Chain of custody
Digital evidence can impact legal proceedings. Because of this, law enforcement must be trained to maintain a well-defined and correctly documented chain of custody as it would for any kind of physical evidence. From the time evidence is obtained, documentation must include the time, person’s name, and purpose for which evidence was handled. In the case of material evidence, law enforcement officials tag it and place it in a secure location. Those who access it must sign it out when they receive it and sign it in when they return it. With digital data, chain of custody is more complicated. Digital evidence is easier to change, copy and destroy than evidence that is an object. This makes the way in which digital chain of custody is maintained even more critical. Even a single flaw in the custody chain can destroy years of investigative work. There is growing skepticism that the digital evidence chain of custody process is secure from tampering (Stone, 2015).
The FBI chain of evidence begins with the hardware on which potential evidentiary data is stored. The hardware is tagged and secured. Those who access it must sign it out and sign it back in. At the start of the process a write blocker is installed. It allows the data to be examined without risk that the data on the device can be altered. The write blocker prevents the data on the original device from being erased or modified. Cloud computing introduces external operators that may encrypt, transmit and possess digital evidence. Can the government still prove that chain of custody is secure when it is in the hands of a third party? (Stone, 2015)
Forensic Disk Imaging
If a forensic investigation may lead to a criminal investigation or litigation, the drive should be pulled and delivered to ISC Security with a chain of custody form. The two methods of forensic imaging are drive cloning and drive imaging. Images are preferable because they are portable and easy to work with. A hash algorithm is used to create what is essentially a digital fingerprint of the device data. If the digital record is modified in any way, a new hash will result. The hash value carries through the chain of custody from beginning to end. The National Institute of Standards and Technology (NIST) recommends that first responders be trained to handle digital evidence in the same way that they are trained to handle physical material. The FBI recommends permanent retention of hardware, as it may be significant in a future case (Keane, 2013).
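The hash-based custody process described above, as an added illustration that is not from the page or its sources: the image is fingerprinted in chunks, every handler's entry records time, name, purpose and the hash they observed, and a later mismatch exposes an undocumented modification. The sample image, the examiner names and the CustodyLog class are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: multi-GB images never need to fit in memory

def hash_image(path, algo="sha256"):
    """Digital fingerprint of an image file; any changed byte yields a new value."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only record of who handled the image, when, why, and the hash they saw."""
    def __init__(self, image_path):
        self.image_path = image_path
        self.entries = []

    def record(self, person, purpose):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "person": person,
                 "purpose": purpose, "sha256": hash_image(self.image_path)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every handler observed the acquisition-time hash."""
        baseline = self.entries[0]["sha256"]
        return all(e["sha256"] == baseline for e in self.entries)

def demo():
    """Constructed scenario: image acquired and analysed, then one byte is altered."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:  # constructed sample image, not real evidence
        f.write(b"\x00" * 4096 + b"constructed sector data" + b"\xff" * 4096)
    log = CustodyLog(path)
    log.record("examiner A", "acquisition")
    log.record("examiner B", "analysis")
    intact = log.verify()           # hashes agree: custody chain unbroken so far
    with open(path, "r+b") as f:    # simulate an undocumented modification
        f.seek(4096)
        f.write(b"X")
    log.record("examiner C", "re-analysis")
    tampered = log.verify()         # mismatch exposes the break in custody
    os.remove(path)
    return intact, tampered         # (True, False)
```

The original device would be hashed behind a write blocker before imaging; here only the image file is hashed, which is the value that travels with the custody form.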
Forensic Tool Testing
Security testing must be an integral part of testing digital forensic tools. Technological innovations include network imaging as part of forensic cloud services. There is a need to provide security testing on these tools as they support digital evidence integrity. TD3 has been validated as a hardware duplicator and write blocker. It has networking functionality. Yet, in one study an attack corrupted the integrity of the destination drive without the user’s knowledge. The firmware update was modified and repackaged. This demonstrated that an opponent can execute a phishing attack that tricks digital forensic practitioners into updating their device with a malicious operating system. Such opponents can be outside or inside a company. This study brings to light a significant weakness in security tool design. It suggests that it might be good business practice to define and adopt security standards for digital forensic tools (Meffert, 2016).
Preserving the chain of custody for digital evidence is more complex than for physical evidence, and just as important. The original digital media must be imaged and a hash value computed from the original media. Tools used for analysis must be approved by organizations that test this type of software, such as the National Institute of Standards and Technology (NIST).
- Keane, J. (2013). Capturing a Forensic Image. University of Pennsylvania. Retrieved from https://sites.sas.upenn.edu/sites/default/files/kleinkeane/files/forensic-capture.pdf
- Meffert, C. (2016). Deleting collected digital evidence by exploiting a widely-adopted hardware write blocker. Digital Investigation 17(7). Retrieved from http://www.sciencedirect.com/science/article/pii/S1742287616300354
- Stone, A. (2015). Chain of Custody: How to Ensure Digital Evidence Stands Up In Court. Retrieved from https://www.govtechworks.com/chain-of-custody-how-to-ensure-digital-evidence-stands-up-in-court/#gs.wx9g_Xw