Chain of custody of evidence refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. Chain of custody should clearly depict how the evidence was collected, analyzed, and preserved so it can be presented as admissible evidence in court.
In traditional forensic procedures, it is “easy” to maintain an accurate history of the time, location, and persons accessing a potential suspect's computer, hard disk, etc. In a cloud, on the other hand, we do not even know where a VM is physically located. Investigators can also acquire a VM image from any workstation connected to the internet, and the investigator’s location and the VM’s physical location can be in different time zones. Hence, maintaining a proper chain of custody is much more challenging in the cloud.
The issue is one of certification rather than replication, because ensuring the chain of custody for digital content does not involve an additional act of copying or physical transformation. It simply requires that any change in safeguarding the digital object must be authenticated and recorded in order for it to be introduced as evidence at a later date.
However, this problem cannot be solved by digital means alone. It requires activity outside the digital realm that documents when a change of custody has taken place—or certifies it has not.
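As an added illustration (not code from the article), the sketch below covers only the digital record: each custody event is stored with a UTC-normalised timestamp and the evidence's SHA-256, and entries are chained by hash so a later edit is detectable. The field names, actors and sample image bytes are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, as canonical JSON.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log, actor, action, evidence, when):
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    entry = {
        "seq": len(log),
        "utc": when.astimezone(timezone.utc).isoformat(),  # one clock for all sites
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log, evidence):
    """Return a list of problems; an empty list means the record is consistent."""
    problems, prev, last = [], GENESIS, None
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: fields altered")
        t = datetime.fromisoformat(e["utc"])
        if last is not None and t < last:
            problems.append(f"entry {i}: timestamp goes backwards")
        prev, last = e["entry_hash"], t
    if log and log[-1]["evidence_sha256"] != sha256_hex(evidence):
        problems.append("evidence differs from last recorded hash")
    return problems

if __name__ == "__main__":
    image = b"constructed sample VM image bytes"  # stands in for an acquired image
    log = []  # local wall clocks read 16:00 then 11:00, yet UTC order is correct
    append_entry(log, "investigator A", "acquired", image, datetime(2024, 1, 1, 16, 0, tzinfo=timezone(timedelta(hours=1))))
    append_entry(log, "analyst B", "received", image, datetime(2024, 1, 1, 11, 0, tzinfo=timezone(timedelta(hours=-5))))
    print(verify_log(log, image) or "custody record consistent")
```

The chain only shows that the record is internally consistent; the custody change itself still has to be documented outside the digital realm, as the article says.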