I’ll start this section off the way anybody who doesn’t have a law degree
should: Don’t take this as legal advice. The law is dynamic, and different
considerations apply depending on where one lives, who one does business with,
and on the situational details. Also, state courts disagree on what is and what
isn’t admissible regarding digitized evidence. For example, digital photos have
often been disallowed. This area of the law is undergoing very rapid change.
Chain-of-custody is a subject that commonly comes up when talking about
ESM, but is rarely applied. Chain-of-custody has to do with evidence integrity
and processing. Interestingly, when most organizations talk about
chain-of-custody, it’s in regard to the forensic analysis of computer systems, hard drives,
memory resident information, and so forth as it applies to litigation. It takes the
form of searching for specific incriminating bits of information.
Consequently, with ESMs, event collection, event processing, and event
storage must be done carefully so as not to compromise a case in such a way
as to lead to acquittal. An audit trail must also be produced to demonstrate
that from the time the data was collected to the time it was presented, it was
handled properly. However, when discussing litigation-quality data, it doesn’t
come down to event information as much as to what files are within the sus-
While most organizations—because of the possible negative publicity—
haven’t been enthusiastic about taking cyber criminals to court, I think this is
slowly changing, and that in the future, we’ll see more of these matters
litigated. Litigation-quality data is important evidence, so ESMs need to employ
chain-of-custody best practices now.
For more information from a legal perspective, see Appendix A.
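The audit trail described above, from collection to presentation, is easiest to defend when every custody step is tied to a hash of the evidence and to the previous log entry. The following is an added illustration, not code from the book or from any ESM product: a small append-only custody log for a batch of collected events, with a verifier that detects both an altered log entry and evidence that no longer matches what was collected. The custodian names, the evidence identifier and the two firewall log lines are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of collected event data (not from the book).
SAMPLE_EVENTS = b"\n".join([
    b"Jul 27 09:43:01 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=445",
    b"Jul 27 09:43:02 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=139",
])

GENESIS = "0" * 64  # sentinel "previous entry hash" for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash the canonical JSON form of the entry, excluding its own hash field.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only custody log for one piece of collected evidence.

    Every entry records who handled the evidence, what they did, when, the
    SHA-256 of the evidence at that moment, and the hash of the previous
    entry, so tampering with either the evidence or the log is detectable.
    """

    def __init__(self, evidence_id: str, evidence: bytes, custodian: str):
        self.evidence_id = evidence_id
        self.entries: list[dict] = []
        self._append(custodian, "collected", evidence)

    def _append(self, custodian: str, action: str, evidence: bytes) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "custodian": custodian,
            "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, custodian: str, action: str, evidence: bytes) -> dict:
        """Record a hand-off; the evidence is re-hashed at each step."""
        return self._append(custodian, action, evidence)


def verify_custody(entries: list, evidence: bytes) -> tuple:
    """Return (ok, reason) for a log and the evidence being presented now."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_entry_hash"] != prev:
            return False, f"log chain broken at entry {i}"
        if _entry_hash(e) != e["entry_hash"]:
            return False, f"entry {i} has been altered"
        prev = e["entry_hash"]
    collected = entries[0]["evidence_sha256"]
    if any(e["evidence_sha256"] != collected for e in entries):
        return False, "evidence hash changed between custody steps"
    if sha256_hex(evidence) != collected:
        return False, "evidence presented does not match what was collected"
    return True, "chain of custody intact"


def run_demo() -> tuple:
    """Exercise the intact case, a tampered-evidence case and a tampered-log case."""
    log = CustodyLog("EVT-0001", SAMPLE_EVENTS, "collector@esm")
    log.transfer("analyst1", "exported to read-only archive", SAMPLE_EVENTS)
    log.transfer("counsel", "received for review", SAMPLE_EVENTS)
    intact = verify_custody(log.entries, SAMPLE_EVENTS)

    # Evidence changed after collection: the source address was edited.
    tampered = SAMPLE_EVENTS.replace(b"192.0.2.10", b"192.0.2.99")
    evidence_altered = verify_custody(log.entries, tampered)

    # Log entry edited after the fact without recomputing its hash.
    forged = [dict(e) for e in log.entries]
    forged[1]["custodian"] = "someone_else"
    log_altered = verify_custody(forged, SAMPLE_EVENTS)
    return intact, evidence_altered, log_altered


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The verifier checks three things separately: that each entry links to the previous one, that no entry was edited after it was hashed, and that the bytes being presented still hash to what was recorded at collection. In practice the log would be written to storage the custodians cannot modify, and the timestamps would come from a trusted clock; the structure is what lets an audit trail show the data was handled properly from collection to presentation.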
Monitoring and Disclosure
There are several aspects to monitoring and disclosure. There are the federal
statutes, and there are the state provisions—which can sometimes be more
restrictive than the federal—and then there are special user contracts that give
an organization rights that extend beyond the laws. There are several federal
statutes that govern the rules of procedure, including the Wiretap Act, Pen
172 Chapter 13 • Establishing Chain-of-Custody Best Practices with ESM