Establishing Legal Admissibility

10

Introduction

At this stage of implementing a digital forensic program, organizations will have a grasp on the totality of digital evidence available for proactive collection and have determined which of it, based on the business risk scenarios discussed in Chapter 7, “Defining Business Risk Scenarios,” can be gathered within the scope justified through the completion of a cost-benefit analysis.

With the organization’s collection requirements defined, steps must now be taken to implement a series of controls to guarantee that secure preservation of digital evidence is maintained when it is gathered from relevant data sources. These steps are important for organizations to establish that data has been preserved as authentic records and will not be disputed when admitted to a court of law as digital evidence.

Legal Admissibility

Essentially, admissibility is the determination of whether information that is presented before the trier of fact (i.e., judge, jury) is worthy to be accepted in the court of law as evidence. Generally, for digital evidence to be deemed legally admissible it must be proven to have relevance (i.e., material, factual) and not be overshadowed by invalidating considerations (i.e., unfairly prejudicial, hearsay).

Within the legal system, there is a set of rules that are used as precedent for governing whether, when, how, and for what purpose digital evidence can be placed before a trier of fact. Traditionally, the legal system viewed digital evidence as being hearsay because its authenticity could not be proven, beyond a reasonable doubt, to be factual. However, exceptions do exist under Federal Rules of Evidence 803(6), where digital evidence can be admitted into a legal proceeding only if it demonstrates “records of regularly conducted activity” as a business record, such as an act, event, condition, opinion, or diagnosis.

For digital evidence to qualify under this exception organizations must demonstrate that their business records are authentic, reliable, and trustworthy. As stated in the Federal Rules of Evidence, to attain these qualifying properties organizations must be able to demonstrate that their business records:

•  Were created as a regular practice of that activity

•  Were created at or near the time by—or from information transmitted by—someone with knowledge

•  Have been preserved in the course of a regularly conducted activity of a business, organization, occupation, or calling

•  Are being presented by the custodian, another qualified witness, by a certification that complies with either Rule 902(11) or Rule 902(12), or with a statute granting certification

•  Do not show that the source of information or method or circumstances of its preparation indicate a lack of trustworthiness

Furthermore, even if a business record qualifies under these exceptions, organizations must still determine if the business record falls within the context of being either of the following:

•  Technology-generated data that has been created and is being maintained because of programmatic processes or algorithms (e.g., log files). These records fall within the rules of hearsay exception on the basis that the data is proven to be authentic because of properly functioning programmatic processes or algorithms.

•  Technology-stored data that has been created and is being maintained because of user input and interactions (e.g., word processor document). These records fall within the rules of hearsay exception on the basis that the author of the data is reliable, is trustworthy, and has not altered it.

Even if a business record meets the criteria for being admissible as digital evidence, there is the potential that it will be challenged during legal proceedings. These challenges are directed at the authenticity of the data and whether it has been altered or damaged, either after it was created or because of interactions and exchanges with the data.

To reduce such opposition, Federal Rules of Evidence (FRE) 1002 describes the need for proving, beyond a reasonable doubt, the trustworthiness of digital evidence through the production of the authentic and original business record. Meeting this rule requires that organizations demonstrate their due diligence in preserving the authenticity of the original data source through the implementation of safeguards, precautions, and controls to guarantee that business records can be admitted as digital evidence during legal proceedings.

Preservation Challenges

Collecting business records is not as straightforward as it seems. As an example, where organizations operate in multiple jurisdictions and countries, they are bound in each location to multiple factors that determine how they can effectively preserve their business records.

First and foremost, organizations need to answer two preliminary questions before determining how they will guarantee the authenticity of their business records.

Can digital evidence be gathered without interfering with business operations and function?

The overall strategy of forensics readiness, summarized as “the ability to maximize potential use of digital evidence while minimizing investigative costs,” includes an objective to gather admissible digital evidence without interrupting business operations and functions.

Typically, forensics investigations are performed in reaction to an event and require the assistance of several support resources to gather relevant digital evidence. This reactive approach commonly results in roadblocks where business records are not readily available, which requires support resources to be pulled away from day-to-day business operations to assist. Where gathering business records has been identified as beneficial to forensic readiness, organizations need to assess the work effort required of resources to implement the proactive collection requirements without impeding day-to-day operations.

Can digital evidence be gathered legally?

Following along with the overall strategy of forensics readiness noted above, another objective of gathering admissible digital evidence is to do so in a manner that does not violate any laws or regulations. This determination should not be made without obtaining legal advice to ensure that the evidence collection requirements are met and upheld. In some countries, there are relevant laws around data protection, privacy, and human rights that will dictate what business records can be collected and, if they can be collected, where or how they are stored. For organizations to demonstrate reasonable assurance, the collection of all business records must adhere to all applicable laws and regulations.

Preservation Strategies

Having answered these questions and knowing the constraints around what, how, and where business records can be gathered, organizations can now implement strategies to ensure they are compliant with applicable laws and regulations. As these strategies are being identified and developed, it is important to keep in mind that they should encompass a series of complementary administrative, physical, and technical security controls.

Administrative Controls

Before any type of technical or physical security controls can be implemented, there must first and foremost be a foundational governance structure in place. This governance structure is established in the form of administrative controls that include the creation and approval of organizational policies, standards, and guidelines that support the preservation of the authenticity and integrity of digital evidence.

Policies

These documents are created with the intent of building a formal blueprint that describes the goals for preserving digital evidence. They are designed to provide generalized direction that allows organizations to consider any subsequent physical or technical security controls that are required to safeguard their digital evidence.

Guidelines

Building off policy documentation, guidelines can now be created as documents that provide recommendations for how to implement the generalized direction set previously. The context of these documents is intended to be subjective such that organizations will use the recommendations as a way of gathering requirements for how to preserve the authenticity and integrity of their digital evidence.

Standards

Following the interpretation of the guidelines recommendations, standard documents are created to outline the minimum level of technical and physical security controls necessary to preserve digital evidence. These documents should contain the exact configurations, architectures, and specifications for implementing technical and physical security controls in support of policies and guidelines.

Procedures

The previously noted administrative controls do not have direct oversight of interactions with collected digital evidence. Through the implementation of standard operating procedures (SOP), the exchanges and interfaces between administrators, operators, and investigators and digital evidence are documented.

For further information about how these administrative controls support the overall evidence management lifecycle, including specific examples of governance documentation, refer to Chapter 3, “Digital Evidence Management.”

Technical Controls

As stated previously in this chapter, even if a business record meets the criteria for being admissible during a legal proceeding, organizations will still be faced with the challenge of proving it has not been altered or damaged after it was created or because of interactions and exchanges with it.

To mitigate the potential for the authenticity of business records being challenged in a court of law, organizations should implement several technical controls to guarantee that business records can be admitted as digital evidence. Understanding that every organization’s business environment is different, at a minimum the following technical controls must be in place to ensure secure preservation of business records as digital evidence.

Storage Security

Organizations can select any of several types of electronic storage medium to preserve their collected digital evidence, such as hard drives or backup tapes. Regardless of how the information is being stored, organizations must consider the data-at-rest implications by ensuring the preserved digital evidence is not exposed if unauthorized access to the storage medium is gained. Using cryptography, inactive data can be protected through one of the following implementations:

•  Full-disk encryption (FDE) applies cryptographic algorithms to the physical storage medium, regardless of its content, to encrypt all information

•  Encrypted file system (EFS) applies cryptographic algorithms at the file system level to encrypt logical data sets

The use of disk encryption does not replace the need for file encryption in all situations. In some instances, the two can be used in conjunction with each other to provide a more layered defense and guarantee the authenticity and integrity of digital evidence.

Integrity Monitoring

All types of digital data, whether technology-generated or technology-stored, are prone to issues of trustworthiness where the content and context of the information cannot be easily validated and is often challenged for its authenticity. These issues of data integrity and authenticity are some of the contributors that render business records inadmissible as digital evidence in a court of law.

However, organizations can get the upper hand on the matter of data integrity and authenticity using solutions such as file integrity monitoring (FIM). With these technologies, validation of both system and data integrity can be achieved by authenticating specific data properties of the current data state against the known-good state of the data. Examples of data properties that can be used as part of this verification and validation include:

•  Subject permissions and entitlements

•  Actual data content of files

•  Metadata attributes (e.g., size, creation date/time)

•  Cryptographic values (e.g., Message Digest Algorithm family [MD5], Secure Hashing Algorithm family [SHA])

Implementation of integrity monitoring is an essential security control to guarantee the authenticity and integrity of business records as digital evidence. In addition to the use of integrity monitoring as means of maintaining integrity and proving authenticity of data, these solutions have also been established as a requirement for several regulatory compliance objectives, including:

•  Payment Card Industry Data Security Standard (PCI DSS)—Requirement 11.5

•  Sarbanes–Oxley Act (SOX)—Section 404

•  Federal Information Security Management Act (FISMA)—National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 3

•  Health Insurance Portability and Accountability Act (HIPAA) of 1996—NIST SP 800-66

The online reference to the above regulatory objectives can be found in the “Resources” section at the end of this book.

Cryptographic Algorithms

Every interaction with and exchange of digital information introduces the potential of that data being modified, whether knowingly or unintentionally. Proving the authenticity of digital information to the original source and maintaining that level of integrity throughout a forensics investigation is critical for it to be admissible as digital evidence.

Cryptography supports many information security–centric services—such as authentication and non-repudiation—that are fundamental to the digital forensic science discipline and digital evidence management, as discussed in Chapter 3, “Digital Evidence Management.” Examples of common cryptographic algorithms that are used in digital forensics as part of evidence management are as follows:

•  The Message Digest Algorithm family (e.g., MD5) is commonly used during a forensics investigation to generate a unique cryptographic identifier of files, data streams, and other digital evidence. However, in 2010 researchers were able to generate collisions, where the same 128-bit hash value is produced for two distinctly different pieces of digital information.

•  The Secure Hashing Algorithm family (e.g., SHA-2) is also used during forensics investigations to generate a unique cryptographic identifier for digital evidence. Because of the collisions identified within specific versions of the Message Digest Algorithm family, specifically MD5, the SHA family of hash functions has become popular as a means of establishing the integrity and authenticity of digital evidence.

•  Cyclic redundancy checks (CRC) are commonly used during the forensic duplication of digital evidence to detect modifications to the underlying data. Using these calculations allows forensics investigators to use the duplicate data during analysis instead of risking potential contamination of the original evidence source.

When implemented, cryptography provides organizations with assurances that the integrity of collected business records can be proven when authenticated to the original data source.
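The integrity-monitoring properties listed earlier (permissions, content, metadata, cryptographic values) and the hash algorithms above come together in the following Python, an added example rather than the book's own tooling: it baselines an evidence store, re-verifies it, and reports exactly which property changed, including a same-length in-place edit with the timestamp restored that only the MD5/SHA-256 digests expose. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> dict:
    """Stream the file once and return both digests named in the text."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record(path: Path) -> dict:
    """Known-good properties for one file: permissions, metadata, digests."""
    st = path.stat()
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, **hash_file(path)}


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, known_good: dict) -> dict:
    """Re-snapshot root and return {relpath: [changed properties]}.
    Files present on only one side are reported as missing/unexpected."""
    current = baseline(root)
    findings = {}
    for rel in sorted(known_good.keys() | current.keys()):
        if rel not in current:
            findings[rel] = ["missing"]
        elif rel not in known_good:
            findings[rel] = ["unexpected"]
        else:
            changed = [k for k, v in known_good[rel].items()
                       if current[rel][k] != v]
            if changed:
                findings[rel] = changed
    return findings


def demo() -> dict:
    """Constructed scenario in a temporary evidence store (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log, report, image = root / "auth.log", root / "report.txt", root / "image.dd"
        log.write_bytes(b"Jan 01 00:00:01 host sshd[42]: Failed password for user\n")
        report.write_bytes(b"quarterly summary\n")
        image.write_bytes(b"\x00" * 4096)
        os.chmod(report, 0o644)  # fixed starting permissions for the comparison
        known_good = baseline(root)

        # 1) Same-length content edit with mtime restored: size and timestamp
        #    still match the baseline, so only the digests reveal the change.
        st = log.stat()
        log.write_bytes(log.read_bytes().replace(b"Failed", b"Accept"))
        os.utime(log, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2) Permission-only change; content and metadata untouched.
        os.chmod(report, 0o600)
        # 3) Evidence file removed from the store entirely.
        image.unlink()
        return verify(root, known_good)


if __name__ == "__main__":
    for path, props in demo().items():
        print(f"{path}: {', '.join(props)}")
```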

Remote Logging

Technology-generated data stored on local systems, such as security or audit log files, is inevitably more vulnerable to being (1) manipulated to conceal activities or events or (2) planted to incriminate other individuals. These data integrity issues lessen the credibility of the information and render it inadmissible as evidence in a court of law.

As a best practice, remote logging capabilities should be leveraged to redirect the logging of technology-generated data off local systems and into a centralized remote logging infrastructure, such as the data warehouse discussed in Addendum C, “Cost-Benefit Analysis.”

Enforcing this safeguard will reduce the likelihood of data tampering on local systems and maintain the integrity of technology-generated data as admissible digital evidence.

Secure Delivery

Where remote logging capabilities exist, organizations must consider the data-in-transit implications for collected digital evidence. Regardless of whether information is travelling across a public or private network, there is a need to ensure the secure delivery of digital evidence to maintain its authenticity and integrity.

Network communications are, in general, insecure where information travelling across them can readily be accessed or modified by unauthorized subjects if appropriate controls are not in place. Knowing this, organizations should be concerned with the confidentiality and integrity of digital evidence as it is being collected into their remote logging solution(s). As a countermeasure, organizations should implement an encrypted communication channel using, for example, internet protocol security (IPsec) to mitigate the risk of data-in-transit security concerns.

Physical Controls

Generally, physical security controls are designed to control and protect an organization’s physical assets (i.e., building, systems, etc.) by reducing the risk of damage or loss. As organizations design their approach to secure preservation of digital evidence, they must consider the costs of building, operating, and maintaining physical security controls that work in conjunction with their administrative and technical security controls.

While physical security controls may not always have the same direct interaction with digital evidence that technical controls have, they provide an additional layer of defense to safeguard the physical medium (e.g., tapes, hard drives) where digital evidence is stored. Physical security controls indirectly contribute to preserving the authenticity and integrity of digital evidence as implemented in one of the following categories:

Deter

The goal of these physical security controls is to convince potential intruders/attackers that the likelihood of success is low because of strong defenses. Typically, the implementation of deterrent security controls is found in the combined use of physical barriers (e.g., walls), surveillance (e.g., Closed-Circuit Television [CCTV]), and lighting (e.g., spotlights).

Crime Prevention through Environmental Design (CPTED)

CPTED is an approach to planning and developing physical security controls that uses natural or environmental surroundings to reduce the opportunities for crime. As part of a comprehensive approach to guaranteeing the authenticity and integrity of digital evidence, examples of CPTED controls that can be implemented include:

•  Natural surveillance such as lighting design that illuminates points of interest without generating glare or blind spots

•  Natural access controls such as multi-level fencing to control access and enhance visibility

•  Natural territorial reinforcements such as restricting activities to defined areas using signage

Detect

Generally, detective controls are intended to discover and interrupt potential intruders before an incident or event occurs. Optimally, these controls should be implemented to reveal the presence of potential intruders/attackers while they are collecting information about how they can gain access to the physical medium where digital evidence is being stored.

While it also plays a part in the deterrence of potential intruders/attackers, the use of CCTV is one of the most common physical controls for discovering an incident and/or event. Additionally, physical alarm systems and sensors can be used in combination with other types of controls (e.g., barriers, guards) to trigger a response when a breach has been detected.

Deny

Identical to the use of authentication and authorization mechanisms to control logical access to systems and data, the same type of restrictive security controls must be used to deny physical access to the organization’s assets. The primary objective of these physical controls is to deny potential intruders/attackers the ability to cause damage to systems and information.

Within the context of preserving authenticity and integrity, examples of physical controls that can be used to deny access to collected digital evidence include:

•  Constructing secure storage facilities, such as lockers and restricted areas, that have true floor-to-ceiling walls

•  Entrances that are constructed of material resistant to tampering and have internally facing hinges

•  Mechanisms to control and restrict access to secure lockers and restricted areas, such as lock and key, biometric scanner, or card/badge readers

Delay

Where the implementation of physical security controls is unable to deter or detect potential intruders/attackers, such as when an intruder has obtained a key that provides access into the secure storage area, additional controls must ensure that their ability to easily gain access to digital evidence is delayed.

Typically, these types of controls are the last line of defense when all previous implementations (deter, detect, deny) have failed to deliver the level of protection they were intended for. Examples of how these security controls provide the last line of defense in physically protecting digital evidence include:

•  Placing secure lockers inside restricted areas that are located away from the exterior of the building and require multiple checkpoints to gain access

•  Requiring security guards to conduct searches and inspection of people, parcels, and vehicles as they leave buildings

Implementing physical safeguards provides organizations with a layer of security controls complementary to their administrative and technical controls. Not only do these physical security controls help to guarantee the authenticity and integrity of collected digital evidence, but they also support data protection requirements as part of the overall evidence management lifecycle.

Summary

For business records to be admissible in legal proceedings, organizations must prove their authenticity by meeting specific criteria that direct rules for digital evidence. Through a layered implementation of safeguards, precautions, and controls that encompass the administrative, technical, and physical requirements for ensuring secure evidence preservation, organizations can guarantee that their business records can be admitted as digital evidence during legal proceedings.
