As ever more evidence in police or intelligence cases is of a digital nature, there is a need for a Digital Evidence Management System. But this, in turn, has its own requirements: the Chain of Custody, as with all evidence, must be preserved at all times, to allow the evidence to be admitted in a trial. And, in the case of digital files, this brings some technological challenges.
The traditional Chain of Custody
With physical evidence, like a bullet at a crime scene, or some blood, the traditional Chain of Custody (CoC) starts right at the crime scene: everything is documented, including where it was in the room (even with coordinates), and pictures are taken to show the relationship between all the items. Then the evidence is collected by an officer and placed into a bag, while documenting exactly what it is. Later, the officer hands the evidence over to an evidence clerk, who stores it in a secure place and documents its reception. Should it be needed for analysis, the clerk records the person, the time and date, and where it goes (i.e. the lab). When it comes back, everything is chronologically recorded again, and so on until the trial. Then the evidence and the Chain of Custody are handed over to the judge, with the signatures of all those who have interacted with the evidence, so he/she can see that the evidence was handled properly, and only by authorized people, and can therefore be admitted in court. This also establishes the authenticity of the evidence and the fact that it pertains to the crime being judged.
And why is all of this so important? One of the reasons is that the CoC rules out anyone tampering with the evidence, or even planting evidence in a case, to make the accused look guilty or innocent. Keeping an exhaustive record of every movement and every person involved precludes the possibility of evidence tampering.
The digital Chain of Custody
Today, besides the physical evidence, it is more and more frequent to have to deal with digital evidence in police cases. Phone records, files, pictures, videos, audio recordings, documents, PDF files… the list goes on and on.
However, as we all know, digital files can be edited or tampered with quite easily. How, then, can you prove that the recording you are presenting to the judge is exactly the same one that was copied off the phone of the criminal being judged? A good DEMS should be able to prove that the files initially uploaded to the system are exactly the ones the judge is going to see.
On the bright side, working with digital files has its advantages. For one, you can easily get a Hash of any file: a very long hexadecimal number calculated from every bit of the file. Even a change to a single bit will produce a completely different Hash. Hence, if the Hash of a file is taken when it enters the DEMS, it is easy to check whether the file being presented to the judge has been modified, simply by calculating the Hash again. If it matches, the file's integrity is completely intact. This also makes it easier to be compliant with regulations like NERC CIP, NIST CSF, PCI DSS, GDPR or HIPAA. But, mainly, it demonstrates that the evidence is original and unchanged in any way.
Access logging
Besides file integrity, it is also of paramount importance to know exactly who has seen the evidence. Again, being in the digital realm makes things easier here. Almost any computer system can record when a file has been accessed, and by whom. This takes care of the access trail for a particular piece of evidence. And, since every user who has come in contact with the evidence is accountable for what happens to it, this keeps everything pristine.
But what’s more important is that you can deny access to certain files with complete granularity, assigning specific permissions to the people who will have to deal with them (like read-only, no printing, no screenshotting, no copying, no duplicating, no sharing or transferring, etc.). In this sense a good DEMS has much to offer and can show you the trail of accesses to a file at any time, or even alert you if an unauthorized access is somehow gained.
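The two ideas above, an intake Hash that is re-checked before the file is presented, and an access trail that records who touched the exhibit and whether they were allowed to, can be tied together in a small tamper-evident custody ledger. The following is an added example written for this article, not the code of any real DEMS product; the SHA-256 choice, the hash-chained event log, the permission table and all names and timestamps are assumptions made for illustration.

```python
import hashlib
import json
# Added example: a minimal custody ledger. Each intake or access event is hash-chained
# to the previous one, so altering a past record breaks verification, just as
# re-hashing the exhibit reveals a modified file. All names and values are constructed.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    def __init__(self):
        self.events = []

    def _append(self, event):
        event["prev_hash"] = self.events[-1]["entry_hash"] if self.events else "0" * 64
        event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
        self.events.append(event)

    def intake(self, exhibit_id, data, officer, when):
        # Hash the file the moment it enters the system; this is the reference value.
        self._append({"type": "intake", "exhibit": exhibit_id, "actor": officer,
                      "file_hash": sha256_hex(data), "time": when})
    def access(self, exhibit_id, user, action, allowed, when):
        # Denied attempts are recorded too, so the access trail is complete.
        self._append({"type": "access", "exhibit": exhibit_id, "actor": user,
                      "action": action, "allowed": allowed, "time": when})

    def verify_file(self, exhibit_id, data):
        # Recompute the hash before the file is presented; any changed bit fails here.
        for e in self.events:
            if e["type"] == "intake" and e["exhibit"] == exhibit_id:
                return e["file_hash"] == sha256_hex(data)
        return False

    def verify_ledger(self):
        # Each entry must hash to its recorded value and point at its predecessor.
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or \
               sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

# Constructed permission table: exhibit -> user -> actions that user may perform.
PERMISSIONS = {"EX-001": {"lab_analyst": {"read"}, "prosecutor": {"read", "print"}}}
def request_access(ledger, exhibit_id, user, action, when):
    allowed = action in PERMISSIONS.get(exhibit_id, {}).get(user, set())
    ledger.access(exhibit_id, user, action, allowed, when)
    return allowed
```

A denied action (for instance the analyst trying to print) is logged with `allowed: False`, which is the event an alerting rule would watch for; and because every record is chained, quietly editing or deleting an earlier access entry makes `verify_ledger()` fail.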
Evidence destruction and retention schedules
Finally, at the end of the Chain of Custody is the disposal and/or destruction of the evidence, once it has served its purpose and is no longer necessary. Any Digital Evidence Management System should provide several means of disposing of files, either automatically or manually. Usually a secure deletion system takes care of disposing of the files. This means that the data is not only deleted, but overwritten one or several times with varying patterns of bits, in order to preclude the possibility of data recovery by any means.
Usually retention schedules are defined at the beginning, when the first evidence is collected for a case. After the predefined time elapses, the system can either take care of the deletion of the affected files automatically, or send you a message to let you know that you should dispose of the related files by hand.
Conclusion
Any Digital Evidence Management System needs to be able to keep an unbroken Chain of Custody for its evidence to be valid in a trial. Modern systems have several mechanisms in place that protect digital evidence from being tampered with, deleted or accessed by the wrong people. They also take care of the secure destruction of the files once they aren’t necessary anymore.