Tips: How to Ensure Chain of Custody After a Cybersecurity Incident

With the rise of connected devices, digital evidence has become increasingly more common in legal proceedings after a cyber incident or data breach.

Devices store a collection of digital evidence including data, text messages, digital photographs, videos and social media profiles and conversations all of which can be used in legal cases. The information found on devices in digital formats can reveal how cyber crimes and breaches are committed. This is where chain of custody comes in.

In a forensics case handled by 24By7Security, the team members who worked on the chain of custody were certified fraud examiners and experienced digital forensics experts who were also qualified to be called upon as legal witnesses in court proceedings if needed. 

The computer forensic team was able to secure the infected machine and hard disk. Following the rules and procedures involved in determining chain of custody, they were able to dig up deleted files and document a comprehensive timeline of the hack.  The findings allowed the lawyers to assess the nature of the breach and indicate how many parties were affected. This information helped legal counsel to determine the next steps.

What is Chain of Custody?

In a legal context, a chain of custody is the process of gathering evidence - both digital and physical. It involves best practices to ensure that the evidence has been legitimately gathered and protected. 

Those involved in chain of custody must do their due diligence when collecting digital evidence, otherwise it might get compromised. Following best practices is incredibly vital because it is easy to erase or manipulate the information. It's recommended that you do not take any chances. Instead, it is better to get into the habit of protecting all the evidence, so that it holds its weight in court.

Four Steps Simplified

In computer forensics, digital evidence can indicate the intent in computer or cyber related crimes. The chain of custody process can be done following these four steps:

1. Collection: This is the identification, recording and the gathering of information from credible sources that maintain the integrity of the information and evidence that is gathered.
2. Examination: Data is collected in two ways - automated and manual. Examiners will carve out information that will be used during the testimony in court. While this step is going on, the results of the investigation process are recorded and noted.
3. Analysis: The analysis is the overall result of the examination. Investigators use justifiable methods to decrypt useful information to answer the questions that are brought up in a specific case.
4. Reporting: Lastly, this step is the documentation of the examination and analysis. Reporting includes a statement regarding the chain of custody, an explanation of the tools used, and issues and vulnerabilities that were identified.

To prove chain of custody, answer these questions:

• Where is the proof?
• How did you acquire it?
• When was it gathered?
• Who handled it?
• Why did that specific person handle it?

What is the Chain of Custody Form?

This form is where you will document the evidence gathered. In most forms, the “Case Number, Date/Time Seized, Item Number, and Comments/ Location” are at the top.

In the middle of the chain of custody forms are 2 or more big boxes which have an Item number, Quantity, and Description of Item. In those 2 boxes you will describe the Model and Serial number of the evidence collected. At the bottom of the Chain of Custody forms are the release disclosure agreements for the lawful owner and witnesses. 

What else is included in the Chain of Custody Form?

The pieces of information that need to be included in the chain of custody form depend on the evidence that was collected and the type of case. As an example, standard details that should be included are the reason for the collection, multiple and relevant serial numbers, a description of the item that is collected, and the signatures of individuals who possessed the evidence.

Evidence that is digital is different from physical evidence. Once the best evidence is collected, you should make a second copy. The second copy is what investigators should use for their research.

What occurs when the Chain of Custody is broken?

The largest risk of breaking the chain of custody is presenting evidence in court that is inadmissible. In other words, important evidence could be valued as legally worthless. This happens often if the evidence item is mislabeled or if the evidence falls into the wrong hands or if it is not possible to properly track where the evidence has been or if it was tampered with.

Eye Opening Statistics:

• Usually, data breaches are unrecognized by organizations for as long as 6 months (Source: Ponemon)
• Damage that was connected to ransomware attacks exceeded $11 billion last year (Source: Phoenixnap)
• 56% of Americans don’t know what steps to take in the event of a data breach (Source: Varonis)
• It is estimated that there will be about $6 trillion dollars in damages worldwide due to attacks in 2021 (Source: Forbes)

A person’s ability to present the evidence in a case relies heavily on their ability to prove how the evidence was collected, stored and transported. If any slight misstep takes place, the evidence could be invalidated in court. Organizations should take the effort to become cyber resilient and to plan for incident response and post-incident recovery. For more information about our services in these areas, visit our cyber forensics page and our cyber incident management services page.