±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 3 Overall: 36445
New Yesterday: 2 Visitors: 95

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

How to Keep a Digital Chain of Custody

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

TMD22
Member
 

Re: How to Keep a Digital Chain of Custody

Post Posted: Jan 30, 06 07:32

What if you keep the original hard drive, and also make a copy to another hard drive?

Would you still keep both?


Just curious, some clients will allow you to hold onto hard drive. I give it back after imaging sometimes, or give an exact copy "Best evidence"

Thanks

Mark  
 
  

blaresutton
Newbie
 

Re: How to Keep a Digital Chain of Custody

Post Posted: Feb 06, 06 03:18

We use a security bag chain of custody system.

When we receive evidence into our lab (or collect it in the field), all items are catalogued, signed in on a custody form, and bagged. Each time the bag is opened, this gets recorded on a chain of custody form, similarly when it gets resealed. The old bags are retained with the item.

Our process is to image the original to one of our previously prepared drives. The original evidence is then either returned to the client, or stored in a safe using the security bag system. We then copy the image file from our 'original image' to a 'working copy' on our network. The 'original image' gets bagged and stored in the safe. Only examiners working on the case have access to the directory that the image is stored in.

We have a couple of file servers dedicated to the task of storing our images, and run a 1.6 GB SATA array in each (i.e. 4 x 400GB SATA HDD's configured in a single volume). This gives us maximum capacity, as we are not too concerned with redundancy as you can always copy the images from the 'original image' should you have a failure.

Examination results, cases, reports, etc are stored on a RAID 5 array.

Hope this information helps.

Cheers,

Blare Sutton
Manager
PPB Forensics
Level 10, 90 Collins St
Melbourne
VIC 3000
AUSTRALIA
+61 3 9653 6241
 
 

Page 2 of 2
Page Previous  1, 2