Evidence Preservation: What Holds Up and What Gets Laughed Out of Court
DFIR work has to survive cross-examination. We cover the chain of custody documentation, hashing discipline, and cloud log preservation steps that separate a defensible case from a story the defense lawyer dismantles in ten minutes.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 11, 2024 · 8 min read
Evidence that cannot be authenticated is not evidence. We have seen six-figure investigations collapse because the responder copied a log file to their laptop, edited it in Notepad to make it readable, and saved it back. The hash changed. The defense walked. The pattern is preventable.
Chain of custody is paperwork, not vibes
Every piece of evidence needs a custody record: who collected it, when, from what source, using what tool and version, with what hash. Every handoff gets a new line: from whom, to whom, when, for what purpose, with the receiving party signing. The form is boring. It is also the document a judge will read when deciding whether your evidence is admissible. Pre-print the forms or use a dedicated tool; do not invent the format during an incident.
- Collection record: source identifier, tool, tool version, operator, timestamp (UTC), SHA-256
- Storage record: container, location, access control, when sealed, who sealed it
- Transfer record: every movement, with both signatures and reason
- Analysis record: who analyzed, what working copy was used, what was preserved
Hashing: SHA-256 or you are not serious
MD5 collisions have been demonstrated since 2004, and chosen-prefix collisions, the kind that let an attacker produce two different meaningful files with the same digest, since 2007. SHA-1 went the same way in 2017. Use SHA-256 for everything. Hash the source before acquisition where the source is stable enough to allow it (a powered-off drive behind a blocker, not a live volume), hash the output container, and hash again at every transfer. Store the hashes separately from the evidence so a single point of compromise does not undermine both. Hashing is also the answer when opposing counsel asks how you know the file you analyzed is the file you collected: the digest recorded at collection matches the one you recompute on the stand, or it does not.
Write-blocking and the imaging workflow
Physical evidence acquisition uses a hardware write-blocker (Tableau, WiebeTech). The blocker sits between the source drive and the workstation so the imaging tool cannot modify the source. dd, dc3dd, ewfacquire and FTK Imager are all valid; the choice matters less than the discipline. Verify that the image hash matches the source hash. For a raw image, hash the image file itself. For a compressed container such as E01, verify the acquisition hash stored inside the container (ewfverify, or the imager's own verify step) rather than hashing the .E01 file, which will never match the source. Document the blocker model and serial number in the chain of custody. If you imaged without a blocker, say so and explain why.
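The custody record, the hash-at-every-step discipline and the post-imaging hash check above are small enough to script, and scripting them removes the "I am sure I hashed it" problem. The following is an added example, not BIPI's tooling or any named product: an append-only ledger in which every line carries a UTC timestamp, action, operator, tool, object, SHA-256 and note, plus a verify step that re-hashes an object against its last recorded digest and an image check that fails loudly when a raw image does not match its source. It assumes a POSIX shell with GNU sha256sum or BSD shasum; the paths, operator name and blocker serial used in the comments and tests are constructed placeholders.

```shell
#!/bin/sh
# Added example (not BIPI's tooling): an append-only custody ledger plus the
# post-imaging hash check. Assumes a POSIX shell with GNU sha256sum or BSD shasum.
# Ledger line format: utc|action|operator|tool|object|sha256|note

sha256_of() {
    # Print only the hex digest of file (or block device) $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# custody_record LEDGER ACTION OPERATOR TOOL OBJECT [NOTE]
# Hashes OBJECT at record time and appends one line. The ledger, not the
# operator's memory, is the authority on what was collected and when.
# Prints the digest so callers can compare it. Fails if OBJECT is unreadable.
custody_record() {
    ledger=$1 action=$2 operator=$3 tool=$4 object=$5 note=${6:-}
    [ -r "$object" ] || return 1
    digest=$(sha256_of "$object")
    [ -n "$digest" ] || return 1
    printf '%s|%s|%s|%s|%s|%s|%s\n' "$(utc_now)" "$action" "$operator" \
        "$tool" "$object" "$digest" "$note" >> "$ledger"
    printf '%s\n' "$digest"
}

# custody_verify LEDGER OBJECT
# Re-hashes OBJECT and compares it with the most recent ledger entry for it.
# Exit 0: unchanged. 1: hash differs (the "edited in Notepad" problem).
# 2: no record exists, so there is nothing to compare against.
custody_verify() {
    ledger=$1 object=$2
    [ -r "$ledger" ] || return 2
    recorded=$(awk -F'|' -v o="$object" '$5 == o { h = $6 } END { print h }' "$ledger")
    [ -n "$recorded" ] || return 2
    [ "$(sha256_of "$object")" = "$recorded" ]
}

# verify_image LEDGER OPERATOR SOURCE IMAGE BLOCKER
# Records the source hash and the raw-image hash and fails if they differ.
# Run it as soon as dd/dc3dd finishes, while the source is still behind the
# write-blocker (BLOCKER is its model/serial, which goes into the note field).
# Applies to raw images only; for E01 use the acquisition hash in the container.
verify_image() {
    ledger=$1 operator=$2 source=$3 image=$4 blocker=$5
    src_hash=$(custody_record "$ledger" source-hash "$operator" sha256_of "$source" "read through $blocker") || return 1
    img_hash=$(custody_record "$ledger" image-hash "$operator" sha256_of "$image" "raw image of $source") || return 1
    [ "$src_hash" = "$img_hash" ]
}
```

Typical use is `verify_image custody.log responder1 /dev/sdb case42-sdb.dd "TABLEAU-T35u-SN0000"` straight after imaging, then `custody_verify custody.log case42-sdb.dd` at every handoff and before analysis. Keep the ledger on separate media from the evidence, as the section above says; a ledger stored next to the image it describes proves nothing if that media is questioned. The ledger is pipe-delimited, so object paths containing `|` need a different separator.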
Cloud evidence: the part everyone forgets
Cloud logs vanish on a retention schedule. CloudTrail's event history keeps 90 days of management events, and data events (S3 object access, Lambda invocations) are not retained at all unless a trail or an event data store was already configured. Entra ID (Azure AD) sign-in logs default to 30 days on a P1/P2 licence and 7 days without one. Google Workspace audit logs default to six months. The first hour of any cloud incident has to include an explicit preservation step: copy the logs to a dedicated, versioned bucket with S3 Object Lock enabled, apply a legal hold or a compliance-mode retention period to the preserved objects (the lock is enforced per object version, so a bucket-level default only protects what lands there afterwards), and document the time of preservation in your chain of custody. Azure (immutable blob storage policies) and GCP (Bucket Lock retention policies) have documented equivalents. Run them before the retention clock kills your evidence.
- Identify all relevant cloud log sources within the first hour of declaring the incident
- Apply S3 Object Lock or equivalent immutability to the destination bucket
- Export logs from the providers via their native export APIs, not screen scraping
- Hash the exports and document the time of preservation in UTC
- Put the affected accounts on litigation hold (Microsoft 365) or the provider's equivalent; a content hold preserves mailboxes and files, not sign-in or audit logs, which must be exported separately
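The AWS half of the procedure above, as an added example rather than anything from BIPI or AWS documentation: create the destination bucket with Object Lock and a compliance-mode default retention, sync the log prefix into it, pull a local working copy, write a sorted SHA-256 manifest of every exported file, hash the manifest itself and append the UTC preservation time to a custody ledger. It assumes AWS CLI v2 with credentials in the environment and a region other than us-east-1 (which must omit `--create-bucket-configuration`). The bucket names, account ID, prefix and operator name are constructed placeholders. Setting `AWS=echo` prints the commands instead of running them, which is how you review the exact calls before touching a production account and how the example is exercised offline.

```shell
#!/bin/sh
# Added example (not BIPI's or AWS's tooling): preserve an S3 log prefix into an
# Object Lock bucket, pull a working copy, and hash the exports.
# Assumes AWS CLI v2, credentials in the environment, and a region other than
# us-east-1. Set AWS=echo to print the commands instead of running them.
AWS=${AWS:-aws}

sha256_of() {
    # Print only the hex digest of file $1 (GNU sha256sum or BSD shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# make_locked_bucket BUCKET REGION DAYS
# Object Lock has to be requested when the bucket is created (it also turns on
# versioning). COMPLIANCE mode means no principal, root included, can shorten
# the retention or delete a locked version until DAYS have elapsed.
make_locked_bucket() {
    bucket=$1 region=$2 days=$3
    "$AWS" s3api create-bucket --bucket "$bucket" --region "$region" \
        --create-bucket-configuration "LocationConstraint=$region" \
        --object-lock-enabled-for-bucket
    "$AWS" s3api put-object-lock-configuration --bucket "$bucket" \
        --object-lock-configuration \
        "{\"ObjectLockEnabled\":\"Enabled\",\"Rule\":{\"DefaultRetention\":{\"Mode\":\"COMPLIANCE\",\"Days\":$days}}}"
}

# preserve_prefix SRC_BUCKET PREFIX DEST_BUCKET EXPORT_DIR LEDGER OPERATOR
# 1. copy the prefix (e.g. AWSLogs/<account>/CloudTrail) into the locked bucket,
# 2. pull a local working copy for analysis,
# 3. write a sorted SHA-256 manifest of every exported file,
# 4. hash the manifest itself and record the UTC preservation time in LEDGER.
# Ledger line format: utc|action|operator|tool|object|sha256|note
preserve_prefix() {
    src=$1 prefix=$2 dest=$3 export_dir=$4 ledger=$5 operator=$6
    "$AWS" s3 sync "s3://$src/$prefix" "s3://$dest/$prefix"
    mkdir -p "$export_dir"
    "$AWS" s3 sync "s3://$dest/$prefix" "$export_dir"
    manifest=$export_dir/SHA256SUMS
    # Sorted with a fixed locale so the manifest is reproducible across runs.
    ( cd "$export_dir" && find . -type f ! -name SHA256SUMS | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done ) > "$manifest"
    printf '%s|preserve|%s|aws-cli|s3://%s/%s|%s|manifest %s\n' "$(utc_now)" \
        "$operator" "$dest" "$prefix" "$(sha256_of "$manifest")" "$manifest" >> "$ledger"
}
```

Usage is `make_locked_bucket ir-evidence-2024-03 ap-south-1 400` once, then `preserve_prefix prod-trail-logs AWSLogs/123456789012/CloudTrail ir-evidence-2024-03 ./export custody.log responder1` for each log prefix. When the retention period cannot be fixed yet, `aws s3api put-object-legal-hold --bucket ... --key ... --legal-hold Status=ON` on the preserved objects holds them indefinitely until the hold is lifted. The manifest hash is what goes into the report; recomputing it over the working copy later is how you show the exports were not altered during analysis.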
Notes from depositions we have sat through
The questions that destroyed cases were always procedural, never technical. How do you know this is the same file? Why did you not use a write-blocker? Why is this hash different from the one in your report? Why did the timestamps shift when you opened the file in Excel? Who else had access to this evidence between collection and analysis? Practice answering these in mock cross-examination. Your forensic chops do not matter if the procedural answer is weak.
A forensic analyst who cannot defend their methodology is a witness for the opposing side. The technical work is half the job.
What gets you laughed out of court
- Opening evidence files in Microsoft Office (changes timestamps, and Excel silently rewrites anything that looks like a date or a number with leading zeros)
- Storing evidence on a shared network drive with no access logging
- Using MD5 in a chain of custody document signed in 2024
- Forgetting that the analyst's own laptop is now in the chain and subject to discovery
- Producing a report that says 'the attacker' instead of 'an entity using this account'
Build the muscle in peacetime
Run a quarterly evidence-handling drill the same way you run a tabletop. Acquire a sample image, write the chain of custody, hash everything, transfer to a teammate, hash again, write the report. The drill is dull. It is also the reason your evidence will survive contact with a competent defense lawyer.