Posted on: July 01, 2015 in Blog
How to Document Your Chain of Custody and Why It's Important
The collection process is the crux of any investigation, and the most important step in any collection is documentation. Proper documentation and the ability to validate the findings are essential when a matter goes to trial, especially when a case lasts for months or years. Evidence that was located at the beginning of a case may become critical later on. If the chain of custody and the evidence were properly documented, it will be easier to locate the necessary information.
Additionally, evidence must be authenticated before it can be deemed admissible in court. To authenticate your evidence, you must be able to prove your collection process was sound and free of tampering. The most effective way to do this is to maintain a documented chain of custody.
Why a Bulletproof Chain of Custody is Imperative
It is a common misconception among the legal community that self-collecting data will save time and reduce the cost of the collection process. However, qualified forensics consultants are trained to understand the intricacies and challenges associated with identifying, collecting, and preserving data from all sources of ESI.
By involving a neutral third-party expert, counsel can focus on preparing for litigation, while the expert can ascertain the data was collected properly and provide adequate documentation and testimony required for authenticating evidence.
It is possible to misinterpret data and results provided by forensic software, which is why it is imperative to document exactly where the data came from, in the event it needs to be revisited.
Take the Casey Anthony trial in 2011. The computer forensic examiner, John Bradley, testified at trial that he identified 84 searches for the word “chloroform.”
It turns out “two software programs were used for conducting computer analysis of searches completed during the Anthony trial. The results produced by CacheBack returned results of 84 visits. The second program, Net Analysis, returned results of one visit.”
Bradley said, "I gave the police everything they needed to present a new report. I did the work myself and copied out the entire database in a spreadsheet to make sure there was no issue. Then I turned it over to them. The No. 1 principle for them is to validate the data, and they had the tools and resources to do it. They chose not to."
If Casey Anthony had been found guilty at trial, this may have been grounds for a mistrial.
What Information Should be Included in a Chain of Custody Document?
EDRM.net states "Chain of custody refers to the chronological documentation and/or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct..." [emphasis added]
It is important to not only document what is being obtained, but who is doing the collection, when it was collected, and other details that validate the evidence. The chain of custody documentation provides information regarding the collection, transportation, storage, and general handling of the electronic evidence.
A typical chain of custody document may include:
- Date and time of collection
- Location of collection
- Name of investigator(s)
- Name or owner of the media or computer
- Reason for collection
- Matter name or case number
- Type of media
- Serial number of media if available
- Make and model of hard drive or other media
- Storage capacity of device or hard drive
- Method of capture (tools used)
- Physical description of computer and whether it was on or off
- Name of the image file or resulting files that were collected
- Hash value(s) of source hard drive or files
- Hash value(s) of resulting image files for verification
- Any comments or issues encountered
- Signature(s) of persons giving and taking possession of evidence
Documenting as many details as possible throughout the entire process leaves less room for scrutiny about the collection process.
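As an added illustration (not part of the original post or any D4 tooling), the sketch below records several of the fields listed above, verifies the image hash against the source hash, and re-hashes the image at each hand-off. It assumes a raw bit-for-bit image whose hash should equal the source's; all names, case numbers, and file contents are constructed placeholders.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def new_record(source, image, **details):
    """Start a custody record; `details` carries the descriptive fields."""
    rec = dict(details, collected_utc=datetime.now(timezone.utc).isoformat(),
               image_file=os.path.basename(image),
               source_sha256=sha256_file(source),
               image_sha256=sha256_file(image), transfers=[])
    rec["verified"] = rec["source_sha256"] == rec["image_sha256"]
    return rec

def add_transfer(rec, released_by, received_by, image, comments=""):
    """Log a hand-off and re-hash the image so later changes are visible."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "released_by": released_by, "received_by": received_by,
             "image_sha256": sha256_file(image), "comments": comments}
    entry["matches_collection"] = entry["image_sha256"] == rec["image_sha256"]
    rec["transfers"].append(entry)
    return entry

def demo():
    """Constructed sample: a fake 'drive', its image, and two hand-offs."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        for p in (src, img):
            with open(p, "wb") as f:
                f.write(b"constructed sample sectors" * 1000)
        rec = new_record(src, img, matter="EXAMPLE-0001", investigator="A. Examiner",
                         media_type="hard drive", serial_number="PLACEHOLDER",
                         capture_tool="placeholder imaging tool", powered_on=False)
        first = add_transfer(rec, "A. Examiner", "Evidence Room", img)
        with open(img, "ab") as f:      # simulate an undocumented change
            f.write(b"\x00")
        second = add_transfer(rec, "Evidence Room", "B. Analyst", img)
        return rec, first, second

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The second transfer in the demo is flagged because the image no longer matches the hash recorded at collection, which is the kind of discrepancy a reviewer would need explained in the comments field.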
A party's ability to present evidence in a case rests heavily on their ability to prove their collection process was sound. If a misstep occurred and was not properly documented, it can invalidate evidence, which can ultimately change the entire outcome of a case.
Properly maintaining and documenting chain of custody is an important part of a sound collection process. The computer forensic Services Group at D4 can assist legal teams with the determination and implementation of the right collection method, while maintaining proper documentation and employing other best practices.