Chain of Custody in Forensics

Cyber Security Mastery: From Zero to Hero

Maintaining Integrity of Evidence

The Chain of Custody is a strict documentation process that tracks evidence from the moment it is collected until it is presented in court. It ensures that the evidence has not been tampered with or replaced.

Requirements for Chain of Custody

  1. Acquisition: Detailed logs of who collected the evidence, when, and where.
  2. Hashing: Calculating the cryptographic hash (e.g., SHA-256) of the original data and the forensic image immediately after acquisition. If the hash changes later, the evidence has been altered and is inadmissible.
  3. Transfer and Storage: Documenting every person who handles the evidence, the secure storage location, and the reason for access.
  4. Analysis: Recording every analytical step taken on a copy of the evidence, never the original.

Forensic Mantra: If it's not documented, it didn't happen.