The IT Law Wiki

Definitions

Authentication

Chain-of-custody authentication requires testimony of continuous possession by each individual having possession, together with testimony by each that the object remained in substantially the same condition during its presence in his possession. . . . In order to establish a valid chain of custody, the state must reasonably demonstrate that the evidence offered is the same as that seized and it is in substantially the same condition at the time of trial as it was at the time of seizure.[1]

Electronic evidence

When dealing with electronic evidence, two different chains of custody are involved: the physical item itself and its associated data. It is important for law enforcement to:

  • Know the accreditation standards and laboratory policies, procedures, or other guidelines, if any, regarding chain of custody, both generally and for electronic evidence specifically. Determine whether they have been followed or whether a deviation has occurred.
  • Understand the effect that all deviations may have on the case and be prepared to explain them. Also be aware that the policies, procedures, or other guidelines should be dynamic. The prosecution team must know which practices were applicable at the time the examination was conducted.
  • Ask employees (e.g., information technology staff, security) of a victimized company a series of questions pertaining to the preliminary handling of any electronic evidence they have provided or will provide to law enforcement. Care should be taken, however, to avoid creating an unintended agency relationship between law enforcement and a private citizen employee who has or is considering handling potential electronic evidence.

One advantage of inquiring about these issues is to ensure the proper collection of electronic evidence when law enforcement becomes involved in a case. If the evidence is still on the original medium but the initial procedure used to gather the information was less than ideal, law enforcement may be in a position to resolve evidentiary issues even if they cannot perform their own collection process.

To reinforce adherence to traditional chain-of-custody procedures, law enforcement investigating a case should ask the following questions to determine how evidence was handled before they became involved.

1. What types of electronic evidence have been collected prior to the involvement of law enforcement? For example, in a cyberstalking case, does a hardcopy (printed) version of the e-mail exist? Is an electronic copy available? Does it contain full header information?

2. Who handled the evidence?

a. Document the name and job function of each individual who handled the electronic evidence. Be aware that more than one person could be involved in this process.
b. Identify everyone who had control of the electronic evidence after it was examined and before it was given to law enforcement.

3. How was the electronic evidence collected and stored?

a. Identify all tools or methods used to collect the electronic evidence.
b. Determine who had access to the electronic evidence after it was collected — anyone with access to the evidence should be considered part of the chain of custody. Account for all storage of data.

4. When was the evidence collected? Document the date and time when the evidence was gathered (including a reference to time zone if necessary). Careful documentation will enable the prosecutor and the prosecution witnesses to use a timeline to demonstrate the collection of evidence during its introduction and explanation at trial. Keep in mind that the collection of evidence might be an ongoing process.

5. Where was the evidence when it was collected? In addition to the traditional "where" questions (e.g., "in which room was the computer found?"), other issues related to electronic evidence can arise. Be aware that electronic evidence may exist in more than one location simultaneously (e.g., e-mail may be located on the sender's computer, the recipients' computers, and their respective ISPs). Consider the following questions:

General

Chain of custody is

[a] process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.[2]
[t]he protection of evidence by each responsible party to ensure it against loss, breakage, alteration or unauthorized handling. This protection also includes properly securing, identifying, and dating evidence. Individuals place their initials and date on the container when the evidence is stored in a container or on the evidence in such a way that no damage is incurred.[3]
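The questions in the Electronic evidence section above (who handled the item, when, with the time zone, and for what purpose) and the record described in definition [2] can be kept as a structured log whose integrity is checkable. The following is an added example, not text or code from this wiki or from any cited source: a custody log for the data side of a chain, where every handover records the custodian, job function, previous custodian, timezone-aware timestamp, purpose and the SHA-256 of the data, and a validator reports gaps in possession, out-of-order transfers and any change in the data. The names, dates and e-mail content are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EVIDENCE = b"Received: from mail.example.test\nSubject: constructed sample\n"  # constructed e-mail export
CET = timezone(timedelta(hours=1))

@dataclass(frozen=True)
class CustodyEntry:
    custodian: str         # person now in possession
    role: str              # their job function
    received_from: str     # previous custodian, or "" for the initial collection
    received_at: datetime  # timezone-aware date/time of collection or transfer
    purpose: str           # reason for the transfer
    sha256: str            # hash of the data at the moment of handover

def record(chain, custodian, role, received_from, received_at, purpose, data):
    if received_at.tzinfo is None:  # question 4 above: always reference the time zone
        raise ValueError("custody timestamps must carry a time zone")
    chain.append(CustodyEntry(custodian, role, received_from, received_at, purpose,
                              hashlib.sha256(data).hexdigest()))
    return chain

def validate(chain):
    """Return problems found; an empty list means continuous custody and unchanged data."""
    if not chain:
        return ["no collection event recorded"]
    problems = []
    for prev, cur in zip(chain, chain[1:]):
        if cur.received_from != prev.custodian:
            problems.append(f"gap: {cur.custodian} got it from {cur.received_from}, not {prev.custodian}")
        if cur.received_at < prev.received_at:
            problems.append(f"{cur.custodian}: timestamp precedes the previous transfer")
        if cur.sha256 != prev.sha256:
            problems.append(f"{cur.custodian}: data hash differs from {prev.custodian}'s copy")
    return problems

def timeline(chain):
    """Render the chain in UTC for a trial timeline; entries logged in different zones sort correctly."""
    return [f"{e.received_at.astimezone(timezone.utc):%Y-%m-%d %H:%M} UTC "
            f"{e.custodian} ({e.role}): {e.purpose}" for e in chain]

def sample_chain(tampered=False):
    at = lambda h, m, tz=CET: datetime(2024, 3, 1, h, m, tzinfo=tz)  # constructed dates
    chain = []  # constructed history: company IT staff collect, security hands over to police
    record(chain, "A. Ng", "IT staff", "", at(9, 0), "exported e-mail with full headers", EVIDENCE)
    record(chain, "B. Ruiz", "security manager", "A. Ng", at(10, 30), "internal review", EVIDENCE)
    record(chain, "Det. C. Okafor", "law enforcement", "B. Ruiz", at(14, 0, timezone.utc),
           "criminal investigation", EVIDENCE + b"X-Edited: yes\n" if tampered else EVIDENCE)
    return chain
```

Rendering with `timeline()` converts the mixed CET and UTC entries to one zone, which is what makes the log usable as the timeline exhibit question 4 describes; a hash that changes between two custodians is the data-side equivalent of an item that is no longer "in substantially the same condition".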

Preservation

Chain of custody is

[a] process used to maintain and document the chronological history of the handling, including the transfer of ownership, of any arbitrary digital file from its creation to a final state version.[4]

References

  1. State v. Kottom, 2008 WL 4977337 (Minn. Ct. App. 2008).
  2. NIST Special Publication 800-72, Glossary, at 57.
  3. DM3595-001, at 4.
  4. NDSA Glossary.
