Digital forensics investigators tasked with the responsibility of preserving the integrity of digital evidence, guaranteeing that the chain of custody is not broken. More succinctly, chain of custody is the chronological list of individuals who have had the evidence, and the locations the evidence has been stored. All forensic data and storage units need to be preserved (copied) on stable media such as CD-ROM, using replicable techniques. Each component of the process taken to capture the data must be documented. Any changes made to the evidence must also be documented, including the reason for the change. The assumption should always be made that the process can be detailed in a court proceeding (Ryder, 2002).
The Chain of Custody process is an important component of the digital forensics investigation. This type of investigation focuses on the use of electronically stored data and storage devices by suspicious actors. Electronically stored data (ESI) are sometime necessary to solve cases presented in court. The electronically stored data may occur as information on a computer hard-drive, a cellular phone, a removable drive, websites, e-mails, or even social media content. Increasingly, criminal investigators need to be aware of the proper protocol to for the (1) search; (2) seizure; and (3) presentation as evidence. Criminal Justice specialist should also be cognizant that the search, seizure and presentation must be done legally.
The Fourth Amendment of the U.S. Constitution says:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Therefore, the search and seizure of electronically store date must not violate the law. This module will present the basic rules criminal investigator to perform digital forensics. Cybersecurity specialists have standardized the steps for digital forensics which would be especially useful for criminal justice practitioners.
Neubauer and Fradella (2017) defines Chain of Custody as the chronological documentation of the seizure, possession, exchange, analysis, and dissolution of evidence in the criminal justice system. It is important than any evidence that is collected after warrant has been served (including digital evidence) be preserved in a form similar to when it was first encountered. Finally, forensics investigators must ensure that the evidence if delivered to the repository of the police department, where evidence clerk will secure it until the next step in the criminal justice process.
Documentation of The Evidence: http://forensicir.blogspot.com/2008/01/bag-and-tag.html
The authentic chain of custody processes protects the agents in the criminal justice system from allegations that evidence has been mishandled. This is important for digital forensics evidence and cybersecurity cases. This is so, as digital forensic evidence can be more susceptible to manipulation than many other types of physical evidence such as DNA or finger prints. Exact replica of drives, files and the investigators who made the copies or the saved the evidence must be recorded.
If the digital forensics evidence was nor scrupulously handled, then the prosecutor may have trouble proving her case. The risk to investigators is that the presented evidence may be dismissed if it is alleged that the it was planted, unaccounted for, mishandled, or tampered with. Cybersecurity specialists also utilize the hash value much like an evidence collection plastic bag to collect digital evidence. The hash value is a unique algorithm that mirrors the path for an electronic file, which would then mitigate the changes of tampering with the evidence.
Sometimes it is necessary to go beyond law enforcement to professionally collect digital forensics evidence. The European Union has formalized the chain of custody process for digital forensics with the Community Emergency Response Team training program. A CERT [Community Emergency Response Team] staff can contribute to that work by helping to preserve it during the detection of a cybercrime (ENISA, 2014).
The following video of Real CSI – Digital Evidence, demonstrates how an investigator may interact with the evidence.
The second video simplifies the Chain of Custody steps. The relevant section runs from 26:00 to 34:18.
Real Life Examples
Consider the following case presented in Casey’s (2011) Digital Evidence and Computer Crime: