Forensics & IR
Chain of Custody
Also known as: CoC, Evidence custody chain
Definition
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Examples
- A signed CoC form tracking a seized laptop from acquisition to courtroom production.
- A SHA-256 hash log demonstrating that a disk image was not altered between collection and analysis.
Related terms
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
Evidence Acquisition
Evidence Acquisition — definition coming soon.
Preservation of Evidence
Preservation of Evidence — definition coming soon.
Forensic Imaging
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
Write Blocker
A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
DFIR (Digital Forensics and Incident Response)
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.