type: guide
title: "OPSEC — Data handling, evidence & chain of custody"
parent: "[[manual-paranoid-opsec]]"
source: "cyber-intelligence-toolkit/manuals/paranoid-opsec-manual.md"
tags:
  - topic/opsec
  - method/review
processed: true
status: seedling

OPSEC — Data handling, evidence & chain of custody

Sub-nota atomica del manual maestro manual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo.

9. Data Handling, Evidence & Chain of Custody

9.1 Core Principles

Integrity: preserve original data without alteration.
Authenticity: ensure evidence can be verified as genuine.
Confidentiality: prevent leaks during collection, transfer, or storage.
Auditability: maintain a complete record of actions taken.

9.2 Collection

Use forensically sound methods (write blockers, disk imaging tools).
Always work on copies; keep the original in secure storage.
Log every action: who collected, when, where, and how.
For OSINT captures:
- Record URLs, timestamps, and context.
- Take screenshots and video captures with hashes.
- Store original HTML and metadata where possible.

9.3 Storage

Encrypt all evidence at rest (AES-256, LUKS2, VeraCrypt, BitLocker).
Use redundant storage: at least 3 copies, including offline media.
Maintain hash manifests for every file (SHA-256 preferred).
Store master logs in tamper-evident formats (append-only, digitally signed).

9.4 Chain of Custody

Maintain a chain of custody log recording every handler, date, and action.
Use digital signatures (PGP, age) to authenticate transfers.
Label physical media with unique IDs and store in tamper-proof bags or cases.
Use hardware tokens or secure vaults for credential storage.

9.5 Transfer

Prefer physical transfer (encrypted external drives) over cloud uploads.
When digital transfer is unavoidable:
- Use end-to-end encrypted channels (OnionShare, Magic Wormhole, SecureDrop).
- Split large datasets into encrypted shards and send separately.
- Always verify hashes after transfer.

9.6 Verification & Validation

Verify evidence authenticity with cryptographic checksums.
Use multiple hashing algorithms (SHA-256 + BLAKE2b).
Cross-check timestamps with OSINT tools (Wayback Machine, archive.today).
Document validation results in case logs.

🔥 Extreme Practices (Optional)

Collect evidence only on air-gapped forensic workstations, never connected to the internet.
Transfer via one-way data diodes or write-once optical media.
Use plausible deniability containers (hidden VeraCrypt volumes, deniable LUKS headers) for the most sensitive datasets.
Store evidence in geographically distributed vaults, with key shares split across multiple trusted custodians (Shamir’s Secret Sharing).
Implement time-release encryption: evidence can only be decrypted after a defined period or quorum agreement.
Maintain parallel chains of custody: one real, one decoy, to mislead adversaries during audits.
After mission completion, conduct a forensic wipe of all temporary analysis environments and destroy intermediary drives physically.
Treat all evidence as toxic data: access only when strictly necessary, minimize copies, and assume adversaries may attempt supply-chain poisoning (inserting false data into your evidence pool).

Themes

tema-opsec-completo-analista