Chain of Custody – A Suspect’s Chargesheet

by Saurabh Ghelani, NII Consulting

In computer forensics a suspect’s chargesheet is as good as the Chain of Custody log. It is the documented version of the circumstantial evidence which can be produced in the court, similar to the chargesheet which is filed by law enforcement agencies.

Chain of Custody -> gathering and preservation of the identity and the integrity of the evidential proof that is required to prosecute the suspect in court. It is basically the maintenance of the integrity of the evidence from the time it was seized till the time it was produced in court.

Preserving Chain of Custody log in E-Investigation is very important as it is very easy to alter/modify electronic data if proper precautions are not taken. While preserving the log, ensure that the data is properly copied, transferred and stored, there has been no alteration of data and the storage media is secured throughout the process.

In a computer forensics investigation, never say “There’s nothing there”

Some technical mistakes that could occur while handling evidence include:

  • Altering time and date stamps on evidence systems before recording them
  • Killing (terminating) rogue processes
  • Patching the system before investigators respond
  • Not recording the commands executed on the system
  • Writing over potential evidence by installing software on the evidence media – original hard drive that needs to be investigated
  • Writing over potential evidence by running programs that store their output on the evidence media

Chain of Custody helps to streamline the evidence handling process. The most basic way to accomplish this is to keep a detailed list of individuals who had control of the evidence at any point, from collection to final disposition. It is in the best interest of your organization to treat all incidents with the mindset that every action you take during incident response may one day be under the scrutiny of individuals who desire to discredit your techniques, testimony and fact finding skills.

Confidentiality, Integrity and Availability of the log needs to be maintained as it may be reviewed at any time. Every instance of contact with the data must be documented throughout the entire investigation process.

Email ProcedureFigure 1: Chain of Custody Log

The Chain of Custody log should include the following

Peliminary Data Gathering

  • Name of individual who received the evidence
  • Name of custodian
  • Date, time and place of investigation
  • Description of data obtained including media-specific investigation
    • Media-type, standard and manufacturer
    • Serial numbers and/or volume names
    • Writing on labels
    • Characterization of data
    • Amount of data
    • Type of data
    • Write-protection status
  • Description of data collection procedures
    • List of tools used for each procedure
    • Name of the individual conducting each procedure
    • Outcome of procedures
    • Problems encountered, if any

Additional Records

  • Movement of evidence (transfer and transportation), including purpose
  • Date and time of media check-in and check-out from secure storage
  • Physical (visual) inspection of data
  • Description of data analysis
    • List of tools used for each procedure
    • Name of the individual conducting each procedure
    • Outcome of procedure
    • Problems encountered, if any
  • Notes section to record anything out of the ordinary

While conducting a forensics investigation, it is important that the client be updated regularly about the progress of the investigation and a comprehensive report be sent to the concerned recipients at the end of the investigation so that it can be produced in the court along with the Chain of Custody.

Conclusion

Complete and accurate maintenance of procedures will ensure the authenticity of the electronic data, which can be used to in court to prosecute the suspect. A little extra effort at the beginning of the project will ensure a smooth, efficient chain of custody logging process.

References

Web

The Role of Computer Forensics in Stopping Executive Fraud

How to Keep a Digital Chain of Custody

Book

Incident Response & Computer Forensics – Kevin Mandia, Chris Prosise, Matt Pepe

1 Comment

  1. Dear Saurabh,

    This is a really nice and informative article and I appreciate your efforts in creating awareness on ‘Forensics’ which is a pretty important area of research in information and data security.

    Just like the IT Act 2000, you people should also talk about other acts like EU Data Privacy Act, etc.

    Keep it up!!!

    Warm Regards,

    Dr. Paul Dowland
    Senior Lecturer
    School of Computing, Communications and Electronics (SoCCE)
    University of Plymouth
    Tel: +44 (0)1752 232513
    Email: [email protected]

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.