Chain of Custody Query

4 Posts
4 Users
0 Reactions
1,699 Views
(@egon_spengler)
Active Member
Joined: 2 years ago
Posts: 2
Topic starter

Looking for some insight into chain of custody best practices from a corporate perspective.

I am often receiving a device, taking an image, taking logical image of contents from that image, then moving that logical image to a workstation for analysis.

Does the chain of custody only apply to the original device? Or do I need a separate chain for each piece of evidence, even though it all originates from the physical drive?

 

Many Thanks


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Depends what you mean. In most cases the term CoC refers to CoCs established by law enforcement. They have their own requirements, and you are probably unable to produce anything that can be used in an LE CoC. It may be used as evidence (or part of evidence). If you ask about creating your own CoC in a way that it can be used as evidence, you are asking about something that probably only can be answered by legal experts in the relevant jurisdiction (which I don't know).

From the corporate perspective ... either you know or should know what rules and regulations you must comply with, or you ask for a copy of them.

From your perspective ... (which you didn't exactly ask about) ... if you get a device delivered which you are supposed to image or analyze, and the device is not accompanied by a corporate CoC or similar formal handover, and you are not expected to deliver it with a similar handover, there's no clear purpose in starting a CoC, except for your own internal use. (You may have to know about corporate asset tagging practices, though, to ensure you have all required information.) You are likely to get asked questions by corporate HR later: 'We need to know about what you did with CCA 11215-12A. In detail. Right now.' That's not a good time to learn about asset ids.

In your case, I would suggest you establish your own CoC or documentation for the device (not necessarily a standard CoC form, but ensure handovers and other important points are documented), and possibly also for the gold image you presumably establish, which presumably is one of your work deliverables.

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

I am not a lawyer. This is not legal advice.

However, it seems to me that if you acquired a logical image, in a form that is tamper resistant and is hashed at the time of collection (e.g., FTK Imager's AD1), then it would not be necessary (or sensible) to create a separate chain of custody for each piece of derivative evidence, because hash verification provides the necessary link. In other words, if you can demonstrate that files you're examining are the same, by hash, as files originally collected, then you are effectively examining the "original" evidence.

As regards the original device and the resulting forensic images, follow a prudent chain of custody regimen per local legal requirements.

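The hash link TuckerHST describes, as an added example (Python; not code from the thread, and not taken from FTK Imager or any other tool mentioned in it): each acquisition and handover is logged with the item's SHA-256, every log entry commits to the hash of the previous entry so the record itself is tamper-evident, and the working copy on the analysis workstation is checked against the hash recorded at acquisition before it is examined. The CustodyLog class, the "acquired"/"transferred" action names and the constructed sample files are assumptions made for illustration.

```python
"""Hash-linked custody record for a forensic image and its derivatives.
Added example; CustodyLog, the action names and sample files are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20      # hash large images in 1 MiB pieces
GENESIS = "0" * 64   # "previous hash" for the first log entry


def sha256_file(path):
    """Stream a file through SHA-256; images are too large to read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only handover log. Each entry commits to the previous entry's
    hash, so editing or dropping an earlier entry breaks every later one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash_body(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, item, action, path, actor):
        entry = {
            "item": item,
            "action": action,   # "acquired" or "transferred" (assumed vocabulary)
            "actor": actor,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._hash_body(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True if every entry still matches its own hash and its predecessor's."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._hash_body(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_item(self, item, path):
        """Compare a working copy against the hash recorded at acquisition."""
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return sha256_file(path) == e["sha256"]
        return False  # never acquired under this log: nothing to link it to


def run_demo():
    """Constructed walk-through: image -> logical extract -> working copy."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "device.dd")
        extract = os.path.join(d, "documents.bin")
        working = os.path.join(d, "documents_working.bin")

        # Constructed stand-in for the physical image of the device.
        with open(image, "wb") as f:
            f.write(b"HEADER" + bytes(range(256)) * 64)
        log.record("device.dd", "acquired", image, "examiner1")

        # Constructed stand-in for a logical extraction taken from the image.
        with open(image, "rb") as f:
            f.seek(6)
            payload = f.read(4096)
        with open(extract, "wb") as f:
            f.write(payload)
        log.record("documents.bin", "acquired", extract, "examiner1")

        # Copy to the analysis workstation and verify before examining it.
        shutil.copyfile(extract, working)
        log.record("documents.bin", "transferred", working, "examiner2")
        copy_ok = log.verify_item("documents.bin", working)

        # Flip one byte in the working copy: the link to the original is gone.
        with open(working, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        tampered_copy_ok = log.verify_item("documents.bin", working)

        chain_ok = log.verify_chain()
        # Edit an earlier log entry in place: the chain no longer verifies.
        log.entries[0]["actor"] = "someone_else"
        chain_after_edit = log.verify_chain()

    return {"copy_ok": copy_ok, "tampered_copy_ok": tampered_copy_ok,
            "chain_ok": chain_ok, "chain_after_edit": chain_after_edit}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the layout is that the derivative carries no custody form of its own: its "acquired" entry, hashed at the moment of extraction, is what ties it to the image, and a working copy is only examined after verify_item confirms it still matches that hash. The chained entry hashes protect the log itself; in practice the log would also be signed or stored write-once, which this example does not do.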
(@dfirjoseph)
New Member
Joined: 2 years ago
Posts: 2
 

Also not a lawyer, but I also work in corporate forensics.

I would say build a process where any new evidence that is going to be relied upon in an investigation is acquired in as sound a way as possible, and where it is not possible to get images, you have steps in place to demonstrate how any evidence has been handled and that integrity has been maintained. For example, our standards mandate that evidence should be legally admissible, but that is not a black and white concept in the UK. Providing you create a procedure, follow that procedure, and can explain the procedure and what it means, you should be ok. Agree on the derivatives not requiring CoC, providing verification takes place.
