Authority Verification and Validation

One of the most important concepts is the verification of authority within the chain of evidence/continuity. A process or separate record should be able to demonstrate who created the initial record and any persons or processes that have since accessed or changed the initial record. Furthermore, the processes that do this must be validated and tested to ensure completeness of record and also integrity of process and the record.

The record itself should be stored in a system that makes it difficult to modify, change, delete, or even view a record without causing a logging or recording of this activity. This can be achieved by stringent file locking; that is, when a file is rewritten to disk a record is produced that stores the new filename. As mentioned before, modern network operating systems have the capability of tracking documents and changes and they also have well-established methods for stringent file locking. It is imperative that the systems that create, store, and maintain the records are not able to change or modify the audit trails; these should be stored securely on the originating device and also on a separate logging system/device. These methods of time stamping, auditing, and control are well established for systems that are connected to the network. However, much of the initial acquisition of potential evidence is undertaken off site.