Procedure to establish the Chain of Custody in case of Digital Evidence:
A number of steps must be taken to ensure the legitimacy of the chain of custody. Keep in mind that the more information the forensic expert records about the evidence, the more defensible the resulting chain of custody becomes.
For electronic devices, the chain of custody requires the following steps:
• Preserve original evidence.
• Photograph the physical proof.
• Capture snapshots of digital evidence.
• Record the date, time, and any other information related to the evidence’s acquisition.
• Load the forensic workstation with a bit-for-bit clone of the digital evidence medium.
• Run a hash comparison to validate that the clone matches the original.
Care must be taken while gathering digital evidence and constructing the chain of custody.
Why never work with the original evidence?
The most important rule when working with digital evidence is that the forensic expert must create a complete copy of the evidence and perform the forensic analysis on that copy. This cannot be neglected: if errors are made on a working copy, or a comparison has to be performed, the untouched original is required.
Sterilization of Storage Media
When gathering evidence, it is important to ensure that the examiner’s storage device is forensically clean. If the examiner’s storage media is contaminated with malware, the malware can spread to the system being examined, compromising all of the data.
Record any extra information
It is necessary to document all information that comes to the attention of the case investigator during the examination process. A full report must include the following points:
• The investigating agency’s name.
• A unique identification code.
• The case investigator’s name.
• The submitter’s identity.
• The date the item was received.
• The report’s date.
• A detailed description of the submitted item.
• The examiner’s name and signature.
• A summary of the procedures done throughout the examination.
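The cloning and hash-verification steps listed earlier, together with the report fields above, can be carried out by a small script. The following is an added example, not code from the original article: it hashes the original, makes a bit-for-bit copy, hashes the copy, writes a custody record with the listed fields, and re-checks a working copy before analysis. The field names, the agency and case identifiers, and the three-byte sample file are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images need not fit in memory

def sha256_of(path):
    """Hash a file in chunks; the hex digest is what is written into the record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def clone_and_verify(source, image):
    """Hash the original, copy it bit for bit, hash the copy, compare the two."""
    src_hash = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    img_hash = sha256_of(image)
    return src_hash, img_hash, src_hash == img_hash

def custody_record(meta, source, image):
    """Report entry: the examiner-supplied `meta` fields (agency, case_id, investigator,
    submitter, examiner, date_received, item_description) plus hashes and procedures."""
    src_hash, img_hash, ok = clone_and_verify(source, image)
    record = dict(meta)
    record.update(report_date=datetime.now(timezone.utc).isoformat(),
                  source_sha256=src_hash, image_sha256=img_hash, image_verified=ok,
                  procedures=["hash original", "bit-for-bit clone", "hash clone", "compare"])
    return record

def verify_image(image, expected_hash):
    """Re-hash a working copy before analysis; False means it no longer matches the record."""
    return sha256_of(image) == expected_hash

def demo():
    """Constructed sample: a three-byte 'evidence' file, cloned, recorded, then altered."""
    work = Path(tempfile.mkdtemp())
    source, image = work / "evidence.bin", work / "evidence.dd"
    source.write_bytes(b"abc")  # constructed content, not a real device image
    meta = {"agency": "Example Agency", "case_id": "CASE-0001", "investigator": "I. Name",
            "submitter": "S. Name", "examiner": "E. Name",
            "date_received": "2024-01-01T00:00:00Z", "item_description": "sample file"}
    record = custody_record(meta, source, image)
    intact = verify_image(image, record["image_sha256"])
    with open(image, "ab") as f:
        f.write(b"\x00")  # simulate an altered working copy
    return record, intact, verify_image(image, record["image_sha256"])
```

A mismatch on the final check is the signal that the working copy must be discarded and re-cloned from the original.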
While collecting digital evidence, it is important to protect its integrity and security.
Before and throughout the search, it is essential to make sure the crime scene is completely secure. In some cases the examiner may only be able to carry out the following while on site:
• Count the number of computers and their types.
• Conduct interviews with the system administrator as well as users.
• Identify and document the different types and quantities of media, including removable media.
• Check for the presence of a network.
• Keep a record of the information about the location where the media was removed.
• Locate off-site storage and/or remote computing facilities.
• Determine which software is proprietary.
• Identify the operating system in use.