The Perils of Chain of Custody in the Increasingly Sophisticated World of Connected Devices

Written by Brendan Sullivan


For the legal discovery world, the functions of asset tracking and chain of custody are becoming increasingly intertwined, but these two functions can hide the real asset and the real risk of spoliation. I’m not talking about the physical asset; I’m talking about the data, of course. Chain of custody is not a recent practice. In fact, it has been around since the early 20th century, when police and law enforcement needed a systematic approach to maintain the integrity of evidence from the time it was collected to the time it was presented in court.

In terms of basic requirement, not a great deal has changed in the last 100 years or so. There is still a fundamental need to preserve, seal, identify and track the asset throughout its lifecycle. Historically, this has predominantly been achieved through a chain of custody document that formally transferred custodianship from one individual to another. However, in today’s connected world, this process is becoming far more complex – and the risk of spoliation has increased significantly as a result.

In the earlier days of IT, whether dealing with computers or backup media, asset identification was relatively straightforward. Once a device or media was air-gapped (disconnected from the internet), preservation largely took care of itself. I would always say that a backup tape holds a perfect piece of forensically sound evidence because it did not require any kind of forensic image creation. Instead, it is always a snapshot of data at a moment in time, and, critically, segments of data or metadata cannot be altered without rewriting the whole media, as data cannot be appended on a tape – integrity was inherent to the medium.

Computers were also relatively easy to manage from a chain of custody perspective, though they carried greater spoliation risk if the imaging was delayed or improperly performed. Even then, ownership of the data itself could be ambiguous, depending on how IT administrators assigned or reassigned devices. It was not uncommon for computers to be passed from one individual to another, blurring the line between physical custody and data ownership. But the technical risks were still far more contained than they are today.

Modern devices can materially change state simply by being powered on, unlocked or moved between network environments. Devices may remain accessible to users, administrators, employers, company-managed platforms or cloud services even after physical possession has transferred, creating hidden vectors for spoliation outside of the examiner’s control.

Now, with smartphones, tablets and modern laptops there are significantly more considerations and precautions required. Location and movement have become integral components of the chain of custody, necessitating active tracking rather than passive documentation and sealed containers. If devices are or remain powered on, automatic backups or OS updates can run and modify file level metadata while a device is under the physical control of a custodian who has technically “taken custody”. Additional changes may also be triggered such as inadvertent or momentary connections to the outside world, as well as routine system background maintenance, which can result in the overwriting or purging of artifacts and log files.

Data associated with a physical device may be distributed across multiple cloud services and accounts – think about a laptop or cell phone and the data that is typically accessed on each: Google Drive, iCloud Photos, OneDrive, Yahoo mail, Gmail, Microsoft mail, CRM platforms, social media accounts, etc. It could be argued that chain of custody must extend beyond the hardware to include associated cloud repositories and artifacts.

Encryption is also a key consideration to be aware of. Early encryption methodologies were mostly gatekeeper-type technology, where a correctly entered passphrase or PIN gave access to the entire active user space. More recent encryption operates very differently. Now the passphrase or PIN typically unlocks encryption applied at the OS level, commonly AES-256, and without the correct credential the data is effectively inaccessible or unrecoverable.

It is this modern, privacy-driven application of encryption that is increasingly disrupting traditional chain of custody and asset tracking processes, and it is starting to have an effect on both inadvertent and intentional spoliation. The challenges arise from a combination of strong encryption, multi-factor authentication (MFA), employer-controlled mobile device management (MDM), and the extensive capabilities retained by individual users through applications, both user-installed from third-party providers and native to the device itself. As a result, long-standing practices such as the custodian bringing their device to a law firm or leaving it in an office to await collection by a forensic examiner can be inherently problematic. During this interim period, the device may continue to change state in ways that are difficult to detect, document or later defend. The longer this interim period persists, the greater the accumulation of undocumented changes, compounding both evidentiary risk and defensibility concerns.

Let’s examine some potential pitfalls that can result in data spoliation:

  • Biometric locks, rotating credentials and passcode retry limits introduce time-sensitive risks: if mishandled, they can affect evidentiary access or trigger data protection mechanisms such as automatic factory resets. These can result in permanent data destruction and, hence, serious spoliation problems.
  • A user’s old personal Windows laptop is received, and it is encrypted with BitLocker. Due to privacy constraints, a full forensic image of the device is not permitted. Instead, only a targeted logical acquisition of specific data is authorized. The laptop has not been powered on by the user for an extended time, as they are using a new device. To perform the acquisition, the forensic examiner powers on the device and, once it boots into Windows, enters the user’s password, gaining access to the user’s Windows profile and the specific folder that requires preservation. Because of the considerable time that has passed since the laptop was last powered on, automatic system updates and background processes are triggered, modifying file and system level metadata. While such changes may be explainable, they are nonetheless undesirable: they introduce avoidable spoliation risk, along with the burden of explaining why they happened.
  • A company owned iPhone is received. It is managed via the company’s MDM tools, a fact that was not known or disclosed at the time of custody transfer. One of the company’s MDM policies is to automatically perform a factory reset in the event the device is stolen, lost or not connected to the internet for 6 months. Although custody of the device is taken, the actual acquisition is not yet approved so the device is securely stored. Some time passes and then authorization is received to perform data extraction from the device for preservation. The device’s battery is dead so it is connected to a power source to charge. Upon initial charging, the device briefly connects to the cellular network, allowing sufficient connectivity for the MDM to trigger a remote wipe before the device can be placed into Airplane Mode.

While these situations can be rare, there is little doubt that modern mobile devices, frequently connected to the internet and protected by increasingly sophisticated encryption, pose a significantly higher risk of both inadvertent and intentional spoliation. Traditional asset tracking and chain of custody protocols are no longer adequate for all circumstances. To minimize the possible risks, the following best practice processes are highly recommended:

  • Enhanced Chain of Custody Documents
    Ensure documentation includes detailed descriptions (e.g. OS versions, MDM details), especially with regard to data privacy safeguards; specific precautions taken to prevent network connectivity or data alteration while the device is in custody; and device handling steps such as enabling Airplane mode, disabling WiFi and Bluetooth, powering off the device, etc. If the passcode to unlock the device is entered incorrectly, record the details and the consequent device behavior.
  • Integration of Chain of Custody with asset tracking systems
    Chain of custody records should be directly linked to asset tracking systems that capture not only the current custodian of a device, but also a historical record of its physical location and movement throughout the period of custody, so that any point at which a data connection could have been triggered is identifiable.
  • Defined Preparation Procedures for Mobile Devices
    Establish and enforce standardized preparation processes, especially for mobile devices, that reduce and where possible eliminate the risk of inadvertent internet connectivity prior to forensic preservation or examination.
  • Implement Faraday Protection Measures
    Employ Faraday bags, and when appropriate Faraday cages, to isolate devices from all incoming and outgoing electromagnetic signals, including cellular, WiFi, Bluetooth and GPS. Powering on dormant devices should only occur within such controlled environments, to prevent unintended “phone home” activity, remote access or automatic data erasure.
  • Now more than ever, chain of custody (COC) records should document not only the actions performed when taking custody of a device, but also those intentionally avoided, e.g. the device was not powered on, or the device was not unlocked.
  • Equally important is documenting on the COC the exact state in which the device was received: powered on, powered off, unlocked, in sleep mode, etc. This clearly establishes preservation intent and evidentiary integrity.
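The following is an added, illustrative example and not code from the original article. It models the enhanced chain of custody record recommended above (custodian, location, observed device state, actions taken and actions deliberately avoided), hash-chains the entries so that an after-the-fact edit to an earlier entry is detectable, and runs a small rule set over the log that flags the pitfalls described earlier: a device powered on outside Faraday isolation, MDM status not established at custody transfer, failed unlock attempts against a retry limit, and a long undocumented interim period. The field names, the 30-day gap threshold and the sample events are this example's own assumptions.

```python
"""Tamper-evident chain-of-custody (COC) log with spoliation-risk checks.

Added example, not code from the original article. Field names, the MAX_GAP
threshold and the sample events are assumptions made for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64
MAX_GAP = timedelta(days=30)  # assumed: longest acceptable interval between recorded state checks


def _canonical(event: dict) -> str:
    """Stable serialisation so the digest does not depend on key order."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(chain: list, **fields) -> dict:
    """Append a custody event whose digest also covers the previous entry's digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    event = {"seq": len(chain), "prev": prev, **fields}
    event["digest"] = hashlib.sha256((prev + _canonical(event)).encode()).hexdigest()
    chain.append(event)
    return event


def verify_chain(chain: list) -> bool:
    """True only if every entry links to its predecessor and its digest still matches."""
    prev = GENESIS
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "digest"}
        expected = hashlib.sha256((prev + _canonical(body)).encode()).hexdigest()
        if event["seq"] != i or event["prev"] != prev or event["digest"] != expected:
            return False
        prev = event["digest"]
    return True


def assess_risks(chain: list) -> list:
    """Flag custody events that match the spoliation pitfalls described in the article."""
    findings = []
    # Undisclosed MDM enrolment at intake is exactly the remote-wipe scenario.
    if chain and chain[0].get("mdm_status", "unknown") == "unknown":
        findings.append({"seq": 0, "code": "mdm_unknown",
                         "detail": "MDM enrolment not established at custody transfer"})
    last_ts = None
    for e in chain:
        ts = datetime.fromisoformat(e["timestamp"])
        state = e.get("device_state", {})
        if last_ts is not None and ts - last_ts > MAX_GAP:
            findings.append({"seq": e["seq"], "code": "idle_gap",
                             "detail": f"{(ts - last_ts).days} days since previous recorded state check"})
        if state.get("power") == "on" and not state.get("faraday_isolated", False):
            findings.append({"seq": e["seq"], "code": "power_on_unisolated",
                             "detail": "device powered on outside Faraday isolation"})
        if e.get("failed_unlock_attempts", 0) > 0:
            findings.append({"seq": e["seq"], "code": "unlock_attempts",
                             "detail": f"{e['failed_unlock_attempts']} failed unlock attempt(s) recorded; retry limits may trigger a wipe"})
        last_ts = ts
    return findings


def build_sample_chain() -> list:
    """Constructed sample mirroring the article's MDM-managed phone scenario."""
    chain = []
    append_event(chain, timestamp="2024-01-10T09:00:00+00:00", custodian="intake clerk",
                 location="evidence room A", mdm_status="unknown",
                 device_state={"power": "off", "lock": "locked", "faraday_isolated": True},
                 actions_taken=["photographed", "sealed in Faraday bag"],
                 actions_avoided=["not powered on", "not unlocked"],
                 failed_unlock_attempts=0)
    append_event(chain, timestamp="2024-08-01T14:00:00+00:00", custodian="examiner",
                 location="lab bench 2", mdm_status="unknown",
                 device_state={"power": "on", "lock": "locked", "faraday_isolated": False},
                 actions_taken=["connected to charger"], actions_avoided=[],
                 failed_unlock_attempts=1)
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("chain intact:", verify_chain(log))
    for f in assess_risks(log):
        print(f"seq {f['seq']} [{f['code']}]: {f['detail']}")
    log[0]["actions_avoided"] = []  # simulate an after-the-fact edit to the intake record
    print("chain intact after edit:", verify_chain(log))
```

The hash chain is what makes the "actions avoided" and "state received" fields defensible: once the intake entry records that the device was not powered on, quietly changing that entry later breaks every subsequent digest, so the record shows whether it was altered rather than relying on the custodian's recollection. The risk rules are deliberately simple and meant to be extended with an organization's own preparation procedure.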

As devices become more connected, autonomous and security-driven, traditional notions of chain of custody must evolve beyond simple possession. Effective evidentiary preservation and tracking now require a holistic approach that accounts for device state, connectivity and data accessibility, remote access, and cloud dependencies. By modernizing chain of custody practices to reflect these realities, organizations can significantly reduce the risk of both inadvertent and intentional spoliation and better ensure the defensibility and integrity of digital evidence in an increasingly complex world.