Today the question is not whether your organization will have an electronic incident but when that incident will occur. Regardless of the type of incident, there is a high likelihood that your organization will need to collect digital evidence and build some form of case file. However, it is often in the first moments after an incident is detected that the organization makes crucial mistakes.
Most organizations cannot justify having a full-time forensic examiner on staff. As a result, when incidents do occur the first responders often have not been properly trained in sound evidence collection procedures. This post covers some of the basic steps and precautions that first responders should follow to ensure they are not permanently damaging, altering or destroying critical digital evidence.
Physical evidence
More often than not, the organization’s IT staff are called upon as the first responders. While these individuals have a deep understanding of the internal technical details of the organization’s electronic systems, they often do not realize the importance of the physical world surrounding those systems. When first arriving at the scene, everyone should take care not to alter the physical environment. Extensive photographs of the cubicle, room, etc. should be taken to document the location of every item in the environment.
Once the collection of items begins, proper precautions should be taken to preserve physical evidence such as fingerprints on keyboards, as well as to protect the responders from any harmful substances in the area. Additionally, proper storage containers should be used to collect physical evidence, ensuring there is no opportunity for contamination as the evidence is transported.
Volatile storage evidence
The proliferation of Web 2.0 applications has greatly complicated the collection of digital evidence: many times the information is either scattered in rendered scraps across a massive hard drive or stored only in the system’s volatile RAM while the application is being accessed. Therefore, when the system is powered off the data is lost forever unless it can be captured while the system is still live.
A number of forensic tool vendors have developed solutions to aid in the capture of volatile information from systems. The e-fense Live Response USB key allows first responders to acquire a comprehensive copy of all critical system settings and memory contents from a live system. Guidance Software’s EnCase Enterprise application has a privileged read-only process running on your organization’s systems that can be used to transfer volatile information from a system to a central repository without alerting the system’s user or requiring physical access to the device.
Critical business system
Finally, I want to discuss how to handle a critical business system that is involved in an incident. Obviously these systems usually cannot be taken offline and sent to a forensics lab for processing. They tend to be multi-user systems with a high volume of traffic and activity, which means the system state is changing quickly and potential evidence may be lost if not captured in a timely manner. The challenge is how to make an image of the system while it is still online and constantly changing.
Again, many vendors offer tools that can do network-based image transfers of live systems, including AccessData and Guidance Software, or even the open source dd utility piped over a netcat tunnel (for those who aren’t looking to spend a lot of money). While this may not be as ideal as a standalone drive imaging process, given the restrictions of dealing with these critical systems it is the best option available, and any image (even a smeared one) is better than none.
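An added example of the dd-over-netcat approach mentioned above; this is not code from the original post. It wraps the two commands (receiver first, then sender) in shell functions, hashes the stream in flight so the stored image can be verified later, and includes an offline demonstration in which a local pipe stands in for the network tunnel. The host address 10.0.0.50, the port 9999 and the device /dev/sda are placeholder assumptions, not real infrastructure.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates "dd piped
# over a netcat tunnel" with in-flight hashing so the received image can
# be verified later. 10.0.0.50, 9999 and /dev/sda are placeholder values.

# Portable SHA-256 of stdin: sha256sum on Linux, shasum on macOS/BSD.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# Command to run FIRST on the collection workstation: listen on the port,
# write the stream to the image file, and hash the bytes as they arrive.
# The in-flight hash is the value recorded in the case file.
receiver_command() {   # $1 = port, $2 = image path, $3 = hash record path
    printf 'nc -l -p %s | tee %s | sha256sum > %s\n' "$1" "$2" "$3"
}

# Command to run SECOND on the live system. conv=noerror,sync keeps dd
# going past unreadable sectors (zero-filling them) instead of aborting,
# which matters on a system you cannot take offline and re-image.
sender_command() {     # $1 = source device, $2 = collection host, $3 = port
    printf 'dd if=%s bs=4M conv=noerror,sync | nc %s %s\n' "$1" "$2" "$3"
}

# Later verification: re-hash the stored image and compare with the
# recorded in-flight hash. A mismatch means the image was altered or
# truncated after acquisition. Re-reading the live source is not a valid
# check: it has kept changing since the acquisition (the "smeared" image
# the post describes), so the recorded in-flight hash is the anchor.
verify_image() {       # $1 = image path, $2 = recorded hash
    actual=$(sha256_stdin < "$1")
    [ "$actual" = "$2" ]
}

# Offline demonstration with a constructed "device": a local pipe (cat)
# stands in for the netcat tunnel, so the whole pipeline runs without a
# network. Prints the verified hash and returns 0 on success.
local_demo() {
    work=$(mktemp -d)
    # Constructed sample disk contents: 4096 x 16-byte records = 64 KiB.
    i=0
    while [ "$i" -lt 4096 ]; do printf 'EVIDENCE-SECTOR\n'; i=$((i + 1)); done > "$work/source.img"
    # sender side -> "tunnel" (cat) -> receiver side, hashing in flight
    dd if="$work/source.img" bs=4096 conv=noerror,sync 2>/dev/null \
        | cat \
        | tee "$work/image.dd" | sha256_stdin > "$work/image.sha256"
    recorded=$(cat "$work/image.sha256")
    if verify_image "$work/image.dd" "$recorded"; then
        echo "image verified $recorded"
        rm -rf "$work"
        return 0
    fi
    echo "image FAILED verification"
    rm -rf "$work"
    return 1
}

local_demo
```

Two portability notes: the listener syntax differs between netcat builds (GNU netcat takes `nc -l -p PORT`, OpenBSD nc takes `nc -l PORT`), and `bs=4M` is GNU dd notation where BSD dd expects `bs=4m`. The receiver should be started before the sender, and the recorded in-flight hash, not a later re-read of the live disk, is what the stored image is checked against.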
In the end, organizations should be prepared to handle incidents when they occur. Acquiring a few key tools, having documented and proper incident response procedures, and providing those who will be the initial responders with some basic training can be the difference between success and failure in building sound, evidence-backed cases.