Question

Forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. It is usually one of the more interesting topics we can discuss. Take the following scenario and map out the chain of custody (which, in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence) that needs to be followed if you are going to preserve the integrity of the evidence.

Scenario: A co-worker is suspected of surfing the Internet on their work machine, downloading pornographic material, and printing some of it on the department printer during the evening hours when most people have gone home. You are responsible for collecting data to support the worker's dismissal. Describe the data you need to obtain, the methods you would use to get it, and the chain of custody of the data once collected. Don't just list the steps the book gives you for the chain of custody; explain in detail where/how/who will hold the evidence at each step and why it is important to follow each step. What could happen to the data at each step if the chain of custody is not followed?

Make sure your paper is two pages long, not including references. Be sure to cite and list your sources.

Solutions

Expert Solution

The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. It also documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

It is important to maintain the chain of custody to preserve the integrity of the evidence and prevent it from contamination, which can alter the state of the evidence. If not preserved, the evidence presented in court might be challenged and ruled inadmissible.

In order to ensure that the chain of custody is as authentic as possible, a series of steps must be followed. It is important to note that the more information a forensic expert obtains concerning the evidence at hand, the more authentic the created chain of custody is. Due to this, it is important to obtain administrator information about the evidence: for instance, the administrative log, date and file info, and who accessed the files. You should ensure the following procedure is followed according to the chain of custody for electronic evidence:

  • Save the original materials: You should always work on copies of the digital evidence as opposed to the original. This ensures that you are able to compare your work products to the original that you preserved unmodified.
  • Take photos of physical evidence: Photos of physical (electronic) evidence establish the chain of custody and make it more authentic.
  • Take screenshots of digital evidence content: In cases where the evidence is intangible, taking screenshots is an effective way of establishing the chain of custody.
  • Document date, time, and any other information of receipt. Recording the timestamps of whoever has had the evidence allows investigators to build a reliable timeline of where the evidence was prior to being obtained. In the event that there is a hole in the timeline, further investigation may be necessary.
  • Inject a bit-for-bit clone of digital evidence content into our forensic computers. This ensures that we obtain a complete duplicate of the digital evidence in question.
  • Perform a hash test analysis to further authenticate the working clone. Performing a hash test ensures that the data we obtain from the previous bit-by-bit copy procedure is not corrupt and reflects the true nature of the original evidence. If this is not the case, then the forensic analysis may be flawed and may result in problems, thus rendering the copy non-authentic.

The chain of custody procedure might differ depending on the jurisdiction in which the evidence resides; however, the steps are largely identical to the ones outlined above.

A couple of considerations are involved when dealing with digital evidence. We shall take a look at the most common and discuss globally accepted best practices.

  1. Never work with the original evidence to develop procedures: The biggest consideration with digital evidence is that the forensic expert has to make a complete copy of the evidence for forensic analysis. This cannot be overlooked because, when errors are made in working copies or comparisons are required, it will be necessary to compare the original and the copies.
  2. Use clean collecting media: It is important to ensure that the examiner's storage device is forensically clean when acquiring the evidence. This protects the original evidence from damage. Think of a situation where the examiner's evidence-collecting media is infected by malware. If the malware escapes into the machine being examined, all of the evidence can become compromised.
  3. Document any extra scope: During the course of an examination, information of evidentiary value may be found that is beyond the scope of the current legal authority. It is recommended that this information be documented and brought to the attention of the case agent because the information may be needed to obtain additional search authorities. A comprehensive report must contain the following sections:
    • Identity of the reporting agency
    • Case identifier or submission number
    • Case investigator
    • Identity of the submitter
    • Date of receipt
    • Date of report
    • Descriptive list of items submitted for examination, including serial number, make, and model
    • Identity and signature of the examiner
    • Brief description of steps taken during the examination, such as string searches, graphics image searches, and recovering erased files
    • Results/conclusions
  4. Consider the safety of personnel at the scene. It is advisable to always ensure the scene is properly secured before and during the search. In some cases, the examiner may only have the opportunity to do the following while onsite:
    • Identify the number and type of computers.
    • Determine if a network is present.
    • Interview the system administrator and users.
    • Identify and document the types and volume of media, including removable media.
    • Document the location from which the media was removed.
    • Identify offsite storage areas and/or remote computing locations.
    • Identify proprietary software.
    • Determine the operating system in question.

The considerations above need to be taken into account when dealing with digital evidence due to the fragile nature of the task at hand.

Conclusion

In this article, we have examined the seriousness of digital evidence and what it entails. Throughout the article, three main points stand out in the preservation of evidence integrity:

  1. Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
  2. Persons conducting an examination of digital evidence should be trained for that purpose.
  3. Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.

References

https://www.thetruthaboutforensicscience.com/chain-of-custody-the-essential-forensic-link/

https://en.wikipedia.org/wiki/Chain_of_custody

http://www.primeauforensics.com/audio-forensics/7-importance-of-the-chain-of-custody-for-digital-media-evidence/
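The acquisition, hash-verification and custody-documentation steps described in the answer above, as an added example that is not part of the original answer or its sources. It uses an in-memory byte buffer as a constructed stand-in for the suspect's disk (a real acquisition would read the drive through a hardware write blocker with a tool such as dd or dc3dd), and the item identifier "WS-0042-HDD" and the handler names are invented. It shows the two failure modes the answer warns about: a working copy that no longer matches the acquisition hash, and a custody record that was altered after the fact.

```python
"""Bit-for-bit acquisition, hash verification and a tamper-evident custody log.
Illustrative code added to this page; the disk contents, item id and handler
names below are constructed, not taken from any real case."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 4096  # block size for the copy; small so the demo data spans many blocks


def sha256_of(fobj):
    """Hash an entire stream, then rewind so later reads start at byte 0."""
    h = hashlib.sha256()
    fobj.seek(0)
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    fobj.seek(0)
    return h.hexdigest()


def acquire_image(source, dest):
    """Bit-for-bit copy of source into dest. The returned hash is computed over
    the very bytes that were written, so it describes the original as read."""
    h = hashlib.sha256()
    source.seek(0)
    dest.seek(0)
    dest.truncate(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        dest.write(block)
    dest.flush()
    source.seek(0)
    dest.seek(0)
    return h.hexdigest()


def verify_image(expected_sha256, image):
    """Re-hash a working copy and compare it with the acquisition hash."""
    return sha256_of(image) == expected_sha256


class CustodyLog:
    """Append-only custody record for one evidence item. Every entry stores the
    evidence hash plus the SHA-256 of the previous entry, so an edited or
    removed entry is detected by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, sha256, note="", when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"item": item_id, "action": action, "handler": handler,
                "sha256": sha256, "note": note,
                "time_utc": when.isoformat(), "prev_entry": prev}
        body["entry_hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Return (ok, index); index is the first inconsistent entry, or the
        entry count when the whole chain checks out."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_entry"] != prev or e["entry_hash"] != recomputed:
                return False, i
            if i and e["sha256"] != self.entries[i - 1]["sha256"]:
                return False, i  # evidence hash changed between handlers
            prev = e["entry_hash"]
        return True, len(self.entries)


def run_demo():
    # Constructed stand-in for the workstation disk (not a real image).
    original = io.BytesIO(b"NTFS\x00" * 1000
                          + b"cache: example.invalid/picture.jpg\n" + b"\xff" * 777)
    working = io.BytesIO()
    log = CustodyLog()

    acq_hash = acquire_image(original, working)
    log.record("WS-0042-HDD", "acquired", "examiner A", acq_hash,
               note="imaged through write blocker (assumed)")
    copy_ok = verify_image(acq_hash, working)
    log.record("WS-0042-HDD", "verified", "examiner A", acq_hash,
               note="working copy hash matches acquisition hash")
    log.record("WS-0042-HDD", "transferred", "evidence custodian B",
               sha256_of(working), note="sealed, placed in evidence locker")

    # Failure mode 1: a working copy modified after acquisition.
    tampered = io.BytesIO(working.getvalue())
    tampered.seek(10)
    tampered.write(b"X")
    tampered_ok = verify_image(acq_hash, tampered)

    # Failure mode 2: a custody entry edited after it was written.
    forged = CustodyLog()
    forged.entries = [dict(e) for e in log.entries]
    forged.entries[1]["handler"] = "someone else"
    log_ok, _ = log.verify()
    forged_ok, broken_at = forged.verify()
    return {"acquisition_sha256": acq_hash, "copy_verified": copy_ok,
            "tampered_copy_verified": tampered_ok, "log_intact": log_ok,
            "forged_log_intact": forged_ok, "forged_break_index": broken_at}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing during the copy rather than afterwards is that the recorded value describes the bytes as they were read from the original; any later verification of a working copy is then a comparison against that one reference. The custody log's per-entry hash chain is what lets a reviewer tell that the record itself was not rewritten; in practice the same entries would also be signed and kept on separate, access-controlled storage.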

