Chain of Custody
Evidence management (or maintaining chain of custody) is the administration and control of evidence related to an event so that it can be used to prove the circumstances of the event, and so that this proof can be tested by independent parties with confidence that the evidence provided is the evidence collected related to the event.
Evidence management requires that the evidence is:
- collected in a fashion which does not compromise the nature of the evidence;
- kept in a fashion which maintains the nature of the evidence;
- handled in a fashion which allows no doubt that the evidence could not have been accidentally or deliberately altered or substituted — that is, the evidence presented for the proof is the exact evidence collected.
A forensic examiner should follow four basic steps in order to correctly maintain a digital chain of custody. These steps include:
• Maintain physical custody of the evidence and log all access to it;
• Create a binary, forensic duplicate of the original data in a non-invasive manner, typically using a write-blocking device (Windows does not typically permit mounting a drive in a write-protected, "read only" mode; the mount command in Linux, however, supports a read-only mode via the -r flag);
• Create a digital fingerprint (hash) that continually verifies data authenticity; and
• Log all investigation details in a thorough report generated by an integrated computer forensics software application.
Hashing of Files for Authentication Purposes
When hashing a forensic image I recommend md5sum, available at http://www.pc-tools.net/win32/md5sums/. However, where an image is not made of a device, as is the case when copying files from a file server, I recommend using SafeCopy 2.0 (a commercial tool) or Robocopy and md5deep (available at http://md5deep.sourceforge.net/) to compare the MD5 hashes of files before and after duplication. If you are not familiar with parsing text files and analyzing log files, the U3 (mobile) version of SafeCopy 2.0 is by far the easier way to go, assuming you are willing to pay about $250 for a license. One last note: if using Robocopy, make sure you are familiar with all the flags and command-line options, since the use of improper flags can result in the destruction of your files.
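The before-and-after comparison described above, as an added example that is not part of the original post and not code from md5deep or SafeCopy: it hashes every file under a source tree and its copy, compares the two manifests, and writes the source manifest in the two-space `digest  path` line format that md5sum and md5deep emit. It uses only the Python standard library; MD5 is the default to match the tools named above, but any hashlib algorithm (e.g. sha256) can be passed in.

```python
import hashlib
from pathlib import Path


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so multi-gigabyte images never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="md5"):
    """Map each regular file (path relative to root, POSIX separators) to its digest.

    Relative paths let a manifest taken on the source be compared with one taken
    on the copy even though the two trees live at different absolute locations."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm) for p in files}


def compare_manifests(before, after):
    """Compare the pre-copy manifest with the post-copy manifest.

    Returns the files absent from the copy, the files present only in the copy,
    and the files whose digests differ; all three lists are empty for a faithful copy."""
    common = before.keys() & after.keys()
    return {
        "missing": sorted(set(before) - set(after)),
        "extra": sorted(set(after) - set(before)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def write_manifest(manifest, out_path):
    """Write 'digest  path' lines (two spaces), the layout md5sum/md5deep produce
    and `md5sum -c` reads back, so the record can be re-verified with stock tools."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel_path, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel_path}\n")
    return out_path
```

Keep the manifest file with the evidence log, since re-running `build_manifest` on the copy at any later date and comparing against it is what turns a one-time hash into the continual authenticity check the steps above call for.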
Security
Consideration should be given to whether the data at issue are sensitive; if so, I recommend using a hardware-encrypted hard drive that uses a FIPS 140-2 approved algorithm. If you must send unencrypted media (for example, backup tapes) to a vendor or a law firm, I recommend using Brinks or another armored car service. Considering the potential liability, the cost is more than worth it.
Record Keeping
I personally prefer using UPC codes (Code 39) for tracking evidence, along with a copy of the serial number of the media and of the electronic device the media is contained within. Below is an electronic form which I use to collect chain of custody data; however, a paper form can work just as well.
