Chapter 9: Determine Collection Requirements

Introduction

As the third stage, organizations must produce a collection requirements statement that effectively outlines to business risk stakeholders what their responsibilities are—throughout the enterprise—for operating and monitoring systems where digital evidence will be sourced from.

However, before an organization can establish a statement covering the proactive gathering of digital evidence, it must do more than define business risk scenarios and identify data sources: it should also perform a thorough assessment to ensure that the requirements for collecting any digital evidence are justified and authorized.

Pre-collection Questions

Deciding on the organization’s requirements for proactively gathering digital evidence calls for some preliminary activities to be completed before work can begin on the overall statement that describes those requirements. The moderating factor in producing a requirements statement is a cost-benefit analysis (CBA). Refer to Addendum C, “Cost-Benefit Analysis,” for further discussion about how to perform a cost-benefit analysis in support of producing the digital evidence collection requirements statement.

Similar to how a CBA is used to determine if implementing a forensics readiness program is valuable to an organization, as discussed in Chapter 1, “Understanding Digital Forensics,” this time around it is used to help organizations determine factors such as how much it will cost to gather the digital evidence and what benefit there is in collecting it. To determine if creating a requirements statement to gather digital evidence is beneficial, organizations must answer several questions that focus on whether it can be done in a cost-effective manner.

Question #1: Can a forensics investigation proceed at a cost that is proportionate to the cost of an incident?
To get an accurate comparison, organizations should factor in all monetary aspects associated with conducting an investigation in reaction to an incident against the resulting impact of an incident. As a starting point organizations can pull cost elements from their service catalog, discussed further in Addendum B, “Service Catalog,” to understand how administrative, technical, and physical security controls contribute to conducting a forensics investigation. Examples of cost elements that organizations must consider including as part of this comparison include ongoing maintenance of governance documentation (e.g., standard operating procedures (SOP)); resource allocation to facilitate both incident management and continuous improvement activities; and the operational costs of technologies used to manage the business risk. With this initial analysis complete, a secondary comparison must be completed, including all monetary aspects, tangible and intangible, associated with performing an investigation after proactively gathering the digital evidence versus the resulting impact of an incident. Using results from the two comparative analyses, organizations can determine the quantitative benefits of creating a requirements statement.

Question #2: Can digital evidence be gathered without interfering in business operations?
When conducted in reaction to an event, forensics investigations can require that organizations temporarily assign several support resources to assist in the gathering of digital evidence. In some instances, the organization might realize that their ability to effectively and efficiently gather digital evidence in reaction to an incident is challenged by some type of roadblock (e.g., restoration time delay). Where potential digital evidence can be proactively gathered, organizations can benefit from having digital evidence readily available when needed and not having to allocate resources away from their day-to-day business operations to assist. This improvement in operational efficiency can reduce the need for resources to be temporarily removed from their normal duties and avoid any lost productivity or degradation in service availability.

Question #3: Can a forensics investigation minimize the negative impact to business operations?
The potential for an incident to result in the loss or degradation of day-to-day business operations is a realistic scenario that most organizations face. In reaction to these events, the organization’s ability to manage the incident directly depends on their capability to quickly gather and process digital evidence to understand the content and context of the incident. When digital evidence has already been gathered and is readily available, the organization can not only reduce the time needed to investigate but can also conduct proactive investigations. In addition to supporting forensics investigations, the capability to perform proactive investigations in support of security control assessments or user behavior analytics can reduce the likelihood of an event resulting in impact or interruption to the business.

Question #4: Can digital evidence make a positive impact on the likely success of legal actions?
Whether part of a forensics investigation, contract dispute, etc., producing digital evidence in support of legal matters requires that organizations ensure that electronically stored information (ESI) is admissible to the matter at hand. As discussed in Chapter 10, “Establishing Legal Admissibility,” Federal Rule of Evidence 803(6) provides that ESI is admissible as digital evidence in a court of law if it demonstrates business “records of regularly conducted activity” such as an act, event, condition, opinion, or diagnosis. Determining the relevance and usefulness of ESI as digital evidence before creating a collection requirements statement ensures that organizations will not give way to over-collecting, which results in unnecessary downstream processing and review expenses.

Question #5: Can digital evidence be gathered in a way that does not breach compliance with legal or regulatory requirements?
Laws and regulations can be imposed on organizations depending on several factors such as the industry they operate within (e.g., financial) or the countries where they conduct business (e.g., United States, India, Great Britain). Organizations must have a good understanding of how these governing laws and regulations influence the way they conduct their business operations. To provide reasonable assurance that there is adherence to these requirements, organizations need to produce digital evidence of controls that demonstrates they are practicing a reasonable level of due care. Consideration must be given to how background and foreground digital evidence, as discussed in Chapter 8, “Identify Potential Data Sources,” will be proactively gathered and preserved in accordance with the compliance requirements.

Assessing the quantitative and qualitative implications of creating a collection requirements statement in advance helps organizations determine whether proactively gathering digital evidence will reduce investigative costs once the costs of readiness itself, such as selecting storage options, purchasing technologies, and developing SOPs, are taken into account.

Evidence Collection Factors

Traditionally, most digital evidence is gathered from sources that contain the actual data content used to describe the “who, where, what, when, and how” elements of a forensics investigation. In addition to the actual data content, there are several other factors that can be used to supplement the details about an event and influence its meaningfulness, usefulness, and relevance during a forensics investigation.

Best Evidence Rule

Originating from British law in the 18th century, the best evidence rule is a legal principle that holds the original copy of a document, including both real (or physical) and electronic (or logical) evidence, as the superior evidence. In most cases, this means that the original (and verifiably authentic copy of a) document must be the one admitted into a court of law as evidence, unless it has otherwise been proven to have been previously lost or destroyed. Additionally, the best evidence rule states that secondary evidence, such as a bit-level forensics image, will not be legally admissible if an original, authentic copy exists and can be obtained. For example, the application of the best evidence rule can be equated to Federal Rules of Evidence (FRE) 1003, which states that “a duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate.”

Generally, the best evidence rule only applies when a party (e.g., the defending organization) wants to legally admit a specific document, where the original is no longer available, and wants to prove the contents as evidence. If the court rules that the producing party has demonstrated why the original document cannot be admitted, then the secondary evidence can be accepted as legally admissible.

Time

When collecting digital evidence from multiple data sources, time synchronization is a huge concern. Essentially, the higher the number of devices that are connected to a networked environment, the less chance they will all hold the exact same time, which will create increased confusion when it comes to analyzing digital evidence from across these sources.

Using a centralized logging solution, such as an enterprise data warehouse (EDW), timestamps can be generated and recorded as data is collected. Additionally, using a consistent and verifiable timestamp uniformly across all distributed data sources will ensure that the digital evidence collected is much easier to correlate, corroborate, and associate during the analysis phase.

Several mechanisms can be used on various platforms to keep time, but they are still considered a decentralized means of establishing time synchronization across distributed data sources. Alternatively, using the network time protocol (NTP) set to Greenwich Mean Time (GMT), with time zone offsets configured on the local systems, is the best practice for establishing consistent timestamps in support of a forensics investigation. While NTP addresses the issue of centralized time synchronization, it does not account for the accuracy of the time being published to connected data sources.

Originally developed for military use, Global Positioning System (GPS) provides accurate data about current position, elevation, and time. GPS receivers have a high rate of accuracy and are relatively simple to install because they only need an antenna with unobstructed line of sight to several satellites for them to work correctly. Connecting a GPS receiver to the NTP device is a cost-effective way of ensuring accurate time signals are being received.

Although organizations might only conduct business in one time zone, an incident will most often produce digital evidence on data sources that span several time zones. Timestamps produced by a centralized solution that provides distributed data sources with accurate time synchronization have traditionally not been easy to challenge in a court of law.
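The correlation problem described in this section, shown as an added example rather than code from the book: three constructed log records from sources that stamp events in different local zones, one of them with a clock that runs fast, are placed on a single reference time before ordering. The source names, offsets, skew values and log lines are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical per-source clock facts: the zone each device stamps its logs in
# and the skew (seconds fast) measured against the NTP/GPS-disciplined reference.
SOURCES = {
    "fw-east":  {"utc_offset_hours": -5, "skew_seconds": 0},
    "app-west": {"utc_offset_hours": -8, "skew_seconds": 120},  # runs 2 min fast
    "edw":      {"utc_offset_hours": 0,  "skew_seconds": 0},    # stamps at ingest
}

# Constructed sample events as (source, local timestamp, message)
RAW_EVENTS = [
    ("fw-east",  "2023-03-01 09:15:07", "ALLOW tcp 10.0.1.5 -> 10.0.9.20:445"),
    ("app-west", "2023-03-01 06:17:10", "login user=jdoe host=10.0.9.20"),
    ("edw",      "2023-03-01 14:15:30", "ingest src=app-west record=login"),
]


def to_utc(source, local_ts):
    """Convert a source's local timestamp to a skew-corrected UTC datetime."""
    info = SOURCES[source]
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    local_zone = timezone(timedelta(hours=info["utc_offset_hours"]))
    aware = naive.replace(tzinfo=local_zone).astimezone(timezone.utc)
    # A clock that runs fast stamps events later than they happened: subtract.
    return aware - timedelta(seconds=info["skew_seconds"])


def naive_timeline(events):
    """Order events by the raw local strings, as happens when zones are ignored."""
    return [src for src, ts, _ in sorted(events, key=lambda e: e[1])]


def normalized_timeline(events):
    """Order events on the common UTC reference as (utc_iso, source, message)."""
    rows = [(to_utc(src, ts), src, msg) for src, ts, msg in events]
    rows.sort(key=lambda r: r[0])
    return [(t.isoformat(), src, msg) for t, src, msg in rows]


if __name__ == "__main__":
    print("raw order:       ", naive_timeline(RAW_EVENTS))
    for row in normalized_timeline(RAW_EVENTS):
        print(*row)
```

Without the skew correction the app-west login would appear two minutes after the EDW recorded ingesting it, an ordering that cannot be right; the corrected timeline places it between the firewall permit and the ingest.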

Metadata

On its own, the data content of digital evidence can be challenging for investigators to use because it lacks contextual awareness, a concept discussed further in Chapter 8, “Identify Potential Data Sources.” Metadata, which is essentially “data about data,” is used to add a supplemental layer of contextual information to data content. It gives digital evidence meaning and relevance by providing corroborating information about the data itself, revealing information that was hidden, deleted, or obscured, and helping to automate the correlation of data from various sources.

Primarily, metadata is used during an investigation to reduce the volume of digital evidence by adding meaning to information so that relevant information can be more accurately located. Additionally, metadata can also be used to provide forensics investigators with the ability to identify additional evidence, associate different pieces of evidence, distinguish different pieces of evidence, and provide location details. Some of the most common types of metadata used during a forensics investigation include:

•  Date and time a file was modified, accessed, or created (MAC)

•  Location a file is stored on an electronic storage medium

•  Identity and profile information of user accounts

•  Digital image properties such as number of colors or the originating camera model

•  Document properties such as the author, last date saved, and print timestamp

Regardless of its application within digital forensics, metadata can be understood in the following distinct categories:

•  Structural metadata is used to describe the organization and arrangement of information and objects such as database tables, columns, keys, and indexes.

•  Guide metadata is used to assist with locating and identifying information and objects, such as a document title, author, or keywords.

However, because metadata is fundamentally just data it is also susceptible to the same evidence management requirements imposed on digital evidence, a concept that is discussed further in Chapter 3, “Digital Evidence Management.” Safeguards must be taken to ensure that the authenticity and integrity of metadata is upheld so that it can be used effectively during a forensics investigation and meets the legal requirements for admissibility in a court of law.

Nevertheless, because metadata is not generally accessible or visible there is a need for greater skills and the use of specialized tools to properly gather, process, and preserve it. An organization’s capability to use metadata to contextualize a forensics investigation will significantly reduce the amount of resources spent manually analyzing digital evidence by improving its meaningfulness, usefulness, and relevance.

Cause and Effect

The Pareto principle, also referred to as the “80/20 rule,” states that approximately 80% of all effects come from roughly 20% of the causes. As a rule of thumb, for example, this rule can be used as a representation of the information security industry, where 80% of security risks can be effectively managed by prioritizing the implementation of 20% of available security controls, reinforcing a very powerful point that distributions are very rarely equal in any scenario.

In 2002, Microsoft announced they had made initial progress on the Trustworthy Computing initiative which focused on improving the reliability, security, and privacy of their software.

As the initiative continued to develop over the year, Microsoft quickly realized that, of all the bugs reported in their software, only a relatively small number resulted in some type of error.

Through further analysis, Microsoft learned that approximately 80% of the errors and crashes in their software were caused by 20% of all bugs detected.

A common challenge with any forensics investigation is to identify the cause of an event, because the effect can very well differ depending on the context, such as the type of storage media it occurred on, the user/process that generated the event, etc. For example, one of the most common scenarios is when a user/process modifies a file, which results in a change to its metadata properties, specifically the file’s timestamp. While this scenario is common across most file systems, regardless of the underlying electronic storage medium, an event where a file has been deleted has a much different effect. Depending on the file system, and the way in which the file was deleted, the activities to identify and recover the data can vary in terms of complexity and effort (e.g., soft delete vs. hard delete).

It is not realistic for an organization to identify and understand every possible combination of cause and effect. Instead, by referring to the business risk scenarios outlined in Chapter 7, “Defining Business Risk Scenarios,” organizations can reduce the scope of which cause and effect events need to be considered based on their applicability to the organization and business risk scenarios. From narrowing the scope of cause and effect down to only those that are relevant to the organization, supplementary data sources can be identified and considered for inclusion in the collection requirements statement to enhance the analysis of digital evidence by further improving its contextual meaning and relevance.

Correlation and Association

Digital evidence gathered during a forensics investigation, traditionally considered the primary record or indication of an event, is used to establish the details of what happened during an incident; it includes system, audit, or application logs; network traffic captures; and metadata.

For quite some time, the scope of a digital crime scene was somewhat limited to only the computer system(s) directly involved in the incident itself. However, today most organizations have environments that are made up of interconnected and distributed resources where events on one system are frequently related to events on other systems. This requires that the scope of an event be broadened outwards to include all systems that would be—in some form or another—involved in the incident.

With the expansion of the investigative scope, establishing a link between the primary evidence sources is needed so investigators can determine how, when, where, and by whom events occurred. To provide this additional layer of details, consideration needs to be given to other supporting data sources that can be used to establish the links between the content and context of digital evidence.

Under the chain-of-evidence methodology, illustrated in Figure 9.1, each set of discrete actions performed by a subject is placed into groups separated from each other based on the level of authority required to execute them. However, it is important that each group of actions in the various sources of digital evidence be linked to the adjacent action group to complete the entire chain of evidence link.

The ability to create a link between the various data sources is crucial for organizations to establish a complete chain of evidence and enhance their analytical capabilities by getting a better overall understanding of the incident. Using the chain-of-evidence model allows organizations to better plan for a complete trail of evidence across their entire environment. Following this model requires thinking in terms of gathering digital evidence in support of the entire chain of evidence instead of as individual data sources that may or may not be useful during the processing phase of the forensics investigations.

[Figure 9.1 Chain-of-evidence model as applied to contextual awareness model; image not reproduced]

Corroboration and Redundancy

Coupled together with how pervasive and distributed it has become in our personal lives, technology has also been so deeply embedded into business operations and functions that when it comes to investigating an incident, there is no shortage of digital evidence to be gathered and processed. However, when an incident does occur, organizations can be challenged with proving what happened because individual pieces of digital evidence on their own do not provide the context necessary to arrive at a conclusion.

With the aggregation of multiple data sources, there will most likely be some level of duplication in terms of information content. This duplication of information should not be viewed negatively, but should instead be taken advantage of to confirm the details of an incident during the forensics investigation.

From a digital forensics perspective, the strength of the digital evidence collected will ultimately improve when it can be vetted across data sources. Generally, the goal of every forensics investigation is to use digital evidence as a means of providing credible answers to substantiate an event and/or incident. Achieving this requires that the same or similar digital evidence from multiple sources be gathered and processed as an entire chain of evidence, because there will most likely be indicators of the same incident found elsewhere.

Over time, the continued gathering of data across multiple sources can provide an amount of digital evidence sufficient to minimize the need for a complete forensic analysis of systems. By preserving digital evidence from multiple sources, it allows organizations to leverage a consistent toolset across the entire chain of evidence that can be used to support several investigative purposes such as incident response, digital forensics, and e-discovery.

Storage Duration

Each type of digital information, regardless of whether it is preserved as digital evidence, has unique requirements for the length of time an organization must retain it. In many instances, the length of time an organization must preserve digital information is stipulated by regulators or legal entities. Where this governance applies, organizations must ensure they formally document their preservation requirements in a data retention policy, as discussed further in Chapter 3, “Digital Evidence Management.”

Alternatively, if digital information is being preserved as digital evidence, organizations must ensure they safeguard it by implementing and following evidence management processes.

For example, a customary practice for many organizations is to retain in long-term storage digital information such as email messages and security logs (i.e., intrusion prevention systems (IPS), firewalls, etc.). Not only does retaining this digital information support regulatory or legal requirements, but it can also hold potential evidentiary value and might need to be recalled in support of a business risk scenario, as discussed in Chapter 7, “Defining Business Risk Scenarios.”

Organizations must carefully plan which type of electronic storage media will be used to support their long-term storage requirements. As an example, backups are commonly used for long-term storage; however, organizations should be diligent to ensure that the type of backup media used is not susceptible to losing information each time they are re-used. To determine the most appropriate electronic storage media, organizations should complete a cost-benefit analysis, as discussed in Addendum C, “Cost-Benefit Analysis,” to identify which solution best meets their needs.

Storage Infrastructure

The rapidly increasing size of electronic storage media is most certainly the biggest challenge facing organizations today. As storage capacity increases so does the volume of potential digital evidence that needs to be gathered, processed, and preserved in support of the business risk scenarios discussed in Chapter 7, “Defining Business Risk Scenarios.”

Even though there have been significant advancements in how forensics tools and techniques have helped to reduce the time required to work with digital evidence, there remains the underlying issue of how the organization can efficiently manage the data volumes that need to be gathered and processed during a forensics investigation.

Foremost, there is a need to design a storage solution that can easily adapt to the continuously growing volumes of data that need to be accessed in both real time and near real time. Using a storage solution such as an EDW allows organizations to store both structured and unstructured data in a scalable manner that can easily and dynamically adapt to changing storage capacity requirements.

Secondly, as data volumes continue to increase organizations can start to experience inefficiencies in their potential to effectively perform data mining and analytics. Integrating into the EDW solution, the use of cataloging and indexing of metadata properties allows organizations to quickly identify data and reduce the length of time it takes for data to be retrieved. Not only does the organization benefit from data being readily accessible because of cataloging and indexing, but the ease with which data processing can be performed will improve the overall evidence-based reporting during a forensics investigation.

It is important to keep in mind when working with digital information that there is always the potential to inadvertently change the original data source. Therefore, when implementing any type of digital evidence storage solution, it is important that the principles, methodologies, and techniques of digital forensics consistently be adhered to. Organizations must always ensure that their storage solutions adhere to the best practices for maintaining the integrity and authenticity of digital evidence and not risk the data being inadmissible in a court of law.

Refer to Addendum G, “Data Warehousing Introduction,” for further discussion on implementing a storage solution for proactively gathering digital evidence.

Data Security Requirements

Having such a large amount of data located in a common centralized storage solution can become problematic if adequate security controls are not enforced. Securing the data repository depends on the organization’s diligence and attention to compliance regulations, awareness of potential threats, and identification of both the risk and value of the collected data.

There is a significant amount of preliminary work that needs to be completed before data gathering and storage can take place. Complementary to the architectural design work that takes place, organizations must incorporate current best practices and standards for implementing a data repository that will provide adequate security and reliability throughout the solution’s lifetime. This requires that ongoing assessments of the centralized storage solution be completed to identify and understand the risks associated with each aspect of its eventual implementation, including:

•  Analyzing requirements specific to:

    •  The value of data being collected; and

    •  The architectural design

•  Interpreting security and compliance standards and guidelines

•  Assessing the effectiveness of security controls and designs

Analysis of security requirements begins with understanding the business needs and desires related to building the centralized storage solution. As described in the sections throughout this chapter, the capabilities and functionalities related to the storage solution have been identified, and now security controls, countermeasures, and data protection need to be established.

Generally, security requirements are complementary to the functional requirements whereby they address the need to ensure the protection of the system, its data, and its users. They are typically addressed separately and occur after the system’s functional requirements have been documented.

While security requirements can commonly be sourced from regulatory requirements, at a minimum organizations should adopt industry best practice standards as a measurement of due diligence to protect the storage solution. Understanding that there are many different controls that contribute to the protection of the system, its data, and its users, the following are examples of how industry best practices can be applied to the seven security principles:

•  Confidentiality: Applying data classification labels as a mechanism for enforcing mandatory access control (MAC)

•  Integrity: Generating cryptographic hash values, such as the Message Digest Algorithm family (e.g., MD5) or the Secure Hashing Algorithm family (e.g., SHA-2), for collected data stored in the centralized repository

•  Availability: Requiring that backups be taken in support of disaster recovery capabilities

•  Continuity: Building cold/warm/hot sites in support of business continuity capabilities

•  Authentication: Leveraging existing centralized directory services for subject identification

•  Authorization: Implementing role-based access controls (RBAC) to objects

•  Non-repudiation: Using cryptographic certificates to associate the actions of or changes by a specific subject, or to establish the integrity and origin of information
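As an added example (not the book's own code) tying the Integrity principle above to the file metadata described under “Metadata,” the script below builds a collection manifest that records each file's location, MAC times and a SHA-2 (SHA-256) content hash, then re-verifies the stored files against it. The file names, contents and directory layout are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _iso_utc(epoch_seconds):
    """Render a file system timestamp on the common UTC reference."""
    return datetime.fromtimestamp(epoch_seconds, timezone.utc).isoformat()


def hash_file(path, algorithm="sha256"):
    """Stream the file through the digest so large images fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_record(path, algorithm="sha256"):
    """Manifest entry: location, MAC metadata and content hash of one file."""
    # Read the metadata before reading the content: hashing the file may itself
    # update the access time, and the manifest must hold the pre-collection value.
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": _iso_utc(st.st_mtime),
        "accessed": _iso_utc(st.st_atime),
        "changed": _iso_utc(st.st_ctime),  # inode/metadata change time on POSIX
        algorithm: hash_file(path, algorithm),
    }


def build_manifest(paths, algorithm="sha256"):
    """Collect records for all files plus the time the collection was taken."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": algorithm,
        "files": [file_record(p, algorithm) for p in paths],
    }


def verify_manifest(manifest):
    """Recompute every hash; return paths that no longer match or are missing."""
    algorithm = manifest["algorithm"]
    failed = []
    for rec in manifest["files"]:
        path = rec["path"]
        if not os.path.exists(path) or hash_file(path, algorithm) != rec[algorithm]:
            failed.append(path)
    return failed


def demo():
    """Constructed scenario: collect two log files, alter one, re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = os.path.join(workdir, "auth.log")
        fw_log = os.path.join(workdir, "fw.log")
        with open(auth_log, "wb") as f:
            f.write(b"login user=jdoe host=10.0.9.20\n")
        with open(fw_log, "wb") as f:
            f.write(b"ALLOW tcp 10.0.1.5 -> 10.0.9.20:445\n")
        manifest = build_manifest([auth_log, fw_log])
        clean = verify_manifest(manifest)      # nothing changed yet: []
        with open(fw_log, "ab") as f:          # simulate a post-collection change
            f.write(b"DENY tcp 10.0.1.6 -> 10.0.9.20:445\n")
        tampered = [os.path.basename(p) for p in verify_manifest(manifest)]
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print("failures before alteration:", clean)
    print("failures after alteration: ", tampered)
```

The manifest itself is just more data, so in practice it would be stored and hashed (or signed) separately from the repository it describes, in line with the evidence management requirements that Chapter 3 applies to metadata.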

Refer to Addendum H, “Requirements Analysis,” for further discussion about how to perform a requirements assessment for gathering digital evidence.

Summary

Developing a requirements statement for the collection of digital evidence requires organizations to conduct thorough planning and preparation. Not only does the storage solution need to be functionally assessed in terms of its architectural design, it is critical that further security assessments be completed to ensure the collected digital evidence is safeguarded from unauthorized access.
