Chain of Custody
• The process of documenting and handling digital
evidence to ensure its integrity, authenticity, and
admissibility in legal proceedings.
• It establishes a clear and traceable record of who collected,
handled, transferred, analyzed, and stored the evidence
from the moment of acquisition until its presentation in
court.
Importance
• Maintaining a proper chain of custody is critical in digital forensics to:
1. Ensure Evidence Integrity – Prevent tampering, alteration, or
corruption of data.
2. Establish Authenticity (originality or truthfulness) – Prove that the
evidence is what it claims to be.
3. Meet Legal Admissibility Standards – Ensure that courts accept the
digital evidence as credible.
4. Prevent Challenges in Court – Avoid claims that evidence was
mishandled or manipulated.
5. Support Investigative Accountability – Keep a verifiable record of
actions taken on the evidence.
Workplace Harassment Case (Social
Media & Digital Communication)
• Admissible Evidence:
• Screenshots of threatening messages, verified through
forensic analysis.
• Official emails retrieved from the company’s server with IT
department logs.
• Inadmissible Evidence:
• Social media posts deleted and reconstructed without
verification.
• A secretly recorded video violating privacy laws.
Fraud Case (Financial Cybercrime)
• Admissible Evidence:
• Bank transaction logs obtained through legal subpoenas
(order).
• Metadata from digital invoices proving they were altered
after issuance.
• Inadmissible Evidence:
• Financial records obtained through illegal hacking.
• Screenshots of bank statements without forensic
verification.
Criminal Case (Hacking &
Cybercrime)
• Admissible Evidence:
• A forensic image of a suspect’s hard drive, properly collected
and verified with a hash value.
• Server logs showing unauthorized access, obtained with a valid
search warrant.
• Inadmissible Evidence:
• Emails hacked from a suspect’s account without legal
authorization.
• Evidence collected by law enforcement without a warrant or
probable cause.
Steps in the Chain of Custody Process
• Identification and Collection
• Documentation
• Preservation
• Storage and Security
• Transfer and Handling
• Analysis
• Presentation in Court
Identification and Collection
• Locate and identify potential digital evidence (e.g.,
hard drives, USBs, cloud data, network logs).
• Use forensic tools to extract the evidence while
preserving its state.
Documentation
• Record all details about the evidence, including:
• Source (where it was found)
• Time and date of collection
• Who collected it
• How it was collected
• Assign a unique identifier or case number to the
evidence.
Preservation
• Create forensic images (bit-by-bit copies) to avoid modifying
original data.
• Store the evidence in secure, tamper-proof containers or
digital vaults.
• Apply hash values (MD5, SHA-1, SHA-256) to verify data
integrity.
Storage and Security
• Maintain strict control over access to evidence.
• Use logs, seals, and access control to prevent
unauthorized modifications.
• Store physical devices in locked evidence rooms
and digital copies in encrypted locations.
Transfer and Handling
• If evidence is moved, document who, when, where,
and why.
• Ensure that evidence is handled only by authorized
personnel. Update logs each time evidence is
accessed.
Analysis
• Perform forensic examinations on copies (never the
original).
• Use forensic tools (e.g., Autopsy, EnCase, FTK,
Wireshark) to extract useful data. Document all
findings in detail.
Presentation in Court
• Provide logs, reports, and expert testimony about
the evidence. Verify the authenticity and explain
forensic methods used.
• Ensure the chain of custody is unbroken and
documented.
Best Practices for Chain of Custody in
Digital Forensics
• Use Standardized Forms: Maintain consistent records for every piece of
evidence.
• Employ Hashing Techniques: Use cryptographic hashes to detect any
changes.
• Ensure Secure Storage: Store evidence in tamper-proof and access-
controlled locations.
• Restrict Access: Limit handling to authorized personnel with proper
credentials.
• Use Forensic Imaging: Work on copies to preserve the original evidence.
• Audit and Review Regularly: Periodically check chain of custody logs for
inconsistencies.
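As an added example (not part of the original slides), the Python below puts the Preservation, Transfer and Handling, and best-practice points above into working form: a chunked SHA-256 of a forensic image, a chain-of-custody log that records who, when, where and why for every handling step and links each entry to the previous one by hash, and an audit that detects an entry edited after the fact. The case identifier, handler names, timestamps and image bytes are constructed.

```python
import hashlib
import json
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash an image in 1 MiB chunks so multi-GB files never sit in memory."""
    digest = hashlib.sha256()  # SHA-256 rather than MD5/SHA-1, whose collisions are public
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def _entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    def __init__(self):
        self.entries = []  # append-only; each entry commits to the previous entry's hash

    def record(self, evidence_id, action, handler, location, purpose, item_hash, when):
        entry = {"evidence_id": evidence_id, "action": action, "handler": handler,
                 "location": location, "purpose": purpose, "item_hash": item_hash,
                 "time": when, "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64}
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def audit(self):
        """Index of the first entry whose content or link no longer verifies; -1 if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["entry_hash"] != _entry_digest(e):
                return i
            prev = e["entry_hash"]
        return -1

def demo():
    # Constructed stand-in for a disk image; a real run would pass the image file's path.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x00" * 4096 + b"CONFIDENTIAL_Q3_FORECAST.xlsx" + b"\xff" * 4096)
    log, h0 = CustodyLog(), sha256_file(f.name)
    log.record("CASE-0001/E1", "acquired", "A. Examiner", "suspect workstation", "imaging", h0, "2024-01-10T18:30Z")
    log.record("CASE-0001/E1", "transferred", "B. Custodian", "evidence locker 3", "storage", h0, "2024-01-10T21:05Z")
    log.record("CASE-0001/E1", "analyzed", "C. Analyst", "forensic lab", "exam on working copy", h0, "2024-01-12T09:00Z")
    # In court: re-hash the image and compare with the hash recorded at acquisition.
    acquired = next(e["item_hash"] for e in log.entries if e["action"] == "acquired")
    intact = log.audit() == -1 and sha256_file(f.name) == acquired
    log.entries[1]["handler"] = "X. Unknown"  # simulate an after-the-fact edit to the log
    return {"intact_before_edit": intact, "first_bad_entry": log.audit()}
```

The audit reports the index of the first entry whose content or link no longer verifies, so a removed or reordered entry is caught as well as an edited one.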
Consequences of a Broken Chain of
Custody
• Evidence with a broken chain of custody may:
• Be deemed inadmissible in court.
• Lose credibility due to doubts about its authenticity.
• Be challenged for possible tampering or
contamination.
• Lead to case dismissal or failure in prosecution.
Case study: Corporate Data Breach
Investigation
• A multinational company suspects an internal data
breach where confidential financial records were
leaked to a competitor.
• The IT security team identifies unauthorized data
access and notifies the digital forensics team.
Stages of Chain of Custody in Digital
Forensics
• 1. Identification
• Objective: Recognizing potential sources of digital evidence.
• Actions Taken:
• The IT security team notices unusual access patterns on
the company's financial servers.
• Logs indicate unauthorized access from an employee’s
workstation after hours.
• Suspicious email communications with attachments sent
to an external recipient are identified.
• 2. Collection
• Objective: Securely gather digital evidence without altering its integrity.
• Actions Taken:
• The forensic team creates a forensic image (bit-by-bit copy) of the
suspect’s computer hard drive.
• Logs, emails, and network activity records are extracted from
company servers.
• A copy of the employee’s USB drive (suspected for data transfer) is
made.
• All evidence is tagged with unique identifiers, date, time, and the
identity of the collector.
• 3. Preservation
• Objective: Store evidence securely to prevent tampering or corruption.
• Actions Taken:
• Original devices (laptop, USB drive) are placed in tamper-proof bags
and sealed.
• Hash values (MD5, SHA-256) are generated for all forensic images to
ensure integrity.
• Digital evidence is stored in a secure forensic lab with restricted
access.
• A chain of custody log is maintained, recording every person who
accesses the evidence.
• 4. Analysis
• Objective: Extract, examine, and interpret digital evidence to
uncover relevant findings.
• Actions Taken:
• Forensic software tools (e.g., Autopsy, EnCase, FTK) are used to
analyze disk images.
• Deleted files are recovered, revealing a confidential financial
report copied to a USB.
• Email metadata confirms the document was sent to an external
competitor.
• Internet browsing history shows visits to file-sharing services.
• 5. Documentation
• Objective: Maintain a detailed record of all findings and
actions.
• Actions Taken:
• A report is prepared detailing the evidence collected,
analysis process, and findings.
• Screenshots and logs are attached as supporting
evidence.
• Chain of custody records, including access logs and hash
verification, are included.
• 6. Presentation
• Objective: Present findings in a legal or disciplinary setting.
• Actions Taken:
• The forensic investigator testifies in court, explaining how evidence
was collected and analyzed.
• The chain of custody log is presented to demonstrate the integrity
of the evidence.
• Digital artifacts such as email records, file transfer logs, and
recovered documents are shown.
• The court validates the evidence, leading to legal action against the
employee.
Case Scenario: Insider Trading in a
Financial Firm
• A major investment firm notices unusual stock trades
happening just before major financial announcements. The
regulatory body suspects an internal employee might be
leaking sensitive stock price information to external traders
for illegal profit.
• A forensic investigation is launched to identify the
perpetrator.
Identification
• 1. Identification (Recognizing Digital Evidence)
• Objective: Identify potential sources of digital evidence that
may reveal insider trading activities.
• Actions Taken:
• The IT team detects unusual logins to the company’s internal
financial database after office hours.
• Emails flagged by the company’s Data Loss Prevention (DLP)
system show confidential financial reports being shared.
• The network administrator finds encrypted chat messages
between an employee and an external recipient.
• Potential Digital Evidence Identified:
• Employee’s work laptop and email logs
• Company network logs showing data access patterns
• Chat application messages suspected of carrying sensitive
information
• USB devices connected to the suspect’s workstation
2. Collection (Gathering Evidence
Securely)
• Objective: Collect digital evidence without altering or corrupting it.
• Actions Taken:
• Forensic Imaging: A bit-by-bit forensic image of the employee’s laptop
is taken using tools like FTK Imager.
• Email Logs: Copies of the suspect’s sent and received emails are
retrieved from the company’s Microsoft Exchange server.
• Network Logs: A forensic capture of the company’s firewall logs
shows data transfers to an external IP address.
• USB Devices: The suspect’s USB drive is collected, labeled, and
sealed in an evidence bag.
• Chat Application Logs: The encrypted chat messages are
exported for decryption and analysis.
3. Preservation (Securing Evidence)
• Objective: Protect evidence from tampering or loss.
• Actions Taken:
• Chain of Custody Log: A record is maintained listing every person
handling the evidence, the date/time, and the purpose of access.
• Storage: The original devices (laptop, USB) are stored in a
temperature-controlled evidence locker.
• Hash Values: MD5 and SHA-256 hash values are generated
for the forensic images of the laptop and USB drive to
ensure integrity.
• Write Blockers: Digital forensic tools are used to prevent
modification of original evidence while conducting the
analysis.
4. Analysis (Extracting and Interpreting
Evidence)
• Objective: Examine digital evidence to uncover incriminating activities.
• Actions Taken:
• Email Analysis:
• The employee’s email history reveals attachments with
confidential stock forecasts sent to an external trader’s email.
• File Recovery:
• Deleted files are recovered, showing financial reports
downloaded from the internal database.
• USB Analysis:
• The forensic image of the USB shows it contained confidential
spreadsheets before being wiped.
• Chat Log Decryption: Decryption of the chat application
reveals discussions about stock trades and financial
predictions, confirming insider trading.
• Network Logs: Analysis shows data exfiltration from the
employee’s machine to a foreign IP address, where the
external trader operates.
5. Documentation (Maintaining a
Record)
• Objective: Ensure detailed documentation of findings for legal proceedings.
• Actions Taken: A formal forensic report is compiled, including:
• Evidence summary (emails, network logs, chat messages, and
USB files)
• Analysis methodology and tools used
• Chain of custody logs to demonstrate integrity
• Screenshots and timestamps proving data leaks
• All digital evidence is cataloged and backed up securely.
6. Presentation (Legal Proceedings)
• Objective: Present findings in court to prove the crime.
• Actions Taken:
• The forensic investigator testifies in court, explaining:
• How the employee accessed confidential data
• How the evidence was collected and preserved
• The chain of custody log, proving evidence integrity
• The prosecution presents digital artifacts, including
emails, chat logs, and file transfer records.
• Hash values are verified in court to confirm that the
forensic images match the original evidence.
• Verdict:
• The court finds the employee guilty of insider trading,
leading to:
• Criminal charges for financial fraud
• Job termination and fines imposed by financial regulators