Don't get her wrong—computer forensics investigator Kris Haworth loves the show Law & Order. But when an episode involves computers, "they always mishandle the evidence, and it kills me," says Haworth, a director with Navigant Consulting's Discovery Service Practices. Rarely if ever is the chain of custody concept maintained that is crucial for producing evidence admissable in court. "Every now and again, they'll have the cop who's investigating the murder go into the suspect's house and just pop on the computer"—thus showing blatant disregard for the evidence (but high regard, of course, for prime-time drama).
Let's call it rule number one for computer forensics: Don't count on getting your training from a TV show. Here's some more advice, straight from the experts, on how to handle digital evidence.
DO expect that chain-of-custody evidence will end up in court.
A chain of custody is the process of validating how any kind of evidence has been gathered, tracked and protected on its way to a court of law. A sloppy or nonexistent chain of custody may end up being enough for a simple internal investigation of an employee. But it's better not to take the chance. Instead, get in the habit of protecting all evidence equally so that it will hold up in court.
"If you don't have a chain of custody, the evidence is worthless," says John Petruzzi, director of enterprise security at Constellation Energy. "Deal with everything as if it would go to litigation."
DON'T wait until you have the evidence to make a plan for protecting it.
To prove chain of custody, you'll need a form that details how the evidence was handled every step of the way. This form should answer these five W's (plus an H):
- What is the evidence?
- How did you get it?
- When was it collected?
- Who has handled it?
- Why did that person handle it?
- Where has it traveled, and where was it ultimately stored?
DO guard the "best evidence" closely.
Digital evidence is different from physical evidence, in that a carefully protected image of a hard drive is as good as the original hard drive in the eyes of a court. The first image of a hard drive that investigators take is known as the "best evidence," because it's closest to the original source. The chain of custody form should be attached to the best evidence and stored under lock and key.
Ideally, if you do lots of investigations, the evidence should be stored offsite, but it may be more practical to keep everything onsite in a fireproof safe.
DON'T work off the best evidence.
After the best evidence is gathered, a second copy should be made, either from the original or from the best evidence. This is the working copy that investigators use for their research. This step can seem needless. "Sometimes the mind-set is, if we didn't seize the computer itself, why does it matter if it's the working copy or the first copy?" says Haworth, a licensed attorney. But "best evidence" is a distinction that lawyers likeand really, the point with chain of custody is to avoid doing anything that a lawyer might not like.
DO keep the chain of custody form up-to-date.
Every single time the best evidence is handed off, the chain of custody form needs to be updated, or a new form attached to the top of the stack. "You have to explain what this [evidence] is, where it came from and where it went, and there cant be a gap," explains Dana Lesemann, vice president and deputy general counsel of Stroz Friedberg, a consultancy that specializes in computer forensics and investigations. "You'd have a stack of log forms at the end [of the investigation], and you'd also input all the information from the log forms into the database" where youre tracking the investigation.
As an added legal precaution, the forensics investigator can run a mathematical algorithm on both digital copies. This proves—or you hope it proves—that the evidence you started with is the same as the evidence you ended up with.
DON'T submit the hardware to court unless you have to.
Judges rarely need to get their hands on the best evidence. Try to keep it that way. For instance, instead of submitting the actual image of a hard drive, Haworth writes an affidavit describing who she is, what she investigated and what she found. She has a colleague in her firm review the affidavit, and then she signs it and submits it to the court. That written information is much more enlightening for a judge or jury than the digital image itself, and the best evidence stays safe in storage.
DO get rid of the evidence as soon as you can.
Holding on to any kind of evidence longer than necessary is a waste of resources and could also set your company up for a potentially burdensome task if the evidence is later subpoenaed. To protect your company, make a plan for decommissioning the evidence sometime after the case is closed. (See The 7 Deadly Sins of Records Retention for more on this point.