How to Keep a Digital Chain of Custody
Nice little article, but it sparks something that I've been thinking about within a forensic lab. How does everybody else store the working forensic images that they are doing analysis on? Do you leave it on the forensic analysis workstation even for periods when you aren't working on it?
Reason I ask is because I have been toying with the idea of a "image" server which is just basically a digital safe for all working images. Then when you sit down at the analysis workstation, you "check out" the image you are working on (and only the examiner allowed to check it out is able to).
Then I started thinking about disk size and budget... and I just scrapped the idea. For now, locking it on the forensic analysis workstation works because it's only me with access to the room and the workstation, but I'm trying to get an idea if this is the right thing to do with more people?
If you aren't working on it, it should go in the safe, that is the only place it should be.
Say you were to leave your images up on a computer and that computer gets stolen, have fun explaining that to the firm that hired you. On the other hand to steal things from me you would have to remove a safe that is bolted to concrete with 4 x 8" bolts and within that safe is another safe with the actual drives. The time that it would take them to bust into the safe as opposed to lifting one machine out is huge. I have heard the argument before that people can encrypt their drives and that will make them safe if someone steals them. While it will add a layer of protection, and 2 layers of protection if you also encrypt the .e01 files, I wouldn't want to take the chance.
I am wondering how long to keep the image in storage. Until the case is adjudicated?
Also, I have heard several ways of what to do with the original image on this forum:
1) Send first copy "best evidence" on a HDD to the client and have them store it.
2) Burn image to DVD's for storage
3) Store on RAID, HDD or tape drive
I would welcome any input from anyone doing forensic investigations already on the methods used. I had planned on doing above item # 1.
Any replies welcome, Happy Holidays to all on the forum
I used to burn DVD backups but with cases now regularly topping 200 gig+ I've had to shelve that. For data I need to keep I simply write to a hard drive of a similar size to the case files, and store that. With H/D's getting cheaper it's not an expensive option and they are small enough to store easily.
Storage time depends on the case type. With defending illegal images cases I agree with the prosecuting force to destroy the data once the case is finalised. With corporate fraud I will normally send a copy of the data to the company that hired me and inform them that I will destroy the copies 3 months after the conclusion of the matter. It all depends on the circumstances. Hi Tech Crime Units have different methods and guidelines of course.
Just an extra bit re the chain of custody. We only accept exhibits for examination that are contained in sealed and numbered exhibits bags (either bags that are numbered or seals that are numbered). The bag/seal numbers are recorded against the exhibits they contain. Each time a bag is opened the fact is recorded and once the exhibit is dealt with it is resealed, along with the original packaging/seal, in another sealed and/or numbered exhibits bag.
Obviously we use a lot of numbered exhibits bags and numbered seals but such is life.
At least this way we can prove the security of the evidence along with a documented chain of custody and all the bags/seals that relate to the particular exhibit.
In terms of chain of custody documentation: if you are given a physical HDD to image and subsequently examine this image, assuming both are locked away (the original HDD immediately after imaging), are most maintaining two separate chain of custody documents?
One for the original and one for the image?
As quoted in the article
"The first image of a hard drive that investigators take is known as the "best evidence," because it's closest to the original source. The chain of custody form should be attached to the best evidence and stored under lock and key."
What if you keep the original hard drive, and also make a copy to another hard drive?
Would you still keep both?
Just curious, some clients will allow you to hold onto hard drive. I give it back after imaging sometimes, or give an exact copy "Best evidence"
When we receive evidence into our lab (or collect it in the field), all items are catalogued, signed in on a custody form, and bagged. Each time the bag is opened, this gets recorded on a chain of custody form, similarly when it gets resealed. The old bags are retained with the item.
Our process is to image the original to one of our previously prepared drives. The original evidence is then either returned to the client, or stored in a safe using the security bag system. We then copy the image file from our 'original image' to a 'working copy' on our network. The 'original image' gets bagged and stored in the safe. Only examiners working on the case have access to the directory that the image is stored in.
We have a couple of file servers dedicated to the task of storing our images, and run a 1.6 GB SATA array in each (i.e. 4 x 400GB SATA HDD's configured in a single volume). This gives us maximum capacity, as we are not too concerned with redundancy as you can always copy the images from the 'original image' should you have a failure.
Examination results, cases, reports, etc. are stored on a RAID 5 array.
Hope this information helps.
Level 10, 90 Collins St
+61 3 9653 6241
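The "image server" check-out idea from the first post and the 'original image' / 'working copy' procedure described in the last post both come down to the same two controls: only the assigned examiner can take a working copy out, and the working copy must still hash-match the original image every time it changes hands. The following is an added example, not code from anyone in this thread; it builds a small hash-chained custody ledger in Python. The exhibit file, the examiner names and the `CustodyLedger` class are all constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first ledger entry


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly very large) image file in chunks so it never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLedger:
    """Append-only custody log for one exhibit image (constructed for this example).

    Every entry records the image hash observed at that moment plus the hash of the
    previous entry, so editing or deleting an entry later breaks verify_chain().
    """

    def __init__(self, exhibit_id: str, assigned_examiners):
        self.exhibit_id = exhibit_id
        self.assigned = set(assigned_examiners)   # who may check the image out
        self.entries = []
        self.checked_out_by = None

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action: str, examiner: str, image_hash: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"exhibit": self.exhibit_id, "action": action, "examiner": examiner,
                 "image_sha256": image_hash, "time": datetime.now(timezone.utc).isoformat(),
                 "note": note, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def original_hash(self) -> str:
        # The hash taken at acquisition is the reference for every later comparison.
        return self.entries[0]["image_sha256"]

    def record_acquisition(self, examiner: str, image_path: str) -> dict:
        return self._append("acquired", examiner, sha256_file(image_path))

    def check_out(self, examiner: str, working_copy: str) -> dict:
        if examiner not in self.assigned:
            raise PermissionError(f"{examiner} is not assigned to {self.exhibit_id}")
        if self.checked_out_by is not None:
            raise RuntimeError(f"already checked out by {self.checked_out_by}")
        observed = sha256_file(working_copy)
        if observed != self.original_hash():
            # Log the failure and refuse to hand out a copy that no longer matches the original.
            self._append("integrity_failure", examiner, observed, "working copy differs from original")
            raise ValueError("working copy hash mismatch")
        self.checked_out_by = examiner
        return self._append("checked_out", examiner, observed)

    def check_in(self, examiner: str, working_copy: str) -> dict:
        if self.checked_out_by != examiner:
            raise RuntimeError(f"{examiner} does not hold the checkout")
        self.checked_out_by = None
        return self._append("checked_in", examiner, sha256_file(working_copy))

    def verify_chain(self) -> bool:
        """Recompute every entry hash and back-link; any edit, insertion or deletion fails."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_demo() -> dict:
    """Walk one constructed exhibit through acquisition, check-out, check-in and tamper checks."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "EX-001.E01")          # constructed stand-in for an image
        working = os.path.join(workdir, "EX-001-working.E01")
        with open(original, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed evidence image" + b"\xff" * 4096)
        shutil.copyfile(original, working)

        ledger = CustodyLedger("EX-001", assigned_examiners={"alice"})
        ledger.record_acquisition("alice", original)
        ledger.check_out("alice", working)
        ledger.check_in("alice", working)
        results = {"entries_after_cycle": len(ledger.entries), "chain_ok": ledger.verify_chain()}

        try:                                                     # unassigned examiner is refused
            ledger.check_out("mallory", working)
            results["unassigned_rejected"] = False
        except PermissionError:
            results["unassigned_rejected"] = True

        with open(working, "r+b") as f:                          # simulate a modified working copy
            f.seek(10)
            f.write(b"X")
        try:
            ledger.check_out("alice", working)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True

        ledger.entries[1]["examiner"] = "bob"                    # simulate an edited log entry
        results["edited_log_detected"] = not ledger.verify_chain()
        return results
    finally:
        shutil.rmtree(workdir)
```

Run `run_demo()` to see all four checks pass. The ledger only proves that a working copy still matches the 'original image'; the original image itself still needs the bagged-and-sealed handling described in the posts above, because a hash cannot tell you who had physical access to the drive in the safe.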