Proper Evidence Preservation

The proper collection, recording, storage, and handling of information which will be used as evidence are crucial to an effective prosecution . Information about the processes used in each of these steps will have to be supplied to show that they were done in a manner which would properly insure the quality of the information. For information to be admissable as evidence, it has to pass a number of tests.

Chain of Custody

Proper handling of evidence is required to prove that the evidence has not been tampered with. In the case of computer- related crimes, physical evidence consists of hardware, software, and, most importantly, storage media. Whether the matter is civil, criminal, or administrative, these items are the mother-lode of physical evidence in supporting legal actions. For this reason, it is imperative that these items remain unaltered and undisturbed until they are delivered to investigators . Facilitating the structure of a case, it is very important that a written chain of custody is maintained relative to those who had access to the evidence. A chain of custody schedule is simply a list identifying all the persons possessing evidence, and the times and dates on which they held the evidence. Some jurisdictions require that all persons are listed who had access to the evidence during the time of its custody. Extreme care must be exercised in completing a chain of custody. More than one piece of critical evidence has been thrown out because of an incomplete chain-of-custody schedule.

Proper Timestamps

Timestamps on logs at the time of the event which show the events of the incident are necessary to provide a strong evidence of the activities which were part of the incident. Timestamps show when files were created and last modified. They are important in showing that the file containing information which is to be used as evidence was collected at the time of the incident and that has not been altered after the incident. Timestamps used in conjunction with digital signatures provide strong support to the proper handling of evidence.