Proper handling of digital (electronic) evidence is critical. Learn what to do and more importantly what not to do.
In Minnesota, when the snow and cold finally abate, neighbors tend to congregate in one or the other's driveway and catch up on things. One of my neighbors is a police digital-forensic investigator in the white-collar crimes division. I always have lots of questions for him, but most of the time, all I get is, "Can't talk about it."
That was not the case this past weekend. I noticed that same neighbor walking back from the nearby playground with his daughter. I waved and asked how business was. He said, "Too good."
It seems bad guys are getting smart and using pwned business computers instead of their own for data storage and communications — keeping my neighbor very busy. To make matters worse, once management at victimized companies learn of the breach, there is a tendency to taint or even destroy evidence in their haste to stop the bad-guys' activities.
My neighbor said, "If there's even the slightest doubt about what to do, call local law enforcement or a certified digital-forensic scientist. Too many cases are lost due to improper handling of digital evidence."
He knows I write about computer security, and my neighbor added, "Is that enough of a hint?"
A guide for first responders
To seal the deal the very next day I came across the European Union Agency for Network and Information Security (ENISA) white paper Electronic evidence - a basic guide for First Responders. The paper's introduction mentions, "While the securing of digital evidence is ultimately a task and a responsibility of law enforcement, CERT [Community Emergency Response Team] staff can nevertheless contribute to that work by helping to preserve it during the detection of a cybercrime."
Even though this paper is aimed at CERT responders, it does not diminish its value to IT professionals responsible for the welfare of their employer's digital infrastructure. To verify that, I had my neighbor check out the paper. He smiled mentioning that I did indeed get the hint.
What is electronic (digital) evidence?
In the appendix of Forensic Examination of Digital Evidence: A Guide for Law Enforcement, the US Department of Justice defines digital evidence as "Information stored or transmitted in binary form that may be relied on in court."
The ENISA paper agrees, adding, "In general though, most definitions seem to summarize that digital evidence is digital data that can be used to help establish (or refute) whether a crime has been committed."
The paper then states that electronic-evidence gathering includes assessing the situation, identifying potential evidence, and recovering said evidence in accordance with local evidentiary procedures.
Those three steps are especially complicated today. With all the different "smart" devices, evidence is everywhere, and capturing evidence from a smartphone, for instance, requires a different process than harvesting data from a computer or even a smart refrigerator.
One area of special concern to my neighbor and ENISA is volatile data. It is troublesome when those in authority at the company, once learning there is something amiss, order the suspect device/s to be shut down to prevent any further damage.
My neighbor asked me to point out the pros and cons of shutting down equipment. Indeed, company management could stop criminal activity; however, they must understand destroying evidence and or impeding an investigation may create problems for the company.
Five principles for dealing with digital evidence
Next the ENISA paper identifies five principles that establish a basis for dealing with digital evidence. The descriptions are geared toward those who will do the actual data gathering, though understanding what is involved should benefit IT professionals responsible for safeguarding the data until investigators arrive.
- Data integrity: This is the number one principle and extremely important according to the paper. The integrity of the data must be maintained at all stages of the investigation. The paper adds, "No action taken [...] should change data which may subsequently be relied upon in court."
- Audit trail: This is all about Chain of Custody — digital or otherwise. "Documentation permeates all steps of investigative process, but is particularly important in the digital evidence seizure step," writes Eoghan Casey in Digital Evidence and Computer Crime. "It is necessary to record details of each piece of seized evidence to help establish its authenticity and initiate the chain of custody."
- Specialist support: The ENISA paper reinforces what my neighbor mentioned. If there is any doubt call in a specialist and make that decision as soon as possible. The paper expands on the earlier mention of added complexity caused by the variety of smart devices, cautioning that each device will need specific forensic know-how to recoup data.
- Appropriate training: In lieu of calling in specialists, IT departments could make a case for training. Having internal digital-forensic expertise can be useful for a multitude of reasons. For example, trying to retrieve important data from failed hard drives.
- Legality: It's tough to try to decipher and abide by local jurisdiction, precedence, governing bodies, ad infinitum. Everything can be done according to the book, and all for naught if this step is ignored. "It is important to find out which principles or rules are applicable," the paper's authors' admonish, and further suggest contacting law-enforcement personnel before an incident occurs to get familiar with said principles and rules.
My neighbor disagrees with ENISA on what is the most important principle. He feels calling the proper law-enforcement agency supersedes everything. He may be right.
- Download: Computer Crime Evidence-preservation Checklist (Tech Pro Research)
- Actionable information crucial part of IT security
- Ponemon report shows cybercrime is on the rise
- Real-life computer crimes investigation: It's not like on TV
- Interpol World 2015: Cybercrime increasingly challenging for law enforcement (ZDNet)
- Microsoft targets Asia as global hub of cybercrime and malware (CNET)
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
Note: TechRepublic, Tech Pro Research, CNET, and ZDNet are CBS Interactive properties.