15.3 Evidence Collection and Chain of Custody
A critical part of any computer forensic investigation is ensuring proper evidence collection and proper maintenance of the chain of custody of the evidence collected. Positive control is the phrase most often used to describe the standard of care taken in the handling of potential evidentiary material (e.g., suspect computer systems, hard drives, and any backup copies). You need to be sure that you can identify the who, what, when, where, how, and why of each piece of evidence or material that you collect during the investigation:
Who. Who handled the evidence?
What. What procedures were performed on the evidence?
When. When was the evidence collected and/or transferred to another party?
Where. Where was the evidence collected and stored?
How. How was the evidence collected and stored?
Why. For what purpose was the evidence collected?
If evidence must change hands multiple times, you may have a very long list of information to keep track of here.
At the beginning of the investigation in this case study we identified approximately 20 systems that required computer forensic analysis. Working with the client's IT department, however, we learned that the computers belonging to the people being investigated had recently been refreshed, and the old computers were still at the client site. That meant that we had to maintain positive control over approximately 40 computer systems.
The auditors on the team had already procured temporary office space near the client location to serve as the headquarters of the investigation. Because the investigative team members came from multiple firms, we needed a convenient space in which to work, and we certainly needed to be close to the client. The office space included a couple of offices that could serve as interview rooms, as well as a large conference room that would be the primary workspace. Before the team moved into that conference room, we had a locksmith install a new lock on the conference room door. (We joked that the owner of the facility might not be too happy that we were changing their locks, but the case warranted such action.) Only three keys to this door were produced, and all of them were marked "Do Not Copy." The keys were given to two of our investigators and the lead attorney. We all agreed to return the keys to the property owner at the end of the engagement.
The lead attorney expressed a lack of confidence in having the team's work papers secured by a simple door lock. The latch on the lock was so exposed that most of the team felt that any determined person could break into the room by simply using a credit card or wire coat hanger to move the latch away from the door frame and open the door. The security team was asked if anything else could be done to secure the room.
To add an extra layer of security, we recommended installing a miniature camera with a radar-based motion detector. The camera recorded to an extended-play VHS recorder and was turned on after hours, on weekends, and whenever any fewer than three team members were in the room. With the camera in place, we could monitor anyone entering, moving within, or leaving the room. We selected the radar-based motion detector because we needed to hide the entire apparatus in the conference room. During the day, many client personnel, including suspects, entered our room as a normal course of business, and we did not want any of them to know that the camera had been installed, so it needed to be out of sight. Further, if someone were to break into our room after hours, it was less likely they would uncover our camera and motion detector than if we had used an infrared-based motion detector that could not be hidden.
With the motion detector in place, the camera would automatically turn on when someone entered the room (and we wouldn't be recording hours and hours of no activity). For an extra level of protection, we added a battery backup to the camera and recorder in case power was cut to the room; our camera would run for an additional 60 hours on this battery (to cover a full weekend). In cases of fraudespecially when the dollar amounts involved start to riseyou don't take chances.
15.3.1 Take Your Hands off That Keyboard and Slowly Back Away
With the room secure, we proceeded to gather the computers and computer paraphernalia from the suspects. Several liaisons from the client's physical security team worked with us during this process. Their assistance proved an effective means of obtaining computer systems from company personnel (employees and executives), because those personnel were not expecting our request and were not prepared to resist the company's own physical security department. The fact that someone from the corporate security team was doing the confiscating made the process of turning over a computer system fairly tolerable. After all, yell all they might, the employees really had no choice. We needed this to be an exceptionally quick process because we wanted to mitigate the risk of anyone deleting pertinent files or e-mail from the systems we wanted to obtain. Therefore, we made the collection all at once, creating teams equal to the number of suspects.
Once the computers and all paraphernalia had been obtained by the liaison, with someone from our team present, we utilized a tracking form (see Figure 15.1) to ensure that we properly documented the chain of custody. Both team members (liaison and forensic investigator) signed our tracking form, as did the suspect. If anyone refused to sign the form, the refusal was noted and a witness (another employee who happened to be in the area) was asked to sign. (When faced with the threat of involving a witness, most suspects quietly signed.) This process was repeated when the computer was returned to the client.
Figure 15.1 Chain of Custody Tracking Form