Chain of Custody

Chain of custody refers to maintaining a documented record of the location and possessor of each piece of evidence at all times from its initial collection through potential court use and subsequent storage. For a piece of evidence to be used effectively in court, chain of custody must be maintained.

Chain of custody begins with the securing of the evidence. The initial individual who secures and catalogs the evidence becomes the first custodian in the chain of custody. This person is responsible for ensuring that the evidence remains secured and intact until it can be brought back to the evidence room. This means that the evidence is in the possession of the custodian at all times or is locked in a location accessible only to the custodian.

Tip 

When transporting electronic media in a vehicle, do not place it in the glove box. Summer temperatures in hot climates of up to 140°F have been recorded in the glove box, well outside the recommended operating temperature of most electronics.

The evidence room should be access-controlled and have direct access by no more than two individuals. Upon arrival, all evidence should be signed in to the evidence room by filling out a chain of custody form. (See Appendix A for an example chain of custody form.) It is then turned over to the evidence room custodian. The evidence must then be logged as present in the evidence room. When the evidence is ready for analysis, the computer investigator signs the evidence out of the evidence room and takes custody for a period of time. After the evidence has been analyzed, it should be returned to the evidence room for proper storage.

Retention of evidence in the storage room will depend on space constraints, volume of evidence, and local statutes of limitations on the type of case. The retention policy should be documented and strictly enforced. Many companies use a 10-year rule for evidence of potentially illegal activity or evidence involved in civil litigation. When presented at court, the chain of custody form for a piece of evidence and any supplementary documentation may need to be presented to prove validity. The documentation should adequately show the following:

  • The evidence collected is the same as that presented in court.

  • The location of the evidence was known at all points in time.

  • An evidence custodian was assigned at all points in time.

  • No individuals outside of those listed on the chain of custody form had access to the evidence.

  • The evidence was not intentionally or inadvertently modified as part of the investigative process.
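
As an added illustration (not from the book), the five points above can be checked mechanically when the chain of custody form is kept as structured records. The field names, the custodian names, and the practice of recording a SHA-256 digest at each hand-over are assumptions; the sample entries are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Entry:
    when: datetime      # time of hand-over
    released_by: str    # previous custodian ("" at initial collection)
    received_by: str    # new custodian
    location: str       # where the evidence is held after hand-over
    sha256: str         # digest recorded at hand-over (assumed practice)

def audit_chain(entries, listed):
    """Return findings; an empty list means no gap was detected."""
    if not entries:
        return ["no custody entries"]
    findings, baseline, prev = [], entries[0].sha256, None
    for i, e in enumerate(entries):
        if e.received_by not in listed:
            findings.append(f"entry {i}: custodian {e.received_by!r} not listed")
        if not e.location:
            findings.append(f"entry {i}: location missing")
        if e.sha256 != baseline:
            findings.append(f"entry {i}: digest differs from collection")
        if prev and e.released_by != prev.received_by:
            findings.append(f"entry {i}: custody gap after {prev.received_by!r}")
        if prev and e.when < prev.when:
            findings.append(f"entry {i}: timestamp out of order")
        prev = e
    return findings

# Constructed sample data (not from a real case).
H = hashlib.sha256(b"constructed disk image").hexdigest()
H_MOD = hashlib.sha256(b"constructed disk image, altered").hexdigest()
LISTED = {"collector", "room_custodian", "investigator"}
T = lambda h: datetime(2006, 5, 1, h)
GOOD = [
    Entry(T(9), "", "collector", "on person", H),
    Entry(T(11), "collector", "room_custodian", "evidence room", H),
    Entry(T(14), "room_custodian", "investigator", "lab", H),
    Entry(T(17), "investigator", "room_custodian", "evidence room", H),
]
BAD = [
    GOOD[0],
    Entry(T(11), "collector", "room_custodian", "evidence room", H),
    Entry(T(14), "investigator", "visitor", "", H_MOD),  # four defects
]

if __name__ == "__main__":
    for f in audit_chain(BAD, LISTED):
        print(f)
```

A clean audit shows only that the records are internally consistent; it does not replace the signed form itself.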



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
EAN: 2147483647
Year: 2006
Pages: 71
Authors: Chad Steel
