In Depth

How to Keep a Digital Chain of Custody

Tracking data and equipment with a chain of custody process will help evidence stand up in court

By Sarah D. Scalet

December 01, 2005CSO

Don't get her wrong—computer forensics investigator Kris Haworth loves the show Law & Order. But when an episode involves computers, "they always mishandle the evidence, and it kills me," says Haworth, a director with Navigant Consulting's Discovery Service Practices. Rarely if ever is the chain of custody concept maintained that is crucial for producing evidence admissable in court. "Every now and again, they'll have the cop who's investigating the murder go into the suspect's house and just pop on the computer"—thus showing blatant disregard for the evidence (but high regard, of course, for prime-time drama).

Let's call it rule number one for computer forensics: Don't count on getting your training from a TV show. Here's some more advice, straight from the experts, on how to handle digital evidence.

DO expect that all evidence will end up in court.

A chain of custody is the process of validating how any kind of evidence has been gathered, tracked and protected on its way to a court of law. A sloppy or nonexistent chain of custody may end up being enough for a simple internal investigation of an employee. But it's better not to take the chance. Instead, get in the habit of protecting all evidence equally so that it will hold up in court.

"If you don't have a chain of custody, the evidence is worthless," says John Petruzzi, director of enterprise security at Constellation Energy. "Deal with everything as if it would go to litigation."

DON'T wait until you have the evidence to make a plan for protecting it.

To prove chain of custody, youâ¬"ll need a form that details how the evidence was handled every step of the way. This form should answer these five W's (plus an H):

  • What is the evidence?

  • How did you get it?

  • When was it collected?

  • Who has handled it?

  • Why did that person handle it?

  • Where has it traveled, and where was it ultimately stored?

(Go to www.csoonline.com/printlinks to download a sample form from Navigant.)

DO guard the "best evidence" closely.

Digital evidence is different from physical evidence, in that a carefully protected image of a hard drive is as good as the original hard drive in the eyes of a court. The first image of a hard drive that investigators take is known as the "best evidence," because it's closest to the original source. The chain of custody form should be attached to the best evidence and stored under lock and key.

Ideally, if you do lots of investigations, the evidence should be stored offsite, but it may be more practical to keep everything onsite in a fireproof safe.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development