Operational and Organizational Security: Incident Response • Chapter 11 641
it open. The bag should then be marked or a tag should be affixed to it, showing
the person who initially took it into custody. The tag should provide such
information as a number to identify the evidence, a case number (which shows what case
the evidence is associated with), the date and time, and the name or badge number
of the person taking it into custody. A tag may also be affixed to the object,
providing the same or similar information to what is detailed on the bag. However,
this should only be done if attaching a tag to the item does not compromise the
evidence in any manner.
Information on the tag is also written in an evidence log, which is a document
that inventories all evidence collected in a case. In addition to the data available on
the tag, the evidence log includes a description of each piece of evidence, serial
numbers, identifying marks or numbers, and other information that is required by
policy or local law.
The evidence log also details the chain of custody. This document is used to
describe who had possession of the evidence after it was initially tagged, transported,
and locked in a storage room. To obtain possession of the evidence, a person needs to
sign it in and out. Information is added to a chain of custody log to show who had
possession of the evidence, when, and for how long. The chain of custody log
specifies the person’s name, department, date, time, and other pertinent information.
In many cases, the investigator will follow the evidence from the crime scene to
court, documenting who else had possession along the way. Each time possession is
transferred to another person it is written in the log. For example, the log would
show the investigator had initial custody, while the next line in the log shows a
computer forensic examiner took possession on a particular date and time. Once
the examination is complete, the next line in the log would show that the
investigator again took custody. Even though custody is transferred back to the
investigator, this is indicated in the log so there is no confusion over who was responsible
at any time.
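The chain of custody log described above can be checked mechanically for gaps and overlaps, so that one named person is responsible at every moment. The Python below is an added example, not part of the book; the field names, helper functions, identifiers and people in the sample log are constructed for illustration, and it assumes each log line records when a person received the evidence and when they released it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class CustodyEntry:               # one line of the chain of custody log (assumed layout)
    evidence_no: str              # number identifying the evidence, as on the tag
    case_no: str                  # case the evidence is associated with
    name: str                     # person taking possession
    department: str
    received: datetime            # when this person took possession
    released: Optional[datetime]  # when they handed it on; None = still holds it

def check_chain(log):
    """Return a list of problems; an empty list means custody is unbroken."""
    problems = []
    for i, e in enumerate(log, start=1):
        if (e.evidence_no, e.case_no) != (log[0].evidence_no, log[0].case_no):
            problems.append(f"line {i}: evidence or case number differs from line 1")
        if e.released is not None and e.released < e.received:
            problems.append(f"line {i}: released before received")
    for i, (prev, cur) in enumerate(zip(log, log[1:]), start=2):
        if prev.released is None:
            problems.append(f"line {i - 1}: no release recorded before line {i}")
        elif cur.received > prev.released:
            problems.append(f"line {i}: gap of {cur.received - prev.released} with no custodian")
        elif cur.received < prev.released:
            problems.append(f"line {i}: overlaps line {i - 1}, two custodians at once")
    return problems

def holder_at(log, when):
    """Name of the person responsible for the evidence at a given moment, or None."""
    for e in log:
        if e.received <= when and (e.released is None or when < e.released):
            return e.name
    return None

def time_held(log, now):
    """Total time each person had possession; an open entry is counted up to `now`."""
    totals = {}
    for e in log:
        totals[e.name] = totals.get(e.name, timedelta()) + ((e.released or now) - e.received)
    return totals

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample log: investigator -> forensic examiner -> investigator again.
SAMPLE_LOG = [
    CustodyEntry("E-001", "C-1234", "Inv. Lee", "Investigations", ts("2024-03-01 09:15"), ts("2024-03-02 10:00")),
    CustodyEntry("E-001", "C-1234", "Ex. Patel", "Forensics Lab", ts("2024-03-02 10:00"), ts("2024-03-05 16:30")),
    CustodyEntry("E-001", "C-1234", "Inv. Lee", "Investigations", ts("2024-03-05 16:30"), None),
]
```

The transfer back to the investigator appears as its own line, so `holder_at` gives a single answer for any time after the evidence was first tagged.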
Preservation of Evidence
If data and equipment are to be used as evidence, it is important to ensure that
their integrity has not been compromised. Preservation of data involves practices
that protect data and equipment from harm, so that original evidence is preserved
in a state as close as possible to when it was initially acquired. If data is lost, altered,
or damaged, it may not be admissible in court. Worse yet, the credibility of how
evidence was collected and examined may be called into question, making other
pieces of evidence inadmissible as well.
www.syngress.com