Chain of Custody

Chain of custody in digital forensics

Chain of custody is the trail of documentation that links each piece of evidence to an aspect of a law enforcement investigation. It is a central concept in digital forensics, especially in law enforcement investigations. Disruptions in the chain of custody, such as items being handled incorrectly, can result in evidence being inadmissible in court. This is because the chain of custody guarantees the integrity of digital evidence and proves that it has not been contaminated or altered in any way. Digital evidence can be extremely volatile, which means that an action as simple as viewing a media file incorrectly can diminish its integrity.

Techniques for preserving evidence and maintaining an effective chain of custody include making digital copies of original evidence, photographing physical evidence, capturing screenshots of digital evidence, documenting date and time receipts, and saving analytic data on separate computers. Additionally, when working with electronic evidence it is important to always conduct testing and analysis on copies of the original evidence. This way the evidence can be studied without corrupting the integrity of the original data.
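The two practices above, working only on a copy and documenting who handled what and when, can be carried out with a hash-verified copy and an append-only custody log. The following is an added example written for this page, not code from the original article; it assumes SHA-256 as the integrity hash, a simple list of dict entries as the log, and a constructed stand-in file in place of a real disk image.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record(log: list, action: str, handler: str, path: Path) -> dict:
    """Append one custody entry: who did what to which file, when (UTC), and its hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "handler": handler, "file": path.name, "sha256": sha256_of(path)}
    log.append(entry)
    return entry

def first_hash(log: list, path: Path) -> str:
    """Hash recorded when this file first entered custody."""
    return next(e["sha256"] for e in log if e["file"] == path.name)

def acquire_working_copy(original: Path, log: list, handler: str) -> Path:
    """Hash the original, copy it, and accept the copy only if the hashes match."""
    record(log, "acquire", handler, original)
    copy = original.with_name(original.name + ".working")
    shutil.copyfile(original, copy)
    if record(log, "copy", handler, copy)["sha256"] != first_hash(log, original):
        raise RuntimeError("working copy differs from original; do not analyse it")
    return copy

def verify_unchanged(path: Path, log: list) -> bool:
    """Re-hash now and compare with the hash first recorded for this file."""
    return sha256_of(path) == first_hash(log, path)

def demo() -> dict:
    """Constructed sample: a tiny stand-in for a disk image, not real evidence."""
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.img"
        original.write_bytes(b"constructed sample evidence\x00" * 64)
        log: list = []  # the case's custody log (constructed for this example)
        copy = acquire_working_copy(original, log, "examiner A")
        before = verify_unchanged(copy, log)
        copy.write_bytes(copy.read_bytes() + b"!")  # simulate a slip during analysis
        return {"copy_before": before, "copy_after": verify_unchanged(copy, log),
                "original": verify_unchanged(original, log), "entries": len(log)}
```

Running `demo()` shows the working copy verifying before the simulated modification and failing afterwards, while the untouched original still matches its acquisition hash and the log retains both entries.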

Chain of custody is an essential element of the digital forensics process and must be adhered to with the utmost scrutiny during an investigation. Chain of custody has the greatest impact on a case when dealing with a law enforcement investigation. If evidence in a criminal investigation has been tampered with during analysis, it may be inadmissible in court. This can result in criminals not being charged for crimes they have committed. Because of this, digital evidence must be carefully extracted, copied and then analyzed in order to preserve the original evidence (National Institute of Standards and Technology, 2018).

Chain of custody is also important for other use cases of digital forensics, such as corporate, government and military investigations. The reasons for chain of custody in these fields may differ from those of a law enforcement investigation. For example, in a corporate setting chain of custody matters for incident response after a security-related event, as well as for accounting and documentation purposes. Additionally, chain of custody may be important in cases involving civil litigation, such as corporate espionage.

In a government or military setting, chain of custody is relevant for preserving information of intelligence value. For example, if electronic equipment is captured during an operation, it may hold valuable information that can be used by tactical-level decision makers. If this information is corrupted during the extraction and analysis process, it may be less useful, or not useful at all. Chain of custody may also be important from a counterintelligence standpoint when analyzing security breaches in order to properly attribute them to a threat actor (Scientific Working Group on Digital Evidence, 1999).