
How to Keep a Digital Chain of Custody


Site Admin

How to Keep a Digital Chain of Custody

Post Posted: Dec 18, 05 03:46

Christine has very kindly mailed me with the following useful link:

How to Keep a Digital Chain of Custody

Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 


Re: How to Keep a Digital Chain of Custody

Post Posted: Dec 18, 05 20:41

Nice little article, but it sparks something that I've been thinking about within a forensic lab. How does everybody else store the working forensic images that they are doing analysis on? Do you leave it on the forensic analysis workstation even for periods when you aren't working on it?

Reason I ask is because I have been toying with the idea of an "image" server which is just basically a digital safe for all working images. Then when you sit down at the analysis workstation, you "check out" the image you are working on (and only the examiner allowed to check it out is able to).

Then I started thinking about disk size and budget... and I just scrapped the idea. For now, locking it on the forensic analysis workstation works because it's only me with access to the room and the workstation, but I'm trying to get an idea if this is the right thing to do with more people?

Senior Member

Re: How to Keep a Digital Chain of Custody

Post Posted: Dec 19, 05 08:39

If you aren't working on it, it should go in the safe, that is the only place it should be.

Say you were to leave your images up on a computer and that computer gets stolen, have fun explaining that to the firm that hired you. On the other hand to steal things from me you would have to remove a safe that is bolted to concrete with 4 x 8" bolts and within that safe is another safe with the actual drives. The time that it would take them to bust into the safe as opposed to lifting one machine out is huge. I have heard the argument before that people can encrypt their drives and that will make them safe if someone steals them. While it will add a layer of protection, and 2 layers of protection if you also encrypt the .e01 files, I wouldn't want to take the chance.
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 


Re: How to Keep a Digital Chain of Custody

Post Posted: Dec 20, 05 01:13

I am wondering how long to keep the image in storage. Until the case is adjudicated?

Also, I have heard several ways of what to do with the original image on this forum:

1) Send first copy "best evidence" on a HDD to the client and have them store it.
2) Burn image to DVDs for storage
3) Store on RAID, HDD or tape drive

I would welcome any input from anyone doing forensic investigations already on the methods used. I had planned on doing above item # 1.

Any replies welcome, Happy Holidays to all on the forum


Senior Member

Re: How to Keep a Digital Chain of Custody

Post Posted: Dec 20, 05 03:03

I used to burn DVD backups but with cases now regularly topping 200 gig+ I've had to shelve that. For data I need to keep I simply write to a hard drive of a similar size to the case files, and store that. With H/Ds getting cheaper it's not an expensive option and they are small enough to store easily.

Storage time depends on the case type. With defending illegal images cases I agree with the prosecuting force to destroy the data once the case is finalised. With corporate fraud I will normally send a copy of the data to the company that hired me and inform them that I will destroy the copies 3 months after the conclusion of the matter. It all depends on the circumstances. Hi Tech Crime Units have different methods and guidelines of course.


Senior Member

Re: How to Keep a Digital Chain of Custody

Post Posted: Dec 20, 05 05:25

Just an extra bit re the chain of custody. We only accept exhibits for examination that are contained in sealed and numbered exhibits bags (either bags that are numbered or seals that are numbered). The bag/seal numbers are recorded against the exhibits they contain. Each time a bag is opened the fact is recorded and once the exhibit is dealt with it is resealed, along with the original packaging/seal in another sealed and/or numbered exhibits bag.

Obviously we use a lot of numbered exhibits bags and numbered seals but such is life.

At least this way we can prove the security of the evidence along with a documented chain of custody and all the bags/seals that relate to the particular exhibit.
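
The seal record described in the post above, sketched as an added example that is not part of the original thread: a Python audit over a constructed log, checking that each opening goes through the intact seal on record and that each reseal uses a fresh number and encloses the broken seal. The event fields, exhibit references and seal numbers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    exhibit: str          # exhibit reference (hypothetical naming)
    action: str           # "seal", "open" or "reseal"
    seal: str             # bag/seal number involved
    who: str              # person recording the event
    when: str             # timestamp as written on the form
    encloses: tuple = ()  # broken seals/packaging placed inside the new bag

def audit(events):
    """Return the problems found in a seal log; an empty list means continuous."""
    problems, used = [], set()
    current, opened = {}, {}  # exhibit -> intact seal / seal broken, awaiting reseal
    for n, e in enumerate(events, 1):
        if e.action in ("seal", "reseal"):
            if e.seal in used:  # seal numbers must never repeat
                problems.append(f"{n}: seal {e.seal} reused")
            used.add(e.seal)
        if e.action == "seal":
            if e.exhibit in current or e.exhibit in opened:
                problems.append(f"{n}: {e.exhibit} already has a seal on record")
            current[e.exhibit] = e.seal
        elif e.action == "open":
            if current.get(e.exhibit) != e.seal:
                problems.append(f"{n}: {e.exhibit} opened via {e.seal}, not the intact seal")
            current.pop(e.exhibit, None)
            opened[e.exhibit] = e.seal
        elif e.action == "reseal":
            broken = opened.pop(e.exhibit, None)
            if broken is None:
                problems.append(f"{n}: {e.exhibit} resealed with no opening recorded")
            elif broken not in e.encloses:
                problems.append(f"{n}: broken seal {broken} not enclosed in {e.seal}")
            current[e.exhibit] = e.seal
    for exhibit, seal in opened.items():
        problems.append(f"end: {exhibit} left unsealed after opening {seal}")
    return problems

# Constructed sample logs (not real case data).
GOOD = [
    Event("EX1", "seal", "A100", "officer-1", "2005-12-01T09:00"),
    Event("EX1", "open", "A100", "examiner-1", "2005-12-02T10:00"),
    Event("EX1", "reseal", "A101", "examiner-1", "2005-12-02T16:00", ("A100",)),
]
BAD = [
    Event("EX2", "seal", "A200", "officer-1", "2005-12-01T09:00"),
    Event("EX2", "open", "A200", "examiner-2", "2005-12-03T10:00"),
    Event("EX2", "reseal", "A201", "examiner-2", "2005-12-03T15:00"),
    Event("EX2", "open", "A205", "examiner-2", "2005-12-04T10:00"),
]

if __name__ == "__main__":
    print(audit(GOOD), *audit(BAD), sep="\n")
```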

Senior Member

Re: How to Keep a Digital Chain of Custody

Post Posted: Jan 30, 06 05:45

In terms of chain of custody documentation. If you are given a physical HDD to image and subsequently examine this image, assuming both are locked away (the original HDD immediately after imaging). Are most maintaining two separate chain of custody documents?

One for the original and one for the image?

As quoted in the article:

"The first image of a hard drive that investigators take is known as the "best evidence," because it’s closest to the original source. The chain of custody form should be attached to the best evidence and stored under lock and key."

