In Depth

How to Keep a Digital Chain of Custody

Tracking data and equipment with a chain of custody process will help evidence stand up in court

By Sarah D. Scalet

Page 2

DON'T work off the best evidence.

After the best evidence is gathered, a second copy should be made, either from the original or from the best evidence. This is the working copy that investigators use for their research. This step can seem needless. "Sometimes the mind-set is, if we didn't seize the computer itself, why does it matter if it's the working copy or the first copy?" says Haworth, a licensed attorney. But "best evidence" is a distinction that lawyers like, and really, the point of chain of custody is to avoid doing anything that a lawyer might not like.

DO keep the chain of custody form up-to-date.

Every single time the best evidence is handed off, the chain of custody form needs to be updated, or a new form attached to the top of the stack. "You have to explain what this [evidence] is, where it came from and where it went, and there can't be a gap," explains Dana Lesemann, vice president and deputy general counsel of Stroz Friedberg, a consultancy that specializes in computer forensics and investigations. "You'd have a stack of log forms at the end [of the investigation], and you'd also input all the information from the log forms into the database" where you're tracking the investigation.

As an added legal precaution, the forensics investigator can run a cryptographic hash function (such as SHA-256) over both digital copies and record the results on the custody form. Matching hashes show that the working copy is bit-for-bit identical to the best evidence, and re-hashing the best evidence at each handoff shows that nothing changed between the start of the investigation and the end, which is what a court will want to see.
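As an added example that is not part of the article, the script below ties the two previous points together: it hashes the best evidence and the working copy to confirm they match, appends one entry to a chain-of-custody log for every handoff, and audits the log for exactly the gap Lesemann warns about (an entry released by someone who was never recorded as receiving the item, or a hash that changes mid-chain). The file names, custodian names and the JSON-lines log format are assumptions made for the example.

```python
# Added example (not from the article): hash-verify a working copy against the
# best-evidence image and keep an append-only chain-of-custody log whose
# handoffs are checked for gaps. All file and custodian names are made up.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB pieces so multi-gigabyte images fit in memory


def sha256_file(path):
    """SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_working_copy(best_evidence_path, working_copy_path):
    """Return (match, best_hash, copy_hash); equal hashes mean bit-for-bit identical copies."""
    best = sha256_file(best_evidence_path)
    copy = sha256_file(working_copy_path)
    return best == copy, best, copy


def record_handoff(log_path, item_id, released_by, received_by, purpose, digest, when=None):
    """Append one custody entry (one JSON line) and return it. The log is append-only."""
    entry = {
        "item": item_id,
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "released_by": released_by,
        "received_by": received_by,
        "purpose": purpose,
        "sha256": digest,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def audit_custody_log(log_path):
    """Return a list of problems: a handoff whose releaser is not the last recorded
    recipient (a gap in the chain), or a hash that differs from the item's first hash."""
    problems = []
    last_holder = {}
    first_hash = {}
    with open(log_path, encoding="utf-8") as f:
        for lineno, line in enumerate(f, 1):
            e = json.loads(line)
            item = e["item"]
            if item in last_holder and e["released_by"] != last_holder[item]:
                problems.append(f"line {lineno}: {item} released by {e['released_by']} "
                                f"but last held by {last_holder[item]}")
            if item in first_hash and e["sha256"] != first_hash[item]:
                problems.append(f"line {lineno}: {item} hash changed")
            last_holder[item] = e["received_by"]
            first_hash.setdefault(item, e["sha256"])
    return problems


def demo():
    """Constructed scenario: a faithful copy, a copy with one altered byte,
    and a custody log with a single gap. Returns (copy_ok, altered_ok, problems)."""
    d = tempfile.mkdtemp()
    best = os.path.join(d, "best_evidence.dd")
    good = os.path.join(d, "working_copy.dd")
    bad = os.path.join(d, "altered_copy.dd")
    log = os.path.join(d, "custody.jsonl")
    image = bytes(range(256)) * 4096  # 1 MiB stand-in for a drive image
    for path, data in ((best, image), (good, image), (bad, image[:-1] + b"\x00")):
        with open(path, "wb") as f:
            f.write(data)
    copy_ok, digest, _ = verify_working_copy(best, good)
    altered_ok, _, _ = verify_working_copy(best, bad)
    record_handoff(log, "HDD-0001", "field agent", "evidence locker", "intake", digest)
    record_handoff(log, "HDD-0001", "evidence locker", "examiner", "imaging", digest)
    record_handoff(log, "HDD-0001", "examiner", "evidence locker", "return", digest)
    # Gap: "counsel" was never recorded as receiving the item.
    record_handoff(log, "HDD-0001", "counsel", "court clerk", "hearing", digest)
    return copy_ok, altered_ok, audit_custody_log(log)


if __name__ == "__main__":
    print(demo())
```

Run as-is it reports that the working copy matches, the altered copy does not, and that the final handoff breaks the chain. In practice the hash of the best evidence would be recomputed and recorded at each handoff rather than copied forward, so that the log itself evidences that the image was unchanged while in each custodian's hands.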

DON'T submit the hardware to court unless you have to.

Judges rarely need to get their hands on the best evidence. Try to keep it that way. For instance, instead of submitting the actual image of a hard drive, Haworth writes an affidavit describing who she is, what she investigated and what she found. She has a colleague in her firm review the affidavit, and then she signs it and submits it to the court. That written information is much more enlightening for a judge or jury than the digital image itself, and the best evidence stays safe in storage.

DO get rid of the evidence as soon as you can.

Holding on to any kind of evidence longer than necessary is a waste of resources and could also set your company up for a potentially burdensome task if the evidence is later subpoenaed. To protect your company, make a plan for decommissioning the evidence sometime after the case is closed.
