Digital Chain of Custody
Enterprise internal and external compliance, regulatory and audit teams, as well as process managers are regularly in need of data that tracks the activities of people, files, goods or adherence to processes.
Chain-of-Custody, Digital Forensics and Audit Trail are common terms used to describe the activities, handling, safeguarding and storage of supporting data, or evidence, as it may be referred to in the legal profession.
In today’s world, assembling an irrefutable chain-of-custody, audit trails or digital forensics is typically impossible, due to:
- The data being fragmented across systems (email, text, enterprise systems)
- Data accuracy and completeness, whether it’s been tampered or modified, etc. are impossible to prove
- The cost, effort and time required to build compliance records is exorbitant
The above results in low trust in the data for compliance, regulatory and audit functions.
The Vouch Identity Platform Audit Engine
- A Secure Infrastructure – Digital forensics and handling chain of custody should be supported by a secure infrastructure. The volume of the digital evidence is growing and increasingly varied in terms of the file size. Storage of digital evidence is not just ordinary storage, but it should have technical specifications that comply with the provisions of the law, for example, the ability of data storage, data maintenance as well as data recovery. Blockchain provides the best protection to support data for chain of custody processes.
- Tied to Digital ID – All transactions made by humans or devices are permanently logged into the blockchain by the unique digital ID associated with each human or device
- Tamper-Proof Immutability – Blochchain’s high-strength cryptography ensures that records cannot be manipulated by super-adminisitrators or other hackers. Distributed – Blockchain’s tamper-proof, distributed ledger replaces the insecure centralized storage with decentralized blockchain storage of user credentials and transaction logs (see Vouch System Overview).
What Is the Chain of Custody in Digital Forensics?
Chain of custody is an essential part of authentication of digital evidence because it shows the provenance and integrity of the data or file.
The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. It also documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Chain of Custody is an essential first-step in cyber forensics investigations. Chain of Custody is essentially documenting the way that we secure, transport and verify that items acquired for investigation were held in an appropriate manner. Chain of custody demonstrates ‘trust’ to the courts/auditors and to client that the media was not tampered with. It is an audit trail of ‘who did what’ and ‘when it happened’ to a particular piece of evidence.
What is an Audit Trail?
The Internal Revenue Service (IRS) has used the phrase “audit trail, defining it as documentary evidence that records a given business’ processes and financial activities. For their purposes, the IRS is reliant on these documents when they audit a given business.
Applying audit trail principles to other official process became a best practice over a number of industries, from medical, government, construction, and others that are tied to regulation compliance. As documents became electronic, the principles of audit trail began to be applied to other electronic content that was related to business and government.
Audit trails need to record dates, times, locations, and personnel who accessed or altered files in the system.
The Process for Digital Forensics
Digital evidence is typically acquired from a myriad of devices including a vast number of IoT devices. Digital evidence is an essential element in uncovering intent, mode and method in computer-related crimes and it is important in many internal investigations when an organization addresses risk mitigation to scope out internal processes.
The process for digital forensics follows a structured path. The process comprises four primary steps:
- Collection: This is the identification, labeling, recording and the acquisition of data from possible relevant sources that preserve the integrity of the data and evidence collected. This is where the Chain of Custody process is initiated. The Chain of Custody is used throughout these 4 steps, too.
- Examination: We use a forensically sound process to collect data in both automated and manual way. DF examiners will carve out particularly interesting data that will be used in testimony that supports or refutes the claim. The preservation of data is essential and we’ll further discuss secure methods to handle digital forensics investigations later. During this step, not only are the results of the investigation process recorded and noted, the Chain of Custody documentation is completed to note the disposition of any collected evidence used in the examination and how it was used.
- Analysis: The analysis is a result of the examination. We use legally justifiable methods and techniques to derive useful information to address questions posed in the particular case. Again, the Chain of Custody reporting ‘may’ be involved in this step.
- Reporting: This is the documentation of the examination and analysis. Reporting typically includes a statement regarding the Chain of Custody, the explanation of the use of the various tools, a description of the analysis of various data sources, issues and vulnerabilities identified, and recommendations for additional forensics measures.
The key elements that require documentation include (and are not limited to):
- How the evidence was collected
- When it was collected (e.g. Date, Time)
- How you transported it
- How it was tracked
- How it was stored
- Who has access to the evidence (e.g. this is the check-in/check-out process that you will need to develop. It is essential that we know who had access to each acquired piece of evidence. You will be asked to demonstrate this, if this is a court case.)