Chain of Custody Roles and Requirements

You are a digital forensics intern at Azorian Computer Forensics, a privately owned forensics investigations
and data recovery firm in the Denver, Colorado area. Azorian has been called to a client’s site to work on a
security incident involving five laptop computers. You are assisting Pat, one of Azorian's lead investigators. Pat
is working with the client's IT security staff team leader, Marta, and an IT staff member, Suhkrit, to seize and
process the five computers. Marta is overseeing the process, whereas Suhkrit is directly involved in handling
the computers.

The computers must be removed from the employees' work areas and moved to a secure location within the
client's premises. From there, you will assist Pat in preparing the computers for transport to the
Azorian facility.

BACKGROUND

Chain of Custody

Evidence is always in the custody of someone or in secure storage. The chain of custody form documents who
has the evidence in their possession at any given time. Whenever evidence is transferred from one person to
another or one place to another, the chain of custody must be updated.
A chain of custody document shows:
What was collected (description, serial numbers, and so on)
Who obtained the evidence
Where and when it was obtained
Who secured it
Who had control or possession of it
The chain of custody requires that, for every transfer of evidence, it be provable that nobody else could have
accessed that evidence. It is best to keep the number of transfers as low as possible.
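
The following is an added example, not part of the original assignment: a minimal chain of custody record in Python that holds the fields listed above and checks that each transfer is released by the last recorded custodian. The serial number, timestamps, the "secure room locker" name, and the assumption that Suhkrit collects the laptop and Pat later receives it for transport are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class Transfer:
    when: datetime
    released_by: str   # person or secure storage giving up custody
    received_by: str   # person or secure storage taking custody
    location: str

@dataclass
class EvidenceItem:
    description: str          # what was collected
    serial_number: str
    collected_by: str         # who obtained it
    collected_at: datetime    # when it was obtained
    collected_where: str      # where it was obtained
    transfers: list = field(default_factory=list)

def custody_problems(item):
    """Return a list of breaks in the chain; an empty list means it is continuous."""
    problems = []
    holder, last_time = item.collected_by, item.collected_at
    for n, t in enumerate(item.transfers, start=1):
        if t.released_by != holder:
            problems.append(f"transfer {n}: released by {t.released_by!r}, "
                            f"but the last recorded custodian is {holder!r}")
        if t.when < last_time:
            problems.append(f"transfer {n}: dated before the previous entry")
        holder, last_time = t.received_by, t.when
    return problems

def build_sample(skip_storage_entry=False):
    """Constructed sample: one of the five laptops; serial, times and rooms are made up."""
    item = EvidenceItem("Laptop 1 of 5", "SN-EXAMPLE-0001", "Suhkrit",
                        datetime(2024, 1, 8, 9, 0), "employee work area")
    steps = [
        Transfer(datetime(2024, 1, 8, 9, 20), "Suhkrit", "secure room locker", "client premises"),
        Transfer(datetime(2024, 1, 8, 14, 0), "secure room locker", "Pat", "client premises"),
    ]
    item.transfers = steps[1:] if skip_storage_entry else steps
    return item

if __name__ == "__main__":
    print(custody_problems(build_sample()))                         # complete form
    print(custody_problems(build_sample(skip_storage_entry=True)))  # missing entry
```

When the entry for placing the laptop in secure storage is left off the form, the check reports the gap between Suhkrit and the locker, which is the kind of undocumented transfer the chain of custody is meant to rule out.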
