You must take care when gathering, handling, transporting, analyzing, reporting on, and managing evidence that the proper chain of custody or chain of evidence has been maintained.
Every jurisdiction has its definitions as to what this may mean in detail; however, in general, a chain of custody and chain of evidence
Why need Chain of custody?
- When an item is gathered as evidence, that item should be recorded in an evidence log with a description, the signature of the individual gathering the item, a signature of a second individual witnessing the item being gathered, and an accurate time and date
- Whenever that item is stored, the location in which the item is stored should be recorded, as should the item’s condition.
- The signatures of the individual placing the item in storage and of the individual responsible for that storage location should also be included, along with an accurate time and date.
- Whenever an item is removed from storage, it should be recorded, as should the item’s condition, the signatures of the person removing the item, the person responsible for that storage location, and an accurate time and date.
- Whenever an item is transported, that item’s point of origin, method of transport, and destination should be recorded, as should the item’s condition at origination and destination.
- Also record the signatures of the people performing the transportation, a responsible party at the origin and destination witnessing its departure and arrival, and accurate times and dates for each.
- Whenever any action, process, test, or another handling of an item is to be performed, a description of all such actions to be taken and the persons who will perform such actions should be recorded.
- The signatures of the person taking the item to be tested and of the person responsible for the item’s storage should be recorded, as should an accurate time and date.
- Whenever any action, process, test, or another handling of an item is performed, record a description of all such actions, along with accurate times and dates for each.
Also record the person performing such actions, any results or findings of such actions, the signatures of at least one person of responsibility as a witness that the actions were performed as described, and the resulting findings as described.
Ultimately, the chain of evidence is a series of events that, when viewed in sequence, account for the actions of a person during a particular period or the location of a piece of evidence during a specified period.
It is usually associated with criminal cases.
In other words, it can be thought of as the details that are left behind to tell the story of what happened.
The chain of custody requirement is the same whether the digital evidence is collected from a guest or a host OS.
Do the following when it comes to chain of custody:
- Be able to prove that evidence was secure and under the control of some particular party at all times.
- Take steps to ensure that evidence is not damaged in transit or storage:
Example 1: If stored for a long time, batteries may die, causing loss of information in complementary metal-oxide-semiconductor (CMOS) memory (such as BIOS configuration).
Example 2: Transport digital evidence in static-free containers, such as in paper or special foil, not in plastic bags.
Digital evidence has two parts: the physical medium containing the information and the information (bits) itself.
Chain of custody must be maintained for both parts.
Maintaining evidence from collection to trial is a critical part of digital forensics.
Have policies and procedures in place for the collection and management of evidence.
In some cases, you may need to collect digital evidence on short notice. Take care not to collect data outside the scope of the requesting legal document.
Certain legal discovery documents, or orders, specify that the chain of custody professionals is not allowed to disclose any activities undertaken in support of the order.
Both the CSP and the chain of custody professionals need to be aware of the issues surrounding disclosure of data-gathering activities.
Depending on the SLAs that the customer has in place, the data-gathering activities undertaken to support a forensics examination of a tenant’s data may not have to be disclosed to the tenant or any of the other tenants in a multitenant hosting solution.