Document evidence with chain of custody forms
Let's continue our discussion on how documentation provides transparency through documents like chain of custody.
During incident response, evidence must be accounted for during the entire incident's lifecycle.
Tracking evidence is important if the evidence is requested as part of any legal proceedings.
How can security teams ensure that this is done?
They use a form called chain of custody.
Chain of custody is the process of documenting evidence possession and control during an incident lifecycle.
As soon as evidence gets collected, chain of custody forms are introduced.
The forms should be filled out with details as the evidence is handled.
Let's examine a very simple example of how chain of custody is used during digital forensic analysis.
Previously, you learned that digital forensics is the practice of collecting and analyzing data to determine what has happened after an attack.
During an incident response, Aisha verified that a compromised hard drive requires examination by the forensics team.
First, she ensures that the hard drive is write protected, so the data on the disk can't be edited or erased.
Then, she calculates and records a cryptographic hash function of an image of the hard drive.
Remember that a hash function is an algorithm that produces a code that can't be decrypted.
Aisha is then instructed to transfer it to Colin in the forensics department.
Colin examines it and sends it off to Nav, another analyst.
Nav receives the compromised hard drive and sends it to her manager, Arman.
Each time the hard drive is transferred to another person, they need to log it in the chain of custody form, so that movement of evidence is transparent.
Tampering with the data on the hard drive can be detected using the original hash that Aisha documented at the beginning of the process.
This ensures that there's a paper trail describing who handled the evidence, and why, when, and where they handled it.
Just like other documentation types,
there is no standard template of what the chain of custody form should look like, but they do contain common elements.
This is what you might examine on a chain of custody log form.
First, there should be a description of the evidence, which includes any identifying information, like the location, hostname, MAC address, or IP address.
Next is the custody log, which details the name of the people who transferred and received the evidence.
It also includes the date and time the evidence was collected or transferred and the purpose of the transfer.
You may be wondering: what happens if evidence gets logged incorrectly?
Or, if there's a missing entry?
This is what's known as a broken chain of custody, which occurs when there are inconsistencies in the collection and logging of evidence in the chain of custody.
In the court of law, chain of custody documents help establish proof of the integrity, reliability, and accuracy of the evidence.
For evidence related to security incidents, chain of custody forms are used to help meet legal standards so that this evidence can be used in legal proceedings. If a malicious actor compromised a system, evidence must be available to determine their actions so that appropriate legal action can be taken.
However, in some cases, major breaks in the chain of custody can impact the integrity, reliability, and accuracy of the evidence.
This affects whether or not the evidence can be a trusted source of information and used in the court of law.
Chain of custody forms provide us with a method of maintaining evidence, so that malicious actors can be held responsible for their actions.