Chain of Custody: What Corporate Legal Teams Need To Know

In digital investigations, the term chain of custody is nearly impossible to avoid. A chain of custody is sometimes called the paper trail, audit trail, or forensic link. Regardless of the name, a chain of custody is essential to show the validity of an investigation. In this article, we take a look at what these chains are, why they matter, and how to maintain them. 

In this article: 

What is a chain of custody?
What is meant by chain of custody in a digital forensic investigation?
What is an example of a chain of custody?
Why is chain of custody important in digital investigations?
How can the chain of custody be assured?
How eDiscovery tools help keep the chain of custody 

What is a chain of custody? 

A chain of custody in the context of a digital investigation records what happens to the evidence collected by investigators. It is, in effect, an auditable log that is kept and amended anytime any processing of the evidence occurs. 

Chain of custody definition:

In criminal and civil law, the term "chain of custody" refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. It is used to prove that an item has been properly handled through an unbroken chain of custody and can be legally accepted as evidence in court.

Here, processing is quite broad, comparable to the way it is defined in the General Data Protection Regulation (GDPR). Article 4 of GDPR defines processing as: "any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." 

The everyday use of digital evidence in legal cases now means that the chain of custody must be captured and maintained when gathering and handling electronic evidence. For any given case, the chain should document the end-to-end sequence of work undertaken. It should include who does the work, when they do it, and which tools or platforms are used in the process. In the modern context, the locational aspect can also be tracked, specifically to establish storage locations. 


What is meant by chain of custody in a digital forensic investigation? 

A chain of custody documents the collection, sequence of control, transfer, and analysis of evidence during an investigation. It details who handled the evidence, as well as the date and time it was collected or transferred. The overarching goal is to enable the digital investigators to prove the results of their efforts are reliable. A comprehensive and detailed chain of custody demonstrates the evidence has not been tampered with. 

The term itself obviously predates modern digital investigations. Today, the chain is a collection of audit logs that details what happened with the Electronically Stored Information (ESI) in a case. The chain answers the question: what happens with the information after collection from sources. Such sources include cloud applications, smart devices, hard drives, flash drives, etc. 


What is an example of a chain of custody? 

The journey of a scrap of ESI that is evidence can differ depending on the length of the investigation and the tools used. Roughly speaking though, a journey may look like this: 

  1. The ESI is collected from a custodian’s system to a platform used for investigations.
  2. The ESI is part of a larger batch of potential evidence that is filtered and culled.
  3. Having passed stage 2, the ESI is reviewed by a reviewer and deemed relevant.
  4. Having been deemed relevant, the ESI is then checked to see if anything in it needs to be redacted.
  5. Now part of the evidence dataset, the ESI may be analyzed, produced, or presented.

At each stage, a record is kept of what specifically is done, by whom (or what), and to what end. That record can then be provided alongside either the evidentiary dataset or the investigation’s results. It serves to validate the efforts of the investigation. 

To achieve its stated goal of validating the ESI evidence, the log should be system-generated wherever possible. Automated record-keeping is preferred especially in a low-trust exchange of information. 

In cases where the automated keeping of records is impossible or too limited, this information can be provided through forms. These forms answer the key questions that a critical recipient might have regarding evidence handling: 

  • What is the evidence? For ESI, this may include the filename, MD5 hash, etc.
  • How did you get it? For ESI, what were the means of data collection?
  • When was it collected? Date and time.
  • Who has handled it? Include persons as well as tools.
  • Where was it stored? For ESI this is mostly a formality, but it is not unwise to include some of the security details of the storage location.
  • How and why was it moved? In the case of ESI, these are typically easily tracked system actions.
  • Who had access? List of persons and tools. 

Most of this information is relatively easy to track. eDiscovery platforms, for example, automatically keep an auditable log for every piece of evidence. 
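The five-stage journey above and the seven questions a form must answer can be captured in one system-generated record. The following is an added example, written for this article and not taken from it or from any eDiscovery product: a small hash-chained custody log in which every entry names the action, the actor, the tool and the time, carries the SHA-256 of the evidence where the evidence bytes are touched, and is linked to the previous entry by its digest, so that a later edit to any record, or a change to the evidence itself, is detected by the verifier. The sample file bytes, the custodian, the examiner and reviewer names, the tool names and the timestamps are all constructed placeholders; the hash-chaining design is this example's own choice, not a method the article prescribes.

```python
"""Hash-chained chain-of-custody log for one item of ESI (added example, constructed data)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: an email export as it might be collected from a
# custodian's workstation. The bytes are made up for this example.
SAMPLE_ESI = b"From: custodian@example.com\nSubject: Q3 forecast\n\nFigures attached.\n"

GENESIS = "0" * 64  # prev_digest of the very first (collection) record


def sha256_hex(data: bytes) -> str:
    """Content hash of the evidence. SHA-256 is used here; the article lists MD5 as common."""
    return hashlib.sha256(data).hexdigest()


def now_utc() -> str:
    """Timestamp helper for real use; the demo below passes fixed constructed times instead."""
    return datetime.now(timezone.utc).isoformat()


def _entry_digest(entry: dict) -> str:
    """Digest over canonical JSON so the same record always hashes identically."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def start_chain(evidence: bytes, filename: str, source: str, actor: str, tool: str, when: str) -> list:
    """First record: what the evidence is (name + hash), where it came from, who collected it, when, with what."""
    first = {
        "seq": 0, "action": "collected", "filename": filename,
        "evidence_sha256": sha256_hex(evidence), "source": source,
        "actor": actor, "tool": tool, "timestamp": when, "prev_digest": GENESIS,
    }
    first["digest"] = _entry_digest(first)
    return [first]


def append_record(chain: list, action: str, actor: str, tool: str, when: str, **details) -> dict:
    """Append one processing step (filter, review, redaction check, production, move, access)."""
    prev = chain[-1]
    entry = {"seq": prev["seq"] + 1, "action": action, "actor": actor, "tool": tool,
             "timestamp": when, "prev_digest": prev["digest"], **details}
    entry["digest"] = _entry_digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, evidence: bytes) -> tuple:
    """Return (ok, reason): sequence intact, every link matches, no record altered, evidence unchanged."""
    if not chain:
        return False, "empty chain"
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, f"sequence gap at {i}"
        if entry.get("prev_digest") != expected_prev:
            return False, f"link broken at seq {i}"
        body = {k: v for k, v in entry.items() if k != "digest"}
        if _entry_digest(body) != entry.get("digest"):
            return False, f"entry {i} altered"
        expected_prev = entry["digest"]
    if sha256_hex(evidence) != chain[0]["evidence_sha256"]:
        return False, "evidence bytes differ from collection hash"
    return True, "ok"


def demo_journey() -> list:
    """The article's five stages as custody records. Names, tools and times are constructed."""
    chain = start_chain(SAMPLE_ESI, "forecast.eml", "workstation WS-042 (custodian J. Roe)",
                        "K. Lee (examiner)", "collector v1 (hypothetical)", "2024-03-01T09:00:00+00:00")
    append_record(chain, "filtered", "K. Lee (examiner)", "review platform (hypothetical)",
                  "2024-03-01T10:15:00+00:00", criteria="date range and keyword 'forecast'")
    append_record(chain, "reviewed", "A. Smith (reviewer)", "review platform (hypothetical)",
                  "2024-03-02T14:30:00+00:00", outcome="relevant")
    append_record(chain, "redaction check", "A. Smith (reviewer)", "review platform (hypothetical)",
                  "2024-03-02T15:05:00+00:00", result="no redaction required")
    append_record(chain, "produced", "K. Lee (examiner)", "review platform (hypothetical)",
                  "2024-03-05T11:00:00+00:00", destination="production set PROD-001 (hypothetical)",
                  storage="encrypted evidence share (hypothetical)")
    return chain


def tamper_demo() -> tuple:
    """Someone quietly changes the review outcome in a past record; verification must catch it."""
    chain = demo_journey()
    chain[2]["outcome"] = "not relevant"
    return verify_chain(chain, SAMPLE_ESI)


if __name__ == "__main__":
    print(verify_chain(demo_journey(), SAMPLE_ESI))          # (True, 'ok')
    print(tamper_demo())                                     # (False, 'entry 2 altered')
    print(verify_chain(demo_journey(), SAMPLE_ESI + b"x"))   # evidence no longer matches
```

Each record answers the form's questions (what, how, when, who, where, why moved, who accessed) as named fields, and the digest link is what makes the log "system-generated" in the sense the previous paragraph asks for: a reviewer who receives the chain and the evidence can rerun the verifier rather than trust the sender's word. Redaction, where required, should be recorded as a new derived file with its own hash, leaving the original collection hash untouched.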


Why is chain of custody important in digital investigations? 

As stated earlier, depending on what type of digital investigation you’re dealing with, a log is either nice to have or absolutely essential. Oftentimes, the reason for a digital investigation is external: litigation, regulatory requests, information requests, etc. In such cases, the external party initiating the matter will want to ensure the evidence and/or results are valid. In such a low-trust environment, providing chain of custody information allows them to check the process through which the evidence was obtained. 

Even if there is no external party, it is generally a good practice to provide chain of custody information. Chain of custody information may help to identify opportunities to optimize or improve the investigative process, for example. For follow-up investigations or future investigations on the same subject, the chain of custody logs may need to be consulted in order to inform decisions. 


How can the chain of custody be assured? 

It’s important to remember that digital investigations aren’t easy to predict. Maintaining some level of readiness is key to ensuring that when the wheels start turning, the chain of evidence is recorded. Ensure the organization's incident response plan is suitable for responding to an insider threat as well as to an external data breach. This is often not the case, because incident response plans are frequently written with only external threats in mind. By explicitly including internal affairs, the incident response plan can cover appropriate steps to address both. 

Once a draft incident response policy is put in place, simulate an internal investigation. This tests the plan and ensures key stakeholders know how an investigation would likely play out. Such dry runs also give the investigators an opportunity to get the lay of the land in terms of information governance, which may speed up the initial scoping phase of a real investigation when the time comes. 

Finally, proper information governance as a matter of course, and well-defined data preservation and retention protocols will help to keep an investigation organized. In short, having solid, realistic, and well-tested policies in place helps to ensure a context is provided in which chain of custody can be properly tracked. 


How eDiscovery tools help keep the chain of custody 

When it comes to keeping track of the chain of custody, eDiscovery tools offer tremendous value. As mentioned above a few times, these tools automatically maintain a record of what happens to the ESI: what steps are taken, when they are taken, and which user performs the actions. As a starting point, these tools offer a wealth of information that can be used as a solid foundation from which a comprehensive chain of custody can be built.