Document Chain of Custody for All Collected Evidence
Maintain a rigorous chain of custody for all collected evidence. Hash all evidence files, document collection timestamps and methods, and maintain evidence logs suitable for potential legal proceedings.
Actions
- 1
For each evidence item collected, record: item description, source system, collection method, collector name, date/time (UTC), and storage location.
- 2
Hash all evidence files immediately upon collection using SHA-256: `sha256sum /case/evidence/* > /case/evidence_hashes.sha256` (Linux) or `Get-FileHash -Algorithm SHA256 -Path C:\case\evidence\* | Export-Csv C:\case\evidence_hashes.csv` (PowerShell).
- 3
Store evidence on write-protected media or in a secured evidence repository with access logging. Document any transfers between storage locations.
- 4
Create forensic images using write-blockers where possible. For disk images, use `dc3dd` or FTK Imager with verification: `dc3dd if=/dev/sda of=/case/evidence/disk.dd hash=sha256 log=/case/evidence/disk.log`.
- 5
Maintain an evidence log spreadsheet with columns: Evidence ID, Description, Source, Collection Time (UTC), Collector, SHA-256 Hash, Storage Location, Access Log.
Queries
Get-ChildItem -Path C:\case\evidence -Recurse | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path, @{Name="SizeKB";Expression={(Get-Item $_.Path).Length/1KB}} | Format-Table -AutoSize // PowerShell: Hash all evidenceindex=wineventlog sourcetype=WinEventLog:Security EventCode=4663 ObjectName="*evidence*" OR ObjectName="*case*" earliest=T_START latest=T_END | stats count by SubjectUserName, ObjectName, AccessMask, ComputerName | sort -count
Notes
Chain of custody documentation is essential even if legal action seems unlikely at this stage. Investigations frequently escalate to legal matters weeks or months later.
Never modify original evidence files. Always work on copies and document the copy creation process.