Chain of Custody
The purpose of the chain of custody is to identify, quickly and unambiguously, every person and department that has held, stored or transported a given object or piece of equipment, and when. Without this document it is difficult for a computer forensics case to proceed in a court of competent jurisdiction. Missing or inconsistent chain of custody paperwork can get an otherwise solid case thrown out: if the evidence is challenged, there is no way to show where a change to it may have been introduced, or who is accountable for it.
There are forms you can use for the chain of custody. One of them is the NIST sample chain of custody form (available as an MS Word document), which you can use as a template or modify to suit your needs.
Here are some of the things a properly maintained chain of custody provides:
| Benefit | Description |
| --- | --- |
| Preservation of Evidence / Integrity | A proper chain of custody ensures that digital evidence remains intact and unaltered from the time it is collected until it is presented in court. This is essential for demonstrating that the evidence has not been tampered with or modified, thus ensuring its reliability and credibility. |
| Admissibility in Court | Courts require evidence to be authenticated and reliably sourced to be admissible. A well-documented chain of custody provides the necessary documentation to prove the authenticity and integrity of the evidence, increasing its admissibility in legal proceedings. |
| Legal Compliance | Following a chain of custody protocol helps ensure compliance with legal and procedural requirements. This is particularly important in cases where the legality of evidence collection and handling is scrutinized. A properly maintained chain of custody demonstrates that proper procedures were followed throughout the investigation. |
| Protection against Challenges | A thorough chain of custody can help defend against challenges to the validity of the evidence. If the chain of custody is well-documented and maintained, it becomes more difficult for the opposing party to argue that the evidence is unreliable or inadmissible. |
| Maintaining Trust in the Judicial Process | A transparent and accountable chain of custody enhances public confidence in the judicial system. It assures stakeholders, including the court, the parties involved, and the public, that the evidence presented is reliable and has been handled with integrity throughout the investigation process. |
Starting the Chain of Custody
If there is an event of particular concern, the business can request that forensics be engaged. The request also has to stand on a legal footing, and the following steps should accompany it:
- A legal hold must be sent to the user so that no further changes are made to the system.
- Physical security should be called to secure the area and make sure nothing is tampered with.
- The user's profile should be preserved and a temporary profile provided to them.
- During acquisition all media should be photographed and logged, and protective tape applied over any ports.
- Take notes and photographs of open programs and items on the screen(s).
- Acquire memory if possible.
- Abrupt shutdown by pulling the plug (see the Shutdown Process section below for when this is and is not appropriate).
Shutdown Process
The key distinction is between encrypted and non-encrypted disks. There are arguments on each side of the fence about how to "properly" shut down a system during the acquisition process, before everything is bagged and tagged. Here are some things to consider which can help you and your organization make an informed and sound decision:
| Action | Description |
| --- | --- |
| Disk Encryption | If the disk is encrypted and you have no form of key recovery for it, a plain power-off leaves you with ciphertext: the decryption keys exist only in RAM while the system is running, and they are gone the moment it loses power. Acquire memory (and, if in scope, a live image of the mounted volume) before you consider pulling the plug. |
| Shutdown Scripts | Do you know whether the user has placed a shutdown script on the system that, under certain circumstances, runs software or tools to make data harder to recover? If you cannot rule that out, pulling the plug denies such a script the chance to run. |
| External Devices | While photographing the scene, are you noticing external storage media plugged in (USB keys, mass storage devices, CF/SD/MMC cards, etc.)? If so, you may want to perform a graceful shutdown so that anything still buffered gets written out to those disks. |
| Live System | If the system is live and running, one of your options is to perform live forensics, if that is in scope, and then pull the plug. However, many considerations need to be accounted for before such a step is undertaken. |
Memory Acquisition Process
Depending on the system you are working on, you may have to weigh several options for memory acquisition. On Windows our go-to is FTK Imager. On Linux you will need to consider a few different tools; among them are LiME, AVML and memdump. Some of the Linux tools (LiME in particular) must be built against each kernel version and rebuilt after every kernel update, and getting that accepted as a business justification, rolled out and maintained can be time consuming. Keep this in mind for the Linux side of the house. For macOS: good luck.
While there are some good tools to consider, you also have to factor in a few key things for the acquisition of memory:
- Linux systems can be configured so that kernel module loading is disabled (sysctl -w kernel.modules_disabled=1, which cannot be reverted without a reboot). In that case you cannot load a module-based tool such as LiME; a userland tool that reads /proc/kcore may still work, but can itself be blocked by kernel lockdown.
- If module loading is disabled and the system is a virtual machine, the hypervisor can usually snapshot or dump guest memory through its management API.
- If the tools are not compiled and installed before the incident, installing them in your time of need will change data on the system that you may later have to defend.
- You also need to decide between compiling a driver for each kernel version and going with a solution that works out of the box for your OS.
- Try to find a solution that requires little or no installation and works across many distributions before committing to one or the other.
- Your environment will dictate what you will ultimately end up using.
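The considerations above can be turned into a pre-flight check that a responder runs before touching the host. The following Python script is an added example written for this page, not one of the tools named above: it decides, without root and without running anything, whether a prebuilt LiME module for the exact running kernel is on the responder's own media and module loading is still allowed, falls back to AVML (a userland binary that needs no kernel module), and otherwise points at the hypervisor or records that there is no clean in-guest path. The media path, file names and the command lines it builds are assumptions for illustration.

```python
"""Memory acquisition pre-flight for a Linux host.

Added example for this page, not a tool the text names. Paths, file names and
the argv it builds are illustrative assumptions."""
import platform


def read_modules_disabled(proc_path="/proc/sys/kernel/modules_disabled"):
    """Return 1 if module loading has been disabled (sysctl kernel.modules_disabled=1),
    which cannot be undone until reboot. A missing file (non-Linux, old kernel) -> 0."""
    try:
        with open(proc_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0


def plan_memory_acquisition(kernel_release, modules_disabled, media_files, is_vm,
                            media="/mnt/evidence"):
    """Choose a method and build (but do not run) its command line.

    media_files: names present on the responder's own external media, so that
    nothing has to be installed on the subject host. Returns (tool, argv, reason)."""
    out = f"{media}/mem-{kernel_release}.lime"
    lime_ko = f"lime-{kernel_release}.ko"  # LiME must match the running kernel exactly
    if lime_ko in media_files and not modules_disabled:
        return ("lime", ["insmod", f"{media}/{lime_ko}", f"path={out} format=lime"],
                "prebuilt LiME module for this kernel and module loading is allowed")
    if "avml" in media_files:
        # AVML is a userland binary (reads /proc/kcore, /dev/crash or /dev/mem), so
        # modules_disabled=1 does not stop it, though kernel lockdown can.
        return ("avml", [f"{media}/avml", out],
                "no loadable LiME module; AVML needs no kernel module")
    if is_vm:
        return ("hypervisor", [],
                "nothing usable in-guest; dump guest memory from the hypervisor or cloud API")
    return (None, [],
            "no acquisition path without installing software on the subject; record the decision")


if __name__ == "__main__":
    # Constructed inputs standing in for what a responder would find on site.
    release = platform.release()
    plan = plan_memory_acquisition(release, read_modules_disabled(),
                                   [f"lime-{release}.ko", "avml"], is_vm=False)
    print(plan)
```

The point of keeping the decision separate from execution is that the reasoning ends up in the case notes: whichever branch fires, the reason string is what you write down next to the memory image and its hash.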
Bagging & Tagging
When you have decided which objects you want to bag up and tag for investigation, you need to understand a few key points about removing evidence:
1) The evidence must be clearly labeled with the date/time it was acquired, where it was acquired from, and the type of evidence.
2) Photos should be taken, and a numbering system should be applied to the device(s) and carried through the documentation.
3) Each item is then sealed in an evidence bag and photographed again.
Once this has been done, start your chain of custody. The first entry is Suspect -> Investigator, or, where "suspect" does not apply, whoever you collected the device(s) from -> Investigator. Every time the evidence travels between locations, the person picking it up must sign the chain of custody and record where the device(s) were obtained and when, and where, when and to whom they were dropped off, with the receiving party countersigning.
To seal items you can also look into purchasing evidence bags that carry the fields discussed in the previous paragraph on bagging and tagging.
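As an added, runnable illustration of the record described in this section and in the opening paragraph (this is example code written for this page, not a NIST form or a tool from the text), the following Python script models a single evidence item's chain of custody: a reference hash taken at acquisition, one entry per hand-off carrying date/time, from, to and location, the receiving party re-hashing the item before signing, and a hash chain over the entries so that editing or deleting a past entry is detectable. Names, the item id, entry fields and the evidence bytes are constructed assumptions for the demo.

```python
"""Tamper-evident chain-of-custody ledger for one evidence item.

Added example for this page, not a NIST form or the page's own tooling.
Names, item ids, entry fields and the evidence bytes are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of every field except entry_hash itself, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    def __init__(self, item_id, description, acquired_from, acquired_by,
                 location, evidence: bytes, when=None):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(evidence)  # reference value for the item's life
        self.entries = []
        self._append("acquired", acquired_from, acquired_by, location,
                     self.acquisition_hash, when)

    def _append(self, event, from_party, to_party, location, evidence_hash,
                when=None, note=""):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "item_id": self.item_id,
            "event": event,
            "from": from_party,
            "to": to_party,
            "location": location,
            "time_utc": when.isoformat(),
            "evidence_hash": evidence_hash,
            "note": note,
            # each entry commits to the one before it
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_party, to_party, location, evidence: bytes,
                 when=None, note="") -> bool:
        """Record a hand-off. The receiver re-hashes the evidence; the entry is
        written even on mismatch, because recording where the item changed is
        exactly what the chain is for. Returns True if the hash still matches."""
        h = sha256_hex(evidence)
        self._append("transfer", from_party, to_party, location, h, when, note)
        return h == self.acquisition_hash

    def ledger_intact(self) -> bool:
        """Walk the hash chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def first_integrity_break(self):
        """First entry whose evidence hash differs from the acquisition hash,
        i.e. the hand-off at which the item changed and who was involved."""
        for entry in self.entries:
            if entry["evidence_hash"] != self.acquisition_hash:
                return entry
        return None

    def to_json(self) -> str:
        return json.dumps({"item_id": self.item_id, "description": self.description,
                           "acquisition_hash": self.acquisition_hash,
                           "entries": self.entries}, indent=2)


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"  # not real evidence
    t = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    coc = ChainOfCustody("E-2024-001", "Laptop SSD image", "J. Doe (suspect)",
                         "A. Smith (investigator)", "Desk 4B", image, t)
    coc.transfer("A. Smith (investigator)", "Evidence locker", "Room 101", image, t)
    coc.transfer("Evidence locker", "Lab analyst", "Lab 3", image + b"\x00", t)  # altered copy
    print(coc.to_json())
    print("ledger intact:", coc.ledger_intact())
    print("first break at entry:", coc.first_integrity_break()["seq"])
```

Two properties matter here. The mismatch at the third hand-off is recorded rather than rejected, so first_integrity_break() answers the question the opening paragraph raises: which transfer, between which parties, is where the change was introduced. Separately, ledger_intact() catches edits to the paper trail itself; removing the most recent entry is the one change a hash chain alone cannot see, which is why the receiving party's countersignature on a physical form still matters.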