A few questions with chain of custody with drives/images  

Chape87
(@chape87)
New Member

I'm studying computer forensics and I had a chain of custody question.
From my understanding:

1. Due to the complexity, hard drives are typically collected and bagged at the scene and then later investigated offsite. Is this correct?

2. An image is made of the drive. Both get a hash value (MD5) and the hash values are compared to verify integrity of the image. I'm a little confused on if the original drive gets a hash value at the crime scene or before/after image is made.

3. Original is put back into evidence and the image is analyzed. We have a continuous chain of custody for the original since it's just sitting in storage. Do we need more COC documentation on the image after analyzing begins?

4. At trial, what all is brought to court? I've read that the original stays in evidence. I figure the image, evidence found on the image, hash values, and chain of custody logs are all needed.

Posted : 12/04/2016 4:59 am
tracedf
(@tracedf)
Active Member

1) It depends on the situation.

Why you might work on-site
Some search warrants may require that the investigators take a quick look at the drive to determine that it contains relevant evidence (e.g. contraband images) before seizing the computer. The police won't image on-site, but they will view/search. In some civil cases or internal investigations, the original drive/computer may need to stay on site. For instance, the target computer might be a server that is essential to the business. Or, the investigator may find that the computer is on but has full-disk encryption; s/he would need to preserve the data while the computer is running to avoid losing the data when the computer is powered off.

Why you would take the drive off-site to image
In general, off-site imaging is preferable because imaging takes a long time and it's easier to get the drive/computer to a lab where it can be imaged without someone standing watch over it. In many cases, there may not be a digital forensics examiner available to assist in seizing the computer. Other law enforcement officers will need to seize any computer evidence and make it available to the forensic examiner/lab later on.

2) The drive image is computed as the image is made. The image is then hashed and the drive hash is compared to the image hash to verify that it's a good copy. If there is a corruption error when writing the image file, the verification will fail.

3) My experience is primarily with HR investigations so I can't speak to current practices in law enforcement or large private labs. The safest way to handle the evidence is to image the drive then make a working copy of the image. Put the original drive and original image back in evidence storage. Then, you can do your examination on the working copy. If the working copy gets damaged, you can copy the original image again without having to spin the drive up a second time.

4) I haven't appeared in court as an examiner yet. I was supposed to last month but the defendant disappeared. I believe you are correct: the examination reports, examiner's notes, hash values, custody logs, the drive image and specific exhibits could all potentially be admitted in court.

Posted : 12/04/2016 9:55 am
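An added Python example, not from either poster, showing the acquisition flow tracedf describes in points 2 and 3: the source hash is taken in the same pass that writes the image, the image file is then re-read independently and hashed, the two are compared, and the result is kept in a custody-log record that the same `hash_file` routine can later re-check against a working copy. The "drive" is a constructed temporary file, and the examiner and case identifiers are placeholders.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks; real images are far larger than one buffer

def image_and_hash(src_path, image_path):
    """One-pass acquisition: copy src_path to image_path, hashing the bytes as they are read.
    Returns the source hashes (MD5, as in the thread, plus SHA-256 as a second algorithm)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
        dst.flush(); os.fsync(dst.fileno())  # image must be on disk before it is re-read
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def hash_file(path):
    """Independent re-read of a file: verifies the fresh image, and later any working copy."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def acquire(src_path, image_path, examiner, case_id):
    """Image, verify, and return a custody-log record; 'verified' is False on any mismatch."""
    started = datetime.now(timezone.utc).isoformat()
    source_hashes = image_and_hash(src_path, image_path)
    image_hashes = hash_file(image_path)  # second, independent read of the written image
    return {"case_id": case_id, "examiner": examiner, "started_utc": started,
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "source": src_path, "image": image_path,
            "source_hashes": source_hashes, "image_hashes": image_hashes,
            "verified": source_hashes == image_hashes}

def demo():
    """Constructed stand-in for a seized drive (3 MiB + 123 random bytes) is acquired and
    verified; then one byte of the image is flipped to show a damaged copy failing re-verification."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "seized_drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))
    record = acquire(drive, os.path.join(work, "seized_drive.dd"), "EXAMINER-PLACEHOLDER", "CASE-PLACEHOLDER")
    with open(record["image"], "r+b") as f:  # simulate the write corruption tracedf mentions
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    return {"record": record, "tampered_verified": hash_file(record["image"]) == record["source_hashes"]}
```

Calling `demo()` returns the custody record with `verified` True and `tampered_verified` False, which is the mismatch an examiner would expect to see when a working copy has been altered or a write error occurred.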