Thursday, June 9, 2011

Chain of Custody

Chain of custody is defined as “the order in which a piece of criminal evidence should be handled by persons investigating a case, specif. the unbroken trail of accountability that ensures the physical security of samples, data, and records in a criminal investigation” (, n.d.). The Royal Canadian Mounted Police (RCMP), the branch of the Canadian government responsible for investigating digital crime in Canada, refers to chain of custody as “the tracking of evidence items from the scene of a crime to the item presentation in a legal proceeding.” (Royal Canadian Mounted Police, 2008a). In other words, chain of custody is the process of handling (digital) evidence in order to ensure its authenticity, and therefore its admissibility in a court of law. It is imperative to maintain the chain of custody, especially in cases where there is a strong reliance on the digital evidence, since “altered [evidence] and a break in the chain of custody would undoubtedly compromise the evidential weighting in a criminal case” (Royal Canadian Mounted Police, 2008a).
As a result, in its guide for victims of copyright and trademark infringement (Royal Canadian Mounted Police, 2008b), the RCMP instructs evidence handlers to keep the exhibit under lock and key and to maintain the chain of custody – document all handling and movement of the exhibit, including the date and the signature of the individual handling the evidence. Furthermore, the chain of custody has to be maintained (recorded and traced) from the initial acquisition of the evidence to its presentation in a court of law.
Maintaining the chain of custody matters not only in criminal cases. For example, a decision to dismiss an employee for violating corporate policy could end up in court as a non-criminal case. The employee could file a “wrongful dismissal” suit against the employer, and the collected digital data could become critical evidence. If the defence alleges that the digital evidence has been altered or could have been altered, it is up to the prosecution to prove otherwise (Douglas Schweitzer, 2003).
In many cases, the traditional methods of handling digital data are not sufficient to ensure the admissibility of digital evidence in a court of law. For example, a standard file-copying technique, such as the copy or cp command, can alter the access time of the original file, thereby undermining the authenticity of potential evidence. Furthermore, simply “pulling the plug” to preserve the data on non-volatile storage could result in the loss of a vast amount of volatile data, such as encryption keys and “hacking tools and malicious software that may exist solely within memory” (Association of Chief Police Officers, 2008).
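The record the RCMP guide asks for (every handling and movement of the exhibit, with date and handler) and the concern that evidence may have been altered can both be checked mechanically. The following is an added example, not code from this post or from the RCMP; it assumes a hash-linked log, a technique the post does not mention, in which each entry carries the exhibit's SHA-256 hash and the digest of the previous entry, so that a missing handover, an entry edited after the fact, or a changed exhibit is detected. The exhibit bytes, handler names and timestamps are constructed.

```python
import hashlib
import json

# Constructed sample exhibit: stands in for the bytes of an acquired image.
EXHIBIT = b"constructed sample exhibit: bytes of an acquired disk image"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the entry's own digest, in canonical JSON order.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record_handling(log: list, handler: str, action: str, when: str,
                    exhibit: bytes) -> dict:
    # One custody entry: who handled the exhibit, what they did, when, the
    # exhibit's hash at that moment, and a link to the previous entry. The
    # handler name stands in for the signature the RCMP guide asks for.
    entry = {
        "seq": len(log),
        "timestamp": when,  # ISO 8601 UTC string (assumption)
        "handler": handler,
        "action": action,
        "exhibit_sha256": sha256_hex(exhibit),
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else "",
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    # (True, "ok") if the trail is unbroken and the exhibit never changed,
    # else (False, reason) naming the first problem found.
    if not log:
        return False, "empty log"
    expected_prev, first_hash = "", log[0]["exhibit_sha256"]
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"gap or reorder at entry {i}"
        if entry["prev_entry_sha256"] != expected_prev:
            return False, f"broken link at entry {i}"
        if entry["entry_sha256"] != entry_digest(entry):
            return False, f"entry {i} edited after it was recorded"
        if entry["exhibit_sha256"] != first_hash:
            return False, f"exhibit altered before entry {i}"
        expected_prev = entry["entry_sha256"]
    return True, "ok"
```

A real deployment would sign each entry with the handler's key rather than rely on a name field, and would keep the log somewhere the handlers cannot rewrite it.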

