Cloud Chain of Custody
This post is focused on the Chain of Custody in general and on some of its implications for the Cloud. If you are looking for CoC scenarios and how they affect the Cloud, the following post will discuss handling the Chain of Custody scenario for Microsoft 365, Azure, and AWS.
In traditional digital forensics, from various standpoints, a chain of custody exists for physical evidence such as a PC or media and its associated data and software. For Cloud cases, software and data are the only evidence. As such, pristine copies of the data (e.g., email, files, databases) and the associated integrity information, such as MD5 checksums, must be carefully managed. Since the chain of custody is the legal equivalent of secure provenance, transfers of custodianship could be documented by a digital provenance system.
Chain of Custody is the logical sequence that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence in legal cases. Each step in the chain is critical: if it breaks, the evidence may be rendered inadmissible. Thus, preserving the chain of custody is about following the correct and consistent procedure and ensuring the quality of evidence.
Let’s review the general information on the Chain of Custody and then continue to the Cloud CoC.
Chain of Custody in a Nutshell
In practice, a chain of custody is a chronological paper trail documenting when, how, and by whom individual physical or electronic evidence items, such as cell phone logs, were collected, handled, analyzed, or otherwise controlled during an investigation.
To convict a defendant of a crime, the evidence against them must have been handled meticulously to prevent tampering or contamination. Under the law, an item will not be accepted as evidence at trial, and the jury will not see it, unless the chain of custody is an unbroken and properly documented trail without gaps or discrepancies.
In court, the prosecution presents the chain of custody documentation to prove that the item of evidence is related to the alleged crime and that it was owned by the defendant. To establish reasonable doubt of guilt, the defense looks for holes or acts of mishandling in the chain of custody to show, for example, that the item may have been fraudulently “planted” to make the accused person appear guilty.
Cloud chain of custody refers to establishing and maintaining a secure and verifiable record of the custody of digital evidence stored in the cloud. It is essential for ensuring the integrity and admissibility of digital evidence in legal proceedings.
Cloud chain of custody involves documenting the transfer and handling of digital evidence as it moves from one location or system to another, including the cloud. This documentation should include the date, time, location, and identities of the individuals handling the evidence.
The following are some best practices for establishing and maintaining a cloud chain of custody:
- Use secure methods for transferring and storing digital evidence in the cloud, such as encryption and access controls.
- Establish policies and procedures for handling digital evidence in the cloud, including access, authentication, and audit logging guidelines.
- Maintain detailed documentation of all activities related to the custody of digital evidence, including any changes or modifications made to the evidence.
- Use tools and technologies that help automate the maintenance of a cloud chain of custody, such as digital signatures and time-stamping.
- Ensure that all individuals who handle digital evidence in the cloud are trained on the proper procedures for maintaining a chain of custody and are aware of the legal implications of mishandling digital evidence.
Overall, a robust and well-documented cloud chain of custody is critical for ensuring the integrity and admissibility of digital evidence in legal proceedings, and organizations should take the necessary steps to establish and maintain such a system.
Let’s move on to digital forensics and see how similar the process is.
Chain of Custody in Forensics
One of the most crucial concepts in Digital Forensics is the Chain of Custody. The chain of custody in DFIR, especially in digital cybersecurity forensics, is also known as the paper trail, forensic linkage, or chronological documentation of the evidence. The purpose of the Chain of Custody is to:
- Indicate the collection, sequence of control, transfer, and analysis.
- Demonstrate trust to the courts and the client that the evidence has not been tampered with.
- Document details of each person who handled the evidence, the date and time it was collected, and the purpose of the transfer.
Digital evidence is obtained from artifacts such as identities, devices, hard drives, disk images, data, and other objects.
The big question is, what about the Cloud and its data? Can we follow the same Chain of Custody process for the Cloud? What are the limitations, and how can we fill the gaps? These questions are addressed later in this post.
In forensic science, a chain of custody refers to the process of establishing and maintaining a secure and verifiable record of the custody of physical evidence from the time it is collected until it is presented in court. It is a critical aspect of forensic investigations because it ensures the integrity and admissibility of the evidence in legal proceedings.
The chain of custody process involves documenting the transfer and handling of physical evidence as it moves from one location to another. This documentation should include information such as the date, time, location, and identities of the individuals who have handled the evidence.
The following are some best practices for establishing and maintaining a chain of custody in forensic investigations:
- Use appropriate tools and techniques for collecting, packaging, and storing physical evidence, such as gloves, tweezers, and evidence bags.
- Label each item of evidence with a unique identifier and document its location, date, time, and the name of the person who collected it.
- Maintain detailed documentation of all activities related to the custody of physical evidence, including any changes or modifications made to the evidence.
- Use tools and technologies that can help automate the process of maintaining a chain of custody, such as barcodes or RFID tags.
- Ensure that all individuals who handle physical evidence are trained on the proper procedures for maintaining a chain of custody and are aware of the legal implications of mishandling evidence.
Overall, a robust and well-documented chain of custody is critical for ensuring the integrity and admissibility of physical evidence in forensic investigations and court proceedings. Forensic scientists and investigators should take the necessary steps to establish and maintain such a system to ensure the credibility of their findings.
Chain of Custody Maintenance
The chain of custody is established whenever an investigator takes custody of evidence at a crime scene. The chain is maintained when evidence is received from another person, investigator, or incident response team member.
Facts to know about the CoC process:
- Document everything and every step in the process.
- Preserve the integrity of the evidence.
- Prevent the evidence from contamination, which can alter the state of the evidence.
- Sometimes there is a case where you obtained metadata for a piece of evidence but could not extract helpful information from it.
In some cases, the chain of custody helps to show where possible evidence might be, where it came from, who created it, and the type of equipment used. This will help you generate an exemplar and compare it to the evidence to confirm its properties.
It is important to the process and to the court that the evidence is preserved, because evidence that is not preserved may be challenged in court and ruled inadmissible.
Chain of Custody Process
To preserve digital evidence, the chain of custody should span from the first step of data collection through examination, analysis, and reporting, up to presentation to the Courts. This is very important to avoid the possibility of any suggestion that the evidence has been compromised in any way.
The stages of the chain of custody:
- Data Collection – this is where the chain of custody process is initiated. It involves identifying, labeling, recording, and acquiring data from all possible relevant sources in a way that preserves the integrity of the data and evidence collected.
- Examining – the chain of custody information is documented during this process, outlining the forensic process undertaken. Capturing screenshots throughout the process to show the completed tasks and uncovered evidence is crucial.
- Analysis – provides the result of the examination stage. In the Analysis stage, legally justifiable methods and techniques are used to derive useful information to address questions posed in the particular case.
- Reporting – is the documentation phase of the Examination and Analysis stages. Reporting includes the following:
- Issues identified.
- Vulnerabilities identified.
- Explanation of the various tools used.
- Statement regarding Chain of Custody.
- A description of the analysis of various data sources.
- Recommendation for additional forensics measures that can be taken.
The Chain of Custody Form
You’ll need a form listing how the evidence was handled at every step to prove a chain of custody. The form should answer the following questions:
- What is the evidence?
- How did you get it?
- When was it collected?
- Who handled it?
- Why did that person handle it?
- Where was it stored?
- How was it transported?
- How was it tracked?
- How was it stored?
- Who has access to the evidence?
The Chain of Custody form must be kept up-to-date and must be updated with accurate information whenever the evidence is handled.
Build a Process
The procedure to establish the Chain of Custody is a series of steps that must be followed to assure the authenticity of the chain of custody. It’s important to note that the more information the forensic expert obtains concerning the evidence, the more authentic the resulting chain of custody is.
You should ensure that the following procedure is followed according to the chain of custody for electronic devices:
- Save the original artifacts and material.
- Load a bit-for-bit clone of the digital evidence content onto the forensic computer. Perform a hash comparison against the original to authenticate the working clone.
- Take photographs of physical evidence, or screenshots for cloud or software data evidence.
- Document the date, time, and any other information on the evidence.
Assuring the Chain of Custody
Several considerations apply when dealing with digital evidence and the Chain of Custody. We shall discuss the most common and globally accepted best practices.
- Never work with the Original Evidence: The most significant consideration when dealing with digital evidence is that the forensic expert must make a full copy of the evidence for forensic analysis. This cannot be overlooked: when errors are made on working copies, or comparisons need to be made, the original copy is needed.
- Ensuring storage media is sterilized: It is essential to ensure that the examiner’s storage device is forensically clean when acquiring the evidence. If the examiner’s storage media is infected with malware, the malware can spread to the machine being examined, and the evidence will eventually be compromised.
- Document any extra scope: During the examination process, it is essential to document any information found that is beyond the scope of the current legal authority, and to bring it to the attention of the case agent later. A comprehensive report must contain the following sections:
- Results.
- Case identifier.
- Date of report.
- Date of receipt.
- Case investigator.
- Identity of the submitter.
- Identity of the reporting agency.
- Identity and signature of the examiner.
- A descriptive list of items submitted for examination.
- Brief description of steps taken during the examination.
- Consider the safety of the personnel at the scene. Ensuring the crime scene is fully secure before and during the search is vital. In some cases, the examiner may only be able to do the following while onsite:
- Identify proprietary software.
- Determine if a network is present.
- Identify the number and type of devices.
- Determine the operating system in question.
- Interview the system administrator and users.
- Identify and document the types and volume of media, including removable media.
- Document the information about the location from which the media was removed.
- Identify offsite storage areas or remote computing locations.
The Digital Evidence and Digital Chain of Custody are the backbone of any action taken by digital forensic specialists.
The Microsoft Clouds
Is Microsoft 365 now a one-stop shop if you have a compliance or corporate governance remit? What about Azure? Can the VMs be part of the CoC, and which actions or tools will be part of the process? Let’s shed light on the CoC with Microsoft 365 and Azure.
Azure and Microsoft 365 platforms are widely adopted across the financial industry as clients use new compliance and security features.
Microsoft 365 CoC
In a nutshell, I can say that the Shared Responsibilities Model affects the Chain of Custody and how we prepare and act in security incidents.
There are two sets of data in Microsoft 365: First, data generated directly on the 365 platforms, including email, Teams messaging, OneDrive for Business, and SharePoint. The second is the data brought into the platform as Microsoft 365 third-party data. This data may come from various sources, including Storage Box, Slack, Zoom, Social Media, and other connected platforms.
There is massive efficiency in getting all potentially e-discoverable content onto Microsoft 365. However, when a regulator or opposing counsel challenges the authenticity of the data alleging that it has been altered, an institution must be prepared to provide evidence of its Chain of Custody.
There are several ways in which in-house counsel may prove the integrity of the evidence. First, it may have a hash code calculated at the time of collection. This hash code may be re-calculated based on the evidence, and if the hash codes match in value, then the courts will accept the evidence. Another option is to have the original files preserved in non-erasable format, and, again, if the evidence is challenged, the evidence may be compared to the original content.
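As an added example (not code from the original post), the following Python custody log ties the hash comparison from “Build a Process” and the hash-at-collection check described above to the chain-of-custody form fields: every handling event is a hash-chained, HMAC-signed entry, so a tampered working copy, an edited entry, or a missing entry is detected. The signing key, field names, and evidence bytes are constructed placeholders, and SHA-256 stands in for the MD5 mentioned earlier because MD5 collisions are practical.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample evidence: one exported mailbox item (not real data).
EVIDENCE = b"From: user@example.invalid\r\nSubject: Q3 figures\r\n\r\nSee attached.\r\n"
# Assumed examiner signing key; a real deployment would use an HSM-backed
# signature and a trusted timestamp instead of a shared HMAC secret.
SIGNING_KEY = b"examiner-key-placeholder"


def sha256_hex(data: bytes) -> str:
    """Hash taken at collection time and re-computed on every later verification."""
    return hashlib.sha256(data).hexdigest()


def custody_event(log: list, **fields) -> dict:
    """Append one custody-form entry (who/what/when/where/why) to the log.

    Each entry records the hash of the previous entry and carries an HMAC over
    its own canonical JSON, so editing any earlier entry breaks every later link.
    """
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    body = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,
        **fields,
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    entry = dict(body)
    entry["entry_hash"] = sha256_hex(canonical)
    entry["signature"] = hmac.new(SIGNING_KEY, canonical, "sha256").hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Re-derive every hash and HMAC; a gap, reorder, or edit returns False."""
    prev_hash = "0" * 64
    for seq, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "signature")}
        if body["seq"] != seq or body["prev_hash"] != prev_hash:
            return False
        canonical = json.dumps(body, sort_keys=True).encode()
        if sha256_hex(canonical) != entry["entry_hash"]:
            return False
        expected_sig = hmac.new(SIGNING_KEY, canonical, "sha256").hexdigest()
        if not hmac.compare_digest(expected_sig, entry["signature"]):
            return False
        prev_hash = entry["entry_hash"]
    return True


def verify_evidence(log: list, data: bytes) -> bool:
    """The hash test: the working copy must match the hash recorded at collection."""
    return bool(log) and sha256_hex(data) == log[0]["evidence_sha256"]


def build_sample_log(data: bytes) -> list:
    """Collection followed by one transfer, filled in from the custody form questions."""
    log = []
    h = sha256_hex(data)
    custody_event(log, action="collected", evidence_sha256=h, what="mailbox export",
                  how="eDiscovery export", who="examiner A", why="initial acquisition",
                  where="evidence-store/case-0001")
    custody_event(log, action="transferred", evidence_sha256=h, who="examiner B",
                  why="analysis", transport="encrypted removable media")
    return log
```

The chain detects edits and deletions in the middle of the log but not removal of the newest entries, so the latest entry_hash should also be anchored externally (for example, with a trusted timestamp) when the form is updated.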
Defensible productions are critical to performing any regulatory or legal production, and best practices always include verifying the software tools used to bring in third-party content. Testing will allow the institution to respond to an evidence challenge in court.
Chain of custody is a critical element of defensible productions. Several features of the DataParser software used with Microsoft 365 provide integrity assurance, including hash codes and the preservation of input files in Azure Blob immutable storage; expert witness support for the DataParser is also provided should an evidentiary challenge arise as to the Chain of Custody of content processed by the DataParser.
When an organization responds to a legal investigation, the workflow around identifying, preserving, and collecting potentially relevant content is based on the people in the organization who are the custodians of relevant data. In eDiscovery, these individuals are called data custodians (or just custodians) and are defined as persons having administrative control of a document or electronic file. For example, the custodian of an email message could be the owner of the mailbox containing the relevant message.
Chain of custody in Microsoft 365 refers to maintaining a secure and verifiable record of custody for digital evidence stored or processed within the Microsoft 365 environment. This includes email messages, documents, and other types of data that are generated or stored within Microsoft 365 applications.
To establish a chain of custody in Microsoft 365, several best practices should be followed:
- Use Microsoft 365’s built-in security features, such as access controls and data loss prevention policies, to protect data from unauthorized access or modification.
- Enable auditing and logging features in Microsoft 365 to track all activities related to handling digital evidence within the environment.
- Establish policies and procedures for handling digital evidence in Microsoft 365, including access, authentication, and audit logging guidelines.
- Use tools and technologies that can help automate the process of maintaining a chain of custody, such as Microsoft’s eDiscovery tools.
- Ensure that all individuals who handle digital evidence in Microsoft 365 are trained on the proper procedures for maintaining a chain of custody and are aware of the legal implications of mishandling digital evidence.
Microsoft 365 also provides a chain of custody feature called Advanced eDiscovery, which is designed specifically for the legal industry. Advanced eDiscovery allows organizations to collect, process, and review data in a forensically sound manner, and provides detailed reports and audit logs to maintain a complete and accurate chain of custody.
Overall, maintaining a strong chain of custody in Microsoft 365 is critical for ensuring the integrity and admissibility of digital evidence in legal proceedings, and organizations should take the necessary steps to establish and maintain such a system.
Azure CoC
Digital forensics is a science that addresses the recovery and investigation of digital data to support criminal investigations or civil proceedings. Computer forensics is a branch of digital forensics that captures and analyzes data from computers, virtual machines (VMs), and digital storage media.
Companies must guarantee that digital evidence they provide in response to legal requests demonstrates a valid Chain of Custody (CoC) throughout the evidence acquisition, preservation, and access process. To ensure a valid CoC, digital evidence storage must demonstrate adequate access control, data protection and integrity, monitoring and alerting, and logging and auditing.
Azure Regulatory Compliance
One of the requirements when validating a CoC solution is compliance with security standards and regulations. All the components included in the above architecture are standard Azure services built upon trust, security, and compliance.
Azure has many compliance certifications for global regions and countries and critical industries like healthcare, government, finance, and education. Updated audit reports with information about standards compliance for the services adopted in this solution can be found in Microsoft Compliance Guide.
As an example, the report Cohasset Assessment – Microsoft Azure WORM Storage gives details about Microsoft Azure Storage’s compliance with the following requirements:
- Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers, or dealers.
- Financial Industry Regulatory Authority (FINRA) Rule 4511(c), which refers to the format and media requirements of SEC Rule 17a-4(f).
- Commodity Futures Trading Commission (CFTC) in regulation 17 CFR § 1.31(c)-(d), which regulates commodity futures trading.
It is Cohasset’s opinion that Microsoft Azure Storage, with the Immutable Storage for Azure Blobs feature and Policy Lock option, retains time-based Blobs (records) in a non-erasable and non-rewritable format and meets relevant storage requirements.
In Azure, the Chain of Custody (CoC) is a feature designed to provide a secure and verifiable record of the transfer and handling of data in Azure. The CoC feature is particularly important for organizations requiring proof of data security and governance for regulatory compliance or legal reasons.
The Azure CoC feature allows you to track the transfer of data between Azure services and the control plane. The control plane refers to the Azure infrastructure that is responsible for managing and securing resources in Azure. With the CoC feature, you can track who accessed your data, when they accessed it, and what they did with it.
The following are some key features of the Azure Chain of Custody:
- Transparency: The CoC provides a transparent record of all activities related to the transfer and handling of data in Azure.
- Security: The CoC provides a secure and tamper-evident record of data access and transfer, which helps to protect against unauthorized access or modification.
- Compliance: The CoC feature can help organizations meet regulatory compliance requirements, such as the General Data Protection Regulation (GDPR), which requires organizations to clearly understand where their data is stored and how it is processed.
- Auditability: The CoC feature provides an audit trail of data access and transfer, which can be used to track and investigate any security incidents or data breaches.
Overall, the Azure Chain of Custody is a valuable feature for organizations that require a secure and verifiable record of data transfer and handling in Azure. By using the CoC feature, organizations can improve data security, compliance, and auditability and gain greater visibility and control over their data in the cloud.
Conclusions
Cloud security is widely discussed, but incident response and forensics planning must proceed in parallel. The move of data and services to the Cloud is already underway, and research and development in the forensic research community must keep pace. Forensic acquisition is a renewed challenge, one unsuited to today’s tools, which may be addressed by a combination of technological and legal approaches.
References
Computer forensics chain of custody in Azure
Work with custodians’ Data Sources in eDiscovery
Standards and Guidelines – Forensic Science Communications
Computer forensics: Chain of custody