The entire job of a digital forensic examiner is to get to the truth that the digital device under analysis will reveal. This expertise is what the courts rely on to reach a conclusion on a case. The weight placed on such evidence, however good the job done, can be thrown away if the defence can prove a broken chain of custody. Therefore, it is imperative for a digital forensic practitioner to pay attention to how the chain of custody can impact their work.
What is Chain of Custody?
The chain of custody refers to the process of maintaining and chronologically documenting the handling of evidence throughout a criminal investigation. It involves keeping a detailed log showing who collected, handled, transferred, or analysed evidence during an investigation. Since evidence is vital to all criminal proceedings, it not only helps to support a prosecutor's case but, very importantly, helps the criminal justice system to determine the truth of a case. Though this definition of chain of custody generally applies to all evidence intended to be used at trial, the same principle applies to digital evidence. The procedure for establishing a proper chain of custody starts with the crime scene. Digital evidence recovered by first responders or investigators must therefore be properly accounted for from the point of seizure, handled only by authorized persons, and passed through to the forensic examiner, who creates images of the devices for analysis, documentation and reporting. Prosecutors rely on that documented handling right up to the point at which the items are admitted in evidence.
What does the law say about chain of custody?
Laws in different jurisdictions may be worded differently or include other elements in their description or definition of the chain of custody, but here is a sample excerpt of what South Carolina's statute defines chain of custody to mean:
“Police must establish a complete chain of custody as far as practicable. It basically means where multiple people handle the evidence, both their identity and what they did with it must not be left to guess.”
It is important to maintain the chain of custody to preserve the integrity of the evidence and prevent it from being contaminated. This determines the admissibility of the evidence, however weighty its relevance to the case appears to be. If the chain is not preserved, the evidence presented in court may be challenged and ruled inadmissible.
Procedure to maintain a proper chain of custody of Digital Evidence
A chain-of-custody record for digital evidence should include entries for:
- Location of digital evidence
- Time and date of digital evidence recovery
- Description of digital evidence
- Condition/state of digital evidence
- Unique markings on digital evidence (product, model & configuration)
- Tagging & bagging of digital evidence
- Identity of the reporting officer
- Case identifier or submission number
- Case investigator
- Identity of the submitting officer
- Date of receipt
- Descriptive list of items submitted for examination, including serial number, make, and model
- Identity and signature of the examiner
- Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files
- Receipt date, time and identity of the receiving officer
- Registration/documentation of the device with the custodian
Several factors can break the chain of custody including:
- Investigators waiting too long to collect evidence
- Improper storage of digital evidence
- Mislabelled digital evidence
- Alteration of digital evidence
- Unauthorized persons accessing the evidence
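As an added illustration (not from the original article), the Python sketch below models a tamper-evident custody log: each handover is a sealed record carrying the entry fields listed above plus a SHA-256 of the evidence image, and every record links to the previous one, so a verifier can flag the breakage factors just named: an altered image, an unauthorized handler, and a record edited after the fact. Handler names, case identifiers, timestamps and the sample image bytes are all constructed.

```python
import hashlib
import json

# Constructed sample: the bytes stand in for a forensic image; their SHA-256 at
# acquisition is the reference hash every later handler must reproduce.
SAMPLE_IMAGE = b"constructed sample disk image"
AUTHORIZED = {"PC Doe (first responder)", "DS Roe (investigator)", "J. Poe (examiner)"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_entry(prev_link, case_id, item_tag, handler, action, location, when, image):
    """One sealed log record; 'link' hashes the record and is what the next one points at."""
    entry = {"case_id": case_id, "item_tag": item_tag, "handler": handler,
             "action": action, "location": location, "timestamp": when,
             "evidence_sha256": sha256(image), "prev_link": prev_link}
    entry["link"] = sha256(json.dumps(entry, sort_keys=True).encode())
    return entry

def build_log(case_id, item_tag, steps, image):
    """steps: list of (handler, action, location, ISO-8601 timestamp) handovers."""
    log, prev = [], None
    for handler, action, location, when in steps:
        log.append(make_entry(prev, case_id, item_tag, handler, action, location, when, image))
        prev = log[-1]["link"]
    return log

def verify_chain(log, reference_hash, authorized):
    """Return the problems found in a custody log; an empty list means it is intact."""
    problems, prev = [], None
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "link"}
        if sha256(json.dumps(body, sort_keys=True).encode()) != e["link"]:
            problems.append(f"entry {i}: record altered after it was sealed")
        if e["prev_link"] != prev:
            problems.append(f"entry {i}: missing or reordered handover before this entry")
        if e["handler"] not in authorized:
            problems.append(f"entry {i}: unauthorized handler {e['handler']!r}")
        if e["evidence_sha256"] != reference_hash:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        if i and e["timestamp"] < log[i - 1]["timestamp"]:
            problems.append(f"entry {i}: timestamp precedes the previous handover")
        prev = e["link"]
    return problems

# Constructed handovers from seizure through to examination.
STEPS = [("PC Doe (first responder)", "seized at scene", "12 High St", "2024-01-05T09:10:00Z"),
         ("DS Roe (investigator)", "received, bagged and tagged", "Evidence store", "2024-01-05T11:30:00Z"),
         ("J. Poe (examiner)", "imaged for analysis", "Forensic lab", "2024-01-06T08:00:00Z")]
```

Running `verify_chain(build_log("CASE-0001", "ITEM-01", STEPS, SAMPLE_IMAGE), sha256(SAMPLE_IMAGE), AUTHORIZED)` returns an empty list for the intact log; appending a handover by an unlisted person with a modified image, or editing an earlier record, produces named findings instead.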
What happens when the chain of custody is broken?
The court will dismiss the evidence and, if this is the material evidence on which the case hinges, the defendant can be discharged, or an earlier conviction or judgement can be appealed and reversed. Below is a reference to a case lost due to a broken chain of custody.
- State v. Hatcher: https://law.justia.com/cases/south-carolina/supreme-court/2011/26950.html