Art of preserving digital evidence


In the face of data compromise, those first to the scene can make or break your case

 

By J. Andrew Valentine

 

So, you’ve been hacked. Your business – thousands of your customers’ personal records – has just been compromised. Obviously, there are questions that need to be answered. Questions like how did this happen? Who perpetrated the crime? And was the crime preventable?


Once you realise that a security breach and data compromise has occurred, your immediate actions will largely help or hinder any computer forensics investigation that follows.


The success of a computer forensic investigation is determined by both the availability and preservation of digital evidence sources. Without any specific malicious intent, organisations suffering data compromise commonly tamper with evidence sources before engaging a formal forensic investigation, handing investigators an unnecessary handicap. 


The fleeting nature of digital evidence
A constant challenge facing computer forensic investigators is the inherent fragility of digital evidence. When handled improperly, digital evidence can easily be altered or even eliminated, creating a significant investigative handicap.


In the minutes and hours immediately following the discovery of a crime involving digital evidence, the actions taken by the first responders should ensure that evidence is preserved in a secure and forensically sound manner. 


Before the onset of a proper forensic investigation, evidence is often tainted by the actions taken by otherwise well-intentioned first responders on the scene. Essentially, the first people to discover the crime often “poke around” the system environment, attempting to determine what occurred. In so doing, these first responders can potentially alter the digital evidence, rendering it useless to an operational investigation. Consequently, it is important that prior to the onset of a proper forensic investigation, no actions are taken that could compromise valuable evidence sources.


Preparing for a computer forensics investigation
After discovering a network breach, data compromise or other computer-related crime where digital evidence is involved, it is important to adhere to the following guidelines so that a forensic investigation can proceed on sound evidence.

 

1. Be cautious of altering or deleting evidence


After realising they’re the victim of a network breach and subsequent data compromise, organisations, and, in particular, under-trained staff unfamiliar with proper evidence handling and preservation techniques, often perform rudimentary investigations internally. In these situations, evidence is not gathered in a forensically sound manner that will render it admissible in a courtroom. If your organisation is to undergo a computer forensic investigation, it is critical that you do not alter evidence before trained investigators arrive on the scene. Essentially, leave it to the experts.
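One way to make "do not alter evidence" something investigators can later verify, given here as an added example that is not part of the article: a first responder records the size and SHA-256 hash of every file in the evidence set before anyone touches it, and investigators re-hash the same files on arrival. The hashing approach, the collector name, the file names and the log contents below are all assumptions constructed for illustration; the article itself does not prescribe a method.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so a large disk image or log file never has
    to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every regular file under evidence_dir.
    Files are visited in sorted order so identical data always yields identical entries."""
    root = Path(evidence_dir)
    entries = []
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        entries.append({
            "path": path.relative_to(root).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_of_file(path),
        })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash each manifest entry and sort it into 'ok', 'modified' or 'missing'.
    Size is compared first so an obvious mismatch is reported before the slower hash."""
    root = Path(evidence_dir)
    findings = {"ok": [], "modified": [], "missing": []}
    for entry in manifest["entries"]:
        path = root / entry["path"]
        if not path.is_file():
            findings["missing"].append(entry["path"])
        elif path.stat().st_size != entry["size"] or sha256_of_file(path) != entry["sha256"]:
            findings["modified"].append(entry["path"])
        else:
            findings["ok"].append(entry["path"])
    return findings


def demo():
    """Constructed scenario: take the manifest, then let a well-meaning responder
    'tidy up' the scene, and show that verification flags exactly what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        firewall = root / "logs" / "firewall.log"
        # Constructed sample content; addresses are from documentation ranges.
        firewall.write_text("2008-03-01 02:14:07 DENY 203.0.113.9 -> 10.0.0.5:3389\n")
        (root / "logs" / "auth.log").write_text(
            "2008-03-01 02:15:30 accepted password for admin from 203.0.113.9\n")
        (root / "notes.txt").write_text("ticket 0001 opened\n")

        manifest = build_manifest(root, collector="first responder (constructed name)")

        # A one-word edit keeps the file size identical; only the hash reveals it.
        firewall.write_text(firewall.read_text().replace("DENY", "DROP"))
        # A deleted file is reported as missing rather than silently ignored.
        (root / "notes.txt").unlink()

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately small (path, size, hash, who collected it and when) so it can be printed and signed on paper as part of the chain-of-custody record; the point is that any later "poking around" becomes detectable rather than deniable.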


2. Increase all available logging tools


During any computer forensic investigation, log data is critical in determining the nature of the crime that has occurred. Valuable log data helps forensic investigators determine not only the specific attack vectors an intruder may have exploited, but also how long a network breach may have been going on.


As a general rule, organisations should have all available logging tools enabled within their network environment, including router logs, firewall logs, intrusion detection logs and even Windows event logs.


Even in a situation where appropriate logging was not enabled when the crime occurred, it is still valuable to enable logging on network devices after the fact. Intruders often attempt to revisit networks they’ve already breached. By enabling all available logging tools, you will be able to gather further evidence if the intruder returns.
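To show what establishing a breach timeframe from log data looks like in practice, here is an added example that is not part of the article. It takes log lines from several devices (the kind of router, firewall and server logs the text recommends enabling), finds every event that mentions a given address, and reports when it was first and last seen and which hosts recorded it. The log format, the host names and every sample line are constructed for this example; the addresses come from documentation ranges.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, not real logs: events from a firewall, a web server
# and a database host, deliberately out of order, with one corrupted line and
# one near-miss address (203.0.113.91) that must not be counted.
SAMPLE_LOGS = [
    "2008-03-01T02:15:30Z web01 GET /admin/login.php 200 203.0.113.9",
    "2008-03-03T23:58:01Z db01 sshd accepted password for svc_backup from 203.0.113.9",
    "2008-03-01T02:14:07Z fw01 DENY TCP 203.0.113.9:51234 -> 10.0.0.5:3389",
    "2008-03-01T02:14:09Z fw01 ALLOW TCP 203.0.113.9:51240 -> 10.0.0.7:443",
    "2008-03-02T11:02:44Z fw01 ALLOW TCP 203.0.113.91:4490 -> 10.0.0.7:443",
    "2008-03-01T02:15:31Z web01 POST /admin/login.php 302 203.0.113.9",
    "2008-03-01T09:40:12Z web01 GET /index.html 200 198.51.100.23",
    "corrupted line with no timestamp",
]

# Assumed line layout: ISO-8601 UTC timestamp, host name, free-text message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, host, message) for a well-formed line, or None if the
    line cannot be parsed. Callers count unparsable lines instead of dropping them."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def timeframe_for(lines, indicator):
    """Summarise every event mentioning `indicator` (an IP address here): when it
    was first and last seen, how long that window is, and which hosts logged it."""
    # Anchor the address so 203.0.113.9 does not also match 203.0.113.91.
    needle = re.compile(r"(?<![\d.])" + re.escape(indicator) + r"(?![\d.])")
    hits, hosts, unparsed = [], set(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        ts, host, message = parsed
        if needle.search(message):
            hits.append(ts)
            hosts.add(host)
    if not hits:
        return {"event_count": 0, "unparsed_lines": unparsed}
    first, last = min(hits), max(hits)
    return {
        "first_seen": first,
        "last_seen": last,
        "dwell_seconds": int((last - first).total_seconds()),
        "event_count": len(hits),
        "hosts": sorted(hosts),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    summary = timeframe_for(SAMPLE_LOGS, "203.0.113.9")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two details matter in real investigations and are handled above: logs from different devices arrive out of order, so the window is taken from the minimum and maximum timestamps rather than the first and last lines read; and lines the parser cannot understand are counted and reported, because a gap in parsed coverage is itself a finding.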


3. Know your network environment


Forensic investigators will require background information about any systems environment subject to a criminal act, be it a perimeter breach or a data compromise. Organisations should be ready to provide investigators with knowledge and background information relating to all system components, both hardware and software, including software versions, hardware implementation dates, access control lists and firewall configurations. This information gives investigators unique vantage points and speeds the discovery of findings.


Leading up to a forensic investigation, you should re-familiarise yourself with your network environments and be ready to speak candidly with investigators on the scene.


4. If you’ve got failover redundancy, enable it 


In situations where an organisation’s network environment has built-in failover redundancy, any mirrored servers or systems will provide investigators with the best available digital evidence if they are taken offline immediately after the discovery that a crime has occurred.


Mirrored systems will be able to provide investigators with an accurate representation of the environment as a malicious intruder would have seen and interacted with during a network breach or data compromise.


5. Hurry, do all of the above sooner rather than later


As digital evidence is particularly fleeting, with every passing moment, valuable evidence is likely being deleted or overwritten. After discovering that a computer crime has been committed, you should immediately perform each of the above actions. Further, once the decision has been made, you should not delay scheduling a proper forensic investigation. The sooner an investigation begins, the more viable the digital evidence will be.

 

J. Andrew Valentine is a security consultant within Verizon Business Security Solutions’ Incident Response Unit
