Chain Of Custody

To be able to make a correct securing of a proof, it requires that you have the right workflow. Here you will learn more about Chain Of Custody (COC). The most important thing is that effects and data integrity can be demonstrated in the process. So if there is to be a lawsuit, then there can be no doubt about what has been done.

TIP: Doubts will always be seen in a lawsuit. That is the most important task of the defense. The more reason you've been here, the more you minimize the prosecutor can doubt your conduct!

The more thorough you have been here, the more you minimize the prosecutor can doubt your conduct! `

Data collection and security workflow.

When collecting data and effects for study, then documents, documents, documents!

It's super important you describe

  • Time
  • Location
  • Who was present (In the case of personnel matters, that HR was also present)
  • How many effects were collected
  • What data was collected and how Description of the procedure
  • How was data secured? with or without write protection and why?
  • Who is responsible for the effects until they are stored in the forensic room or the safe.
  • A description / list of handovers between colleagues, so as to preserve who has had hands on the effects (this is the heart of COC right here)

DISCLAIMER - The above list is not inexhaustible, I may have overlooked areas!

When the proof changes hands

Example of what it looks like. It can be said to be automated.

There is a signature for the handover and what effects it is about.

The above is please borrowed here

Under transport

For at sikre effekters fysiske integritet, så kræver det at man ved vigtige sager kan transportere effekterne korrekt. Så man kan påvise at der ikke er "pillet" ved effekten.

Such bags can be purchased. An example is [miladan.dk] (https://miladan.dk/product/ds-crime/) or [Scenesafe] (https://scenesafe.co.uk/)

Write protection

In order to be able to secure correctly, it is important to be able to be write-protected correctly. So that you do not write data to the disk you are securing. This contaminates the evidence.

Write protection can be achieved in several ways. Below are a few examples of how to achieve write protection for your task.

Software Software write protection, it can see via a live boot image, such as caine or paladin. It is intended that the system is installed on a USB and thereby you can boot your PC from this USB and achieve write protection. It costs nothing to download and use.

Software write protection can also be achieved by software you install on your PC. An example of this is Safe block (Link here). Which, however, costs some money. It allows you to write-protect all the devices you connect to the system. Which means you have sata and USB in one function. It gets a little cheaper in purchasing, compared to hardware equipment.

The website [digitalforensics.com] (https://www.digitalforensics.com/blog/software-write-blockers-overview/) has made a good list of equipment.

Hardware

Hardware write protection is an electronic device that is inserted between the hard disk and the computer and thereby achieves write protection.

It is often a device that works via the USB port. It is quite simple to use and there is no speed reduction if you use USB 3.x

They can be used for all operating systems and secure via FTK (win 10) and DD (Linux / Mac). It is a one-time investment you have to make.

Below are 2 examples of write protection from Weibetech and Coolgear. It is 2 pages of the same case which is write protection.

Weibetech is a little more delicious finish and with function as invention of serial number and product name. Where Coolgear is completely basic, with buttons for write protection.

Weibetech FUD 5.5 costs around 3,000 to 4,000 Danish kroner

Coolgear SATA / IDE writeblock costs approx. 750.- incl VAT and freight from the USA. (Has been removed from the supplier's website. It is not known if there will be any replacement)

The top of the pop here at the time of writing is Tableau from guidance software. It has created a lineup of different solutions where adapter boxes can be connected with their own cable. The price is here on the friendly side of 8,000 Danish kroner.

There are prices for every taste. It can be a good investment if one needs data secure media like hard drives. If you can make a combination of hardware and software so that you can perform different tasks, then you are better off.

Remember, this is what should fit the detop YOUR task to be purchased for 🙂

Coolgear is the slightly discount version of a write protector. It works fine and is cheap (and unfortunately discontinued)