
Getting (the Chain of Custody) Wrapped Around the Axle

Lawyers, so you've recognized the need to preserve data on a device in your initial investigation. (That deserves its own congratulations.) The device is probably a phone, but it could be essentially any device. (Well, for this discussion, any device that's portable.) So you tell your client to bring the device to your office. And you set about finding an examiner to extract data from it.


What are you doing with the device in the meantime? Did it get handed to a receptionist in the lobby, who then buzzed you to let you know it was waiting for you up front or downstairs? Then the next time you went through the lobby, you picked it up and carried it to your assistant to hang on to? And then it sat on someone's desk until you finally got around to lining up a forensic examiner.


You probably recognized the need to preserve it because of the potential evidence it holds. Evidence that you would like to introduce. Evidence that will have to be authenticated, which requires showing that it is the same when introduced as it was when it was created. Or maybe you need to prove a negative--that the evidence never existed (rather than that the evidence was deleted at some point).


Can you account for who has had access to the device while it was in your office? Or what happened to it during that time? Have you taken steps to make sure data is not deleted through the normal operation of the device while it is at your office?


All of this affects chain of custody (or “proof of origin”), which may need to be established if data from the device is later introduced as evidence. Being unable to account for some of these periods of time can create breaks in the chain of custody and might prevent authentication of data from the device.


Think about this from the standpoint of opposing counsel—would you challenge evidence from a device that sat on someone’s desk for days or weeks, where anyone could have done anything to it during that time?


If you are going to take steps to preserve evidence on a device, take steps to document the device’s chain of custody. Consider the following:


· When your office receives the device, document the date and time it was received, by whom, and from whom. Each transfer of the device from one person to another—even just from the receptionist to your assistant and then to you—should be similarly documented.

· Take pictures of the device to show its condition upon receipt. If possible, capture identifying information, such as a model number or serial number. These are not always present on the outside of a device, and even if present, can be difficult to capture legibly.

· Do not interact with the device while it is in your office’s custody. If it is off, leave it off. If it is on, consider charging it to keep it from going dead.

· Restrict access to the device—sitting out on someone’s desk is not going to protect the chain of custody.

· Do not delay in engaging a forensic examiner. Even if your client has bought a new phone and does not “need” this one anymore, it is generally better to get the device to an examiner sooner rather than later. This is not only to protect the chain of custody, but also to prevent data loss over time, which often occurs.

· Consider having the device’s custodian transfer it directly to the digital forensic examiner rather than through your office. By putting your office in the chain of custody, you are creating the possibility that someone from your office may have to testify at some point.
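
For offices that keep the custody log electronically, the transfer record described in the list above can be checked for breaks before the device ever reaches an examiner. The following is an added example, not part of the original post; the field names, the "restricted" flag, and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime       # date and time of the hand-off
    released_by: str     # from whom
    received_by: str     # by whom
    restricted: bool     # assumed field: kept in restricted-access storage afterwards?


def find_breaks(log):
    """Return descriptions of gaps in a custody log, in chronological order."""
    problems = []
    ordered = sorted(log, key=lambda t: t.when)
    if ordered != list(log):
        problems.append("entries are not recorded in chronological order")
    for prev, cur in zip(ordered, ordered[1:]):
        # Each hand-off must start with whoever last received the device.
        if cur.released_by != prev.received_by:
            problems.append(
                f"{cur.when:%Y-%m-%d %H:%M}: released by {cur.released_by}, "
                f"but the last documented holder was {prev.received_by}"
            )
    for t in ordered:
        # A holder without restricted access is an opening for a challenge.
        if not t.restricted:
            problems.append(
                f"{t.when:%Y-%m-%d %H:%M}: held by {t.received_by} "
                f"without restricted access"
            )
    return problems


# Constructed sample log: the receptionist-to-attorney hand-off was never written down.
SAMPLE_LOG = [
    Transfer(datetime(2024, 3, 4, 9, 5), "Client", "Receptionist", False),
    Transfer(datetime(2024, 3, 4, 14, 30), "Attorney", "Assistant", True),
    Transfer(datetime(2024, 3, 6, 10, 0), "Assistant", "Forensic examiner", True),
]

if __name__ == "__main__":
    for problem in find_breaks(SAMPLE_LOG):
        print(problem)
```

Each line it reports is a period that someone from the office may later be asked to explain.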

 
