected on its way to a court of law. A sloppy or nonexistent chain of custody may end up being enough for a simple internal investigation of an employee. But it’s better not to take the chance. Instead, get in the habit of protecting all evidence equally so that it will hold up in court. If you don’t have a chain of custody, the evidence is worthless. Deal with everything as if it would go to litigation.

DON’T wait until you have the evidence to make a plan for protecting it.

To prove chain of custody, you’ll need a form that details how the evidence was handled every step of the way. This form should answer these five W’s (plus an H):

What is the evidence?
How did you get it?
When was it collected?
Who has handled it?
Why did that person handle it?
Where has it traveled, and where was it ultimately stored?

The following is an Example of a Chain of Custody Form

DO guard the "best evidence" closely.

Digital evidence is different from physical evidence, in that a carefully protected image of a hard drive is as good as the original hard drive in the eyes of a court. The first image of a hard drive that investigators take is known as the "best evidence," because it’s closest to the original source. The chain of custody form should be attached to the best evidence and stored under lock and key.

Ideally, if you do lots of investigations, the evidence should be stored offsite, but it may be more practical to keep everything onsite in a fireproof safe.

DON’T work off the best evidence.

After the best evidence is gathered, a second copy should be made, either from the original or from the best evidence. This is the working copy that investigators use for their investigation. This step can seem needless. Sometimes the mind-set is, if we didn’t seize the computer itself, why does it matter if it’s the working copy or the first copy? But "best evidence" is a distinction that lawyers like—and really, the point with chain of custody is to avoid doing anything that a lawyer might not like.

DO keep the chain of custody form up-to-date.

Every single time the best evidence is handed off, the chain of custody form needs to be updated, or a new form attached to the top of the stack. You have to explain what the evidence is, where it came from and where it went, and there can’t be a gap. You’d have a stack of log forms at the end of the investigation, and you’d also input all the information from the log forms into the database where you’re tracking the investigation. As an added legal precaution, the forensics investigator can run a mathematical algorithm, or hash set, on both digital copies. This proves—or you hope it proves—that the evidence you started with is the same as the evidence you ended up with.
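The form fields listed earlier (five W's plus an H) and the hash check described above can be kept together in a machine-checkable log. The following Python sketch is an added example, not a form or tool from the original article; the field names, the choice of SHA-256, and the sample people, places and times are assumptions made for illustration.

```python
import hashlib
import io
from dataclasses import dataclass

def sha256_stream(stream, chunk=1 << 20):
    """Hash a disk image in chunks so it never has to fit in memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

@dataclass
class Handoff:           # one row of the form: five W's plus an H
    what: str            # what the evidence is
    how: str             # how it was obtained or transferred
    when: str            # ISO 8601 timestamp (sorts chronologically as text)
    released_by: str     # who gave it up
    received_by: str     # who took custody
    why: str             # why that person handled it
    where: str           # where it travelled to or is stored
    sha256: str          # hash of the image taken at this handoff

def audit(log):
    """Return every break in the chain: custody gaps, time reversals, hash changes."""
    problems = []
    for n, (prev, cur) in enumerate(zip(log, log[1:]), start=2):
        if cur.released_by != prev.received_by:
            problems.append(f"entry {n}: custody gap, {prev.received_by} never released it")
        if cur.when < prev.when:
            problems.append(f"entry {n}: dated before entry {n - 1}")
        if cur.sha256 != prev.sha256:
            problems.append(f"entry {n}: hash differs from entry {n - 1}")
    return problems

def sample_log(image=b"constructed stand-in for a disk image"):
    """Constructed sample data: names, places and times are invented."""
    h = sha256_stream(io.BytesIO(image))
    item = "best evidence: first image of laptop drive"
    return [
        Handoff(item, "imaged on site", "2005-12-01T09:30:00",
                "source machine", "Examiner A", "acquisition", "client office", h),
        Handoff(item, "hand carried", "2005-12-01T14:00:00",
                "Examiner A", "Custodian B", "storage", "fireproof safe", h),
        Handoff(item, "signed out", "2005-12-05T10:15:00",
                "Custodian B", "Examiner A", "make working copy", "forensics lab", h),
    ]

if __name__ == "__main__":
    print(audit(sample_log()) or "chain intact")
```

For a real image, open the file in binary mode and pass it to `sha256_stream`; the same function run on the working copy should return the hash recorded for the best evidence.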

DON’T submit the hardware to court unless you have to.

Judges rarely need to get their hands on the best evidence. Try to keep it that way. For instance, instead of submitting the actual image of a hard drive, I personally write an affidavit describing who I am, what I’ve investigated and what was found. I always have a colleague review the affidavit, and then I sign it and submit it to the court. That written information is much more enlightening for a judge or jury than the digital image itself, and the best evidence stays safe in storage.

DO get rid of the evidence as soon as you can.

Holding on to any kind of evidence longer than necessary is a waste of resources and could also set your company up for a potentially burdensome task if the evidence is later subpoenaed. To protect your company, make a plan for decommissioning the evidence sometime after the case is closed.