Evidence Preservation and Chain of Custody

Evidence Preservation and Chain of Custody – A Complete Guide for GIAC GCIH

Introduction

Evidence Preservation and Chain of Custody are foundational concepts in incident response and cyber investigations. Whether you are a security analyst responding to a breach or a forensic examiner preparing evidence for legal proceedings, understanding how to properly preserve evidence and maintain an unbroken chain of custody is critical. For the GIAC GCIH certification, these topics are tested frequently, and a solid understanding can make the difference between a correct and incorrect answer on the exam.

Why Is Evidence Preservation and Chain of Custody Important?

1. Legal Admissibility: If digital evidence is not properly preserved and documented, it may be deemed inadmissible in court. Courts require proof that evidence has not been tampered with or altered since collection.

2. Integrity of the Investigation: Poorly handled evidence can compromise an entire investigation. If an attacker's actions cannot be reliably reconstructed due to tainted evidence, the investigation fails.

3. Organizational Accountability: Organizations have regulatory and legal obligations (e.g., HIPAA, PCI-DSS, GDPR) that may require them to preserve evidence of security incidents for audits, lawsuits, or regulatory inquiries.

4. Credibility: A well-maintained chain of custody demonstrates professionalism and due diligence, lending credibility to the incident response team and any resulting legal action.

5. Reproducibility: Proper preservation allows other examiners to independently verify findings, which is a cornerstone of forensic science.

What Is Evidence Preservation?

Evidence preservation refers to the process of protecting digital and physical evidence from alteration, destruction, or contamination from the moment it is identified through its eventual disposition. Key principles include:

- Bit-for-bit imaging: Creating exact forensic copies (images) of storage media rather than working on the original. Tools like dd, FTK Imager, and EnCase are commonly used.

- Write-blocking: Using hardware or software write blockers to prevent any modification to the original media during the imaging process.

- Hashing: Generating cryptographic hash values (MD5, SHA-1, SHA-256) of evidence at the time of collection and at every subsequent transfer or access. If the hash remains the same, integrity is confirmed.

- Volatile data collection: Capturing data that would be lost if the system is powered off, such as RAM contents, running processes, network connections, and logged-in users. This follows the Order of Volatility principle.

- Secure storage: Storing evidence in a physically secure, access-controlled environment (e.g., locked evidence room, safe, or tamper-evident bags for physical media).

What Is Chain of Custody?

Chain of custody is the documented, chronological record of who has handled a piece of evidence, when, where, and for what purpose. It provides an unbroken trail from the moment evidence is collected until it is presented in court or otherwise disposed of. A proper chain of custody record includes:

- Description of the evidence: What the item is (e.g., hard drive, USB drive, forensic image file), including serial numbers, model numbers, and any identifying marks.

- Date and time of collection: When the evidence was first obtained.

- Identity of the collector: Who collected the evidence (name, title, organization).

- Each transfer event: Every time evidence changes hands, the record must note who released it, who received it, the date/time, and the reason for the transfer.

- Storage location: Where the evidence was stored between handling events.

- Hash values: Recorded at each stage to verify integrity has been maintained.

- Actions performed: What was done with the evidence at each stage (e.g., imaging, analysis, review).

How Does the Process Work in Practice?

Step 1: Identification
During incident response, the handler identifies potential sources of evidence — servers, workstations, network devices, logs, cloud resources, mobile devices, etc.

Step 2: Collection
Evidence is collected following the Order of Volatility:
1. CPU registers and cache
2. RAM (memory)
3. Network state and connections
4. Running processes
5. Disk (hard drives, SSDs)
6. Remote logging and monitoring data
7. Archival media (backups, tapes)

Volatile data is collected first because it disappears when power is lost. Non-volatile data (disk images, logs) is collected next.

Step 3: Preservation
- Create forensic images using write-blockers.
- Generate and record hash values of original media and forensic copies.
- Store originals securely; work only on forensic copies.
- Label all evidence with unique identifiers.

Step 4: Documentation (Chain of Custody)
- Fill out chain of custody forms for every piece of evidence.
- Document every action taken, by whom, and when.
- Use tamper-evident bags or seals for physical media.
- Photograph the scene and evidence as appropriate.

Step 5: Analysis
- Conduct analysis only on forensic copies, never on originals.
- Re-verify hash values before and after analysis to ensure no changes occurred.
- Document all tools used, versions, and methodologies applied.

Step 6: Reporting and Presentation
- Include chain of custody documentation in final reports.
- Be prepared to testify about evidence handling procedures if the case goes to court.

Step 7: Disposition
- Evidence is retained according to organizational policy and legal requirements.
- When evidence is no longer needed, it is securely destroyed and documented.

Key Concepts to Remember for the GCIH Exam

- Order of Volatility (RFC 3227): Always collect the most volatile data first. This is a frequently tested concept. Remember: registers → RAM → network state → disk → archival.

- Forensic Imaging vs. Logical Copy: A forensic image is a bit-for-bit copy that captures all data including deleted files and slack space. A logical copy only captures visible files. Forensic images are preferred for investigations.

- Write Blockers: Hardware or software mechanisms that allow read access to a drive while preventing any writes. Essential for maintaining evidence integrity.

- Hashing for Integrity: MD5 and SHA-1/SHA-256 hashes are used to verify that evidence has not been modified. If the hash of the copy matches the hash of the original, integrity is maintained.

- First Responder Actions: The first person on the scene should secure the area, document the state of systems (screens, running applications), and avoid making changes. Do NOT turn off a running computer without first capturing volatile data (unless policy or safety dictates otherwise).

- Legal Hold / Litigation Hold: A directive to preserve all relevant evidence when litigation is anticipated. Failure to comply can result in spoliation sanctions.

- Best Evidence Rule: Courts prefer original evidence. Forensic copies are acceptable if their creation process is well-documented and integrity is verified through hashing.

- Admissibility Criteria: Evidence must be relevant, authentic (proven to be what it claims to be), and reliable (collected and preserved using sound methods).

- Four Principles of Digital Forensics (ACPO Guidelines):
1. No action should change data on a computer or storage media that may subsequently be relied upon in court.
2. If access to original data is necessary, the person must be competent and able to explain the relevance and implications.
3. An audit trail of all processes applied to evidence should be created and preserved.
4. The person in charge of the investigation is responsible for ensuring that the law and these principles are adhered to.

Common Exam Scenarios and How to Approach Them

Scenario 1: A server is suspected of being compromised. What should the incident handler do first?
Answer: Capture volatile data (RAM, network connections, running processes) before imaging the disk. Follow the order of volatility.

Scenario 2: An analyst creates a forensic image of a hard drive. How do they prove the image is an exact copy?
Answer: By comparing cryptographic hash values (e.g., SHA-256) of the original drive and the forensic image. If they match, the image is verified.

Scenario 3: Evidence is transferred from the collector to an analyst to a legal team. What documentation is required?
Answer: A chain of custody form recording each transfer — who released, who received, date/time, purpose, and hash verification at each stage.

Scenario 4: A question asks what could make evidence inadmissible.
Answer: A broken chain of custody, failure to use write blockers, analyzing originals instead of copies, or inability to prove integrity through hashing.

Exam Tips: Answering Questions on Evidence Preservation and Chain of Custody

1. Memorize the Order of Volatility: This is one of the most commonly tested topics. Know RFC 3227 and be able to rank data sources from most volatile to least volatile.

2. Think "Integrity First": When in doubt, choose the answer that best protects the integrity of evidence. Write blockers, hashing, and forensic imaging are almost always correct in the context of evidence collection.

3. Chain of Custody = Documentation: If a question asks about maintaining chain of custody, the answer almost always involves thorough documentation — who, what, when, where, why, and how.

4. Never Work on Originals: Any answer suggesting analysis should be performed on the original evidence (rather than a forensic copy) is almost certainly wrong.

5. Volatile Before Non-Volatile: If a question presents a scenario where a system is still running, the correct first step is capturing volatile data (RAM, processes, network connections), not pulling the plug or imaging the hard drive.

6. Know Your Tools: Be familiar with common forensic tools — dd, dcfldd, FTK Imager, EnCase, Volatility (for memory analysis), and Wireshark (for packet capture). Know which tool is appropriate for which type of evidence.

7. Hashing Is Key: Understand that hashing is used to verify evidence integrity. Know the difference between MD5 (faster but considered weaker) and SHA-256 (stronger, preferred). Some questions may test whether you know that a hash mismatch indicates evidence tampering or corruption.

8. Read Questions Carefully: GCIH questions often include subtle distinctions. For example, a question about preserving evidence is different from one about analyzing evidence. Preservation focuses on integrity and documentation; analysis focuses on examination techniques.

9. Understand Legal Context: Know the basics of legal holds, the best evidence rule, and what makes evidence admissible. You do not need to be a lawyer, but you should understand how forensic practices support legal requirements.

10. Eliminate Wrong Answers: In multiple-choice questions, eliminate answers that suggest skipping documentation, modifying original evidence, ignoring volatile data, or failing to use write protection. These are almost always incorrect.

11. Practice with Scenarios: Many GCIH questions are scenario-based. Practice walking through incident response steps mentally: identify → preserve → collect → analyze → report. Knowing where evidence preservation and chain of custody fit in this process helps you select the best answer.

12. Remember the Goal: The ultimate goal of evidence preservation and chain of custody is to ensure that evidence is trustworthy, unaltered, and admissible. Every correct answer will align with these goals.

Summary

Evidence Preservation and Chain of Custody are not just procedural formalities — they are the backbone of any credible cyber investigation. For the GCIH exam, focus on the order of volatility, forensic imaging with write-blockers, cryptographic hashing for integrity verification, and meticulous documentation of every evidence handling event. Always prioritize answers that protect evidence integrity, follow established forensic procedures, and maintain a complete, unbroken chain of custody. Mastering these concepts will serve you well both on the exam and in real-world incident response.