
How can you trust a forensic scientist to have maintained the chain of custody?

Çağlar Arlı

I have been reading about the chain of custody in cybersecurity-related forensics, and I wonder how you can be so sure the forensic scientist did their job right and is not a malicious actor.

I have a specific scenario in mind. Let's say that you take an image from a compromised server to investigate. The obvious thing for me to do is generate a hash of the base system I'm trying to create the image from, then generate the hash for the image itself, and always be sure that both hashes match. Taking this into account, couldn't the forensic scientist modify the image, thus generating a different hash, and write that hash everywhere else in the documentation for the investigation?

I'll go one step further: if by any chance the source of truth was lost (in my example, the server), you either have to trust the forensic scientist or you don't, since you don't have the original to compute a hash from.

Am I missing something?