Chapter 11: Establish Secure Storage and Handling

Introduction

Considering the safeguards and controls implemented to ensure collected digital evidence is legally admissible, organizations must now determine how they will sustain these requirements as their digital evidence is being handled by several individuals and technologies. Likewise, as digital evidence is being transferred from one storage facility to another, such as long-term or off-line storage, consideration must be given to ensure the data is securely preserved and readily available when needed for an investigation.

Establishing a governance framework over the handling and storage of digital evidence can be achieved by following the traditional approach of implementing complementary administrative, technical, and physical controls. Through the combination of these different controls in a layered fashion, organizations can ensure that their digital evidence will be handled correctly and stored securely.

Secure Storage Attributes

Storage solutions such as an enterprise data warehouse (EDW), discussed further in Addendum G, “Data Warehousing Introduction,” provide a centralized repository for aggregating digital evidence from multiple data sources. While it can be complex to implement, when done correctly an EDW can generate significant benefits, such as allowing digital evidence to be analyzed over a longer period for improved data mining and analytics.

However, as discussed previously in Chapter 10, there are several administrative, technical, and physical controls that must be implemented to ensure that digital evidence being collected into a storage solution, such as an EDW, will be legally admissible. Having identified safeguards required to maintain this legal admissibility, organizations must now determine how to expand these controls to ensure that their digital evidence is being handled correctly, throughout its entire lifecycle, and that its authenticity and integrity are maintained as it is transferred between different storage facilities.

Least Privilege Access

Even though the modern threat landscape has changed, the delivery channels and attack vectors used by potential threat actors continue to rely on the absence or weakness of a system’s or application’s access control mechanisms. In the context of legal admissibility, weak access controls are a blueprint for disaster when it comes to preserving the authenticity and integrity of digital evidence in secure storage.

One of the fundamental cornerstones in the information security discipline is the concept of applying the principle of least privilege access. Generally, implementing least privilege implies that subjects have access only to the objects that are necessary as part of normal business operations and functions. However, as illustrated in Figure 11.1, when privileges are assigned they are typically granted beyond the scope of what is necessary, thus permitting access that is otherwise not required.

Exercising rigid controls over subjects that have administrative access into storage solutions housing digital evidence is critical. Without enforcing the use of least privilege access to these secure storage facilities, organizations cannot demonstrate admissibility in a court of law because the potential for unauthorized subject access puts into question the authenticity and integrity of their digital evidence.

End-to-End Cryptography

Outlined previously in Chapter 10, “Establishing Legal Admissibility,” cryptography supports several information security–centric services that are fundamental to the digital forensics discipline. Supporting several use cases for preserving digital evidence, cryptography can be applied as a data-at-rest control, used to guarantee that unauthorized access to the storage medium does not expose the digital evidence (e.g., full-disk encryption), or as a data-in-transit control, used to secure the transmission of digital evidence across any type of network infrastructure (e.g., Internet Protocol Security [IPsec]).

Figure 11.1 Privilege assignments.

Additionally, following the principle of least privilege access, stored digital evidence should be readable only by those authorized. A simple way of achieving this is to protect collected digital evidence with passcodes; however, this control does not guarantee that authenticity and integrity will be preserved. Alternatively, by using cryptography organizations can obtain a much stronger authentication mechanism and, with it, a more effective data-in-use security control.

As digital evidence is being collected it should be encrypted using, for example, a secret key to help enforce the principle of least privilege and restrict access to only authorized subjects. As an example, while the application of an encrypted file system (EFS) contributes to the protection of data at rest, it also provides data-in-use controls where only those users in possession of the secret key can access and read the digital evidence.

Integrity Checking

Outlined previously in Chapter 10, “Establishing Legal Admissibility,” integrity monitoring is an essential security control to guarantee the authenticity and integrity of digital evidence. With the known-good state of digital evidence captured, ongoing verification and validation must be implemented to ensure that no alteration to preserved digital evidence has been made.

When digital evidence is being preserved in a storage solution, such as an EDW, integrity checks should be scheduled in alignment with the organization’s requirements for meeting regulatory compliance and to effectively demonstrate legal admissibility. However, if digital evidence has been transferred into off-line storage, such as backup tapes, routinely performing integrity checks cannot be easily achieved. In this situation, organizations must take an alternate approach to preserving the authenticity and integrity of their digital evidence as follows:

1.  Prior to digital evidence being transferred to off-line storage, an integrity check must be completed by comparing the known-good state (set #1) to the current state of the digital evidence (set #2) using cryptographic hash values from, for example, the Message Digest Algorithm family (e.g., MD5) or the Secure Hash Algorithm family (e.g., SHA-2).

2.  Once the initial integrity checking is completed, set #2 of hash values must be maintained for the duration of the transfer process for use in subsequent integrity checking after digital evidence has been stored on the off-line storage.

3.  After all digital evidence has been transferred to off-line storage, a new set of hash values (set #3) is produced and compared against set #2 to guarantee the authenticity and integrity of digital evidence has been preserved.
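The three-step check above, written out as an added example that is not from the book, using SHA-256 from the SHA-2 family. The directory names, file contents, and the simulated byte change on the off-line copy are constructed so the script runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of one file, read in 1 MiB chunks so large evidence images fit in memory."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_set(root: Path, algorithm: str = "sha256") -> dict:
    """Build a hash set (relative POSIX path -> digest) for every file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_sets(reference: dict, current: dict) -> list:
    """List every discrepancy between two hash sets: modified, missing, or unexpected files."""
    findings = [("missing", name) for name in reference if name not in current]
    findings += [("modified", name) for name, digest in reference.items()
                 if name in current and current[name] != digest]
    findings += [("unexpected", name) for name in current if name not in reference]
    return sorted(findings)


def transfer_with_integrity_checks(known_good: dict, live: Path, offline: Path) -> dict:
    """Steps 1-3 from the text: set #1 (known good) vs set #2 (current), retain set #2,
    copy to off-line storage, then set #3 (off-line copy) vs the retained set #2."""
    set2 = hash_set(live)
    pre_transfer = compare_sets(known_good, set2)            # step 1
    if pre_transfer:                                         # evidence that already fails is not transferred
        return {"pre_transfer": pre_transfer, "post_transfer": None, "set2": set2}
    shutil.copytree(live, offline)                           # the transfer itself (a local copy here)
    set3 = hash_set(offline)                                 # step 3
    return {"pre_transfer": pre_transfer, "post_transfer": compare_sets(set2, set3), "set2": set2}


def demo() -> dict:
    """Constructed walk-through: a clean transfer, then a byte change on the off-line copy
    that a later check against the retained set #2 must flag."""
    work = Path(tempfile.mkdtemp())
    live, offline = work / "edw", work / "tape"
    (live / "case-0001").mkdir(parents=True)
    (live / "case-0001" / "disk.img").write_bytes(b"\x00" * 4096 + b"constructed disk image")
    (live / "case-0001" / "memory.raw").write_bytes(b"constructed memory capture")
    set1 = hash_set(live)                                    # known-good state taken at collection
    result = transfer_with_integrity_checks(set1, live, offline)
    (offline / "case-0001" / "memory.raw").write_bytes(b"constructed memory capture (altered)")
    later = compare_sets(result["set2"], hash_set(offline))
    shutil.rmtree(work)
    return {"transfer": result, "later_check": later}


if __name__ == "__main__":
    print(demo())
```

The retained set #2 is what makes the later check meaningful: without it, a change made while the tape sits in storage has nothing trustworthy to be compared against.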

Physical Security

Outlined previously in Chapter 10, “Establishing Legal Admissibility,” physical security controls are designed to control and protect an organization’s physical assets (i.e., building, systems, etc.) by reducing the risk of damage or loss. While physical security controls may not always have the same direct interaction with digital evidence that technical controls have, they provide layers of defense that deter, detect, deny, and delay potential threat actors from accessing digital evidence preserved in any type of storage solution.

Where digital evidence is preserved in a storage solution such as an EDW, physical security controls are focused on reducing the risk of unauthorized access to the infrastructure housing the digital evidence. However, if digital evidence has been transferred into off-line storage, such as backup tapes, the scope of physical security controls extends beyond protecting only the infrastructure.

Digital evidence housed in off-line storage is subject to the same requirement for demonstrating authenticity and integrity for it to be admissible in a court of law. For example, the Good Practice Guide for Computer-Based Electronic Evidence, developed by the Association of Chief Police Officers (ACPO) in the United Kingdom, was created with four overarching principles that must be followed when handling evidence to maintain evidence authenticity:

•  Principle #1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

•  Principle #2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

•  Principle #3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

•  Principle #4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

When digital evidence has been transferred to off-line storage such as backup tape, a chain of custody for this new storage medium must be established to ensure its authenticity and integrity by tracking where it came from, where it went after seizure, and who handled it for what purpose. From this point forward, the chain of custody must accompany the off-line storage and be maintained throughout the lifetime of the evidence. A chain of custody template has been provided as a reference in the “Templates” section of this book.

Furthermore, tapes should be stored using physical security controls that are intended to deny or delay potential threat actors from accessing digital evidence. These layers of defense can be achieved by implementing the following physical security control:

•  Off-line storage media, such as backup tape, should be placed in an evidence bag that, at a minimum, supports the following characteristics:

    •  Bags contain a secure pouch to store the media and an externally accessible pouch for accompanying documentation.

    •  Proper labelling is affixed to correctly and efficiently identify the contents.

    •  Tamper-proof tape or a locking mechanism is used to seal evidence inside.

    •  The chain of custody is placed in the externally accessible pouch.

Physical access to digital evidence in off-line storage must also be controlled following the same security principles of least privilege access. Once digital evidence has been properly sealed in evidence bags, these bags should be placed in a secure locker, safe, or library for long-term retention. It is important that the chain of custody be updated to demonstrate ownership and location of the digital evidence.

Administrative Governance Foundations

Forensic viability can be accomplished only when digital evidence has been tracked and protected right from the time it was created and meets the requirements for legal admissibility throughout its entire lifecycle. Although technical and physical security controls have a more direct contribution to the secure handling and storage of digital evidence, they cannot be effective unless there is an organizational requirement to adhere to. Therefore, to guarantee that digital evidence is forensically viable, organizations must have an established governance framework in place to ensure the collection, preservation, and storage of digital evidence is done properly.

Ultimately, the objective of this governance framework is to establish direction on how the organization will preserve the authenticity and integrity of the digital evidence. Management, with involvement from key stakeholders such as legal, privacy, security, and human resources, must work together to define a series of documents that describe exactly how the organization will go about achieving these goals. Illustrated in Figure 11.2, and discussed further in Chapter 3, “Digital Evidence Management,” an information security management framework consists of a hierarchy of different types of documents that have direct influence and precedence over other documents.

Figure 11.2 Information security management framework.

Within the context of guaranteeing the forensic viability of digital evidence, governance documentation should be created to address the following areas:

Personnel

•  Provide continuous training and awareness regarding the governance framework to all stakeholders involved in the collection, preservation, and storage of digital evidence.

•  As acknowledgement of their adherence to the governance framework, stakeholders should be required to sign the necessary document to indicate their understanding of and commitment to it. Management, legal, privacy, security, and human resources should all be involved to ensure that these signed documents can be legally enforced.

•  Require enhanced background checks to be routinely conducted for personnel who have access to digital evidence.

Evidence Storage

•  Document all operational aspects of the digital evidence storage solutions and facilities, including normal operations and maintenance, scheduled backups, and error handling.

•  Provide clear guidance and direction regarding the installation of or updates to hardware and software components.

•  Ensure storage solutions are designed and built to meet the requirements and specifications of their intended business strategy or function.

•  Enforce the principle of least privilege access and implement multi-factor authentication mechanisms that combine:

    •  Something you have (e.g., smart card)

    •  Something you know (e.g., password)

    •  Something you are (e.g., fingerprint)

•  Apply a layered defense-in-depth approach to physical security using a combination of controls that are designed to deter, detect, deny, and delay potential threat actors.

Evidence Handling

•  Apply integrity monitoring and checks to ensure digital evidence has not been tampered with or modified from its known-good and authenticated state.

•  Prohibit the alteration or deletion of original sources of data.

•  Restrict the storage of, transmission of, and access to digital evidence so that none of these occurs without cryptographic protection.

•  Enforce the principle of least privilege access to only authorized personnel.

•  Ensure that the long-term storage of digital evidence uses a write once, read many (WORM) storage medium.

•  Seal digital evidence in appropriate containers (e.g., evidence bag, safe) to preserve authenticity and integrity during long-term storage.

•  Define the long-term retention and recovery strategies for digital evidence.

Incident and Investigative Response

•  Require that each incident and investigation be tracked and reported separately.

•  Ensure that digital evidence used is proven to be authentic to the original source.

Assurance Controls

•  Require that routine audits or control assessments be conducted.

Essentially, the culture and structure of each organization influence how these governance documents are created. Regardless of where in the world business is conducted or the size of the organization, there are five simple principles that should be followed as generic guidance for achieving a successful governance framework:

•  Keep it simple. All documentation should be as clear and concise as possible. The information contained within each document should be stated as briefly as possible without omitting any critical pieces of information. Where documentation is drawn out and wordy, it is typically more difficult to understand, less likely to be read, and harder to interpret for implementation.

•  Keep it understandable. Documentation should be developed in a language that is commonly known throughout the organization. Leveraging a taxonomy, as discussed in Addendum D, “Building a Taxonomy,” organizations can avoid the complication of using unrecognized terms and slang.

•  Keep it practicable. Regardless of how precise and clear the documentation might be, if it cannot be practiced then it is useless. An example of unrealistic documentation would be a statement indicating that incident response personnel are to be available 24 hours a day, even though there is no adequate way to contact them when they are not in the office. For this reason, documentation that is not practicable is not effective and will be quickly ignored.

•  Keep it cooperative. Good governance documentation is developed through the collaborative efforts of all relevant stakeholders, such as legal, privacy, security, and human resources. If key stakeholders have not been involved in the development of these documents, it is more likely that problems will arise during implementation.

•  Keep it dynamic. Useful governance documents should be, by design, flexible enough to adapt to organizational changes and growth. It would be impractical to develop documentation that is focused on serving the current needs and desires of the organization without considering potential future circumstances.

Backup and Restoration Strategies

Even if digital evidence is put into off-line storage for long-term retention, there might come a time when it is needed in support of a business risk scenario, as discussed previously in Chapter 3, “Digital Evidence Management.” When this time comes, it is critical that, in addition to the integrity of digital evidence being authenticated, the data itself is also restored and made readily available so that there is no delay in the investigative process.

The recovery time objective (RTO) that an organization accepts for restoring digital evidence from backups is what drives the type of backup strategy that will be implemented. RTO is commonly represented in units of time as minutes, hours, days, or longer depending on the needs for restoring digital evidence. When setting the RTO targets, it is important that organizations realize that lower values will result in more expensive backup solutions. Recognizing that every organization has different RTO targets for restoring digital evidence, Table 11.1 provides an approximation of values and corresponding backup solutions required to meet the service levels.

Table 11.1 Recovery Time Objectives

RTO Value      Backup Solution Required
<1 hour        near real-time data replication
1–6 hours      data replication
6–24 hours     data restoration from on-line backup media
2–14 days      data restoration from off-line backup media

Near Real-Time Data Replication

Meeting service levels with this type of backup solution requires that data be synchronously replicated across multiple identical and distributed instances of the storage solution, such as an EDW. Because this type of backup strategy requires multiple instances of the storage solution to be highly available for near real-time data clustering, it is considered the most expensive, complex, and resource intensive.

Data Replication

Performed on a consistent schedule, this backup solution replicates data to two or more identical and distributed instances of the storage solution. Like the requirements of the near real-time strategy, this type of solution still requires the implementation of two or more identical and distributed instances of the storage solution. However, with more moderate RTO targets, this type of backup solution is considered just as expensive but slightly less complex and resource intensive.

Data Restoration from On-line Backup Media

With data replication set to occur on a schedule, this backup solution replicates data to highly available on-line media, such as network-attached storage (NAS). Service levels for this type of strategy are relaxed to allow for data to be restored to the production storage solution when required, which makes this type of backup solution less expensive, complex, and resource intensive.

Data Restoration from Off-line Backup Media

Discussed previously in this chapter, data can be transferred to off-line media, such as backup tapes, for long-term storage. This type of backup strategy is the least expensive because it does not have the complexities of implementing additional storage infrastructures; however, the RTO targets for this solution are extremely relaxed because of the time required to restore from off-line media.

Summary

Preserving the authenticity and integrity of digital evidence extends beyond the implementation of technical and physical security controls. Through the implementation of a governance framework that ensures forensic viability right from when data is created, organizations can ensure that legal admissibility of digital evidence is maintained during secure handling and storage.
