SANS Digital Forensics and Incident Response Blog: Tag - Composition Books

Keeping Evidence Safe for Litigation

You have an incident. You have collected hard drives, USB drives, thumb drives, and PDAs. You made bit for bit images of all of them. Now, what do you do with the originals to ensure chain of custody?

First, make sure they are all stored inside static free bags, such as those in which hard drives are packaged when new. It is possible to obtain static free evidence bags, but the easiest thing to do is to use a plain static free bag to wrap the device, then store the device, bag and all, inside an ordinary plastic evidence bag. Such bags are available from companies that sell them to law enforcement.1 Just Google "Evidence Bags" for lots of choices. Here are the bags we use in my organization: