Incident management is becoming increasingly important within information security as it becomes clear that even the most effective defence in depth does not always prevent a breach. The ISO27001 standard dedicates section A.16 of Annex A to a set of seven controls designed to make incident management as good as it can be in the circumstances. One of these controls, A.16.1.7 Collection of evidence, states that “The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.”
An excellent demonstration of the principles and tools involved in such digital forensics was given recently by Russ May, Visiting Professor at Sunderland University in the UK, at a meeting of the information security group ISACA, and I will attempt to pass on some of the main points here.
The first thing to say is that this is a very specialist area and things have to be done in a certain way, otherwise the evidence will be inadmissible in court. In ISO27001 terms this means that your procedures need to acknowledge that and take the initial steps to secure the scene and avoid making any basic errors. As far as the control goes, it is perfectly acceptable within ISO27001 to then call in a specialist organization who will take over from there. The investigation of the evidence should then take place under the control of your incident management procedures (Annex A – A.16.1.1 Responsibility and procedures), often led by your legal team.
So what should the first responders know about securing the scene before the specialists arrive? There are four principles that are generally accepted as good practice to ensure that evidence stays admissible.
Don’t change any data. If anyone does anything that results in the data on the relevant system being altered in any way, this will affect any subsequent court case. Examples can be as simple as waking up a laptop or logging on, either of which writes to the disk. So think before you touch anything.
(Really one for the specialists, this.) Only access the original data in exceptional circumstances. The first thing a specialist will do is use forensic tools to take a bit-for-bit copy of the storage, whether it is a hard disk, flash memory or perhaps the SIM card in a phone, and verify by cryptographic hash that the copy is identical to the original. All analysis then takes place on the copy and the original is never touched again, unless time is of the essence and gaining information to prevent a further crime is more important than keeping the evidence admissible (this is rare).
Always keep an audit trail of what has been done. Forensic tools will do this automatically, but it also applies to the first people on the scene. Taking photographs and videos is encouraged, as long as you don’t touch anything to do it.
The person in charge must ensure that the guidelines are followed. Few excuses are accepted in court, so training staff to respond appropriately is a must.
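As an added example (not from Professor May’s talk or this article), the bit copy and audit trail steps from the principles above can be scripted as follows. It assumes a POSIX shell with dd and either sha256sum or shasum, that the source has already been placed behind a hardware write blocker (the script itself never writes to it), and that the first-on-scene log format is the organization’s own choice; the function, file and column names are this example’s, and the 32 KiB “evidence” it images is constructed random data standing in for a seized disk.

```shell
#!/bin/sh
# Added example, not from the original article: image an evidence source
# bit for bit, verify the image by hash, and append an audit-trail entry.
# Assumptions: POSIX sh; dd plus sha256sum or shasum available; the source is
# already behind a hardware write blocker (the script never writes to it).
# All function, file and column names below are this example's own choices.

# hash_file FILE: print the SHA-256 of FILE using whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG
# Copies SRC to DST in 512-byte blocks, hashes both, stores DST's hash beside
# it, and appends one tab-separated audit line to LOG.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src="$1"; dst="$2"; log="$3"
    operator="${OPERATOR:-$(id -un)}"          # who did it (env override for demos)
    started="$(date -u +%Y-%m-%dT%H:%M:%SZ)"

    # Hash the original first, before any tool has had a chance to touch it.
    src_hash="$(hash_file "$src")" || return 2

    # Bit copy. conv=noerror keeps going past unreadable blocks; conv=sync pads
    # each short read with zeros so offsets in the image still match the source.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 2

    dst_hash="$(hash_file "$dst")" || return 2
    finished="$(date -u +%Y-%m-%dT%H:%M:%SZ)"

    if [ "$src_hash" = "$dst_hash" ]; then
        status="VERIFIED"; rc=0
    else
        status="HASH_MISMATCH"; rc=1
    fi

    # Audit trail: who, when, what, and the hash that lets anyone re-verify later.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$started" "$finished" "$operator" "$src" "$dst" "$src_hash" "$status" >>"$log"
    # Keep the image's hash next to it so the check value travels with the copy.
    printf '%s  %s\n' "$dst_hash" "$dst" >"$dst.sha256"
    return "$rc"
}

# verify_image DST: succeed only if DST still matches the hash stored at acquisition.
verify_image() {
    stored="$(cut -d' ' -f1 "$1.sha256")" || return 2
    [ "$(hash_file "$1")" = "$stored" ]
}

# demo: a constructed 32 KiB random file stands in for a seized disk.
demo() {
    work="$(mktemp -d)"
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=64 2>/dev/null
    acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/custody.log"
    cat "$work/custody.log"
    rm -rf "$work"
}

demo
```

Run it as a file (`sh acquire.sh`) and the demo prints the single audit line it appended. On a real device the source would be a block device path such as `/dev/sdb` behind a write blocker, `verify_image` is what you run again on the image before and after analysis, and the hash on the audit line is what you later compare against the one stored next to the copy.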
Obviously digital evidence comes in an increasing variety of forms, with mobile phones and tablets now taking over from laptops as the major focus of investigations in criminal cases. The sheer volume and level of detail that can be extracted from many of these devices is remarkable, even after they have supposedly been wiped by reset routines. Professor May gave an example of a wiped BlackBerry purchased second-hand on eBay which gave up a treasure trove of information about who the previous owner was, where he lived and, through GPS records stored on the phone, even where he had been. The moral is that a reset does not necessarily get rid of the data.
The main point of this from an ISO27001 angle is to ensure that your procedures for the disposal of mobile devices and removable media (Annex A – A.6.2.1 Mobile device policy and A.8.3.2 Disposal of media) are effective enough to ensure that this type of data doesn’t end up in the wrong hands. Unfortunately, the only way to be certain of this is complete physical destruction, but given the relative cost of modern devices against the value of your organization’s data and reputation, this has to be the way to go.
Our thanks to Professor May and ISACA for this valuable update.