Preserving the Incident Data
Any evidence that can be used in a court of law must be preserved with extra care and security. The assigned geo-based security officers and the worldwide security manager should consult the corporate security and legal departments of the incident-servicing enterprise to review the evidence.
When protecting data as evidence, the basic principle is "do no harm." Organizations should seek advice on preserving the evidence from an experienced security expert, who might be the assigned geo-based security officer or somebody from outside the VCSIRT. The last thing you want is to have to replace a confiscated system that was damaged either intentionally or by some unforeseen circumstance.
For example, in an incident in New England handled by the Secret Service's NET regional task force (http://www.ectaskforce.org/), a disgruntled employee changed a router configuration to let illegal network traffic come through the firewall. The employee immediately left the company, suspecting apprehension. Before the company realized that the router changes were made with malicious intent and engaged local law enforcement, the employee's computer was given to the employee who replaced him. The new employee not only changed the configuration of the computer, but also fixed the problem in the router before notifying an official of the company or a law enforcement officer. As a result, there was no trace of the actions taken earlier by the attacker.
In another case, a well-intentioned technician inadvertently damaged evidence and compromised the chain of custody after the court had permitted expedited discovery on computerized files (see Gates Rubber v. Bando Chemical, 167 F.R.D. 90; 1996 U.S. Dist. LEXIS 12423).
The chain of custody typically involves the following key questions:
Who accessed and collected the data first?
How was the data accessed and collected (explaining the manual and automated methods used)?
Where was the data collected, including detailed location information?
Who took the actual possession of it (for example, the person who accessed it might be different from the person who took possession of it)?
How was the data stored and protected?
Who took the data out of storage? When and why was the data taken out of storage?
Where was it transported to next?
The following table contains an example of a recommended chain of custody recording:
TABLE 1 Chain of Custody Recording

| Item | Date | Time | From Location | To Location | Name | Reason |
|---|---|---|---|---|---|---|
| Sun Ultra-10, serial: 235789 | 06/30/01 | 11:21:00 | Office 127, ABC Corp., Industrial Park, YourCity, MyCountry | | Bledsoe | I took the memory snapshot of this machine before shutting it down using the guidelines. Then, I image-copied this web server. Two disks are tagged as "case01-1" and "case01-2." I locked these disks in the cabinet "A-1" in office 127. |
| Sun Ultra-5, serial: 78901 | 07/03/01 | 14:55:00 | Office 127, ABC Corp., Industrial Park, YourCity, MyCountry | Office 1000, ABC Corp., Industrial Park, YourCity, MyCountry | Brady | I unlocked Office 127. Tagged and moved the machine and disk 01 to Carlson's office 1000 for further analysis and safekeeping. Rice locked Office 1000. |
| Sun Fire 15K server, serial: 234567 | 07/07/01 | 23:10:00 | Lab room 523, ABC Corp., Industrial Park, YourCity, MyCountry | Lab room 601, ABC Corp., Industrial Park, YourCity, MyCountry | Marino | Tagged, moved, and locked up the machine and associated media (disk 1 and disk 2) for next month's government agency review of email archives. |
| Toshiba laptop, serial: 124783 | 07/10/01 | 01:00:00 | Home: 123 Ideal Rd., Hometown, HisState, MyCountry | ABC Corporation, Industrial Park, YourCity, MyCountry | McNabb | Moved to office location from the home of employee (101010) for forensic analysis by Carlson tomorrow. |
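The custody record above answers the key questions with plain text cells; a later edit to any cell (who collected an item first, where it went) would be invisible. As an added example that is not part of the original document, the Python below keeps the seven columns of Table 1 as required fields and links each entry to the previous one by SHA-256, so verification pinpoints the first altered entry. The hash chaining and the abbreviated row values are additions of this example, not something the table prescribes.

```python
import hashlib
import json

# The seven columns of Table 1; every custody entry must answer them.
FIELDS = ("item", "date", "time", "from_location", "to_location", "name", "reason")
GENESIS = "0" * 64  # prev_hash of the first entry in a log


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so identical records always hash identically.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        missing = [f for f in FIELDS if f not in fields]
        if missing:  # refuse incomplete answers to the chain-of-custody questions
            raise ValueError(f"custody entry is missing {missing}")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {**fields, "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)  # digest taken before entry_hash is added
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1


def demo():
    """Log two rows (constructed, abbreviated from Table 1), then catch a later edit."""
    log = CustodyLog()
    log.record(item="Sun Ultra-10, serial: 235789", date="06/30/01", time="11:21:00",
               from_location="Office 127, ABC Corp.", to_location="", name="Bledsoe",
               reason="Memory snapshot, then imaged; disks case01-1/-2 locked in A-1.")
    log.record(item="Sun Ultra-5, serial: 78901", date="07/03/01", time="14:55:00",
               from_location="Office 127, ABC Corp.", to_location="Office 1000, ABC Corp.",
               name="Brady", reason="Machine and disk 01 moved to Carlson's office.")
    intact = log.verify()             # -1: nothing altered
    log.entries[0]["name"] = "Brady"  # rewrite who collected the evidence first
    return intact, log.verify()       # (-1, 0): entry 0 no longer matches its hash
```

Altering any field of an entry, or its link to the previous entry, changes the recomputed digest, which is what makes the log useful as a record rather than a reproduction of the events it describes.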