Legal Hold and Chain of Custody
Digital forensics is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of information and maintaining a strict chain of custody. The legal and procedural framework governing evidence collection is as important as the technical methodology — improperly handled evidence may be inadmissible in court and fail to support prosecution or civil claims.
RFC 3227: Best Practices for Evidence Collection
RFC 3227 (Guidelines for Evidence Collection and Archiving) provides the foundational best practices for digital evidence handling. Its core principles: collect evidence in order of volatility (most volatile first, least volatile last), avoid modifying evidence, document everything, and maintain a complete chain of custody. RFC 3227 is the recognized international guidance for how digital evidence must be handled to be admissible and defensible.
Legal Hold
A legal hold (also called a litigation hold or preservation order) is an obligation to preserve potentially relevant electronically stored information (ESI) when litigation is anticipated or ongoing. Legal holds are a pre-forensics requirement: evidence must be preserved before forensic analysis begins, and the scope of preservation is determined by legal counsel, not the technical team.
- Who initiates: Legal counsel identifies the need for a legal hold based on anticipated litigation, regulatory investigation, or legal obligation. Legal, not IT, makes this determination.
- Who is a custodian: A custodian is any individual who has possession, custody, or control of potentially relevant information. Custodians are notified of the hold and are legally obligated to preserve relevant data.
- Custodian obligations: Custodians must immediately stop any data deletion or modification that would affect relevant evidence, preserve all relevant ESI in a separate repository or protected state, and maintain this obligation ongoing until the hold is formally lifted by legal counsel.
- Scope: Legal holds cover all potentially relevant ESI, including email, documents, instant messages, system logs, database records, and any other digital information related to the matter.
- ESI repository: Relevant data is typically moved to or flagged in a separate repository to prevent accidental deletion or modification by normal business processes.
Chain of Custody
Chain of custody is the documented, unbroken record of every person who handled a piece of evidence, every location it was stored, and every action taken on it from initial collection through presentation in legal proceedings. A broken chain of custody renders evidence inadmissible.
- Cryptographic hashes: Before any analysis begins, a cryptographic hash (typically SHA-256) is computed for every piece of evidence. After analysis, the hash is recomputed and compared. Identical hashes prove the evidence was not modified. Hash values are recorded in the chain of custody documentation.
- Digital signatures: Digital signatures on evidence packages authenticate who created and transmitted the package, providing non-repudiation for chain of custody records.
- Labeling and cataloging: Every piece of evidence receives a unique identifier, a label describing what it is and when/where it was collected, and an entry in the evidence log.
- Tagging: Physical tags attached to storage media or devices indicate case number, evidence number, collector name, collection date/time, and location.
- Sealing: Evidence is sealed in tamper-evident packaging. Breaking or absence of the seal indicates tampering.
- Secure storage: Evidence is stored in a locked location with access restricted to authorized personnel. Every access is logged.
Evidence Acquisition and Preservation
The Forensic Process: Acquisition → Analysis → Reporting
Digital forensic investigations follow a structured sequence. Acquisition is the collection of evidence from digital sources. Analysis is the examination of acquired evidence to identify artifacts relevant to the investigation. Reporting is the documentation of findings in a form suitable for legal proceedings, management, or regulatory bodies. Each phase must be completed with documented methodology.
Types of Acquisitions
| Acquisition Type | What It Captures | Volatility |
|---|---|---|
| Disk image | Bit-for-bit copy of storage media including deleted files and unallocated space | Low (persists without power) |
| RAM / memory image | Entire contents of system memory: running processes, injected code, encryption keys, network connections, credentials in use | Highest (lost on reboot or power loss) |
| Firmware image | Contents of device firmware (UEFI/BIOS level); can reveal rootkits that persist below the OS | Low to medium |
| OS files | Operating system configuration, registry hives, event logs, user account data | Low |
| VM snapshots | Complete state of a virtual machine at a point in time, including RAM state and disk | Low (once saved) |
| Artifacts | Browser history, bookmarks, saved logins, recycle bin contents, temp files, recently accessed files, prefetch data | Low to medium |
Volatility Order for Collection
RFC 3227 establishes that evidence must be collected in order from most volatile to least volatile, because more volatile evidence disappears first:
- RAM / live memory (lost on power loss or reboot)
- Network connections and routing tables (current state)
- Running processes
- Disk contents
- Firmware
- Removable media and external storage
- Backups (least volatile)
Preservation Principles
- Always work from copies: Analysis is performed on forensic copies (disk images), never on original evidence. This prevents accidental modification of evidence and ensures the original is always available for verification.
- Live collection for encrypted or volatile systems: If a system uses full-disk encryption and is currently running (decrypted), shutting it down to image the disk will produce an encrypted (unreadable) image. In this case, live collection from the running system is the only option to obtain readable data. Similarly, RAM must be imaged while the system is live.
- Mobile device considerations: Mobile devices are especially susceptible to remote wipes (attacker or policy-driven). A device should be placed in airplane mode or a Faraday bag immediately to prevent remote wipe commands from reaching it. Work from the preserved state, not the live device.
- Write blockers: Hardware write blockers are connected between the evidence drive and the forensic workstation to ensure no data is written to the evidence drive during imaging, preventing accidental modification.
Forensic Reporting and E-Discovery
The Forensic Report
A forensic report documents the complete investigation for audiences who were not present during the technical work: legal counsel, executives, judges, regulators, and opposing counsel in litigation. The report must be reproducible — another forensic analyst following the same methodology should reach the same conclusions.
A complete forensic report contains four components:
- Summary: A non-technical executive summary describing what happened, what was found, and the significance of the findings. Written for decision-makers who may not have technical backgrounds. This is the section most audiences read first and sometimes exclusively.
- Detailed acquisition method: Precise documentation of every tool used, every setting applied, every evidence item collected, and every hash value computed. Another forensic analyst must be able to verify the work independently using this documentation.
- Findings and analysis: The technical evidence: artifacts found, timeline of events, attacker tools and techniques identified, files accessed, accounts used, data exfiltrated. Each finding is linked to the specific evidence item that supports it.
- Conclusion: What the findings collectively indicate about the incident: who likely did what, when, and how. Conclusions must be supported by the findings and must acknowledge uncertainty where evidence is incomplete.
E-Discovery
E-discovery (electronic discovery) is the process by which electronically stored information is collected, processed, reviewed, and produced in response to legal proceedings. E-discovery is a legal process, not a forensic investigation, though the two frequently operate simultaneously.
- Purpose: E-discovery gathers electronic documents (emails, spreadsheets, databases, instant messages, social media, metadata) that are relevant to litigation and must be disclosed to opposing parties under rules of civil procedure.
- Phases: Collection (identify and preserve relevant ESI) → Processing (filter, deduplicate, prepare for review) → Review (attorneys examine documents for relevance and privilege) → Production (provide relevant, non-privileged documents to opposing counsel).
- No analysis required: E-discovery does not require forensic analysis of how events occurred or who performed an action. It is about collecting and producing documents, not reconstructing attacks. This distinguishes it from digital forensics.
- Relationship to forensics: In a security incident involving litigation, forensics and e-discovery may occur simultaneously. Forensics reconstructs the attack; e-discovery collects documents for legal production. They use similar data sources but serve different purposes and are governed by different legal obligations.
| Characteristic | Digital Forensics | E-Discovery |
|---|---|---|
| Purpose | Reconstruct events; identify who did what and how | Collect and produce ESI for legal proceedings |
| Driven by | Security team, law enforcement | Legal counsel, litigation requirements |
| Requires analysis | Yes — artifacts examined, timeline built | No — documents collected and reviewed for relevance |
| Output | Forensic report with findings and conclusions | Document production to opposing counsel |
| Legal trigger | Security incident, law enforcement request | Litigation hold, court order, regulatory request |
Legal Considerations in Forensics
Forensic investigations intersect with legal requirements at multiple points. Evidence collected for use in criminal or civil proceedings must comply with applicable laws (Fourth Amendment search and seizure requirements in US law, privacy regulations in various jurisdictions). Evidence obtained without proper authorization may be inadmissible. Forensic investigators must understand the legal framework applicable to their investigation before collecting evidence — particularly when evidence involves employee personal data, communications, or data in cloud environments operated by third parties.