Chain of Custody: An Interview with HAYSTACKID CTO Jeff Stevens – Pt. 2

In the first segment of this three-part series, Chief Technology Officer Jefferey Stevens explained some of the chain of custody basics, as well as the way it has evolved over the past two decades. We left off with a brief note on how third parties are beginning to impact chain of custody management in the digital era, and pick up now with HAYSTACKID’s role in and approach to the chain.

AYSTACKID: What are HAYSTACKID’s responsibilities within the chain of custody?

Jeff: We’re the official holder. You know, that audit company that comes in and counts the balance, gets everything in order in a defensible fashion, keeps evidence and custodians on the right track. We’re an independent third party that wants to see our client win, but we’re not going to go out of bounds or risk our reputation to do it.

By committing to the utmost integrity in our collections procedures and all processes throughout the chain of custody, we take away the ability for one side to say that the other side has done something wrong.

In certain cases, we’ve been appointed by the court to be an independent third party and work on behalf of both sides, and in other cases we just represented one defendant or plaintiff, and they had their own expert. The court-appointed cases tend to land us in a “who has better credentials” type of situation – since we’re working for both, at least one will tend to scrutinize our qualifications and track record.

However, because we have been doing this for so long on a very high level, we have become masters of the responsibilities and tasks involved, regardless of whether we are acting in a court-appointed fashion or for only one party.

What makes HAYSTACKID’s approach to chain of custody management different from other vendors?

Well, we take it extremely seriously, from collections all the way down to our tracking and reporting of the chain of custody. The more detail we can provide regarding the who, what, when, where, and why elements of the chain of custody, the more we can extinguish any bit of concern or doubt among the parties involved.

Knowing that, we, as a company, really go above and beyond the call of duty to keep our practices and processes 100-percent defensible and above the table.

We have an online system that starts tracking when drives are picked up. The new custodian can log on immediately, indicating that they have possession of that drive, and that begins our control and monitoring of the device. The chain could be as simple as we’re giving it back in a few hours once we’ve imaged it, and in other cases we’ll retain control of those devices for four or five years, and sometimes even longer.

We still have hundreds of devices that we’ve possessed for years, so there can be a big difference in the lengths of chain of custody. The online system tracks all movement of devices regardless of how long those assets are in our possession.

Those movements can be when devices change hands from one employee to another, if they travel from one location to another, get taken out of the safe and why they were taken out of the safe, or other actions. The tracking and monitoring components ensure that we can defend our preservation of the evidence every single time in court.

So, if you keep a device for an extended period of time, something on it might become pertinent in a suit a few years down the road. Therefore, you must be tracking, for all those years, exactly what has transpired with the device, correct?

Exactly, you never know where that smoking gun is going to come from. It could be on someone’s cellphone, it could be a simple text message, it could be a full story put together from the metadata of a document – like who opened it when, what edits were made, and if the chain of custody broke down. If matters go awry and the chain of custody does break down, a judge might not feel that the evidence is a safe representation of what transpired, meaning it might no longer be admissible.

And it could be the most important piece of evidence for your client, or the most important evidence against your client, so every piece, every step in the chain of custody, and every evidentiary item that we take possession of is just as important as every other. You never know where it’s going to be – that document that makes or breaks the case. This is really why we take chain of custody management so seriously.

Can you take me through some of the technological aspects of chain of custody?

Absolutely. As I mentioned, we use this highly advanced online system. The beautiful thing about the system itself is, because it’s online, it’s expandable and extremely accessible among people who have the right credentials. Since we operate with multiple locations, it was really the only option that would work for us.

Obviously, we have to set up the appropriate people with access and security permissions, then set up the various locations that are able to have evidence stored there. Once that’s done, the system kicks in and handles the tracking and monitoring.

In terms of the types of devices being collected and entering the chain of custody, cellphones are definitely becoming more important in a greater number of cases. I will say that we rarely retain possession of the cellphone since people are so reliant upon them. Instead, a lot of what we retain is our forensic extraction of it, not the actual physical device.

Is that an imaging type of scenario?

Right, we take a picture of everything on there and retain the images, then give the device back to the custodian. Those images become the evidence and we need to ensure the chain of custody every step of the way going forward.

And have you experienced any challenges unique to cellphones?

In terms of chain of custody, no. The data on them is a lot different, and that can present a lot more challenges in certain stages of collection and management, but with respect to chain of custody, an item is an item. It can be a cellphone, it can be a picture of a cellphone, it can be a 200-pound server, it might be a small tablet – it all gets treated the same way.

Do you feel like chain of custody management is becoming easier because of new technologies?

I do, you know technology can and does solve a lot of problems. Things like RFID chips, increasingly intuitive and user-friendly online systems – myriad technologies are making it easier and more efficient to track each piece of evidence. That positive trend is something I really expect to continue, especially with all of the innovations taking shape in identity and access management technology.

Come back soon for the third and final segment of our interview with CTO Jeff Stevens!”