Domain 2: Cloud Data Security Module 26 of 70

Module 26: Chain of Custody and Non-Repudiation

Chain of custody and non-repudiation questions bridge the gap between technical controls and legal requirements. The exam expects you to understand that evidence handling in cloud environments must meet legal standards, not just technical ones.

Chain of Custody

Chain of custody is the documented, unbroken history of who handled a piece of evidence, when, for what purpose, and what actions were taken. It establishes the integrity and authenticity of evidence from collection through presentation in legal proceedings.

Chain of Custody in Cloud

Cloud environments make chain of custody significantly more complex:

  • No physical access: Traditional forensics involves seizing physical hardware. In cloud, the customer cannot physically access the provider's infrastructure. Evidence collection must happen logically through APIs, snapshots, and log exports.
  • Multi-tenancy: Evidence may reside on shared infrastructure. Extracting one tenant's data without compromising another tenant's privacy requires provider cooperation and careful scoping.
  • Data volatility: Cloud data changes rapidly. VM instances are created and destroyed. Log data rotates. Snapshots expire. Evidence must be collected and preserved before it disappears.
  • Jurisdiction: Evidence may be physically located in a different jurisdiction than the legal proceeding. Cross-border evidence collection may require legal processes (Mutual Legal Assistance Treaties, CLOUD Act provisions).

Maintaining Chain of Custody

The exam expects you to apply traditional chain of custody principles to cloud evidence:

  1. Identify: Determine what evidence exists and where (requires data mapping).
  2. Preserve: Create forensic copies (snapshots, images) before any analysis. There is no hardware write blocker in the cloud; the equivalent is read-only access to the preserved copies, so that analysis never touches the original evidence store.
  3. Collect: Extract evidence using documented, repeatable procedures. Record hashes of all collected data to verify integrity.
  4. Document: Log every action taken on the evidence: who, when, what, why. This documentation IS the chain of custody.
  5. Secure: Store evidence in tamper-evident, access-controlled locations with integrity verification.
Exam trap: In cloud forensics, creating a snapshot of a VM is not sufficient chain of custody. You must also record the hash of the snapshot, document who created it, when, and why, store it in a secure location with access controls, and verify its integrity before use.

Non-Repudiation

Non-repudiation ensures that an entity cannot deny having performed an action. It provides proof that a specific identity was responsible for a specific event, in a way that cannot be credibly disputed.

Non-Repudiation Mechanisms

  • Digital signatures: Cryptographically binding a document or transaction to a specific private key, and therefore to the identity that key is registered to. Only the holder of the private key can produce the signature, while anyone with the public key can verify it. The most common non-repudiation mechanism.
  • Audit logs with integrity protection: Immutable logs that record actions attributed to authenticated identities with timestamps.
  • Timestamps from trusted time sources: Cryptographic timestamps from trusted third parties that prove an event occurred at a specific time.
  • Transaction receipts: Signed acknowledgments of transactions between parties.
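Digital signatures and transaction receipts are easiest to understand side by side with what they are not: a keyed hash (MAC) over a shared secret. Below is an added example for this module, not code from the page or from any product. To stay dependency-free it uses a Lamport one-time signature built from SHA-256; real deployments use RSA, ECDSA or Ed25519 from a library or a KMS, and a Lamport key must never sign twice, but the verification property demonstrated is the same. The receipt contents and party names are constructed.

```python
"""Why a digital signature gives non-repudiation and a shared-secret MAC does not.

Added example using a Lamport one-time signature (SHA-256 only) so it runs
with the standard library. Real systems use RSA/ECDSA/Ed25519; the point
shown, that only the private-key holder can produce a valid signature,
is identical.
"""
import hashlib
import hmac
import json
import secrets


def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def lamport_keygen() -> tuple[list, list]:
    """Private key: 256 pairs of random 32-byte secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk: list, message: bytes) -> list:
    """Reveal one secret per digest bit. Only the private-key holder can do this."""
    digest = int.from_bytes(_h(message), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk: list, message: bytes, sig: list) -> bool:
    """Anyone holding the public key can check the signature without the secrets."""
    digest = int.from_bytes(_h(message), "big")
    return len(sig) == 256 and all(
        _h(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256)
    )


def canonical(receipt: dict) -> bytes:
    # Deterministic encoding: the signature must cover exactly one byte string.
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample: a receipt acknowledging that a deletion request was accepted.
RECEIPT = {"tx": "del-00017", "resource": "bucket/finance-archive",
           "requested_by": "alice", "accepted_at": "2024-03-04T10:00:12Z"}


def demo() -> dict:
    provider_sk, provider_pk = lamport_keygen()
    sig = lamport_sign(provider_sk, canonical(RECEIPT))
    forged = dict(RECEIPT, accepted_at="2024-03-05T09:00:00Z")

    # A MAC over a secret shared by both parties: either side can produce the
    # identical tag, so it proves integrity but cannot show which party signed.
    shared = secrets.token_bytes(32)
    tag_by_provider = hmac.new(shared, canonical(RECEIPT), "sha256").digest()
    tag_by_customer = hmac.new(shared, canonical(RECEIPT), "sha256").digest()

    return {
        "signature_verifies": lamport_verify(provider_pk, canonical(RECEIPT), sig),
        "altered_receipt_rejected": not lamport_verify(provider_pk, canonical(forged), sig),
        "mac_indistinguishable": hmac.compare_digest(tag_by_provider, tag_by_customer),
    }


if __name__ == "__main__":
    print(demo())
```

The receipt is only as strong as the binding between the public key and the signer's identity, which in practice is a certificate or a provider-side key registration, and as the timestamp inside it, which is why the mechanisms list pairs signatures with trusted time sources.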

Non-Repudiation in Cloud

Cloud APIs are typically authenticated with access keys or tokens. Actions performed through authenticated APIs are attributable to the key owner. Combined with immutable audit logs, this provides non-repudiation: "Access key X was used to delete resource Y at time Z, and the key is assigned to user A."

The weakness: if access keys are shared or compromised, non-repudiation fails. The log proves the key was used, but the person who used it may not be the key's assigned owner. This is why the exam emphasizes individual accounts, key rotation, and MFA: each one tightens the link between a credential in the log and a single accountable person.
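The attribution described above, and the check for credentials whose usage pattern undermines it, as an added example for this module (not the page's code and not any provider's tooling). The audit records are constructed samples in a CloudTrail-like shape; the field names `accessKeyId`, `sourceIp`, `userAgent` and `mfa` are simplifications assumed for the example, and `KEY_OWNERS` stands in for the IAM lookup that maps a key back to a user.

```python
"""Attribute cloud API events to identities and flag keys whose use pattern
(several source IPs or clients) suggests sharing or compromise.

Added example; log records, key IDs and the owner map are constructed.
"""
import json
from collections import defaultdict

# Constructed: which identity each access key was issued to (IAM lookup in practice).
KEY_OWNERS = {"AKIA0000000000000001": "alice", "AKIA0000000000000002": "build-svc"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-03-04T10:00:12Z", "accessKeyId": "AKIA0000000000000001",
     "action": "DeleteBucket", "resource": "arn:aws:s3:::finance-archive",
     "sourceIp": "203.0.113.10", "userAgent": "aws-cli/2.15", "mfa": True},
    {"time": "2024-03-04T10:02:40Z", "accessKeyId": "AKIA0000000000000002",
     "action": "PutObject", "resource": "arn:aws:s3:::artifacts/build-77.zip",
     "sourceIp": "198.51.100.5", "userAgent": "ci-runner/1.0", "mfa": False},
    {"time": "2024-03-04T10:03:01Z", "accessKeyId": "AKIA0000000000000002",
     "action": "PutObject", "resource": "arn:aws:s3:::artifacts/build-78.zip",
     "sourceIp": "198.51.100.6", "userAgent": "ci-runner/1.0", "mfa": False},
    {"time": "2024-03-04T11:17:55Z", "accessKeyId": "AKIA0000000000000002",
     "action": "DeleteObject", "resource": "arn:aws:s3:::artifacts/build-77.zip",
     "sourceIp": "192.0.2.77", "userAgent": "python-requests/2.31", "mfa": False},
])


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def attribute(record: dict, owners: dict) -> dict:
    """Turn 'key X did Y at Z' into a claim about a user via the key-owner mapping.
    The log proves the key was used; the mapping is what names a person."""
    key = record["accessKeyId"]
    return {
        "time": record["time"],
        "action": record["action"],
        "resource": record["resource"],
        "key": key,
        "user": owners.get(key, "<unknown key>"),
        "mfa": record.get("mfa", False),
    }


def find_shared_credentials(records: list[dict]) -> dict:
    """Keys seen from more than one source IP or client are candidates for
    shared or stolen credentials; their key-to-user attribution is not trustworthy."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for r in records:
        seen[r["accessKeyId"]]["ips"].add(r["sourceIp"])
        seen[r["accessKeyId"]]["agents"].add(r["userAgent"])
    return {
        key: {"ips": sorted(s["ips"]), "agents": sorted(s["agents"])}
        for key, s in seen.items()
        if len(s["ips"]) > 1 or len(s["agents"]) > 1
    }


def attribution_report(text: str, owners: dict) -> list[dict]:
    """Attribute every event; mark attribution weak when the key shows shared-use
    indicators or the session was not MFA-authenticated."""
    records = parse_log(text)
    shared = find_shared_credentials(records)
    report = []
    for r in records:
        a = attribute(r, owners)
        a["attribution"] = "weak" if (a["key"] in shared or not a["mfa"]) else "strong"
        report.append(a)
    return report


if __name__ == "__main__":
    for row in attribution_report(SAMPLE_LOG, KEY_OWNERS):
        print(row["attribution"], row["user"], row["action"], row["resource"], row["time"])
```

The shared-service key in the sample is legitimately used by two CI runners and then, from a different network and client, to delete an artifact; the log can say only that the key was used, which is exactly the failure the paragraph above describes.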

Key Takeaways

Chain of custody must be maintained for cloud evidence: identify, preserve, collect, document, secure. Cloud forensics uses logical collection (snapshots, APIs) instead of physical seizure. Hash verification ensures evidence integrity. Non-repudiation binds actions to identities through digital signatures and authenticated audit logs. Shared credentials destroy non-repudiation. Document everything.
