Nauman Ashraf Bodla

Maintain chain of custody of evidence

I’m Nauman Ashraf Bodla, Deputy Director in the Federal Investigation Agency (FIA) Pakistan. With extensive experience in the field (since 2000), I have sharpened my skills in identifying, analyzing, and neutralizing cyber threats and earned a reputation for my commitment to cybercrime investigations and digital forensics. On top of all, I have the honor of being declared the first digital forensic expert of the country to present expert opinions/testimonies in a court of law. I have also headed the first-ever digital forensic lab of the country and have been trained and educated by world-renowned agencies in how to maintain the chain of custody of evidence.

My career in cybercrime investigations and digital forensics has been driven by a relentless pursuit of knowledge and a desire to stay ahead of the curve, for which I have travelled around the globe to collect informative training and hands-on experience in the field. During this career I have been part of a number of Joint Investigation Teams with international interests.

In this blog, I will discuss how to maintain the chain of custody in cyber crime investigations, why it is a crucial part of cyber crime investigations, and how an investigator can ensure that the integrity of the evidence remains intact.

Understanding Chain of Custody

In the world of cyber crime investigations, maintaining the chain of custody of evidence is paramount. It is considered the backbone of prosecution and ensures that the evidence collected is admissible in court. Chain of custody refers to the chronological documentation that records the handling of evidence. It begins the moment evidence is identified and collected, continues through its various transfers, analyses, and storage, and ends when it is presented before the court. Meticulous documentation of each and every step is crucial for establishing the integrity and authenticity of the evidence.

Why Chain of Custody Matters

Admissibility: Without a properly maintained and recorded chain of custody, evidence may be deemed inadmissible in court, which may jeopardize the entire case.

Integrity: Maintaining the integrity of evidence ensures that it has not been tampered with, altered, or contaminated during investigation, analysis, transport or storage.

Transparency: A clear and undisputed chain of custody that accounts for every step in the handling of evidence promotes transparency and results in a stronger prosecution.

Legal Requirements: I don’t want to be country specific by citing sections of law of a particular country here, but the point is that all legal jurisdictions mandate the maintenance of a chain of custody to uphold the fairness and integrity of evidence. The investigator must therefore keep in mind that no evidence is admissible before the court if its integrity has been violated.

Key Steps in Maintaining Chain of Custody

Documentation: Detailed documentation is the key point of chain of custody. Each time evidence changes hands or changes state, it must be documented thoroughly. The documentation must record when and where the evidence was collected, who collected it, how it was collected, how it was procured, who handled it and for what purpose, how it was transferred from the point of collection to the office / lab, who received it, etc. Every record in the documentation must also carry a time stamp. The cyber investigator must keep in mind that evidence, particularly digital evidence, is fragile, so document – document – document.

Packing and Sealing: Proper packaging and sealing of evidence are crucial to prevent contamination or tampering. Evidence should be placed in appropriate containers and sealed with tamper-evident seals to maintain its integrity. Keep in mind that different types of evidence require different types of packaging, so the container used for each item must be appropriate to prevent external or wireless access.

Labeling: All evidence must be clearly labeled with unique identifiers, such as the case number and exhibit number, so that it can be tracked throughout the investigation and legal proceedings. This also helps in cross-referencing the different items of evidence collected during investigation and analysis.

Storing: Evidence should be stored in a secure and controlled environment to prevent unauthorized access or damage. Access to evidence storage should be restricted, and environmental conditions such as temperature and humidity should be monitored. As already mentioned, digital evidence is fragile: heat and humidity can severely damage it, so it must never be stored in extreme conditions.

Transporting: When evidence needs to be moved from the crime scene or from one location to another, strict protocols must be followed to ensure its security and integrity during transit. This includes using sealed containers, allowing authorized access only, and documenting the transfer with time stamps.

Access Control: Access to evidence should be restricted to authorized personnel only. Any access or handling of evidence must be documented to maintain accountability.

Challenges and Best Practices

Identification of Digital Evidence: In cyber crime investigations, most of the evidence is in digital form, which poses challenges for maintaining the chain of custody. Specialized techniques, software and tools are required to identify, capture, preserve, and analyze digital evidence while maintaining its integrity.

Training and Awareness: Investigators and law enforcement personnel must undergo adequate training on chain of custody procedures and the importance of preserving evidence integrity. Regular refresher sessions and awareness programs help reinforce best practices.

Collaboration: Collaboration between law enforcement agencies, forensic experts, and prosecutors is essential for ensuring the seamless maintenance of the chain of custody across the different stages of an investigation and legal proceedings. At times I have had to collaborate with foreign law enforcement agencies to collect significant pieces of data which I eventually used as evidence in courts of law. However, whenever an investigator collaborates with another law enforcement agency, including a digital forensic facility, he/she has to maintain a proper chain of custody for every piece of evidence that he/she collects or delivers for analysis.

Pre-designed Proforma: Pre-designed forms help you document each step of the process consistently and efficiently. Supervisors or those in charge of investigation circles must develop pre-designed forms which the first responder keeps handy at the time of evidence collection. This helps the first responder to standardize the documentation and recording of events, and it eventually results in a formal, documented chain of custody for successful prosecution.
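The key steps above (documentation with time stamps, unique exhibit labels, recording every hand-over) and the pre-designed proforma can be expressed as a small, tamper-evident custody log. The following is an added example, not code from the original post or from any forensic product: it records each custody event as a row with the fields the post lists, stores the SHA-256 digest of the evidence image taken at collection, refuses to log a hand-over if the image no longer matches that digest, and hash-chains each row to the previous one so that a later edit of any row is detected. The class and function names (`CustodyLog`, `CustodyEvent`, `sha256_hex`, `demo`) and the sample exhibit and handler values are constructed for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Names below (sha256_hex, CustodyEvent, CustodyLog, demo) are hypothetical,
# chosen for this example; they are not taken from any real tool.


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an evidence image, as hex. The digest recorded at
    collection is recomputed at every hand-over and in the lab, so any
    alteration of the image becomes detectable."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    """One row of the chain-of-custody proforma: who, when, where, how, why."""
    exhibit_id: str        # unique label, e.g. case number + exhibit number
    action: str            # collected / transferred / received / analysed / stored
    handler: str           # person taking custody
    location: str          # where the event took place
    method: str            # how it was collected, sealed or transported
    purpose: str           # why custody changed
    evidence_sha256: str   # digest of the evidence image at this moment
    timestamp: str         # ISO-8601 UTC time stamp
    prev_entry_hash: str   # digest of the previous row: links the rows into a chain

    def entry_hash(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64   # prev_entry_hash of the very first row

    def __init__(self, exhibit_id: str, evidence_sha256: str):
        self.exhibit_id = exhibit_id
        self.evidence_sha256 = evidence_sha256   # digest recorded at collection
        self.events: List[CustodyEvent] = []

    def add_event(self, action: str, handler: str, location: str, method: str,
                  purpose: str, current_evidence: bytes,
                  timestamp: Optional[str] = None) -> CustodyEvent:
        """Record a custody event. Refuses if the evidence no longer matches
        the digest taken at collection, i.e. its integrity has been violated."""
        digest = sha256_hex(current_evidence)
        if digest != self.evidence_sha256:
            raise ValueError(f"integrity check failed for {self.exhibit_id}: "
                             f"expected {self.evidence_sha256}, got {digest}")
        prev = self.events[-1].entry_hash() if self.events else self.GENESIS
        ev = CustodyEvent(
            exhibit_id=self.exhibit_id, action=action, handler=handler,
            location=location, method=method, purpose=purpose,
            evidence_sha256=digest,
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            prev_entry_hash=prev,
        )
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """Re-walk the log: every row must point at the hash of the previous
        row and carry the collection-time digest. An edited, removed or
        inserted row breaks the chain and yields False."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_entry_hash != prev or ev.evidence_sha256 != self.evidence_sha256:
                return False
            prev = ev.entry_hash()
        return True


def demo() -> Tuple[bool, bool]:
    """Collection, transport and lab receipt of one exhibit, then a record
    tampering attempt. Returns (log intact before tampering, tampering detected)."""
    image = b"constructed sample disk image contents"   # stands in for a real image
    log = CustodyLog("CASE-2024-0001/EX-03", sha256_hex(image))   # constructed ids
    log.add_event("collected", "Inspector A", "suspect premises",
                  "write-blocked imaging, sealed in anti-static bag #17",
                  "seizure under search warrant", image, "2024-05-01T09:15:00+00:00")
    log.add_event("transferred", "Inspector A", "in transit to lab",
                  "sealed container, hand carried", "delivery for analysis",
                  image, "2024-05-01T11:40:00+00:00")
    log.add_event("received", "Analyst B", "digital forensic lab",
                  "seal verified intact, hash recomputed", "forensic analysis",
                  image, "2024-05-01T12:05:00+00:00")
    intact = log.verify()

    # Someone later rewrites the handler on the transport row: the following
    # row still points at the old row hash, so verification fails.
    log.events[1].handler = "Unknown"
    return intact, not log.verify()
```

Two points follow from the design. First, the integrity check in `add_event` is what the post's "hash recomputed on receipt" step looks like in practice: a lab that receives an image whose digest differs from the one on the collection form should refuse to take custody and raise the discrepancy, not silently continue. Second, hash-chaining only detects edits to rows that have a successor; the final row must be protected by other means (a countersigned printout, an export to write-once storage, or the tool's own signed export), which is exactly why the post insists on documenting the last hand-over into the court as well.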

Forensic Software: Being a digital forensic expert, I am of the opinion that forensic tools allow investigators to collect, analyze, and preserve digital data from various devices, like computers, smart phones, and even cloud storage. They can recover deleted files, uncover hidden messages, and identify traces of malicious activity. These tools are considered digital magnifying glasses or microscopes, which meticulously examine the electronic footprints left behind by online criminals. All modern forensic software includes chain of custody tracking functionality that can automate documentation tasks.

Conclusion

The bottom line, on the basis of my experience, is that maintaining the chain of custody of evidence in cyber crime investigations is not just a procedural formality. It is a critical component of the investigative and legal process in cyber crime cases. By following rigorous protocols, documenting every step, and leveraging technology and collaboration, investigators can uphold the integrity and admissibility of evidence, ultimately contributing to the pursuit of justice in the digital age.

Other Articles related to Cyber Crimes:

https://www.naumanbodla.com/delving-into-the-digital-a-look-at-cyber-crime-investigations/

https://www.naumanbodla.com/emerging-cyber-threats/

6 thoughts on “Maintain chain of custody of evidence”

  Although this addresses more on investigators’ guidelines, at the same time it is good for public members who may assist investigators.