Blog: Why the chain of custody is paramount to digital forensics

The Chain of Custody (COC) is a critical document that can make or break a case, because it is what proves the authenticity of evidence and confirms that the integrity of data collection has been strictly maintained. Without one, even data preserved in a highly defensible manner can be rendered useless, because it cannot be properly authenticated.

The COC details the journey of evidence as it travels through a case and outlines the custody, control, transfer, analysis, and disposition of materials of physical and electronic evidence.

When a COC is created, it should contain descriptive details specific to the relevant evidence item and always remain with the item. Entries must be made to the COC anytime a different party takes possession of the evidence throughout the case. 

However, COCs are often and easily overlooked, especially when it comes to electronically stored information (ESI). Consider the following scenario: a new case you have been working on requires evidence to be pulled from a mobile device. The mobile device has text messages that are important to the case.  Once the phone’s owner delivers it to your firm, you store the device in your desk. Upon retrieval, the forensic investigator notices the phone has been wiped and all data is gone.  The investigator asks you for the COC and you realize that you never filled one out.  Although the device was in working order when it was dropped off, it’s possible that its original owner remotely wiped the data. At this point, the investigator informs you that there is no point in trying to preserve the mobile device.

Without a proper COC that records a timestamp for each exchange between parties, it is extremely difficult to determine whether the phone was wiped before or after it changed hands. Then, with the phone's evidence gone and no defensible way to prove or rule out tampering, your case may be in jeopardy. Isolating a handset from the network at intake (a Faraday bag, or radios disabled) is what prevents a remote wipe in the first place; the COC is what lets you show when, and in whose custody, a change occurred.

To ensure your electronic evidence remains defensible, carefully capture each detail of ownership, analysis, and location transfers in the COC.

During initial data collection, document the name of the person receiving the evidence, including the date and time it came into their possession. Next, log a detailed description of the evidence. This should include the type and amount of data, the manufacturer and any serial numbers of the preserved device, a characterization of the data, the write-protection status, and the cryptographic hash (for example SHA-256) of any acquired image, since that hash is what every later copy is checked against.

During eDiscovery processes, note the collection methods and procedures, their outcomes, and any problems that emerged. ESI preserved as evidence and used in eDiscovery is usually duplicated so that a working copy can be analyzed while the original stays untouched. During preservation, an A copy and a B copy are made, and the COC must establish that the B copy is identical to the A copy; recording matching hash values for both is the standard way to show this. Additionally, file formats may be changed during eDiscovery (for example, conversion into a review format). When that happens, the COC must show that the files' actual content remained unchanged across each phase. A converted file will not hash to the same value as the original, so record the original's hash, the conversion tool and settings, and the hash of the converted file, so that the lineage can be followed from one to the other.

During any movement of the device or data, the reason for the transfer should be noted in the COC. When evidence changes hands, responsibility for the COC entry falls on the recipient, who is now in possession of the evidence. This can include attorneys and firm staff, IT personnel, or eDiscovery professionals.
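The intake, duplication, transfer and verification steps above can be kept as a small, hash-backed log. The following is an added example, not LOGICFORCE's tooling or anything from the original post: it uses SHA-256 as the fingerprint of an evidence item, makes the recipient the author of each transfer entry, refuses to record a working (B) copy that does not match the A copy, and re-checks the item against the hash recorded at intake. The item ID, custodian names, device description and the evidence bytes are constructed for illustration only.

```python
"""Minimal chain-of-custody log for an ESI item, keyed on SHA-256 hashes (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence bytes; identical bytes give an identical hash."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    """Timestamps are recorded in UTC so exchanges between parties can be ordered."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    timestamp: str
    action: str      # intake, transfer, duplicate, verify
    custodian: str   # the person now responsible for the item
    note: str        # reason for the transfer, method used, problems seen
    sha256: str      # hash of the item as it was at this point


@dataclass
class ChainOfCustody:
    item_id: str
    description: str            # manufacturer, serial, data type and amount, write-protect state
    entries: list = field(default_factory=list)

    def _log(self, action: str, custodian: str, note: str, data: bytes) -> CustodyEntry:
        entry = CustodyEntry(utc_now(), action, custodian, note, sha256_hex(data))
        self.entries.append(entry)
        return entry

    def intake(self, custodian: str, data: bytes, note: str = "received from custodian") -> CustodyEntry:
        if self.entries:
            raise ValueError("intake must be the first entry in the chain")
        return self._log("intake", custodian, note, data)

    def transfer(self, recipient: str, reason: str, data: bytes) -> CustodyEntry:
        """The recipient makes the entry: they are the one now in possession."""
        return self._log("transfer", recipient, reason, data)

    def duplicate(self, custodian: str, original: bytes, copy: bytes) -> CustodyEntry:
        """Record that a working (B) copy was made and that it is bit-identical to A."""
        if sha256_hex(original) != sha256_hex(copy):
            raise ValueError("working copy does not match original")
        return self._log("duplicate", custodian, "B copy verified identical to A", copy)

    def verify(self, custodian: str, data: bytes) -> bool:
        """Compare the item as it is now against the hash recorded at intake."""
        ok = sha256_hex(data) == self.entries[0].sha256
        self._log("verify", custodian, "hash matches intake" if ok else "HASH MISMATCH", data)
        return ok

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def demo() -> dict:
    """Walk one constructed item through intake, transfer, duplication and verification."""
    # Constructed sample evidence: not a real image, just bytes standing in for one.
    evidence = b"SMS export: 2 messages ... (constructed sample)"

    coc = ChainOfCustody(
        item_id="ITEM-001",  # hypothetical identifier
        description="Constructed example: handset, serial SN-0000, 1 SMS export, write-blocked",
    )
    coc.intake("J. Intake Clerk", evidence)
    coc.transfer("F. Examiner", "delivered to lab for imaging", evidence)
    working_copy = bytes(evidence)               # B copy of the A image
    coc.duplicate("F. Examiner", evidence, working_copy)
    copy_ok = coc.verify("F. Examiner", working_copy)

    tampered = working_copy[:-1] + b"!"          # one byte changed after the fact
    tampered_ok = coc.verify("F. Examiner", tampered)

    return {
        "entries": len(coc.entries),             # intake, transfer, duplicate, verify, verify
        "copy_ok": copy_ok,
        "tampered_ok": tampered_ok,
        "log": coc.to_json(),
    }


if __name__ == "__main__":
    print(demo()["log"])
```

The log keeps the intake hash as the reference point, so a later verification that fails (as the one-byte change above does) is itself recorded, with the custodian who observed it and the time. In practice the JSON would be written to storage the custodians cannot silently edit, and each entry would be signed or countersigned by the person making it.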

Finally, it is recommended to have experienced forensic investigators handle electronic evidence during your case. Engaging investigators to receive original evidence directly from the data or device custodian will allow the investigator to ensure an accurate COC is started, and they can take the necessary precautions to prevent disputable actions from occurring. LOGICFORCE has an expert team of forensic investigators and eDiscovery pros available to help. For more information, please contact us.

Joseph Morelli is a Digital Forensic Investigator at LOGICFORCE.
