Digital Forensics – The Essential Chain of Custody

By Ron McFarland, Ph.D., CEH, CISSP

Picture1Figure 1: Chain of Custody, (Kent, 2006)

If you are into Cyber Security, you will be, at one point in your career, involved in Digital Forensics to one degree or another. One of the concepts that is essential to Digital Forensics is the Chain of Custody. As a Cyber Security Consultant and (occasional) Digital Forensics Investigator (e.g. Expert Witness), my experience in testifying includes dealing with many Chain of Custody questions when being cross-examined — whether I was investigating software source code theft (using Forensics techniques) or performing a relevant Penetration test (Pen Test).

Chain of Custody is an essential first-step in cyber forensics investigations. Chain of Custody is essentially documenting the way that we secure, transport and verify that items acquired for investigation were held in an appropriate manner. Chain of custody demonstrates ‘trust’ to the courts and to client that the media was not tampered with. It is an audit trail of ‘who did what’ and ‘when it happened’ to a particular piece of evidence.

Digital evidence is an essential element in uncovering intent, mode and method in computer-related crimes and it is important in many internal investigations when an organization addresses risk mitigation to scope out internal processes. Digital evidence is typically acquired from a myriad of devices including a vast number of IoT devices that store user information and data ‘spores’, digital video and images (which may store important metadata and obfuscated/hidden information), audio evidence, and other stored data on flash drives, hard disk drives, and other physical media.

The process for digital forensics follows a structured path. The process comprises four primary steps:

  1. Collection: This is the identification, labeling, recording and the acquisition of data from possible relevant sources that preserve the integrity of the data and evidence collected. This is where the Chain of Custody process is initiated. The Chain of Custody is used throughout these 4 steps, too.
  2. Examination: We use a forensically sound process to collect data in both automated and manual way. DF examiners will carve out particularly interesting data that will be used in testimony that supports or refutes the claim. The preservation of data is essential and we’ll further discuss secure methods to handle digital forensics investigations later. During this step, not only are the results of the investigation process recorded and noted, the Chain of Custody documentation is completed to note the disposition of any collected evidence used in the examination and how it was used.
  3. Analysis: The analysis is a result of the examination. We use legally justifiable methods and techniques to derive useful information to address questions posed in the particular case. Again, the Chain of Custody reporting ‘may’ be involved in this step.
  4. Reporting: This is the documentation of the examination and analysis. Reporting typically includes a statement regarding the Chain of Custody, the explanation of the use of the various tools, a description of the analysis of various data sources, issues and vulnerabilities identified, and recommendations for additional forensics measures.

When acquiring items for evidence, we need to tag each item and log each item into a document. I often use MS/Excel for some basic tracking. However, I do use pre-formatted forms that provide great documentation. Forms are essential, especially if you (a) are working for a professional practice that uses/requires a formatted document for each item in evidence, (b) will be presenting the results of the investigation (e.g. testifying) in court, or (c) if you are working in some capacity as an expert witness. The key elements that require documentation include (and are not limited to):

  1. How the evidence was collected (Bagged/tagged, pulled from a desktop, etc.)
  2. When it was collected (e.g. Date, Time)
  3. How you transported it (e.g. in sealed static-free bag, placed in a secure storage container)
  4. How it was tracked (as an example, I use a form and also track the forms used with an Excel spreadsheet. Provide a sequence number, too, as this serves as a key field for the evidence tracking reports that you may generate)
  5. How it was stored (for example, in secure storage at your facility)
  6. Who has access to the evidence (e.g. this is the check-in/check-out process that you will need to develop. It is essential that we know who had access to each acquired piece of evidence. You will be asked to demonstrate this, if this is a court case.)

Keep in mind that NIST (National Institute of Standards and Technology) provides excellent research about Digital Forensics that can be an essential element to either setting up or maintaining a high-quality Digital Forensics practice.


Kent, K., Chevalier, S., & Grance, T. (2006). Guide to Integrating Forensic Techniques into Incident.


Your e-mail address will not be published.
Required fields are marked*