Unit 4 Evidence Handling
WHAT IS EVIDENCE?
During an investigation of a computer security incident, you may be
unsure whether an item (such as a floppy disk) should be marked as
evidence or merely be an attachment or addendum to an
investigative report.
• We can define evidence as any information of probative value,
meaning it proves something or helps prove something relevant to
the case. It is safest to treat any information of probative value that
you obtain during an investigation as evidence.
• Therefore, any document, electronic media, electronic files, printouts,
or other objects obtained during an investigation that may assist you
in proving your case should be treated as evidence and handled
according to your organization’s evidence-handling procedures.
Original Evidence
• For our purposes, we define original evidence as the original copy of the evidence
media provided by a client/victim. We define best evidence as the original
duplication of the evidence media, or the duplication most closely linked to the
original evidence.
• The evidence custodian should store either the best evidence or the original
evidence for every investigation in the evidence safe.
THE CHALLENGES OF EVIDENCE HANDLING
One of the most common mistakes made by computer security professionals is
failure to adequately document when responding to a computer security
incident.
• Critical data might never be collected, the data may be lost, or the data’s
origins and meaning may become unknown. Added to the technical complexity of
evidence collection is the fact that properly retrieved evidence also requires a
paper trail.
• Such documentation is seemingly against the natural instincts of the technically
savvy individuals who often investigate computer security incidents.
• The biggest challenges to evidence handling are that the evidence
collected must be authenticated at a judicial proceeding and that the chain of
custody for the evidence must be maintained. You must also be able to
validate your evidence.
Authentication of Evidence
The Federal Rules of Evidence (FRE), as well as the laws of many state
jurisdictions, define computer data as “writings and recordings.” Documents and
recorded material must be authenticated before they may be introduced into evidence.
• Authentication, defined in FRE 901(a), basically means that whoever
collected the evidence should testify during direct examination that the
information is what the proponent claims it to be. In other words, the most
common way to authenticate evidence is to have a witness who has
personal knowledge of the origins of that piece of evidence provide
testimony.
Chain of Custody
• Maintaining the chain of custody requires that evidence collected is
stored in a tamper-proof manner, where it cannot be accessed by
unauthorized individuals. A complete chain-of-custody record must
be kept for each item obtained.
• Chain of custody requires that you can trace the location of the
evidence from the moment it was collected to the moment it was
presented in a judicial proceeding. To meet chain-of-custody
requirements, many police departments and federal law enforcement
agencies have property departments that store evidence (the best
evidence) in a secure place.
• Experts and law enforcement officers must “check-out” the evidence
whenever they need to review it, and then “check-in” the evidence
each time it is returned to storage.
OVERVIEW OF EVIDENCE-HANDLING PROCEDURES
• When handling evidence during an investigation, you will generally
adhere to the following procedures:
1. If examining the contents of a hard drive currently placed within a
computer, record information about the computer system under
examination.
2. Take digital photographs of the original system and/or media that
is being duplicated.
3. Fill out an evidence tag for the original media or for the forensic
duplication (whichever hard drive you will keep as best evidence and
store in your evidence safe).
4. Label all media appropriately with an evidence label.
5. Store the best evidence copy of the evidence media in your
evidence safe.
6. An evidence custodian enters a record of the best evidence into
the evidence log. For each piece of best evidence, there will be a
corresponding entry in the evidence log.
7. All examinations are performed on a forensic copy of the best
evidence, called a working copy.
8. An evidence custodian ensures that backup copies of the best
evidence are created. The evidence custodian will create tape
backups once the principal investigator for the case states that the
data will no longer be needed in an expeditious manner.
Evidence System Description
Before any electronic evidence is gathered, certain data should be recorded
regarding the status and identification of the originating computer system.
The type of information typically recorded includes the following:
▼ Individuals who occupy the office or room where the original evidence is found
■ Individuals who have access to the office or room where the original evidence is found
■ The users who can actually use this system (is it available for use by all users,
or do only a select few individuals use it?)
■ Location of the computer in the room
■ State of the system: powered off/on, data on the screen
■ The time/date from the system BIOS
■ Network connections: network, modem
■ Individuals present at the time of the forensic duplication
■ Serial numbers and models of the hard drives and system components
▲ Peripherals attached to the system
Digital Photos
After recording system details (or even prior to this), you may want to
take several photographs of the evidence system. There are several
reasons for this:
▼ To protect your organization/investigators from any claims that
you damaged property
■ To ensure you return the system to its exact state prior to forensic
duplication
▲ To capture the current configuration, such as network
connections, modem connections, and other external peripherals
Evidence Tags
All best evidence collected should be labeled in a manner that
satisfies federal and state guidelines, at a minimum. Our practice,
which supplements the federal guidelines, requires recording the
following information for each item we collect:
▼ Place or persons from whom the item was received
■ If the item requires consent to search
■ Description of the item(s) taken
■ If the item is a storage device, the information contained within
■ Date and time when the item (evidence) was taken
■ Full name and signature of the individual initially receiving the
evidence
▲ Case and tag number related to the evidence (for example, if you
take three floppy disks from three people, the floppies may be
assigned evidence tag numbers 3, 4, and 5)
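The following is an added example and is not part of the original unit. It models the evidence-tag fields listed above, the check-out/check-in chain-of-custody record described under Chain of Custody, and the working-copy step of the evidence-handling procedures (examinations run on a forensic copy, never on the best evidence). It adds one assumption the slides do not state outright: a cryptographic hash of the best evidence is recorded on the tag at acquisition so that a working copy can later be validated against it. All names, case numbers and the byte string standing in for a drive image are constructed.

```python
"""Evidence tag, chain-of-custody log and working-copy validation (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hash value that ties a working copy back to the best evidence."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class EvidenceTag:
    """The tag fields the unit lists, plus a best-evidence hash (our assumption)."""
    case_number: str
    tag_number: int
    received_from: str         # place or person the item was received from
    consent_required: bool     # does the item require consent to search?
    description: str           # description of the item taken
    contents: str              # if a storage device, the information it contains
    received_at: datetime      # date and time the item was taken
    received_by: str           # full name of the individual initially receiving it
    best_evidence_sha256: str  # assumption: recorded at acquisition for later validation


@dataclass(frozen=True)
class CustodyEvent:
    when: datetime
    who: str
    action: str  # "collected", "check-out" or "check-in"
    note: str


class CustodyLog:
    """Chain-of-custody record for one tagged item: every movement is logged,
    and the item can be held by only one person at a time."""

    def __init__(self, tag: EvidenceTag) -> None:
        self.tag = tag
        self.holder: Optional[str] = None  # None means "in the evidence safe"
        self.events: List[CustodyEvent] = [
            CustodyEvent(tag.received_at, tag.received_by, "collected", "placed in evidence safe")
        ]

    def _check_order(self, when: datetime) -> None:
        if when < self.events[-1].when:
            raise ValueError("custody events must be recorded in chronological order")

    def check_out(self, who: str, when: datetime, purpose: str) -> None:
        if self.holder is not None:
            raise ValueError(f"tag {self.tag.tag_number} is already checked out by {self.holder}")
        self._check_order(when)
        self.holder = who
        self.events.append(CustodyEvent(when, who, "check-out", purpose))

    def check_in(self, who: str, when: datetime) -> None:
        if self.holder != who:
            raise ValueError(f"check-in by {who}, but the item is held by {self.holder}")
        self._check_order(when)
        self.holder = None
        self.events.append(CustodyEvent(when, who, "check-in", "returned to evidence safe"))

    def is_unbroken(self) -> bool:
        """True when every check-out is followed by a check-in from the same person
        and the item is back in the safe; any gap here is what gets challenged in court."""
        open_holder = None
        for ev in self.events[1:]:
            if ev.action == "check-out":
                if open_holder is not None:
                    return False
                open_holder = ev.who
            elif ev.action == "check-in":
                if open_holder != ev.who:
                    return False
                open_holder = None
        return open_holder is None


def working_copy_is_valid(tag: EvidenceTag, working_copy: bytes) -> bool:
    """A working copy is fit for examination only if it hashes to the tag's recorded value."""
    return sha256_hex(working_copy) == tag.best_evidence_sha256


def demo() -> dict:
    # Constructed sample: a short byte string stands in for a drive image.
    best_evidence = b"constructed sample drive image contents"
    t0 = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    tag = EvidenceTag(
        case_number="CASE-PLACEHOLDER-001", tag_number=3,
        received_from="J. Doe, Room 214 (constructed)", consent_required=True,
        description="3.5-inch floppy disk", contents="spreadsheet files",
        received_at=t0, received_by="A. Examiner",
        best_evidence_sha256=sha256_hex(best_evidence),
    )
    log = CustodyLog(tag)
    log.check_out("A. Examiner", t0.replace(hour=11), "create working copy")
    log.check_in("A. Examiner", t0.replace(hour=12))
    double_checkout_rejected = False
    try:
        log.check_out("B. Analyst", t0.replace(hour=13), "review")
        log.check_out("C. Other", t0.replace(hour=14), "review")  # must fail: item is out
    except ValueError:
        double_checkout_rejected = True
    log.check_in("B. Analyst", t0.replace(hour=15))
    return {
        "unbroken": log.is_unbroken(),
        "good_copy_ok": working_copy_is_valid(tag, bytes(best_evidence)),
        "altered_copy_ok": working_copy_is_valid(tag, best_evidence + b"x"),
        "double_checkout_rejected": double_checkout_rejected,
        "holder": log.holder,
        "events": len(log.events),
    }


if __name__ == "__main__":
    print(demo())
```

The log refuses a second check-out while an item is held and a check-in by anyone other than the holder, so the record can only ever show the item in the safe or with one named person; `working_copy_is_valid` is the validation step an examiner runs before analysis, and a single altered byte in the copy fails it.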
Evidence Labels
After the evidence tag is created for the best evidence, the evidence
itself—the hard drive in this example—must be labeled. We use
special labels that allow us to erase permanent marker (Sharpie
pens), so we place a single label on a hard drive and change its label
when needed. If labeling the original evidence, we suggest that you
actually mark your initials and date on the original drive.
• Most people opt to use a permanent marker, but you could actually
scratch your initials on the original evidence media in a discreet
location. Your goal is simply to mark the evidence so that it is
readily identified as evidence media and so you can immediately
identify the individual who retrieved the evidence (for
authentication purposes in court).
Evidence Storage
The investigator collecting the evidence (and all others who have custody
of the items) must maintain positive control of the evidence at all times.
This requires that consultants working at a client site have a means to
store and transport any evidence in a manner that protects the evidence
and prevents unauthorized access.
• At the very least, the container must be able to show signs of tampering by
parties outside the chain of custody. The evidence must also be protected
from alteration by the environment. This means that the evidence must
not be exposed to possibly damaging electromagnetic fields, or kept in
areas of extreme temperatures or conditions.
• Initial disposition occurs when the final investigative report has been
completed and the analysis, for all practical purposes, is finished. In other
words, the forensic expert or the investigator has no outstanding tasks
that require the best evidence.
• All media that contained working copies of the evidence should be
returned to the evidence custodian to be wiped clean and placed back into
the rotation as a clean storage drive. The evidence custodian disposes of
the best evidence, but not the tape backup of the best evidence.
• We adhere to a final disposition of evidence occurring five years from the
date a case was initially opened, unless otherwise directed by law, the
court, or some deciding body.