This document will go over fundamentals for maintaining chain of custody and performing data collection of evidence. Maintaining the integrity of evidence collected is an essential part of digital forensics and ensures that your analysis results are correct and can stand up in a court of law.
The key principles of chain of custody and data acquisition of evidence are below.
- Describe the system you are collecting.
- What is the configuration of the system?
- Where and when did you acquire the system?
- What is it going to be used for?
Appendix A provides an acquisition form that should be filled out when performing a data collection. Appendix B contains a Chain of Custody form that should be used to maintain custody of evidence. Both of these forms will help fulfill the key principles stated above.
Chain of Custody is defined as showing the chronological order of seizure, custody, control, transfer and disposition of physical or digital evidence.
Refer to Appendix B for an example of a Chain of Custody form. It is divided into five sections.
- Section 1 – General Information: This section provides details on the initial handoff of the evidence and provides background to why the evidence is being transferred.
- Section 2 – Media Description Information: This section goes over the details of the evidence being acquired. It is important to be as specific as possible here and provide make/model/SN# of all evidence. For example, if you receive a laptop, you should record the make/model/SN# for the laptop as well as the internal hard drive.
- Section 3 – Quality and Risk Management: This section will provide the details of how the evidence was given to you and what tools/methods you used to ensure its integrity.
- Section 4 – Chain of Custody Log: This is where you keep track of every change in possession of the evidence. This is the most important aspect of the chain of custody and all fields are required to be filled out.
- Section 5 – Notes/Comments: You can provide any notes/comments in this section that are either overflow from other sections or to note something that didn’t apply to any of the other sections.
Evidence acquisition refers to the collection of volatile and non-volatile data. In most cases, this will be a “bit by bit” copy or image of the original media, where the copy or image can be proven beyond doubt to be an exact copy of the original and where the actions used to image the media made no changes to the original. This will be referred to as a “fully verified forensic image”.
The general rules for evidence acquisition to be forensically sound are:
- Minimize data and evidence loss
- Avoid adding or changing data on the system as a result of your actions
- Recovery and downtime are major concerns
For volatile data, it is understood that it may not always be feasible to create a fully verified forensic image. As long as the above guidelines are followed, this type of data collection is considered to be sound as part of the rules of Best Evidence.
For non-volatile data, every effort must be made to create a fully verified forensic image. A detailed explanation should be provided for any non-volatile data that can’t be a fully verified forensic image.
For media imaging, the key components are:
- The tool(s) shall make a bit by bit duplicate or an image of an original disk or partition on fixed or removable media
- The tool(s) shall not alter the original disk
- The tool(s) shall be able to access IDE, SCSI, SATA, ZIF and microSATA
- The tool(s) shall be able to verify the integrity of a disk image file
- The tool(s) shall log I/O errors
- The tool(s) shall provide good documentation and have a good record in the court of law
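The following Python script is an added example, not part of this document or of any named imaging tool, showing what the "fully verified forensic image" definition above and the imaging-tool components (bit-by-bit copy, no alteration of the original, integrity verification, I/O error logging) amount to in practice. It images a constructed in-memory sample (SampleMedia, SAMPLE_MEDIA and the sector-level read error are assumptions made for the demonstration; they stand in for a real block device) sector by sector, hashes the bytes as they are read, independently hashes the finished image, re-reads the source afterwards to show it was not altered, logs any unreadable sector, and renders the result as lines for the acquisition form.

```python
import hashlib
import io

SECTOR = 512  # read in sector-sized blocks, as a disk imager does

# Constructed sample "media": eight sectors of recognisable content. Not real evidence.
SAMPLE_MEDIA = b"".join(bytes([0x10 + i]) * SECTOR for i in range(8))


class SampleMedia(io.BytesIO):
    """In-memory stand-in for a source disk (an assumption for this example).
    Optionally raises an I/O error on one sector so the error-logging path
    can be exercised offline."""

    def __init__(self, data, bad_sector=None):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, size=-1):
        if self.bad_sector is not None and self.tell() == self.bad_sector * SECTOR:
            # Emulate an unreadable sector: skip past it and report the failure
            self.seek(SECTOR, io.SEEK_CUR)
            raise OSError("unreadable sector %d" % self.bad_sector)
        return super().read(size)


def read_sectors(source, error_log):
    """Yield the source sector by sector from offset 0. A sector that cannot be
    read is logged and replaced by zeros (the behaviour of dd conv=noerror,sync),
    so the image stays byte-aligned with the original."""
    source.seek(0)
    sector = 0
    while True:
        try:
            chunk = source.read(SECTOR)
        except OSError as exc:
            error_log.append({"sector": sector, "error": str(exc)})
            chunk = b"\x00" * SECTOR
        if not chunk:
            return
        yield chunk
        sector += 1


def acquire(source):
    """Image `source` and return a record for the acquisition form: the image
    bytes, the acquisition hash (over the bytes as they were read), an independent
    hash of the finished image, a post-acquisition re-read hash of the source,
    the I/O error log, and the two verdicts drawn from them."""
    errors = []
    acq_hash = hashlib.sha256()
    image = io.BytesIO()
    sectors = 0
    for chunk in read_sectors(source, errors):
        acq_hash.update(chunk)  # hashed from the same bytes written to the image
        image.write(chunk)
        sectors += 1

    image_bytes = image.getvalue()
    image_hash = hashlib.sha256(image_bytes).hexdigest()  # verify the image file itself

    # Re-read the original after imaging: an unchanged source hashes identically.
    # (A bad sector fails again and is zero-filled again, so the hash still matches.)
    post_hash = hashlib.sha256()
    for chunk in read_sectors(source, []):
        post_hash.update(chunk)

    hashes_match = acq_hash.hexdigest() == image_hash == post_hash.hexdigest()
    return {
        "sectors": sectors,
        "image": image_bytes,
        "acquisition_sha256": acq_hash.hexdigest(),
        "image_sha256": image_hash,
        "source_reread_sha256": post_hash.hexdigest(),
        "io_errors": errors,
        "hashes_match": hashes_match,
        # "Fully verified" in the document's sense: hashes agree AND nothing was skipped.
        # Any I/O error means the image needs the written explanation the text calls for.
        "fully_verified": hashes_match and not errors,
    }


def form_lines(record):
    """Render the record as lines to copy into the acquisition form (Appendix A)."""
    lines = [
        "Sectors imaged: %d" % record["sectors"],
        "SHA-256 (acquisition): %s" % record["acquisition_sha256"],
        "SHA-256 (image file): %s" % record["image_sha256"],
        "SHA-256 (source re-read): %s" % record["source_reread_sha256"],
        "Fully verified forensic image: %s" % ("yes" if record["fully_verified"] else "NO"),
    ]
    for err in record["io_errors"]:
        lines.append("I/O error: sector %d (%s)" % (err["sector"], err["error"]))
    return lines


if __name__ == "__main__":
    for label, media in (("clean media", SampleMedia(SAMPLE_MEDIA)),
                         ("media with bad sector", SampleMedia(SAMPLE_MEDIA, bad_sector=3))):
        print("== %s ==" % label)
        print("\n".join(form_lines(acquire(media))))
```

The three hashes are kept separate on purpose: the acquisition hash proves what was read, the image-file hash proves what was stored, and the source re-read proves the original was left unchanged. When the error log is non-empty the hashes still agree (the zero-filled sector is consistent across all three), but the record is marked as not fully verified so that the explanation required for non-volatile data that cannot be fully imaged is written up rather than forgotten.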