Newbie Chain of Custody Question
This is my first post here on the site and, being straight up about it, I'm self-studying Digital Forensics before taking it as a module in an upcoming third-level course.
I've a question regarding chain of custody in a particular situation detailed below.
Employee X has handed in his notice to his employer and informed them that he is starting his own business, which will be a competitor to his former employer, at which point X is escorted from the building.
His employer then proceeds to review X's emails and the files on his desktop, as well as some external drives found at X's desk and a mobile phone whose SIM the company pays for.
During this search the employer finds a number of open files and some password-protected files that they believe hold information about their customers, such as contract renewal dates etc.
At this point the employer decides to contract a digital forensics firm to review the desktop and phone and have them advise as to possible breaches carried out by employee X.
My question is: as a digital investigator, where does the chain of custody start in a situation like this? Could it already be considered broken by the actions of the employer in reading the emails and accessing the documents on employee X's desktop and phone, which could potentially be seen as tampering?
Or, given that the employer has noted what he has done and when, does that mean it is intact and can be taken on by an investigator?
I know this is a very newbie question and appreciate that different countries may have different laws around this situation.
Many thanks in advance for all replies.
The chain of custody begins (from the digital investigator's viewpoint) the moment he/she is physically given the devices.
Whatever happened before is not (and cannot be) the digital investigator's responsibility.
You have to understand that the whole point of a chain of custody is that each pro-tempore custodian (the digital investigator in this case) guarantees that no modifications were made to the evidence (or, if modifications are made, that they are properly documented) while it is in his/her custody.
When custody is given to someone else (let's say to the clerk of the lab warehouse) that is the "next" link of the chain; when the investigator takes it again, it is another "link", etc. Each individual is responsible only for the single "link" he/she is involved in.
Of course a note about the reported "history" of the device would be advisable, but the accent is on the reported nature of the information.
As a side note, for all that is known, the employer, directly or through another person, may well have planted those files on the computers/hard disks right after employee X was escorted from the building.
Or another employee could have done the same, let's say out of envy.
So, in the case you depicted, the chain of custody is not really "broken", it is rather "shorter" than it could have been (because one or two initial links are missing).
These initial missing links may be replaced (it depends on the specifics) by statements (or affidavits) from the people who in the meantime could access (or came into possession of) the device(s).
Such statements will however (necessarily) be vague when it comes to the actions performed on the PC, and, at least in theory, less credible because they are made by one of the involved parties in the (hypothetical) legal case.
It depends on the specific situation, but in the (hopefully rare) case where such a sudden break of reciprocal trust occurs as to provoke the immediate escorting of (ex-)employee X out of the building, the procedure is slightly different:
1) in the presence of both the employer (or a delegate) and the employee, the employee's room is accessed and the employee is allowed to take out his/her personal belongings, making sure that no storage media of any kind leaves the room (quite difficult nowadays given the size of micro-SD cards)
2) the computer(s) are switched off AND disconnected from mains
3) employee X's room is locked AND a seal is placed on the door
4) a "concise minute" of the above proceedings is written and signed by everyone present, in two copies, one for the employer and one for (ex-)employee X
5) the (digital or otherwise) investigator is called and given access to the (until his/her arrival) sealed room
Of course in case of open space offices, the equivalent is to put everything in boxes and put them into a locker, warehouse, etc.
But I propose an alternative scenario to you: employer and employee X are on the most cordial terms and the resignation is a "plain" one; there is no real reason why the employer would suspect that data was stolen. Two weeks later the employer casually needs a copy of a letter that could be on X's PC, and while looking for it finds something suspect, then immediately calls the digital investigator.
Would this be as well a "shorter" chain?
Who will take charge of assuring that no one accessed the machine in the two weeks since employee X left?
And who will describe what exactly has been done with the machine?
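To make the "links" idea concrete, here is an added example (not part of the original answer or question) of how an investigator might keep and verify a custody record for the desktop image in the scenario above. Every name, timestamp and the stand-in image bytes are constructed for the example; the point is that each custodian's link is checked by hash on receipt and on release, consecutive links must agree at the handover, and anything that happened before the investigator took possession (the employer's own review of the machine) is kept only as reported, unverifiable history.

```python
"""Chain-of-custody record for a seized device image (illustrative example).

A Link is one custodian's period of responsibility. It is verified by comparing
the hash recorded on receipt with the hash recorded on release; consecutive
links must agree at the handover. What happened before the first link is kept
as ReportedHistory: logged, attributed to its source, but not verifiable.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReportedHistory:
    source: str     # who says so (here an involved party, so weaker evidence)
    statement: str  # what they report, in their own words


@dataclass
class Link:
    custodian: str
    received_at: str                 # ISO 8601, so string comparison orders correctly
    hash_on_receipt: str
    released_at: Optional[str] = None
    hash_on_release: Optional[str] = None
    documented_changes: List[str] = field(default_factory=list)


def verify_chain(links: List[Link], history: List[ReportedHistory]) -> dict:
    """Check every link and every handover; return problems plus the unverifiable prelude."""
    problems = []
    for i, link in enumerate(links):
        if link.hash_on_release is None:          # still in this custodian's hands
            if i != len(links) - 1:
                problems.append(f"link {i} ({link.custodian}): never released but a later link exists")
            continue
        if link.hash_on_release != link.hash_on_receipt and not link.documented_changes:
            problems.append(f"link {i} ({link.custodian}): hash changed with no documented change")
        if i + 1 < len(links):
            nxt = links[i + 1]
            if nxt.hash_on_receipt != link.hash_on_release:
                problems.append(f"handover {link.custodian} -> {nxt.custodian}: hash mismatch")
            if nxt.received_at < link.released_at:
                problems.append(f"handover {link.custodian} -> {nxt.custodian}: received before released")
    return {
        "verified_links": len(links),
        "problems": problems,
        "unverifiable_history": [f"{h.source}: {h.statement}" for h in history],
    }


# Constructed stand-in for the forensic image of X's desktop (not real data).
DESKTOP_IMAGE = b"constructed stand-in for a forensic image of employee X's desktop"


def example_chain() -> Tuple[List[Link], List[ReportedHistory]]:
    """The scenario from the question: employer looked first, then the investigator took custody."""
    h = sha256_hex(DESKTOP_IMAGE)
    history = [  # constructed statements; the employer is an involved party
        ReportedHistory("employer", "reviewed X's mailbox and desktop files after X was escorted out"),
        ReportedHistory("employer", "found password-protected files believed to hold customer data"),
    ]
    links = [  # constructed custodians and timestamps
        Link("investigator", "2024-03-01T09:00:00", h, "2024-03-01T12:00:00", h),
        Link("lab clerk", "2024-03-01T12:05:00", h, "2024-03-02T08:00:00", h),
        Link("investigator", "2024-03-02T08:10:00", h),  # current custodian, not yet released
    ]
    return links, history


def tampered_chain() -> Tuple[List[Link], List[ReportedHistory]]:
    """Same chain, but the image changed while with the clerk and nobody wrote it down."""
    links, history = example_chain()
    altered = sha256_hex(DESKTOP_IMAGE + b" altered")
    links[1].hash_on_release = altered
    links[2].hash_on_receipt = altered  # handover itself is consistent, the clerk's link is not
    return links, history


if __name__ == "__main__":
    for name, (links, history) in (("clean", example_chain()), ("tampered", tampered_chain())):
        print(name, verify_chain(links, history))
```

The clean chain verifies with no problems but still carries two entries the investigator can only report, not vouch for; the tampered chain is caught at the clerk's link, because a hash that changes inside a link without a documented change is exactly the guarantee each custodian is supposed to give.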