Chain of Custody

How can an investigator prove that electronic evidence has been managed properly and has not been tampered with? Following proper chain of custody procedures will help to prove that evidence is accurate, has not been improperly altered, and has been properly managed. 

The National Institute of Standards and Technology defines chain of custody as “a process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.” The investigation team must ensure the chain of custody is not broken from the time the evidence is collected until the time the electronic evidence is presented at trial, on appeal, in an administrative hearing, or in a business legal matter.

Any evidence must be traceable from the crime scene to the courtroom and everywhere in between. This applies both to physical hardware and to the data that resides on the hardware and within the software. Any change in possession or location of the evidence must be clearly documented. Changes to the evidence itself must be avoided, and any unavoidable change must be documented. If the chain of custody is broken, the investigation may be compromised.

The chain of custody form will include basic information regarding the case, such as the case number, victim, officer, date/time, and location of seizure. It must also contain a detailed chain of custody log that records, for each transfer, the evidence item number, the date/time, the person releasing the evidence, the person receiving the evidence, and the location of the evidence.

Each agency will usually have its own evidence custody document (ECD).  However, no matter the format, the main purpose is to track the evidence from the time it is provided or seized by the law enforcement officer until its final disposition in court or on appeal. 

In describing the evidence items, an investigator should provide a description that will uniquely identify each item.  This is usually done by including a serial number (unique to that item) along with other descriptors such as model number, size, color, and any markings. This can be difficult at times given that some items, even digital items, may not have a serial number.  

In the chain of custody section, an investigator should track who handles the evidence, when, and why. For example, when the evidence is seized, the seizing law enforcement officer, say Special Agent (SA) Jane Doe, starts the chain of custody. When SA Doe then checks that piece of evidence in, she notes the item number and the date/time and adds “Released by SA Jane Doe” (printed and signed) and “Received by Everett Dents” (the evidence custodian), with the comment “release into evidence.” Every time anyone checks that piece of evidence in or out, a new line of information is added.
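As an added example (not part of the original article), the following Python module models the log fields described above and audits a chain for continuity: each release must be made by whoever last received the item, and entries must be in time order. It also checks the acquired data against a hash recorded at seizure, the usual way to show the data itself is unaltered, which the article does not describe; the log entries, names and image bytes are constructed sample data.

```python
import hashlib
from datetime import datetime

# Constructed stand-in for an acquired disk image; the real hash would be
# recorded on the evidence custody document at the time of seizure.
IMAGE_BYTES = b"constructed stand-in for a forensic disk image"
SEIZURE_HASH = hashlib.sha256(IMAGE_BYTES).hexdigest()

# Constructed chain of custody entries for item 1, following the article's
# fields: item number, date/time, released by, received by, location, purpose.
SAMPLE_LOG = [
    {"item": "1", "time": "2024-03-01T09:15:00", "released_by": "SA Jane Doe",
     "received_by": "Everett Dents", "location": "Evidence room",
     "purpose": "release into evidence"},
    {"item": "1", "time": "2024-03-02T10:00:00", "released_by": "Everett Dents",
     "received_by": "Examiner R. Lee", "location": "Forensics lab",
     "purpose": "imaging and analysis"},
    {"item": "1", "time": "2024-03-03T16:30:00", "released_by": "Examiner R. Lee",
     "received_by": "Everett Dents", "location": "Evidence room",
     "purpose": "return to evidence"},
]
# Same item with the lab check-out missing: the examiner returns it
# without ever having signed for it, which breaks the chain.
BROKEN_LOG = [SAMPLE_LOG[0], SAMPLE_LOG[2]]

def audit_chain(log, seizing_officer):
    """Check that every release is made by the current custodian and that
    entries are in time order. Returns a list of problems; empty means intact."""
    problems = []
    holder = seizing_officer          # custody starts with whoever seized it
    last_time = None
    for n, entry in enumerate(log, start=1):
        if entry["released_by"] != holder:
            problems.append(f"entry {n}: released by {entry['released_by']!r} "
                            f"but custody was with {holder!r}")
        t = datetime.fromisoformat(entry["time"])
        if last_time is not None and t < last_time:
            problems.append(f"entry {n}: timestamp earlier than previous entry")
        last_time = t
        holder = entry["received_by"]  # receiver becomes the new custodian
    return problems

def verify_integrity(data, seizure_hash):
    """True if the data still hashes to the value recorded at seizure."""
    return hashlib.sha256(data).hexdigest() == seizure_hash
```

Running `audit_chain(BROKEN_LOG, "SA Jane Doe")` reports the gap at entry 2, the same break a reviewer would find when reading the paper form line by line.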

References

Chain of custody. (2004). In Guidelines on PDA Forensics, special publication 800-72. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-72 

Charters, I. (2009). The evolution of digital forensics: Civilizing the cyber frontier. http://www.guerilla-ciso.com/wp-content/uploads/2009/01/the-evolution-of-digital-forensics-ian-charters.pdf

National Institute of Standards and Technology. Sample digital forensics chain of custody form. https://www.nist.gov/system/files/documents/2017/04/28/sample-chain-of-custody-form.docx

Novak, M., Grier, J., & Gonzales, D. (2019). New approaches to digital evidence acquisition and analysis. NIJ Journal, 280.  https://nij.ojp.gov/topics/articles/new-approaches-digital-evidence-acquisition-and-analysis 

Ryder, K. (2002). Computer forensics: We’ve had an incident, who do we get to investigate? SANS Institute Infosec Reading Room. https://www.sans.org/reading-room/whitepapers/incident/computer-forensics-weve-incident-investigate-652 

US Secret Service. (2015). Best practices for seizing electronic evidence, version 4.2.  https://www.cwagweb.org/wp-content/uploads/2018/05/BestPracticesforSeizingElectronicEvidence.pdf
