In this lesson, we'll talk about chain of custody, why it's required for enterprise security, and how it's useful during legal proceedings.
We'll discuss what has to be recorded within a chain of custody,
how chain of custody affects evidence integrity,
and the negative effects an incomplete chain of custody may have on the credibility of digital evidence.
Now that we've established a case complete with an easily identifiable case name,
what's the next step in the case management process?
The answer: creating a chain of custody for all case evidence is the first step in any case, after establishing the case in the first place.
A chain of custody is a document, or documents, which show every time possession or control of an evidence item changes.
Chain of custody must answer the following questions about any given evidence item.
What is the evidence? How did you get it?
When was it collected?
Who has handled it?
Why did that person handle it? And where was it stored?
Thanks to Andrea Fortuna at andreafortuna.org for the list.
There's a chain of custody template attached to this lesson as a supplemental resource. Let's take a look at this document now.
A typical chain of custody consists of
the stakeholder for whom the investigation is being conducted.
A project code or case name.
The responsible party, which is usually the party performing the collection.
The date and time that the evidence item was received or released.
The name and signature of the releasing party and the receiving party.
The evidence item number for each evidence item being either received or released,
as well as a description of each evidence item, which could include things like
the make and model, the serial number, and the condition, so anything related to marks, scratches, the condition in which the item was received,
or the user or owner of the evidence item,
plus any further comments.
So why is a chain of custody important for security case management?
Evidence integrity is priority one when conducting an investigation.
Even at the outset of an enterprise security case, when the full nature or extent of an event or incident may not yet be known,
evidence integrity must be maintained.
Very often, an event which seems only slightly suspicious or even benign can result in litigation or otherwise end up in court.
Evidence without a well-maintained chain of custody has compromised integrity. Therefore, any findings resulting from analysis of that evidence are inherently less credible, or potentially not credible at all.
Evidence and findings which have little to no credibility have very little value.
So maintaining evidence integrity and a well-documented chain of custody is of paramount importance in all security cases.
What are two things which should be recorded in a chain of custody?
As discussed earlier, there are many things which can be recorded, such as the stakeholder, project code or case name, the responsible party,
dates and times received and released, etcetera.
In this lesson, we talked about chain of custody,
why it's imperative during all enterprise security cases, and how it is useful during legal activity.
We covered what must be recorded within a chain of custody, how chain of custody affects evidence integrity,
as well as the negative effects a broken chain of custody can have on the credibility of digital evidence.
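
As an added example (not part of the original lesson or its attached template), here is a short Python check that the custody log for one evidence item is complete and unbroken, based on the questions and fields listed in the lesson. The key names, the people and the log entries are constructed for illustration.

```python
from datetime import datetime

# Fields each transfer entry must carry. They follow the lesson's list;
# the key names themselves are assumptions made for this example.
REQUIRED = ("item_no", "description", "timestamp", "released_by",
            "received_by", "reason", "location")

def check_chain(entries):
    """Return a list of problems in one evidence item's custody log."""
    problems, prev = [], None
    for n, e in enumerate(entries, start=1):
        missing = [f for f in REQUIRED if not e.get(f)]
        if missing:
            problems.append(f"entry {n}: missing {', '.join(missing)}")
            prev = None  # an incomplete entry cannot anchor the next link
            continue
        when = datetime.fromisoformat(e["timestamp"])
        if prev is not None:
            if e["item_no"] != prev["item_no"]:
                problems.append(f"entry {n}: item number changed")
            if e["released_by"] != prev["received_by"]:
                problems.append(f"entry {n}: released by {e['released_by']}, "
                                f"but last recorded holder is {prev['received_by']}")
            if when < prev_when:
                problems.append(f"entry {n}: dated before entry {n - 1}")
        prev, prev_when = e, when
    return problems

def entry(ts, released_by, received_by, reason, location):
    # Constructed sample data: one laptop, item number E001.
    return {"item_no": "E001", "description": "Laptop, scratched lid",
            "timestamp": ts, "released_by": released_by,
            "received_by": received_by, "reason": reason, "location": location}

SAMPLE_LOG = [
    entry("2024-03-04T09:15:00", "J. Doe (user)", "A. Smith", "collection", "evidence locker 2"),
    entry("2024-03-04T13:40:00", "A. Smith", "B. Jones", "forensic imaging", "lab bench 1"),
    # Broken link: C. Lee never appears as a receiving party.
    entry("2024-03-05T10:05:00", "C. Lee", "A. Smith", "return to storage", "evidence locker 2"),
    # Incomplete: no reason recorded for the hand-off.
    entry("2024-03-06T08:30:00", "A. Smith", "D. Kim", "", "legal department safe"),
]

if __name__ == "__main__":
    for problem in check_chain(SAMPLE_LOG):
        print(problem)
```

Each reported problem marks a point where the log cannot show who held the item or why, which is where the credibility of any findings from that item would be questioned.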