This is the third and final segment of our interview with HAYSTACKID CTO Jefferey Stevens on modern chain of custody management. In the first part, we discussed some of the basics, while the second segment took a deep dive into third-party responsibilities and the technologies used to handle the chain today. In today's piece, Jeff takes us through some of the underlying factors impacting the chain of custody.
HAYSTACKID: Because the Internet of Things is becoming so big, do you think that will present new challenges, or that it won't make much of a difference in chain of custody?
Jeff: So, the chain of custody on them – again, regardless of what the item is – is identical no matter what the item is. Of course, there are obvious differences between retaining the actual TV that has that evidence on it and, say, an image of a cellphone, but those are largely physical. Management, tracking, and monitoring practices remain the same regardless of what an evidentiary item might be.
However, the collection piece is where we’re noticing the biggest issues and challenges when it comes to the IoT.
HAYSTACKID: And what types of challenges are you seeing on that front?
Jeff: Well, its novelty is the real challenge. When new technologies are in their infancy, we need to find advanced methods to collect.
Keep in mind here that collection is always a battle between the vendors that you're trying to collect from and the software companies that provide the collection tools. There's a back and forth between the various parties involved. You can think of collection as an ethical hack because – take Apple, for example – they don't want you to be able to extract all of this information off of their phones.
And that is because they want to provide their customers, or the consumer at large, with the perception of privacy. What you do on the phone is secure on the phone, and no one can see it or get it. So, there’s a battle between Apple and let’s say Cellebrite, which provides the software that lets you collect from an iPhone. When Cellebrite finds a way to do a collection and extract information, Apple will figure out how they found the way and then patch that hole.
Then Cellebrite obviously has to find a new way to do it because now the old way doesn't work. That's why the newest model of a phone or the newest operating system version is the one that we'll have the most issues with when it comes to collection. When it's a brand-new device – such as one that falls under the umbrella of the IoT – we have to get creative in the collection and extraction process. Eventually we find a new way, of course, but that will then be thwarted when the next version of a device or operating system comes into play.
HAYSTACKID: That's kind of wild to me. I remember in the San Bernardino case, the FBI wanted to break into the perpetrator's phone, and I thought it was more Apple trying to defend its customers from law enforcement. But it does tie into general collections?
Jeff: Well, in a way, we are similar to law enforcement when we're coming in to collect your data. You as a custodian of that data on your personal cellphone may not want your employer knowing what you've been doing. But you're required to give up your cellphone, so you kind of just sit and wonder what they will find and what they won't.
Let's take my company cellphone as an example. I'm getting sued by another business, and as an executive, they want copies of my phone and those of other executives. I'm not going to want to give it to them, but I'll be ordered to. Apple, for example, is trying to appeal to most people, who tend to want that sense that everything that occurs on the cellphone is private.
Obviously, the reservations or frustrations that come up when we're forced to give up our phones might be warranted, but they do not matter when a court is demanding we provide the evidence at hand. At the same time, Apple wants to patch the holes that allow data and metadata to be extracted regardless, instead allowing users to give up the information they choose.
So, in the eyes of device manufacturers and software developers, there are two parties: The owner and everyone else. They want to make it so that the owner is the only one who has control over the device, apps, and relevant data, and that the external parties – be it law enforcement, third party collectors, or otherwise – are blocked.
HAYSTACKID: In a case like that, are there instances in which the court demands you reveal the data?
Jeff: Yes, especially if it's a company device. If it's a BYOD type of situation, sometimes you can get away with cherry-picking what's on there, such as what's company data and what's not considered personal data. If it's a company device and there's a policy that says all activity on the device is company property, then you pretty much have to hand it over.
Then, your attorney can make claims and make cases for the personal contents of that device being excluded from production, but it would have to go on the log, and people would have to know it was there and the reason that it was considered personal, almost like a privilege log.
HAYSTACKID: Do you think that there will be a time in which chain of custody processes can be fully automated?
Jeff: Well, I guess it depends what you mean by automated. I consider a lot of what we're doing to be automated in terms of computer tracking and monitoring, but it still requires manual input. Only after that manual input can you get to the automated stage, but I don't think you'll ever fully automate the chain of custody process.
Once the input is there, though, you can put readers on doors and RFID tag each evidentiary item so that you can track the flow of it automatically. Those types of automated elements would track and report when an item was taken out, manipulated, shared, or went through some other form of movement.
HAYSTACKID: Have the ways in which the business automates some of these processes changed in the past five years?
Jeff: Well, we've been very consistent with our systems since the beginning. We went for the most advanced system on day one, but there were simpler systems that have now come up to ours in terms of automation, functionality, and more. So, I know the industry as a whole is getting better and more automated, using systems that are easier to use and more detailed when it comes to chain of custody.
As I've been suggesting, we all understood the importance of immaculate chain of custody management from the moment we launched this business – from the first piece of evidence we ever collected. As such, we have been handling it with the best possible systems, techniques, and technologies available.
HAYSTACKID: Do you have any nightmare stories about chain of custody experiences you've had?
Jeff: Not personally, but what can keep you up at night when it comes to chain of custody is that if you don't track it properly, you'll have spoliation concerns. What's even scarier to me is when you know you've sent a device back and the client thinks you haven't. If you don't have it tracked properly, and you don't have a disposition receipt and a transfer receipt showing when and to whom you gave that device, matters can get choppy.
That's something that we've experienced – a client says that we never returned the device. But we've always been able to show the chain and say, "On this date at this time it was given back to this person, and here's their signature showing that they took possession of it." It can lead to some uncomfortable situations, but we have a perfect track record of upholding that chain of custody, which in turn helps to quickly reconcile such issues.
HAYSTACKID: And that would tie back into why it's so important for you as a vendor to accurately track – and keep hard evidence that proves – the chain of custody?
Jeff: Absolutely. Virtually any break in the chain will increase risk for our clients and ourselves, so we take these matters extremely seriously. Our strong track record is why we continue to be a go-to third party for chain of custody management and other litigation processes.
We thank Jeff for his time and helpful commentary on the chain of custody. Come back soon for more insights from the leaders of HAYSTACKID!