Chain of Custody
I am interested to know how the chain of custody of digital evidence is maintained. In our laboratory, after the receipt of properly sealed exhibits (HDs/Floppies/CDs/CPUs/Laptops etc.) from the Investigating Agencies, the sealed exhibits are opened in the presence of the special messenger and, after documenting the information (Serial No., Make, Model, Capacity etc.), the write-protected suspected media is hashed using appropriate tools and the receipt of exhibits is handed over to the messenger along with the hash value of the media. It is easy to maintain the physical chain of custody, but in digital forensics what is the opinion of the forum on having a digital (hash) chain of custody?
In some situations we have seen that in cases where the media is corrupt the hash values are not unique. So what should be the "best practice" for maintaining the chain of custody?
A "chain of custody" for a checksum sounds a lot like just making an entry on your existing chain of custody. Once the checksum is done, (which should be as early as possible) notating that information in the report actions should suffice.
Should a change in the checksum be noticed, I would personally start the process over with a new copy of the image file used for examination.
Just my $.02.
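The procedure in the question (hash the media on receipt, record the value, re-check it later) and the reply's advice (note the checksum on the existing chain of custody, start over from a fresh copy if it changes) can be made concrete in a small script. The example below is added here and is not code from either poster. It assumes SHA-256 as the "appropriate tool", a 512-byte block size, a custody log kept as JSON lines in which every entry carries the hash of the previous entry, and constructed sample media; none of those details come from the thread. Besides the whole-image hash it keeps per-block hashes, so that when a corrupt disk reads back differently the second time, the mismatch is pinned to the affected blocks rather than only invalidating the image as a whole.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCK_SIZE = 512  # per-block hash granularity; constructed value, real tools use larger windows


def hash_image(data: bytes, block_size: int = BLOCK_SIZE):
    """Return the whole-image SHA-256 and a list of per-block SHA-256 digests.

    Block hashes cost the same single pass as the whole-image hash and let a
    later mismatch be pinned to the blocks that actually changed.
    """
    whole = hashlib.sha256()
    blocks = []
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks


def add_entry(log, exhibit_id, action, examiner, data):
    """Append one custody action to the log as a JSON line and return the media hash.

    Each line carries the SHA-256 of the previous line, so an altered or
    removed entry breaks the chain and verify_log_chain() reports it.
    """
    digest, blocks = hash_image(data)
    prev = hashlib.sha256(log[-1].encode()).hexdigest() if log else None
    entry = {
        "exhibit_id": exhibit_id,
        "action": action,
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest,
        "block_sha256": blocks,
        "prev_entry_sha256": prev,
    }
    log.append(json.dumps(entry, sort_keys=True))
    return digest


def verify_log_chain(log):
    """True if every entry's prev_entry_sha256 matches the line before it."""
    for i, line in enumerate(log):
        expected = hashlib.sha256(log[i - 1].encode()).hexdigest() if i else None
        if json.loads(line)["prev_entry_sha256"] != expected:
            return False
    return True


def verify_media(log, exhibit_id, data):
    """Re-hash data and compare it with the latest logged hash for exhibit_id.

    Returns (matches, differing_block_indexes). False with an empty list
    means the image length changed rather than a block's content.
    """
    entries = [json.loads(line) for line in log]
    entries = [e for e in entries if e["exhibit_id"] == exhibit_id]
    if not entries:
        raise KeyError(f"no custody entry for {exhibit_id}")
    reference = entries[-1]
    digest, blocks = hash_image(data)
    if digest == reference["sha256"]:
        return True, []
    pairs = zip(reference["block_sha256"], blocks)
    return False, [i for i, (old, new) in enumerate(pairs) if old != new]


# Constructed sample "media": 8 blocks of 512 bytes with a repeating pattern.
GOOD_MEDIA = bytes(range(256)) * 16
# Constructed second read of the same media in which block 3 came back as
# zeros, the way an imaging tool often reports a sector it could not read.
CORRUPT_READ = GOOD_MEDIA[:3 * BLOCK_SIZE] + bytes(BLOCK_SIZE) + GOOD_MEDIA[4 * BLOCK_SIZE:]


def demo():
    """Log two custody actions, then check a clean and a corrupt re-read."""
    log = []
    add_entry(log, "EX-001", "received sealed exhibit, hashed", "examiner A", GOOD_MEDIA)
    add_entry(log, "EX-001", "working copy made, re-hashed", "examiner A", GOOD_MEDIA)
    chain_ok = verify_log_chain(log)
    same = verify_media(log, "EX-001", GOOD_MEDIA)
    changed = verify_media(log, "EX-001", CORRUPT_READ)
    return chain_ok, same, changed


if __name__ == "__main__":
    print(demo())
```

The hash handed to the messenger is the value returned by the first `add_entry` call; a later `verify_media` that returns `False` is the point at which, as the reply suggests, work restarts from a fresh copy, and the block indexes it returns document which part of the corrupt media could not be reproduced.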
I do not understand the importance of providing the messenger with a receipt that identifies the checksum?
Do you allow the media an opportunity to environmentally stabilize before use? Media should always be allowed to stabilize to the current operating environment prior to use. [The media could be stored in a 120 degree box or a freezing airplane cargo hold for hours.] What if the media is physically defective? It seems your procedures assume all media will arrive in good serviceable condition. Bad assumption!
The Chain of Custody establishes physical control over the evidence. Your lab should have specific instructions for documenting control within your facility.