Chain of custody. From the moment evidence is received, its chain of custody must be maintained for it to be accepted by the court. This means that a record must be made when the item is received or when it leaves the care, custody, or control of the fraud examiner. This is best handled by a memorandum of the interview with the custodian of the records when the evidence is received. The memorandum should state: what items were received, when they were received, from whom they were received, and where they are maintained?
Chain Of Custody
The concept of the chain of custody refers to the logical sequence of gathering evidence, whether it is physical or electronic, in legal cases. Each link in the chain is essential as if the evidence presented for consideration in a civil or criminal legal case may be rendered inadmissible. In this way, preserving the chain of custody is about following the correct procedure and, therefore, making sure the quality of evidence brought before the courts are top-notch.
The everyday use of digital evidence in legal cases now means that the chain of custody must be captured and maintained when collecting and handling electronic evidence. For any given case, the chain should be documented to show the end of the sequence of work undertaken, including by whom, when, and the purpose. Furthermore, the chain of custody is not just a requirement of the courts, but it also supports the process of evidence examination by ensuring data elements are not just scrutinized from a single dimension.
It encourages each item of evidence to be considered from the perspective of where it came from, such as the company, device, geography, who created it, when, and why. This means that by viewing the whole chain of custody, evidence that may otherwise seem unhelpful to an investigation may serve as being useful.
What Is The Process Of A Chain Of Custody For Digital Evidence?
To protect digital evidence, the chain of custody consists of four steps. These are:
- Data collection: When the chain of custody begins from the first item of data collected. The examiner must ‘tag’ each item acquired and document the source, how and when it was collected, where it is stored, and who has access to it.
- Examination: When the chain of custody must be documented outlining the process undertaken. It is useful to capture screenshots throughout the process to show the tasks completed and the evidence exposed.
- Analysis: When it may be appropriate to capture the chain of custody information.
- Reporting: When the chain of custody is documented into a statement that explains the tools used, the sources of data, methods of extraction used, the process of analysis, and issues encountered, and how these were controlled. Ultimately, it is this statement that must make it clear that the chain of custody has been maintained throughout the process and that the evidence given is legally defensible.
The digital evidence is then presented to the courts. This is important to avoid the possibility of any suggestion that the evidence has been compromised in any way. While it may have been handled correctly during the process, if the evidence is then handed to the court in a way that leaves it open to alteration, perhaps by changing the timestamps or metadata associated, it may then be damaged.
To maintain the chain of custody, digital experts are well-practiced in the use of contemporaneous note-taking, allowing them to document the processes undertaken and recreate the results they have achieved.
How Can The Chain Of Custody Be Assured?
In addition to taking contemporaneous notes, digital examiners use some of the best practices to preserve the chain of custody, including:
- Examining the scene before data is taken – can be damaging to a case if an examiner acts too rapidly in identifying and capturing data and devices of interest without assessing the situation and ensuring the scene is secure. This includes making sure that removing an item will have no negative impact on ongoing IT service provision, documenting the wider context and existing infrastructure from which the data item is being taken, including number and type of computers, network type, details of key administrative personnel, types of software used and operating systems used – this may provide useful information which is material to the investigation.
- Using copies of the data captured – the central part of preserving the original evidence cannot be overstated, as if damaged or compromised in any way, the case may be jeopardized. There are many ways by which copies of digital evidence can be made and then used for examination and analysis, including creating a ‘bit-for-bit, such as digitally identical individual data items, or whole system contents.
- Ensuring storage medium is sterilized – if an item of data is placed on to an examiner’s storage device, such as a hard drive, that medium must be entirely clean and free of any possible contamination at every level.
The digital chain of custody is the center of every action taken by digital specialists. They understand that days or weeks of intensive work would be wasted if they miss a step in the process or fail to ensure the integrity of the evidence they have worked so hard to find, analyze, and document. Hence, integrity is always first in the minds of digital examiners.
Judges and juries evaluate cases based on the evidence presented in court when determining whether a defendant is guilty. They are not allowed to carry out their own investigations. Allowing judges or juries to base their decisions on tainted, untrustworthy, or tampered with evidence would jeopardize the judicial system’s integrity.
Chain of custody issues are especially important in cases involving drugs, firearms, or samples tested for the presence of drugs or alcohol in order to prove intoxication. Prosecutors must present documentary and testimonial evidence to establish that the item presented at trial is the same item that was in the defendant’s possession or taken from the defendant in order to establish chain of custody.