I’m not very big into forensics any more, but occasionally I’ll get asked to take on a case or two, and whenever I do, the one thing that people always manage to seem to get wrong is the chain of custody.
Now for those of you who have no idea what I’m talking about here, here is the blurb from Wikipedia on Chain Of Custody.
“Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been planted fraudulently to make someone appear guilty.”
I have seen so many cases through the years, where a single has just gone and asked a user to please shutdown their PC, and then taken it away from them, jumped in a cab, and as it was late, taken the PC home with them for the night. Then the next morning, they’ll walk into my office and ask me to do forensics on the host, as the user in question has been doing x,y and z wrong on company property and they want to fire them and prosecute. It’s very hard trying to explain to senior management, that while, I can do the forensics for you, and I’m sure that I’ll find something, can you please just prove to me that you didn’t put it there to frame the person? This usually results with the same old conversation, that kind of goes along these lines.
Manager: “Of course I didn’t put it there! I’m a senior manager, why would I do that, what do I stand to gain?”
Me: “Well, it could be that you just don’t like this person, or on a personal level, they’ve done something to upset you”
Manager: “Well, I’m telling you that I didn’t put anything on his PC, and I’m a senior manager! So get started with the forensics asap, and let me know!”
Me: “You seem very defensive, it sounds like you may be hiding something?”
Manager: “I am not hiding anything, I just want you to prove that he was doing something wrong so that I can fire him and then get legal to prosecute!”
Me: “Okay, I’ll do what I’ve been asked. Just remember though, I’m a IT Security guy, and you sound guilty to me, even though you may not be, imagine what a lawyer would do with you? We have forensics procedures, that are visible to the entire company in regards to bringing in user’s PC’s, next time can you please take the time to read these?”
The senior manager then usually storms out of the office.
Following proper procedures for forensics purposes is of the utmost importance, as if you do need to lay charges you need to be able to prove that you did everything by the book. If you don’t have detailed procedures for your in-house forensics, maybe now is the time to start thinking about writing some…