
The Fifth Step to Forensic Readiness: Secure Evidence Repositories & Handling


Throughout the digital evidence collection process, every action has to be taken in a secure manner. In the previous step we covered how to collect digital evidence securely, using appropriate tools, so that the authenticity of the digital record is not compromised. In this article we cover how to secure digital evidence for the longer term once it has been collected, as part of assessing your forensic readiness posture.

Digital evidence processes

Digital evidence, because of its legal and business importance, needs to be handled carefully. As with any other legal proof, it has to be tracked and documented systematically so that it can be identified and retrieved easily.

At this stage you need to establish a policy for the secure storage and handling of potential evidence. Digital evidence is easy to modify, so to preserve its authenticity, protocols must be followed that ensure collected evidence is stored in a way that rules out any possibility of modification.

That policy should protect digital evidence from any kind of modification in every phase of the preservation process. In the previous steps we highlighted the importance of having a policy for the identification and collection phases, so that you can show the evidence was not modified before it reached the preservation stage.


What is a smart move to do here?

According to UNODC, it is vital to establish a chain of custody in this process. This means recording information about each individual who participated in the collection, transfer and storage of the digital evidence, and documenting every hand-over properly, for the purpose of secure evidence handling. Using software to handle secure evidence acquisition, handling and storage is a smart move here: it takes less time and less financial investment than manual procedures and produces more consistent results.
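The two things a chain of custody has to make verifiable are that the evidence bytes are unchanged since collection and that the custody record itself has not been edited after the fact. The following added example (not code from the original article and not part of any product mentioned here) shows one way to get both with a hash-linked custody log: each entry carries the SHA-256 of the evidence file plus the hash of the previous entry, so modifying either the file or an earlier entry is detected at verification time. The actor names, host name and evidence contents are constructed sample values.

```python
import hashlib
import json
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # previous-entry hash for the first custody entry


def sha256_file(path):
    """Stream the file so large images (memory dumps, disk images) are hashed without loading them fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    actor: str            # who handled the evidence at this step
    action: str           # what was done (collected, transferred, sealed, ...)
    evidence_sha256: str  # hash of the evidence file at the time of this step
    prev_entry_hash: str  # links this entry to the one before it
    entry_hash: str = ""  # hash over all fields above, filled in on record()


class ChainOfCustody:
    def __init__(self, evidence_path):
        self.evidence_path = Path(evidence_path)
        self.entries = []

    @staticmethod
    def _hash_entry(entry):
        # Canonical JSON over every field except entry_hash itself.
        fields = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, now=None):
        """Append a custody entry; the evidence is re-hashed at every hand-over."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries) + 1, ts, actor, action,
                             sha256_file(self.evidence_path), prev)
        entry.entry_hash = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, reason). Checks the log links, each entry's own hash, and the evidence file."""
        if not self.entries:
            return False, "no custody entries"
        collection_hash = self.entries[0].evidence_sha256
        prev = GENESIS
        for e in self.entries:
            if e.prev_entry_hash != prev:
                return False, f"entry {e.seq}: log link broken"
            if self._hash_entry(e) != e.entry_hash:
                return False, f"entry {e.seq}: log entry altered"
            if e.evidence_sha256 != collection_hash:
                return False, f"entry {e.seq}: evidence hash differs from collection hash"
            prev = e.entry_hash
        if sha256_file(self.evidence_path) != collection_hash:
            return False, "evidence file no longer matches the hash taken at collection"
        return True, "chain intact"


def demo():
    """Walk a constructed evidence file through collection, transfer and storage, then tamper with it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "memdump.raw"
        evidence.write_bytes(b"constructed sample evidence bytes\n" * 1000)
        coc = ChainOfCustody(evidence)
        coc.record("analyst.a", "collected from host WS-01 (constructed)")
        coc.record("analyst.a", "uploaded to evidence repository")
        coc.record("custodian.b", "received and sealed in repository")
        results["intact"] = coc.verify()
        # Someone rewrites who performed step 2: the entry hash no longer matches.
        coc.entries[1].actor = "someone.else"
        results["log_tampered"] = coc.verify()
        coc.entries[1].actor = "analyst.a"  # restore the record
        # A single appended byte changes the evidence hash: detected against the collection hash.
        with open(evidence, "ab") as f:
            f.write(b"X")
        results["evidence_tampered"] = coc.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In practice the custody log would be signed or written to append-only storage so that the verifier's reference point (the collection-time hash) cannot itself be rewritten; the in-memory list here stands in for that store.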

Because of the importance and sensitivity of the data that a DFIR tool like AIR collects to protect the network, it is always a smart move to define user roles and privileges. There are 82 privilege variables available in AIR, and there is no limit to the number of roles that can be created.

For secure evidence repositories, AIR contains one of the most requested features in digital forensics solutions: SFTP secure evidence upload. SFTP is a file-transfer protocol that runs over an SSH connection, so files travel encrypted and authenticated. The biggest advantage lies in the ability to transfer evidence files over that secure connection using a pre-set username and password. Besides storing evidence locally and on the network, you can also store it in cloud repositories using your Azure Storage or Amazon S3 bucket accounts, for more secure evidence handling and storage.

What is the required output at this 5th stage of forensic readiness planning?

The required output of this step is a secure evidence policy, together with the solutions that will handle and store digital evidence. The solution should provide strong protections for evidence handling and storage, while the policy should cover the legal points and the procedural measures used to ensure the evidence requirement is met.

In the next step, we will cover how to create and maintain efficient system monitoring.