Chain of Custody – CompTIA Security+ SY0-401: 2.4

If you’re handling evidence, then you’ll need to follow a strict chain of custody. In this video, you’ll learn about chain of custody and how it can assist with the resolution of security incidents.

In many situations where you are collecting evidence, you have to maintain a chain of custody. That means the integrity of what was gathered at the crime scene or the incident scene can be checked later: you can look at it and verify that what you gathered during that initial phase is exactly what you’re looking at now. It’s important internally, of course, and incredibly important once you get into legalities and need to prosecute people for the bad things they’ve done to your resources or to your environment.

So anyone who comes into contact with this evidence, who touches it, moves it, transports it, or does anything with it, generally has to be part of the chain of custody. The idea is to prevent any of it from being tampered with. Many of these evidence bags have a section at the top where you can seal it, and there is no way to get into the bag without tearing it apart. When you do open it, you sign off on it: yes, I opened the bag. If you then need to reseal it, you have to use a separate bag, and normally you seal everything, the original bag along with your evidence, inside that new bag.

You’re going to label everything. You’re going to catalog everything. You’re going to take pictures of as much as possible. You’re going to seal it and probably store it away, at least for a temporary amount of time. As I mentioned earlier, these things can go on for a number of days, a number of weeks, or a number of years if this is going into our legal system. So you need to be able to pull this out a year later and determine: has this been tampered with? Is this exactly the same as what I put in this box a year ago? You have to maintain that chain of custody to be able to do that.
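The same idea carries over to digital evidence: fingerprint the item when it is collected, record every hand-off, and make the record itself tamper-evident so a year later you can answer both "is this the same data?" and "was this log altered?". The following is an added example, not code from the video or from CompTIA; the item identifier, handler names and evidence bytes are constructed for illustration. Each custody entry carries the hash of the previous entry (starting from the item's own SHA-256), so editing, removing or reordering an earlier entry changes every hash after it and fails verification.

```python
"""Hash-based evidence integrity with a chained hand-off log (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Tamper-evident chain-of-custody record for one evidence item."""

    def __init__(self, item_id: str, description: str, data: bytes,
                 collector: str, when: Optional[str] = None):
        self.item_id = item_id
        self.description = description
        # Fingerprint taken at collection time and never updated afterwards.
        self.original_hash = sha256_hex(data)
        self.entries: list = []
        self._append(collector, collector, "collected and sealed", when)

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON (sorted keys) so the same entry always hashes identically.
        return sha256_hex(json.dumps(entry, sort_keys=True).encode("utf-8"))

    def _append(self, from_handler: str, to_handler: str, action: str,
                when: Optional[str] = None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        # First entry chains to the item hash; later ones to the previous entry.
        prev = self.entries[-1]["entry_hash"] if self.entries else self.original_hash
        entry = {
            "seq": len(self.entries),
            "item_id": self.item_id,
            "from": from_handler,
            "to": to_handler,
            "action": action,
            "when": when,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)  # hash excludes itself
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler: str, to_handler: str,
                 action: str = "transferred", when: Optional[str] = None) -> dict:
        """Record that custody passed from one handler to another."""
        return self._append(from_handler, to_handler, action, when)

    def verify_item(self, data: bytes) -> bool:
        """Is this copy byte-for-byte what was collected originally?"""
        return sha256_hex(data) == self.original_hash

    def verify_log(self) -> bool:
        """Recompute the chain; any edit, deletion or reorder breaks it."""
        prev = self.original_hash
        for seq, entry in enumerate(self.entries):
            if entry.get("seq") != seq or entry.get("prev_hash") != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if self._entry_hash(body) != entry.get("entry_hash"):
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: a stand-in for a disk image or memory capture.
    evidence = b"constructed evidence bytes"
    log = CustodyLog("EX-0001", "constructed sample image", evidence, "Alice",
                     when="2024-01-01T09:00:00+00:00")
    log.transfer("Alice", "Bob", "handed to forensics lab",
                 when="2024-01-02T10:30:00+00:00")
    print("item intact:", log.verify_item(evidence))
    print("log intact: ", log.verify_log())
    log.entries[0]["to"] = "Mallory"  # simulate an after-the-fact edit
    print("log intact after edit:", log.verify_log())
```

In practice the hashes and the log would be written to a separate, write-once location (or signed) rather than kept alongside the evidence, so that whoever can alter the item cannot quietly rebuild the log to match.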