This page is currently queued for revision.
#
Evidence*
#
Evidence Management
#
Evidence Collection
Evidence is only admissible if it has no probative value (that is, if it has no bearing on the case). Modified data is still admissible, as long as the modification process was documented and presented along with the evidence.
#
Chain of Evidence
The chain of evidence is a series of events that, when viewed in sequence, account for the actions of a person during a particular period of time or the location of a piece of evidence during a specified time period. The chain of evidence can be thought of as the details that are left behind to tell the story of what happened.
#
Chain of Custody
The chain of custody are the practice and methods of documenting control of evidence from the time it was collected until it is presented to the court.
All evidence needs to be tracked and monitored from the time it is recognized as evidence and acquired for that purpose. Clear documentation must record which people had access to the evidence, where the evidence was stored, what access controls were placed on the evidence, and what modifications or analysis was performed on the evidence from the moment it was collected until the time it reaches the court. The chain of custody should be maintained for digital evidence, including the physical medium as well as the data contained on it (bits).
The evidence custodian is the person designated to maintain the chain of custody for the duration of an investigation.
Everything should be recorded with detail:
- When an item is gathered
- When an item is stored
- When an item is removed
- When an item is transported
- Whenever any action, process, test, or other handling of an item is to be performed
- Whenever any action, process, test, or other handling of an item is performed
The reasons for this include:
- The documentation of evidence ensures that the evidence can be properly traced back to its origin.
- The analysis of evidence ensures that all the data contained in the evidence is identified.
- The preservation of evidence ensures that the evidence is stored properly and able to be retrieved when needed.
- The collection of evidence ensures that all the evidence needed is properly obtained.
The goals for this are:
- Be able to prove that evidence was secure and under the control of some particular party at all times
- Take steps to ensure that evidence is not damaged in transit or storage