Digital Forensics – CompTIA Security+ SY0-701 – 4.8

The data collection process is an important part of digital forensics. In this video, you’ll learn about legal hold, chain of custody, event reporting, e-discovery, and more.


As security professionals, we are often responsible for collecting data when a security event occurs. This process of digital forensics is not only important to understand what happened during the security event but also to understand how we can protect ourselves in the future and be able to use this information in any type of legal proceeding. The specifics of how to collect this data and store this information are a bit outside the scope of the Security+ exam, but there is an RFC, number 3227, Guidelines for Evidence Collection and Archiving. If you wanted to read through a set of best practices, they’re all documented in this RFC.

The IT security industry has created a number of best practices for digital forensics, so it’s important to understand what those best practices might be for the acquisition, analysis, and reporting of this data. Because of how this data may be used in the future, it’s incredibly important to follow these sets of best practices when we’re collecting data today. It’s very possible that the data you’re collecting today will be used in legal proceedings that occur years from now. So it’s important that you follow the best practices for this data collection and be able to take extensive notes and information on how this data was obtained.

One type of data acquisition request is called a legal hold. This is a process usually initiated by a lawyer or some other type of legal entity, and they will inform you in a document of the type of data that needs to be stored and how much of that data needs to be available. These requests are usually sent to the data custodian, who obviously has access to all of the data associated with this particular request. The custodian will be responsible for evaluating the legal hold and understanding where to start with acquiring that data.

In most cases, an organization will have a separate area where all of this ESI, or electronically stored information, will be held. All of the data that is described in the legal hold is acquired and stored in this repository. And this may be a bit more involved than simply copying a file from one place to the other. The information you need to acquire may be part of a much larger database or may be stored in a format that needs to be modified before storing it as part of the legal hold. For example, an email client might store data into a proprietary format, and you may need to convert that back to the text format of email to be able to store it in a form necessary for this legal hold.

It’s also important that all of this information be properly preserved. This is data that is being requested by the courts, and you are responsible for making sure that data is safe and is able to be provided to the court when requested.

One of the most important concepts in this type of data collection is that the information remains in its pristine or unmodified form during the duration of this analysis. This means, when the data is first acquired, there needs to be a process in place to ensure the integrity of that data going forward. And of course, there will most likely be multiple individuals who need to gain access to this information as this particular event proceeds. To better understand exactly who accesses this data and to confirm that the data has not changed during this process, we need to put in place a chain of custody.

In the physical world, we would take evidence and place it into a bag that could be sealed. If anyone then accesses that evidence inside of the bag, they would need to document that on the bag itself. In the digital world, we can use hashes and digital signatures to maintain the integrity of the data and understand exactly who accesses that data at any particular time. This allows us to understand exactly how this data has been stored during a particular time frame. We know who accessed the data. And we can confirm the data that we’re looking at in the future is exactly the same data that we originally collected.

There may be times with a legal hold when you know exactly what type of data you should be collecting and how that data should be stored. But in the case of a broader security event, you may need to collect a lot of different types of data from different systems. And in those particular cases, you will need to have a chain of custody for every bit of data that you’ve collected.

The acquisition of this data is commonly the first step, and we may need to obtain this data from many different types of sources. For example, the data might be stored on disk or in memory of a system, it might be part of the firmware, or it might be files that are stored as part of the file system.

We may also find that this is an attack that took place over a number of different systems, so we may need to collect data from multiple devices. We may need to gather information from servers that are on the network. There might be data stored in network devices. There might be logs on a firewall that we will also need to acquire.

If this is a virtual system, we may want to take a full copy of everything associated with that VM. For example, you could obtain a snapshot of that system, which contains all of the files and all of the information about that virtual machine. And some of the most interesting information you’ll acquire may not be in the most obvious places. For example, there’s data inside of log files on a system. There may be data that’s stored in a recycle bin or some temporary storage area. There might be browser bookmarks, saved logins, and other temporary files that can provide more details about this particular event.

When dealing with this type of data, it’s not only important to acquire the data, but it’s also important to document how that data was acquired. We often create detailed reports on the data acquisition process, not only to use internally for understanding how this data was acquired, but in the future if this is used for any type of legal proceeding, we’ll need a lot more information on how this particular data was acquired and how it’s stored.

This reporting process is going to give us the documentation that we need. We often start with a summary or an overview of the entire event and the process that led us to begin acquiring this data. There then needs to be detailed documentation that describes all of the steps that it took to get the data from its original source to the data that was acquired. This allows a third party to look over the process later and understand all of the integrity checks that were put in place so they can feel comfortable that the data they’re looking at now is a proper representation of the original data.

You might also be required to create an analysis of the data that was acquired. This is usually a factual description of the structure of the data and how this data can be used or understood by a third party. And if we’re using this data to provide insight into the security event, we may want to create a conclusion. We may analyze the data, have an understanding of how this data relates to the security event, and then make conclusions as to what happened with this data during this particular event.

Acquiring data is obviously an important step in this forensics process, but we also have to think about how we’re going to store this data. And the preservation of this data becomes especially important when these types of events turn into legal proceedings that can occur even years down the road.

Since we are referring to a digital representation of this data, it’s very easy to make copies from the original media and then use the copies in our analysis. This not only ensures that we have a backup of the data, it also prevents us from making any changes to the original data source. This is especially important with mobile devices, which can be easily erased from a remote location. So you want to be sure to make copies of the data on those mobile devices and work from the copies.

For both our mobile devices and our desktop operating systems, being able to collect data in a live form is a very important skill. This can be especially important on systems that have some type of encryption technology that automatically locks them down when you power off the system. So if you are in a situation where you are acquiring data, you may want to find ways to do that while the system is still running.

And as we’ve already mentioned, this information might be used years down the road in legal proceedings. So we want to be sure to follow the best practices for acquisition and the best practices for preserving this data during that time frame.

This forensics process might also involve e-discovery. This is the process of collecting, preparing, reviewing, interpreting, and producing electronic documents. As a security professional, you may find yourself being asked to gather large amounts of data and provide that data in a form that may be used by a third party. This e-discovery process is all about acquiring data. It doesn’t have any requirement that you provide analysis of the data. It’s simply listing out the type of data that needs to be acquired and putting that into your hands to properly acquire it.

This e-discovery process often works in conjunction with a formal forensics process. So you might be asked to collect an image of a particular drive and provide that drive to a digital forensics professional. Creating the image of that drive is the only thing required by the e-discovery process. Once that image is handed over to the forensics team, they might look at the data on the drive and make determinations of whether the data is still on that drive or whether the data may have been deleted. And at that point, they can go through the processes and procedures for undeleting or recovering that data if required.