Last week we looked at the hash function: a set of instructions that turns a variable-sized amount of text into a fixed-size output number (a single integer). We saw that hash functions are used to ensure the integrity of digital evidence. The use of hash functions is an integral concept in computer forensic investigation. Without it, digital evidence can easily be contested in a court of law and deemed contaminated.
Today we look at another pillar of computer forensic investigation. This is the chain of custody.
Evidence is at the centre of any computer investigation because it is used to support legal proceedings. Digital evidence is, however, inherently volatile and susceptible to damage or corruption. The simple act of switching on a seized computer can trigger software code that erases all the contents of a hard disk. It is not uncommon to hear that crucial digital evidence was contaminated because an over-zealous investigator briefly switched on the computer just to “check” what was in it.
The fundamental point in the handling and investigation of digital evidence is documenting the activity relating to its seizure, examination, storage, or transfer. These activities should be scrupulously documented and the documentation should be available for review at all times.
This chain of custody ensures the integrity of the evidence through a paper trail that details the whereabouts of all evidential sources during custody. For example, it documents the circumstances, place and state of a laptop that was seized for investigation. The chain of custody goes further and details all individuals who have had access to the seized laptop (or evidence), what they did with it, how they did it and their findings. This documentation ensures that seized media has not been corrupted or compromised following seizure.
Adhering to the chain of custody requirement combined with the application of the hash function guarantees the integrity of evidence. This ensures that crucial digital evidence is not tossed out of court because it was contaminated by the presence of a gap in the chain of custody timeline.
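To show how the custody record and the hash function work together, here is an added example (not part of the original article) of a custody log that records who released and received an item, re-hashes the evidence at every step, and reports gaps or alterations. The field names, custodian names and the sample "disk image" bytes are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(log, when, action, released_by, received_by, evidence, notes=""):
    """Append one custody record, linked to the previous record by its hash."""
    entry = {
        "when": when,                # ISO 8601 UTC, fixed format so strings sort by time
        "action": action,            # seizure, transfer, examination, storage
        "released_by": released_by,
        "received_by": received_by,
        "evidence_sha256": sha256_hex(evidence),  # evidence re-hashed at this step
        "notes": notes,
        "prev": log[-1]["entry_hash"] if log else "",
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify(log):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if i == 0:
            continue
        p = log[i - 1]
        if e["prev"] != p["entry_hash"]:
            problems.append(f"entry {i}: not linked to the previous record")
        if e["released_by"] != p["received_by"]:
            problems.append(f"entry {i}: custody gap, no release by {p['received_by']}")
        if e["when"] < p["when"]:
            problems.append(f"entry {i}: timestamp earlier than previous record")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from hash at seizure")
    return problems

IMAGE = b"constructed disk image bytes"  # constructed stand-in for a seized disk image

def demo_intact():
    """Build a two-step custody log with constructed names and times."""
    log = []
    add_entry(log, "2024-01-10T09:00:00Z", "seizure", "scene", "Officer A", IMAGE)
    add_entry(log, "2024-01-10T14:00:00Z", "transfer", "Officer A", "Examiner B", IMAGE)
    return log
```

Calling verify() on an intact log returns an empty list; a hand-over by someone who never received the item, a changed evidence hash, or an edited record each produce a specific finding.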