Nowadays, digital forensics is a crucial part of many investigations. However, for digital evidence to hold weight in a court of law it must be properly identified, collected, preserved and documented. This is where the Chain of Custody (CoC) comes into play, serving as the cornerstone of cyber forensic investigations. The CoC is the documentation that tracks the collection, handling, transfer and storage of (digital) evidence from collection to archiving.

In the current digital age, evidence can be easily altered, which makes a proper CoC all the more necessary.[1] A broken or mishandled CoC can lead to evidence becoming inadmissible, which subsequently jeopardises the entire case. This blog article will explain what the chain of custody is, why it matters, the challenges involved and the best practices to follow in cyber forensic investigations to strengthen its integrity.


What is the Chain of Custody and why is it critical?

The CoC is the process for maintaining chronological documentation of how (digital) evidence is handled. Every transfer of the evidence from one person to another, from the moment it is collected, is recorded to establish that nobody else could have accessed or possessed it without authorisation.[2] There should be documentation of how the data was identified, collected, transported, analysed and preserved for production.[3]

The CoC is also critical for forensic investigations as digital evidence is vulnerable to external factors.[4] According to Vanstone, this relates to the concept of digital integrity:

“The property whereby digital data has not been altered in an unauthorised manner since the time it was created, transmitted, or stored by an authorised source.”[5]

The CoC’s main purposes are ensuring authenticity, maintaining integrity, legal admissibility and accountability. Firstly, a well-maintained CoC proves that the evidence was not tampered with and is in the same state as at the time of initial collection. According to the European Union Agency for Network and Information Security, ‘documenting a chain of custody is extremely important to establish the authenticity of the evidence.’[6] Secondly, since digital evidence is susceptible to alteration, there have to be guidelines in place to ensure that no modifications, unauthorised access or changes have taken place. A properly maintained log of access and transfers protects the integrity of the evidence.[7] Thirdly, courts often require proof of an unbroken CoC for (digital) evidence to be accepted in the proceedings. For example, the European Union has been highlighting the need for harmonisation of rules on electronic evidence gathering given its cross-border dimension in many cases. This is important not only for the prosecution but also for the defendant and their fair trial rights, under which the evidence must be reliable and collected lawfully.[8] Lastly, through the CoC the people involved in the investigation are held accountable for how the evidence is handled. According to the National Institute of Standards and Technology, every person handling the evidence should make a record of it.[9]

If the CoC is not properly maintained and becomes compromised, even irrefutable evidence may become inadmissible or be suppressed. This can occur in several ways. First, if evidence falls into unauthorised hands, there is a risk that it could be tampered with, contaminated or altered, leading courts to question its authenticity and integrity. Second, improper storage can degrade or destroy evidence, particularly when dealing with sensitive physical or digital materials that require controlled environments to maintain their original state. Third, inadequate documentation of the CoC can leave crucial gaps in the tracking of evidence movement, making it impossible to demonstrate that the evidence has remained untouched or unaltered since collection. Furthermore, any discrepancies or unexplained lapses in the CoC record may raise reasonable doubt about the reliability of the evidence, triggering legal challenges from the opposing counsel. Ultimately, such failures can result in the exclusion of otherwise credible evidence from trial, weakening the prosecution’s position and potentially causing an entire case to collapse due to insufficient admissible proof.[10]

Challenges in Preserving the Chain of Custody

While the maintenance of the CoC for physical evidence (weapons, samples etc.) has been developed over decades, that is not the case for digital evidence. This type introduces new challenges because of how easily it can be altered or tampered with.

Digital evidence is fragile and can change unpredictably fast. For example, bits and bytes can be altered without leaving any obvious traces, timestamps or logs can be altered simply by turning on a computer, and copying a file modifies its metadata.

To determine whether digital evidence has been altered, investigators must examine the hash values and logs and take appropriate measures to ensure no unintentional changes have taken place.[11]
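The check described above, as an added example that is not part of the original article: the content of an evidence item is hashed with SHA-256 at collection time and re-hashed whenever it is verified. The evidence file, its contents and its timestamps are constructed here for illustration. The example also shows the two points made earlier: a forensic copy changes filesystem metadata (the modification time) but not the content hash, while a single flipped bit anywhere in the item changes the hash.

```python
"""Added example (not from the article): checking the integrity of a digital
evidence item with SHA-256, the hash value an investigator compares before and
after handling. The evidence file is constructed here for illustration."""
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream disk images in 1 MiB pieces instead of loading them whole


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of the file's contents only; filesystem metadata is not included."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(path: Path) -> dict:
    """What goes on the CoC form at collection time: identity, size and hash."""
    st = path.stat()
    return {"name": path.name, "size": st.st_size, "sha256": sha256_file(path)}


def verify(path: Path, record: dict) -> bool:
    """Re-hash the item and compare it against the acquisition record."""
    return hmac.compare_digest(sha256_file(path), record["sha256"])


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.bin"                       # constructed item
        original.write_bytes(b"constructed sample evidence content\n" * 1000)
        os.utime(original, (1577836800, 1577836800))             # pretend: last modified 2020-01-01
        record = acquisition_record(original)

        # A forensic copy: the content hash matches, even though the copy's
        # modification time differs (metadata changes, content does not).
        copy = Path(d) / "evidence_copy.bin"
        shutil.copyfile(original, copy)

        # A single flipped bit anywhere in the item changes the hash.
        tampered = Path(d) / "evidence_tampered.bin"
        data = bytearray(original.read_bytes())
        data[len(data) // 2] ^= 0x01
        tampered.write_bytes(bytes(data))

        return {
            "copy_hash_matches": verify(copy, record),
            "copy_mtime_differs": copy.stat().st_mtime != original.stat().st_mtime,
            "tampered_hash_matches": verify(tampered, record),
        }


if __name__ == "__main__":
    print(demo())
```

Hashing the content rather than relying on timestamps is the reason the check survives copying: the record written at acquisition remains comparable no matter how many times the item is moved, as long as the bytes are unchanged.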

Connected to this is the fact that if the evidence has been tampered with, such alterations are not easily noticeable unless forensic analyses are performed. An unexplained gap in the record leads to a broken CoC, which in turn leaves the door open to the assumption that something malicious has happened to the data. To avoid this, the actors involved in evidence handling must make sure that such gaps do not exist and that the evidence is kept in a secure environment.[12]

Another challenge is cloud-based evidence such as emails, documents and user activity.[13] Cloud-based evidence is often requested as it provides crucial communication and decision-making information. In these situations a copy is made from the original source, which is usually an email server or cloud drive. This adds complexity to maintaining the CoC: in some cases a certificate or affidavit is required to verify how the data was collected, and it is sometimes hard to track who accessed or handled the data beforehand. An answer to these issues can be found, for example, in the e-Evidence Regulation, under which custody must be maintained once evidence is collected to ensure its integrity and admissibility.[14] While the Regulation is directed towards law enforcement and judicial authorities, it will certainly have a broader impact on eDiscovery and digital evidence in the upcoming years.[15] The proper maintenance of the CoC is one of the challenges of cloud-based evidence, but the challenges get more complex in cases of cross-border exchange of evidence.

Often when dealing with digital evidence, the source might be in different countries. Various legal systems may work under differing rules on document exchange which makes the proper maintenance of the CoC more complicated. It is unrealistic to expect individuals to be familiar with the legal requirements of every jurisdiction involved. With the lack of uniformity present and when proper procedures are not followed, the court in the receiving country might deem the evidence inadmissible. To ensure admissibility across jurisdictions, collaboration and harmonisation of the rules are necessary for proper CoC preservation. For example, the EU with its e-Evidence framework ensures that evidence shared across member states is accompanied by proper custody documentation and is admissible throughout the EU.[16]

Digital investigations often include enormous amounts of data and managing the CoC for dozens of drives and files can be overwhelming and may lead to mislabelling or misplacing. Current market leading eDiscovery tools, such as RelativityOne, help with this issue and systematise the process by tracking and monitoring each change made through their audit functionalities.[17] However, in most situations the CoC is maintained by humans who make mistakes and even the smallest mistakes can breach the CoC, thus, training and diligence are always of high importance.

In the European Union there are ample privacy and legal constraints regarding the CoC. The GDPR and national data protection laws require that any personal data is used only for legitimate purposes. In this instance, the CoC is important not only for maintaining evidence integrity but also for ensuring that no unauthorised viewing of the raw data or leakage of sensitive information takes place.

Best Practices

To make sure the actors involved keep the CoC intact, the following practices are recommended:

  1. Document in detail every action at the time it is done.
    If evidence is moved from one place to another or a disk is being examined, it is crucial to have a record of it with a specific date and time. This is necessary to later prove the integrity of the evidence in court.
  2. Treat digital evidence with the same care as other evidence.
    Use tamper-evident packaging and seal computers or drives in evidence bags with signatures. Secure the evidence in a locked evidence room or safe and limit access to it. Digital files should be stored safely on a server with access control. Encryption can be used to prevent unauthorised examination. An audit log of these files should be kept.
  3. Preserve the original copy in an unaltered state.
    For analysis, forensic copies should be made to protect the original files from modification. This also protects the original file if corruption were to occur. Each copy should be documented and its hash saved together with that of the original file to prove the match if necessary. As all the copies become part of the evidence, each will need its own CoC initiated.
  4. Ensure all actors involved are properly trained in digital evidence handling.
    It is important that the individuals involved are aware that any minor action can have significant consequences for the CoC and therefore has to be documented accordingly. Organising refresher trainings can ensure everyone involved is up to date with the procedures. Some agencies follow guidelines such as ISO/IEC 27037:2012, which includes training recommendations.[18] Making the CoC part of the organisational culture is crucial.
  5. Align your processes with internationally recognised standards.
    For example, ISO/IEC 27037:2012 provides a framework for the identification, collection, acquisition and preservation of digital evidence, including the CoC. The Budapest Convention on Cybercrime calls for proper evidence handling and requires signatory countries to ensure the integrity of the evidence.[19] This will ensure that the processes are standardised throughout the organisation and give the courts more confidence in the evidence at a later stage.
  6. Protect personal data.
    It is important to handle evidence in compliance with the applicable laws. In the EU this includes, among other things, the rights of individuals whose (personal) data is involved. Access control and data minimisation can help with said protection. Under the principle of confidentiality [20] appropriate security of personal data is required, which can be fulfilled through the CoC as it aims to prevent unauthorised access or alteration. Moreover, for cross-border transfers of evidence containing personal data, legal transfer mechanisms need to be in place (another item in the CoC).
  7. Perform periodic audits.
    By checking the CoC trail of randomly selected cases, its completeness and weaknesses can be assessed. This allows any issues to be addressed and fixed before they become a real problem. Internal or external auditing will also be helpful in the courtroom, as it proves consistency in the process and the trustworthiness of the evidence.
  8. Take advantage of modern tools.
    Software that is able to automate or enforce the CoC, for example by digitally signing evidence logs, can lead to fewer errors along the way. Of interest is also the use of blockchains to record evidence. Because of its immutable ledger, a blockchain can record custody transactions in a way that no party can change. LOCARD is an EU-funded project providing a platform where evidence metadata is stored on a blockchain. If evidence is logged or transferred, the transaction is added to the blockchain and any attempt to tamper with it will be evident and would break the CoC. However, it is important to remember that the technology should only be used as an aid and not as a replacement for human oversight.
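The ideas in items 1, 3 and 8, as an added example that is not part of the original article and not the code of LOCARD or any product: a custody log in which every entry records who did what with which item and when, carries the item's SHA-256 at that moment, is linked to the previous entry by hash, and is authenticated under a key held by the custodian system. An HMAC stands in here for the digital signature a production system would use; the actors, item, timestamps and key are constructed for illustration. Verification reports the first entry that breaks the chain, whether an entry was edited, removed, forged without the key, or records an item hash that differs from the one taken at acquisition.

```python
"""Added example (not from the article, LOCARD or any product): a tamper-evident
chain-of-custody log with hash-linked, HMAC-authenticated entries. HMAC stands in
for a digital signature; all actors, items, timestamps and the key are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64                 # prev_hash of the very first entry
AUTH_FIELDS = ("entry_hash", "mac")  # fields computed over the body, not part of it


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so the same entry always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self, key: bytes):
        self._key = key              # in practice a key held by the custodian system / HSM
        self.entries: list[dict] = []

    def record(self, timestamp: str, actor: str, action: str,
               item_id: str, item_sha256: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "timestamp": timestamp, "actor": actor,
                "action": action, "item_id": item_id, "item_sha256": item_sha256,
                "prev_hash": prev}
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        mac = hmac.new(self._key, entry_hash.encode(), "sha256").hexdigest()
        entry = {**body, "entry_hash": entry_hash, "mac": mac}
        self.entries.append(entry)
        return entry


def verify_log(entries: list[dict], key: bytes) -> tuple:
    """Walk the chain and report (ok, reason); reason names the first broken entry."""
    prev, first_hash_per_item = GENESIS, {}
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in AUTH_FIELDS}
        if body.get("seq") != i or e["prev_hash"] != prev:
            return False, f"entry {i}: link to previous entry broken (entry removed, reordered or inserted)"
        if not hmac.compare_digest(hashlib.sha256(canonical(body)).hexdigest(), e["entry_hash"]):
            return False, f"entry {i}: contents altered after it was written"
        expected_mac = hmac.new(key, e["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_mac, e["mac"]):
            return False, f"entry {i}: not authenticated by the custodian key"
        # Custody steps must hand the item over unchanged: every recorded hash
        # has to equal the one recorded when the item was collected.
        seen = first_hash_per_item.setdefault(e["item_id"], e["item_sha256"])
        if e["item_sha256"] != seen:
            return False, f"entry {i}: item {e['item_id']} hash differs from the acquisition hash"
        prev = e["entry_hash"]
    return True, "chain intact"


def demo() -> dict:
    key = b"constructed-custodian-key"
    item = "HDD-0001"                                   # constructed item identifier
    item_hash = hashlib.sha256(b"constructed disk image").hexdigest()
    log = CustodyLog(key)
    log.record("2024-03-01T09:00:00Z", "A. Collector", "collected", item, item_hash)
    log.record("2024-03-01T11:30:00Z", "A. Collector", "transferred to lab", item, item_hash)
    log.record("2024-03-01T11:45:00Z", "B. Examiner", "received", item, item_hash)
    results = {"intact": verify_log(log.entries, key)}

    # 1. An entry is edited in place (who received the item is changed).
    edited = [dict(e) for e in log.entries]
    edited[2]["actor"] = "C. Unknown"
    results["edited"] = verify_log(edited, key)

    # 2. An entry is removed: the next entry no longer links to its predecessor.
    results["removed"] = verify_log([log.entries[0], log.entries[2]], key)

    # 3. An entry is rewritten and its hash recomputed, but without the key.
    forged = [dict(e) for e in log.entries]
    forged[1]["actor"] = "C. Unknown"
    body = {k: v for k, v in forged[1].items() if k not in AUTH_FIELDS}
    forged[1]["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
    results["forged"] = verify_log(forged, key)

    # 4. The item arrives with a different hash than the one taken at collection.
    changed = CustodyLog(key)
    changed.record("2024-03-02T09:00:00Z", "A. Collector", "collected", item, item_hash)
    changed.record("2024-03-02T10:00:00Z", "B. Examiner", "received", item,
                   hashlib.sha256(b"modified disk image").hexdigest())
    results["item_changed"] = verify_log(changed.entries, key)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} ok={ok!s:5s} {reason}")
```

The hash link makes removal or reordering visible, the per-entry authentication means that recomputing hashes is not enough to rewrite history without the custodian key, and the per-item hash check ties the log back to the acquisition record so a handoff cannot silently replace the item. An append-only store or a blockchain-backed platform such as the one described above adds the property that the log itself cannot be replaced wholesale by a single party.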

Understanding the CoC is crucial for anyone involved in cyber investigations. It enables the actors involved to present their findings with confidence while at the same time protecting individuals by preventing evidence tampering and ensuring that the right to a fair trial is upheld.

About the author:


Karolina Smereczyńska joined FORCYD as a Cyber Forensics and eDiscovery analyst as part of the Starters Academy.

Karolina holds an LL.B in European law with a specialisation in Business Law, and an LL.M. in Forensics, Criminology and Law. Before joining Forcyd she undertook an internship as a legal analyst at the International Criminal Court.

References

[1] Mutual Admissibility of Evidence and Electronic Evidence in the EU – eucrim and https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-72.pdf
[2] https://www.ncbi.nlm.nih.gov/books/NBK551677/
[3] Matthew N.O. Sadiku, Adebowale E. Shadare and Sarhan M. Musa, ‘Digital Chain of Custody’ [2017] International Journal of Advanced Research in Computer Science and Software Engineering; and Cybercrime Module 6 Key Issues: Handling of Digital Evidence
[4] Jasmin Ćosić and Miroslav Bača ‘An Ontological Approach to Study and Manage Digital Chain of Custody of Digital Evidence’ [2011] Journal of Information and Organizational Sciences
[5] Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, [1997] CRC Press
[6] Cybercrime Module 6 Key Issues: Handling of Digital Evidence; and European Union Agency for Network and Information Security, ‘Electronic evidence – a basic guide for First Responders’ [2014]
[7] Cybercrime Module 6 Key Issues: Handling of Digital Evidence
[8] Mutual Admissibility of Evidence and Electronic Evidence in the EU – eucrim
[9] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-72.pdf
[10] What Happens If The Chain Of Custody Is Broken? | Joyce A. Julian, P.A.
[11] Cybercrime Module 6 Key Issues: Handling of Digital Evidence
[12] European Union Agency for Network and Information Security, ‘Electronic evidence – a basic guide for First Responders’ [2014]
[13] Cloud vs. Physical Evidence Storage for Digital Evidence
[14] Article 6 Regulation (EU) 2023/1543; and New regulation simplifies the exchange of digital evidence in criminal cases within Europe | News item | Government.nl
[15] E-evidence – cross-border access to electronic evidence – European Commission
[16] Mutual Admissibility of Evidence and Electronic Evidence in the EU – eucrim; and Recital 9 and Article 20 Regulation (EU) 2023/1543
[17] Hansken, the open digital forensic platform – Eipa
[18] Audit – RelativityOne
[19] ISO/IEC 27037:2012 – Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
[20] Article 5(1)(f) Regulation (EU) 2016/679