By Keith G. Chval

Chain of Custody

Recent incidents have shown how important it is for colleges and universities to preserve evidence — including digital evidence — that may be required in a legal investigation.

ey Jon, I need the “ chain of custody.” H “The what?” Your general counsel has just stopped by your office and dropped that bombshell on you as you were drinking your morning cup of coffee. “Remember all those e-mails and other electronic files you gave us in connection with that internal investigation of Smith last summer? Well, the case is going to trial, and we need the chain of custody to prove that Smith really wrote all those things. Without the chain of custody, the judge won’t admit any of that information, and we’ll get killed at trial.” While chain of custody is a legal is challenging the authenticity of If “chain of custody” is a new or term of art — meaning it has a evidence — particularly where digital vague concept to you, you’re not alone. specific meaning in the law and can evidence is involved — I’ve found that

In simplest terms, a proper chain have legal consequences — it has there are very few who adequately Henderson L ael of custody establishes the integrity significant practical implications for account for the chain of custody, let of a piece of evidence, showing that IT managers and other professionals. alone appreciate its importance,” it wasn’t tampered with or otherwise “Although it plays a critical function observes Scott Carlson, a partner in

altered since it was first collected. in litigation where opposing counsel the Chicago office of Seyfarth Shaw, by illustration

38 | CDW•G EdTech - Higher Education edtechmag.com | May/June 2006 Security Checklist

to produce from Smith’s computer road map for the handling of electronic proved that he was sharing proprietary evidence from beginning to end by information with your competitor, recording on an evidence log all getting those files into evidence at items that have been collected and trial is an entirely different matter. tracking in chronological sequence Opposing counsel will challenge every individual who has had custody the integrity of the files and may of each object. IT managers should claim that the court should not allow work with general counsel to develop that evidence because it was altered, and implement a plan for collecting deleted or inserted long after Smith and preserving electronic data in order last set foot on your premises. Your to maintain a solid chain of custody. attorney is going to need sworn However, before even beginning to testimony from you, or someone on collect evidence and create the chain your staff, to overcome this attack. of custody, other potentially valuable Rules of evidence require that a party evidence needs to be collected at seeking to admit an item of evidence the scene of the crime (in this case, must first prove that the item is what the Smith’s workspace). Before moving party claims it is. In the world of digital evidence, even a modern-day Perry Mason might be left scratching his head. How do you establish that the critical e-mail you found through your examination of a copy of Smith’s hard There are going drive is from the same set of ones and zeroes that existed on his computer to be times when when you seized it 18 months ago? It’s not as if you could crack open the it’s tempting to case on Smith’s computer, pull out the hard drive, open it and say, “Aha, I’d “forgo collecting recognize those ones and zeroes on that hard drive platter anywhere!” and maintaining The chain of custody is the device the chain of custody. that the proponent of an item of evidence uses to authenticate that an Don’t succumb! object is what it purports to be. In this case, it establishes that the e-mail comes from the set of ones and zeroes that were present on Smith’s hard drive on the day it was taken into custody. or touching anything there, steps should be taken to record the location Collect and Preserve and condition of the computer and “Early in my career, we used the chain other items in Smith’s workplace.” A of custody to show that a particular digital camera and a notepad can be packet of heroin was the same packet handy tools for capturing evidence that we seized from a drug dealer, such as what was on Smith’s computer even though one packet of heroin screen when investigators arrived. looks like any other packet of heroin,” Now that the scene has been explains Dan Bellich, who retired after documented, the process of constructing 27 years with the FBI to form Protek the chain of custody begins. As each International, a computer forensics item is carefully collected, it should whose practice focuses on electronic and investigations firm in Clarendon be marked with a unique identifying evidence and complex litigation. Hills, Ill. “With digital evidence, number to allow you to locate and track we use the chain of custody in the that item. An example in Smith’s case Where’s the Proof? same way: to establish that otherwise might be “06 Smith A 1.1,” where 06 To illustrate the significance of indistinguishable digital evidence refers to the year, Smith is the name chain of custody, let’s go back is the same as what was previously of the investigation, A refers to items to the original anecdote. While seized from a bad guy’s hard drive.” related to his computer system, the first the electronic files you were able The chain of custody provides a 1 is the group of peripherals and the

May/June 2006 | CDW•G EdTech - Higher Education edtechmag.com | 39 Security Checklist

second 1 is the number for the monitor. that the data is in substantially the The extraordinary unlikelihood of two The person collecting this item same condition as when it was seized,” different data sets generating matching should initial or sign and date the item explains Patrick Zeller, a former high- hash values is sufficient to allow a so that when authenticating it in court, tech prosecutor and litigator who judge to rely on matching hash values he can explain that he knows this is is now assistant general counsel for as sufficient evidence of authenticity. the monitor he collected from Smith’s Guidance Software, a Pasadena, Calif., By obtaining a hash value as quickly office because it has the evidence computer forensics software developer. as possible after taking custody of label that includes his handwritten Critical areas for establishing this an item of digital evidence and then signature and the date it was collected. aspect of authenticity include confirming demonstrating that it matches the hash The evidence number for all items that there are no missing links in value of that same evidence at a later is recorded on the evidence log, and the chain of custody; detailing how date (or a duplicate forensic image that a record is created of every person your storage facility is inaccessible you are working on), you can take the who handles that evidence. Those to unauthorized individuals and has wind out of the sails of any arguments individuals should also be prepared proper climate and environment by opposing counsel that the data was changed after you took custody of it.

A Shield and a Sword Chain of Custody Checklist Proper evidence handling and chain of custody provide both a shield and a sword for the credibility and ■ Have a plan before an incident occurs. Identify your “go-to” people, persuasiveness of your whether in-house or outside, while the waters are still digital evidence. First, calm. opposing counsel is ■ Do not touch the computer unless you are experienced either going to shy in digital forensics. Thousands of files are altered away from this line simply by turning it on. of attack because a ■ Document the location and condition of everything strong chain of custody before touching anything. A digital camera can help. makes it apparent that ■ Systematically collect items of evidence, marking and you have handled the recording each item with a unique number. evidence properly, or ■ Record the date, time, personnel and purpose for every they are going to lose transfer of custody. credibility with the ■ Store evidence in a secured, climate-controlled location, judge or jury by wasting away from other items that might alter or destroy digital their time on a pointless evidence. matter. Second, the ■ Computer forensic examiners should be able to testify persuasive value of that they have validated that their tools and processes your digital evidence do not create alterations to the data. is bolstered, and your ■ Hash values of files and/or media should be created as credibility is enhanced. early as possible. With all the responsibilities placed on busy professionals today, there are going to be times to testify about how they stored the controls; and demonstrating how when it’s very tempting to forgo evidence. The record is kept until after the tools and processes utilized by collecting and maintaining the the investigation or court proceedings, your examiner are used in such a chain of custody. Don’t succumb! when the evidence is no longer needed way as to not alter any of the data Take the time to develop and and is not required to be maintained. in the course of the examination. implement your chain of custody The proponent of an item of Even with helpful testimony on all and evidence handling protocols. evidence also must be able to establish these points, you still can’t testify, “I saw You will be thankful when you’re that the evidence is in substantially the ones and zeroes and electromagnetic in court and your smoking gun the same condition as it was when dust 18 months ago, and what is e-mail nails a conviction. ■ it was taken into custody. before us today is in substantially the “Because digital evidence is more same condition as it was back then.” Keith G. Chval is a principal with susceptible to intentional or inadvertent However, you do have the next best Protek International, a computer forensics, alteration or destruction than many thing — what’s called a hash value. This litigation support and investigations forms of evidence, it is critical that value is created when a sophisticated firm, and a member of the law firm a witness be able to offer evidence algorithm is run against a particular set of Connolly, Ekl & Williams PC, upon which the judge can conclude of data, such as a file, CD or hard drive. both based in the Chicago suburbs.

40 | CDW•G EdTech - Higher Education edtechmag.com | May/June 2006