Chain of Custody

In addition to the use of integrity hashing algorithms and checksums, another means to help express the reliability of evidence is by maintaining chain of custody documentation. Chain of custody requires that once evidence is acquired, full documentation be maintained regarding the who, what, when, and where related to the handling of said evidence. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form.

The goal is to show that throughout the evidence lifecycle it is both known and documented how the evidence was handled. This also supports evidence integrity: no reasonable potential exists for another party to have altered the evidence.

While neither integrity checksums nor a chain of custody form is required in order for evidence to be admissible in a court of law, they both support the reliability of digital evidence. Use of integrity checksums and chain of custody by forensics investigators is best practice.
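The two practices described above can be combined in one record. The following is an added example, not part of the original text: each custody entry records the who, what, when, and where plus a hash recomputed at hand-off, and a check flags hash changes, custody gaps, and out-of-order timestamps. The field names, people, locations, and image bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class CustodyEntry:
    when: str         # UTC ISO 8601 timestamp of the handling event
    released_by: str  # who gave up custody
    received_by: str  # who took custody
    where: str        # location of the hand-off
    what: str         # action performed on the evidence
    sha256: str       # hash of the evidence recomputed at this event

def verify_chain(acquisition_hash, entries):
    """Return a list of problems; an empty list means the record is consistent."""
    problems, holder, last_when = [], None, ""
    for i, e in enumerate(entries):
        if e.sha256 != acquisition_hash:
            problems.append(f"entry {i}: hash differs from acquisition hash")
        if holder is not None and e.released_by != holder:
            problems.append(f"entry {i}: released by {e.released_by}, but {holder} held it")
        if e.when < last_when:  # same-format UTC strings sort chronologically
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        holder, last_when = e.received_by, e.when
    return problems

# Constructed sample data: names, places and the "image" bytes are invented.
IMAGE = b"constructed stand-in for an acquired disk image"
ACQ_HASH = hashlib.sha256(IMAGE).hexdigest()
LOG = [
    CustodyEntry("2024-03-01T09:15:00Z", "(acquisition)", "J. Doe",
                 "Office 4", "imaged workstation drive", ACQ_HASH),
    CustodyEntry("2024-03-01T11:40:00Z", "J. Doe", "R. Roe",
                 "Evidence locker", "sealed and stored", ACQ_HASH),
    CustodyEntry("2024-03-04T08:05:00Z", "R. Roe", "L. Poe",
                 "Forensics lab", "checked out for analysis", ACQ_HASH),
]

def tampered_log():
    """LOG with the last entry altered: wrong releaser and a changed image."""
    bad_hash = hashlib.sha256(IMAGE + b"\x00").hexdigest()
    return LOG[:2] + [replace(LOG[2], released_by="Unknown", sha256=bad_hash)]

if __name__ == "__main__":
    print(verify_chain(ACQ_HASH, LOG))             # consistent record
    for problem in verify_chain(ACQ_HASH, tampered_log()):
        print(problem)
```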

Reasonable Searches

The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government. In all cases involving seized evidence, if a court determines the evidence was obtained illegally, then it will be inadmissible in court. In most circumstances, in order for law enforcement to search a private citizen’s property, both probable cause and a search warrant issued by a judge are required. The search warrant will specify the area that will be searched and what law enforcement is searching for.

There are circumstances that do not require a search warrant, such as if the property is in plain sight or at public checkpoints. One important exception to the requirement for a search warrant in computer crimes is that of exigent circumstances. Exigent circumstances are those in which there is an immediate threat to human life or of evidence being destroyed. A court of law will later decide whether the circumstances were such that seizure without a warrant was indeed justified.

Search warrants only apply to law enforcement and those who are acting under the color of law enforcement. If private citizens carry out actions or investigations on behalf of law enforcement, then these individuals are acting under the color of law and can be considered as agents of law enforcement. An example of acting under the color of law would be when law enforcement becomes involved in a corporate case and corporate security professionals are seizing data under direct supervision of law enforcement. If a person is acting under the color of law, then they must be cognizant of the Fourth Amendment rights related to unreasonable searches and seizures. A person acting under the color of law who deprives someone of his or her constitutionally protected rights can be found guilty of having committed a crime under Title 18 U.S.C. Section 242—Deprivation of Rights Under Color of Law.

A search warrant is not required if law enforcement is not involved in the case. However, organizations should exercise care in ensuring that employees are made aware in advance that their actions are monitored, and that their equipment, and perhaps even personal belongings, are subject to search. Certainly, these notifications should only be made if the organization’s security policy warrants them. Further, corporate policy regarding search and seizure must take into account the various privacy laws in the applicable jurisdiction.

Note
Due to the issues unique to investigations being carried out by, or on behalf of, law enforcement, an organization will need to make an informed decision about whether, or when, law enforcement will be brought in to assist with investigations.