SANS Digital Forensics and Incident Response Blog

Keeping Evidence Safe for Litigation

You have an incident. You have collected hard drives, USB drives, thumb drives, and PDAs. You made bit for bit images of all of them. Now, what do you do with the originals to ensure chain of custody?

First, make sure they are all stored inside static free bags, such as those in which hard drives are packaged when new. It is possible to obtain static free evidence bags, but the easiest thing to do is to use a plain static free bag to wrap the device, then store the device, bag and all, inside an ordinary plastic evidence bag. Such bags are available from companies that sell them to law enforcement.1 Just Google "Evidence Bags" for lots of choices. Here are the bags we use in my organization:

Evidence bags have a place to record what is in the bag along with the current and previous custodian information. This particular type of bag is sealed permanently by peeling a strip off and sticking the bag together. The only way to get the contents out is to tear or cut the bag open.

Once sealed, the bags need to be locked in a secure place. We selected a combination gun safe from which we removed the built in gun racks and installed shelves. Gun safes are a good option in that they are relatively inexpensive and they have some fire protection built in. They come in many sizes and, therefore, prices. Again, a quick Google search for "gun safe" will provide you with many options.2

The safe we acquired is a Winchester safe with a combination AND key lock. Here is a picture similar to the one we purchased:

These models of safes are available with combination and/or key, or electronic combination lock styles.

Finally — and possibly most important — keep a detailed log of when evidence is placed in the safe, and removed from the safe, including date, time, person responsible, and a reason. I recommend using a standard composition book with a specific number of pages so any missing pages will be obvious. Store the book (and an ink pen) in the safe with the evidence to protect the log. Such books are available from any office supply store and a host of other retailers.

Place the safe in a secure area with limited access, and limit the number of persons who know the combination and/or who have access to the key. (Only two persons have access in my organization.) Make sure you record the INs and OUTs of the evidence in a log. Then, when you get to court, you will be able to demonstrate in a defensible manner how you protected the chain of custody.

J. Michael Butler, GCFA Gold #00056, is a Information Security Consultant employed by a fortune 500 application service provider who processes over half of the approximately $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise wide information security policies for his corporation.

1. Examples of evidence bags available on line. (Google "Evidence Bags" to find many more options.) http://shop.armorforensics.com/mm5/merchant.mvc?Screen=CTGY&Store_Code=RedWop&Category_Code=2642

http://securitybag.com/evidence-bag/index.shtml?acp=7104&gtse=goog&gtkw=evidence+bags&gclid=CM6DhduswZYCFSCysgodNS7UyA

2. Examples of gun safes available on line. (Google "gun safe" to find more options.)

http://www.patriotsafe.com/?gclid=COudt-GzwZYCFRJexwodgGWzxQ

http://www.safesetc.com/gun-safes.html

http://www.gunsafes.com/

1 Comments

Posted April 5, 2011 at 1:52 PM | Permalink | Reply

forensics

Security is always important!