Chain of Custody Part 1

00:00

Hello. My name is David,

00:03

and welcome to you managing. And it

00:06

over Matthew managing an incident. So we just finished up the first steps in as the response in an institute on one of the things we talked about was identifying, reserving, collecting habits. Um,

00:22

because it's gonna be necessary for your announcements about internally and maybe even

00:27

externally if both worsen it were a regulatory body may possibly get involved. So

00:37

dealing with

00:40

I kind of stumbled saying this, some people do take it, take some offensive this, but I'm gonna say it anyway. In the civilian I he wore often times

00:52

the chain of custody and evidence are thought up when an incident occurs, the only thing that is thought of his recovery and remediation, they skip over those initial steps in the incident response process and move directly into

01:10

you're continue mentor remediation

01:12

on and sad to say, that is changing a CZ. People become more aware incidence and especially as breaches get larger and bigger and more publicized, more people and I fear becoming aware of me not just jump immediately that however, however

01:33

Jim patient is there.

01:34

So you as innocent respondent Nate to keep that in mind as well. Don't let yourself get pressured into skipping this step of viewing with Evans.

01:44

Now, after the initial shock, we don't panic. Button get pushed. We saw people screaming the yelling in the hallway, uh, cowering under their desks, sucking their thumb in fetal position where they found out to be possibly ranged.

01:59

But once the incident response process is start, one of the very first things that we need to start doing in this process is identify possible evidence. Of course, that

02:12

is a corollary to the entire thing. If you get a say in alert for possible their long in multiple Bill Mauldin attempts on you started researching that and you begin C I p addresses ranges that have nothing to do. Business

02:28

Ugo Threat Intelligence on those two virus turnovers. San's I. C. S

02:32

and they're coming back to them. Hacking groups. You've got a problem now you've already identified your exchange server would be impossible Social evidence or Officer six. By just depending on how you read that

02:46

or if a usual contacts out test and says, Hey, I keep getting these pop ups on my system. I don't understand what's going on. Sometimes my mouse moves by itself.

02:55

He does,

02:57

doesn't reply. He s paying and boards that over the hero on stock analysts who looks at it and see some really strange points and then Fords it onto that here to slash re analysts, You got an end user system that's gonna need analyzed. But once you've made that identification,

03:15

you have to keep it in the front of your mind

03:19

that even if there is the remotest possibility of criminal action, were possibly internal action against an impolite, and you should complete the chain of custody to cover yourself in the entire process.

03:36

What is the Jane cost? Simply put, it's a paper trip tracking the evidence.

03:42

You need your Caesar recovered. I anybody touches it. Anybody who handles it, anybody who takes possession of it, their name should be on that chain of custody.

03:53

Ah, lot of industry regulations actually require Jean custody for just practically

04:00

any incident that would occur hip being one example that any legal action could require James Pastilles.

04:09

Any employee

04:11

disciplinary actions could require

04:15

a chain of custody, say an employee. I was serving bad things on the Internet through the company network and using a couple just down the investigation proceeds,

04:27

the Human Resources Board decides that this person's fire's a fire his person. And then that person files a wrongful termination suit against the company.

04:36

You could very well have to get testify in court. He did the forensic analysis of shiing or say even longer analysis.

04:46

Do you have a chain of custody to document the system who have it where it was store a dates and times of when it was access and then put back? Because if you don't, that evidence could be excluded in court and the entire case could be lost.

05:06

Worst case scenario. Um, I pass by in many, many criminal cases in civil cases recording digital evidence. And that is one of the go tubes

05:21

for defense terms. Is this chain out house They will look that thing over with a fine thio

05:29

looking for gaps in times, dates, missing people. Um, we had one case. It wasn't a digital case. I in both drugs. But the defense attorney subpoenaed every single person on the chain of custody to a jury trial

05:47

when he came in

05:49

his first thing that morning was he got out his listen. Witnesses. He started going down and calling out means just Smith, Jane Doe,

05:59

advisor.

06:01

Then Underhill, a Zen. Each person said they were there. He said, Your excuse, your excused, your excuse years. It was every single name that was on the chain of custody. Oh, he was trying to do is get one person on the chain of custody not to show up the court.

06:19

And then he would be able to exclude the Alex when everybody showed up.

06:26

You haven't seen me was going to be admitted.

06:28

No purpose and even pursuing jury child, that at that point he wanted to get a plea bargain pregnant. So they are extremely important to document the evidence. And what is going on with? So now, while we're here, let's go out here into

06:45

the world and take a look at the sample.

06:48

Jane in custody, They're not truly difficult, So don't Don't overblow them in your mind. Please. Now we would do search warrants.

07:00

One of the things that we would do is labeled each one with a number. So room first room, we went in to get a label put on the door at the letter a on mention bees. Edie on down the alphabet,

07:15

whether in room description, kitchen, living room, dining back from whatever might happen to be. And then these forms in and of themselves contain it'd entry log. So if an investigator way into over, he had to sign on this form. But the time in that he went into the room

07:34

the time you left the room. And if he are took in any evidence being seized,

07:39

he had to identify why evidence he sees from that room. This may seem a little overwhelming to some people,

07:48

but it didn't protect us in several complaints when defendants and so and so stole something during the execution of surf or whatever

08:01

on we had these forms that we could bring out and say that investigator never even entered that room. According to this form on. One thing you'll find out in court cases is if it's written down and documented like this,

08:13

this pretty much held to be true.

08:18

However, if you have to go, just be a word of mouth, Then comes a little trickier because I don't know about you, but I can't remember every single person they've come into a room.

08:28

So if they can put one person on the stand and says, Hey, do you remember it? Jane Smith came into the room during the execution of Search one. No, I I really cannot say I remember seeing that person here in the room or not. There's room for evidence of how so This kind of form

08:48

can l come

08:50

now? They're not necessary. All the times that you were working in an office environment on your searching cubicle, of course you're just in the cubicle, but you still want to keep along who was there on what they do while they were there in order to help

09:07

protect yourself and the evidence in case off court.

09:11

Now, this is a digital evidence. Jane, Dustin, for some places have different forms for physical evidence, visual evidence,

09:20

um, bodily fluids, all kinds of stuff. I committed place. So since we're focused on its response is basically visual evidence. This is just an example that a case number, depending upon what format your company decides to use force. However many pages were needed to cover the chain of custody form

09:39

I identification of the computer sell a CZ best you can. I know many computers don't have, ah, visible serial number. A little number that you need to make a good description of it.

09:52

I, the important parts of who obtained it,

09:54

the date time and if anybody who they got that from it is imaged. Then of course, you put your passion where it was stored and you did the imaging and all that. And then any other time that piece of evidence is removed or touched by somebody else, this

10:13

section of warm that gets filled in

10:16

to ensure that it is adequately That's a real brief and simple introduction to you. Chain of custody. Like I said, it's not too overblown or too complicated. I'll put up a copy of the chain of custody on, uh,

10:33

lesson science so that you can access it and modified everyone. Every questions hit me up, Davey. 135 homes. I'm very