Some clients will not hash/be able to hash. They wont know how to encrypt with PGP. So the client is passive. What I am trying to get at is, what can we do (if anything); to insure CoC. Will and FTP log along with us hashing it do?
Or is the answer simple, "you dont have a real CoC, if something is sent to you that is not encrypted, over non secure channels, and not hashed, not matter what you do when you recieve it on your end"
Now, by our end, i mean our FTP site, or SFTP, or whatever. We will do what is required, and would take any extra effort (hashing script on ftp), logging, etc.
I just want to know when I get something via FTP, if we can still consider it CoC. Thanks.
It would be like a family who's child was murdered sending evidence via a courier to the police department - the evidence integrity would be questioned. I mean, I know you have to accept what a client is giving to you in the manner they can give it to you - but that isn't a chain of custody that I would take to court.
Understood. So unless someone has a solution; if we recieve data via FTP that is not secure and does not have hash created prior to FTP; we should/could not call it a CoC.
In this case, we just do our best faith efforts by hashing, etc.
Some clients will not hash/be able to hash. They wont know how to encrypt with PGP. So the client is passive. What I am trying to get at is, what can we do (if anything); to insure CoC. Will and FTP log along with us hashing it do?
This may be more than a bit cumbersome, and your client might object, but why not use GoToMyPC?
He hosts you.
You export whatever hash and encryption software you want to his machine.
You then remotely set it for transmission. You do the hashing, encryption, etc on his machine. You control every click of the entire operation at both ends of the transmission.
Your "Bonded Courier" sounds OK on the surface if you are going to send hardware. However, unless it is hashed by your client before it was entrusted to your courier, you can't really be sure that it was not tampered with en route. I would be concerned by the background of the individual bonded courier. I have personally investigated a few bonding companies and have found that in some cases, all it takes to get a bond is the ability to pay a premuim.
I personnally prefer to use Registered US Mail. CoC receipts are built into the system. It is approved by the US Government for the Transmission of classified documents up to "Secret" and other forensic evidence is routinely sent to the FBI and other government labs via that method. There have for years been stories about the Hope Diamond being mailed to the Smithonian using US Registered mail. (I would want to see the CoC receipts on that one!)
Should we not start one step back? Why are we worried about the Chain of Custody (or Continuity of Evidence as it is some times called)? The whole purpose of CoC is so that when we stand in Court with an exhibit in our hand we can say, beyond reasonable doubt, that it goes right back to the accused. We can only prove the CoC from the instant that the item came into our possession and control. We hope that the person who gave it to us can do the same and so on back to the accused.
In the easiest case you take the blood-stained knife from the hand of the accused and place it in a sealed, numbered, tamper-proof evidence bag and keep it with you until you produce it to the Magistrate that afternoon.
Of course nothing is that simple. In the case of the FTP server all that you can say is that some data arrived on your FTP server and that someone told you that he sent some data. Is it the same data? Perhaps, probably but who knows? If, on the other hand, the sender has kept a secure copy of that data even though he does not have the technical ability or interest to produce a hash you could do the hashes later. Hash your data as soon as possible after it arrives on your server to start your CoC and hope that you can patch that together with the sender at a later date. Not as good as hashing it upon seizure and keeping the copy in a proper evidence bag, in a locked safe but a whole lot better than nothing.
With CoC we are often, perhaps usually, only one link in the chain. The best that we can do is to ensure that we maintain the CoC in a fully auditable way and to try to persuade others in the chain to do the same.