Information security organizations usually have very detailed plans to prevent incidents like security breaches or employee misuse of resources. However, they also need to be prepared for the possibility that an incident could occur that will have significant legal implications or lead to a criminal investigation. In this type of case, data stored in the organization's systems may be critical evidence that could make or break a legal case.
Converting digital information into usable legal evidence presents some unique challenges. For example, imagine if critical evidence resides only on a machine's RAM memory: it could easily be lost if the machine is powered off. An operating system's normal operations could alter the attributes of an important file unless proper precautions are taken. The simple act of opening a file can change its last access attribute, rendering it unusable as legal evidence.
So how do forensic investigations work?
Computer forensics basically deals with identifying, collecting, analyzing and protecting information residing on computer systems that could be used as evidence in legal procedures or even a trial. Computer forensics specialists have a number of tools at their disposal for dealing with many of the different challenges posed by the proper handling of digital evidence. A typical forensic investigation involves the following steps:
- Identification: the first step of an investigation is to identify the location of the relevant data that can be used as evidence. These days many devices could contain information besides computers, such as smartphones, USB drives and even videogame consoles.
- Collection: Once the location of the data has been identified, an investigator has to then apply the appropriate collection technique or tool. For example, the most common technique for computer hard drives involves the use of imaging software that can capture every sector of a drive, including unallocated or residual data (such as data remaining from deleted files). Usually multiple copies are made and at least one is kept for control purposes in case a working copy becomes damaged during analysis.
- Analysis: Depending on the case and the type of data and its location, there can be several procedures that can be used to analyze the collected data. A common objective in the analysis is to create a timeline of events. For example, the analysis of a breach can lead to the construction of a timeline that describes the chain of events that led to the incident: a spear-phishing e-mail led a user to a malicious website that exploited a vulnerability in his machine that in turn allowed the attacker access to the corporate network. The analysis of evidence must be thoroughly documented since the evidence and the process to obtain it are usually required in legal procedures.
- Protection: this is probably one of the most critical aspects of a forensic investigation. Take for instance the previous example of how opening a file can change its attributes: recklessly opening files can alter their attributes and their integrity can be questioned. The chain of custody is essential for dealing with any type of evidence, and it refers to the proper handling of evidence and a formal documentation of everything (and everyone) involved in the investigation or handling of said evidence. Any break in the chain (for example, a period of time where the location of the evidence cannot be accounted for) can cast doubts on the integrity of the evidence or its usability in a legal procedure.
What can an organization do to prepare?
The role computer forensics can play in an incident should be taken into account in your security incident management and response plans. Since there is an important legal factor involved, be sure to first consult with your organization's lawyers for guidance on the applicable laws and regulations.
When an organization needs to perform a computer forensic investigation, they typically rely on their internal staff, hire external specialists or a combination of both. Be aware that depending on the incident or legal jurisdiction, it may be mandatory that the investigation be performed by a law enforcement agency. Using internal staff or external consultants have different advantages and disadvantages for an organization:
- Internal staff: these days there are a great deal of resources for training forensic professionals such as those from SANS, among many others. Having someone on staff with knowledge on the tools and procedures in forensic investigations could be invaluable when building or improving incident response programs. Trained staff members can provide a fast way to get started with an initial assessment. However, depending on the type of incident, an internal investigation might not the most effective or appropriate strategy. In some jurisdictions, they must be properly licensed or registered with a local law enforcement agency.
- External specialists: these experts usually have extensive experience in handling digital evidence and may have the required licenses to operate in your area. They may also have a higher number of technical tools and resources required for many types of investigations. The cost associated with these experts however, could be very high. As noted before, make sure to check with your legal counsel first.
Perhaps the most important step an organization can do to prepare is to decide and properly document the method or procedures to follow in the incident response plans. Organizations that wait until an incident occurs to make these decisions could find themselves at a disadvantage in any number of legal situations.
I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, focusing on multiple areas including log management and security incident investigation and response.