Topics In Demand
Notification
New

No notification found.

COMPUTER FORENSICS: CHAIN OF CUSTODY
COMPUTER FORENSICS: CHAIN OF CUSTODY

May 12, 2022

5170

2

 

What is the chain of custody in computer forensics?

The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of digital evidence. It indicates the gathering, sequence of control, transfer, and analysis. It also documents everybody who handled the digital evidence, the date/time it was collected or transferred, and also the purpose for the transfer.

 Why is it important to maintain the chain of custody?

It is important to maintain the chain of custody to preserve the integrity of the electronic evidence and prevent it from contamination, which might alter the state of the electronic evidence. If not preserved, the electronic evidence presented in court may be challenged and ruled impermissible.

Importance to the Examiner

Suppose that, as the examiner, you acquire metadata for a piece of electronic evidence. However, you're unable to extract meaningful information from it. The actual fact that there's no meaningful information within the metadata doesn't mean that the electronic evidence is insufficient. The chain of custody during this case helps show wherever the attainable proof may lie, wherever it came from, who created it, and the sort of equipment that was used. That way, if you want to create model, you'll be able to get that equipment, create the model, and compare it to the electronic evidence to verify the evidence properties.

Importance to the Court

It is possible to have the electronic evidence presented in court laid-off if there's a missing link within the chain of custody. it's so vital to make sure that a wholesome and meaningful chain of custody is presented along with the electronic evidence at the court.

What Is the procedure to establish the chain of custody?

In order to make sure that the chain of custody is as authentic as possible, a series of steps should be followed. it's important to notice that, the additional information a forensic professional obtains concerning the electronic evidence at hand, the additional authentic is that the created chain of custody. Due to this, it's important to get administrator information regarding the evidence: for example, the executive log, date and file information, and who accessed the files. You must make sure the following procedure is followed according to the chain of custody for electronic evidence:

Save the original materials: You must always work on copies of the electronic evidence as against to the original. This ensures that you are able to compare your work product to the original that you preserved unmodified.

Take photos of physical electronic evidence: Photos of physical (electronic) evidence establish the chain of custody and build it additional authentic.

Take screenshots of electronic evidence content: In cases wherever the evidence is intangible, taking screenshots is an effective way of establishing the chain of custody.

Document date, time, and the other information of receipt: Recording the timestamps of whoever has had the electronic evidence permits investigators to create a reliable timeline of wherever the evidence was prior to being obtained. Within the event that there's a hole within the timeline, any investigation could also be necessary.

Inject a bit-for-bit clone of digital evidence content into our forensic computers: This ensures that we obtain to complete duplicate of the digital evidence in question.

Perform a hash test analysis to further authenticate the working clone: Performing a hash test ensures that the information we tend to acquire from the previous bit-by-bit copy procedure isn't corrupt and reflects true nature of the original proof. If this is not the case, then the forensic analysis may be flawed and will lead to issues, so rendering the copy non-authentic.

The procedure of the chain of custody might be completely different: Depending on the jurisdiction within which the electronic evidence resides; but the steps are mostly identical to the ones outlined above.

What considerations are involved with the digital evidence?

A couple of considerations are concerned once handling digital evidence. We tend to shall take a glance at the foremost common and discuss globally accepted best practices.

Never work with the original evidence to develop procedures: The most important thought with digital evidence is that the forensic professionals need to build a whole copy of the evidence for forensic analysis. This can't be overlooked because, once errors are created to operating copies or comparisons are needed, it'll be necessary to match the original and copies.

Use clean collecting media: it’s important to make sure that the examiner’s storage device is forensically clean once getting the electronic evidence. This prevents the original copies from damage. Think about a scenario wherever the examiner’s data electronic evidence collecting media is infected by malware. If the malware escapes into the machine being examined, all of the electronic evidence will become compromised.

Document any extra scope: Throughout the course of an examination, information of evidentiary value could also be found that's beyond the scope of this legal authority. it's suggested that this information be documented and brought to the attention of the case agent because the information may be required to get further search authorities. A comprehensive report should contain the subsequent sections:

  • Identity of the news agency
  • Case identifier or submission range
  • Case investigator
  • Identity of the submitter
  • Date of receipt
  • Date of report
  • Descriptive list of items submitted for examination, including serial range, make, and model
  • Identity and signature of the examiner
  • Brief description of steps taken throughout examination, like string searches, graphics image searches, and ill erased files
  • Results/conclusions
  • Consider safety of personnel at the scene. it's judicious to always make sure the scene is correctly secured before and through the search. In some cases, the examiner may only have the opportunity to do the following while onsite:
  • Identify the number and type of computers.
  • Determine if a network is present at a moment.
  • Interview the system administrator and users.
  • Identify and document the types and volume of media, including with removable media.
  • Document the location from that the media was removed.
  • Identify offsite storage areas and/or remote computing locations.
  • Identify proprietary software system.
  • Determine the operating system in question.

The considerations above need to be taken into account when dealing with electronic evidence because of the fragile nature of the task at hand.

Conclusion

In this article, we have examined the seriousness of electronic evidence and what it entails. Throughout the article, three main points stand out in the preservation of electronic evidence integrity:

  1. Actions taken to secure and collect electronic evidence should not affect the integrity of that evidence.
  2. Persons conducting an examination of electronic evidence should be trained for that purpose.
  3. Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be documented, preserved, and out there for review.

Through all of this, the examiner should be cognizant of the necessity to conduct an correct and impartial examination of the electronic evidence.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Harshita C. Jadhav
Founder and CEO

© Copyright nasscom. All Rights Reserved.