As the realm of technology and digital forensics constantly expands, there is a need for you and your clients to become familiar with ways that contribute to the preserving digital evidence. The fundamental importance of digital preservation is clear, as more lawyers and clients need to present evidence related to technological devices. For this reason, LMG Security wants to highlight the necessity of following a series of steps in the preserving digital evidence, as even a small, inattentive move could lead to the loss of evidence and the break of a case.
For example, a local lawyer once was brought a phone to be analyzed for one of his clients. At that point in time, the phone had been OFF for several years. Instinctively, the lawyer thought that looking at the data on that phone would require him to turn ON the phone. As soon as the phone was turned on, updates and downloads automatically started, overwriting of all the data and evidence previously on the phone.
What should have happened instead? The phone should have been brought to forensic experts as soon as possible. They could have collected the phone, stored it in a safe Faraday cage [which prevents signals from reaching the phone] and proceeded to collect a forensic image of the data in the device.
So then, what are those critical steps that need to be taken to prevent loss of data before bringing to the forensics experts? In following the next steps, act as quickly as you can and call a trained digital forensic specialist immediately. Time is highly important in preserving digital evidence.
Image by Luis Llerena via: unsplash.com
– As a general rule, make sure you do not turn ON a device if it is turned OFF. For computers, make sure you do not change the current status of the device at all. If the device is OFF, it must be kept OFF. If the device is ON, call a forensics expert before turning it off or doing anything.
– If it is not charged, do not charge it; for mobile phones, if the device is ON, power it down to prevent remote wiping or data from being overwritten.
– Ensure that you do not leave the device in an open area or other unsecured space. Document where the device is, who has access, and when it is moved.
– Do not plug anything to the device, such as memory cards, USB thumb drives, or any other storage media that you have, as the data could be easily lost.
– Do not open any applications, files, or pictures on the device. You could accidentally lose data or overwrite it.
– Do not copy anything to or from the device.
– Preserve any and all digital evidence that you think could be useful for your case.
– Take a picture of the piece of evidence [front, back, etc.] to prove its condition.
– Make sure you know the PIN/Password pattern of the device.
– Last but not least, do not trust anybody without forensics training to investigate or view files on the original device. They might cause the deletion of data or the corruption of important information.
LMG Security offers digital forensics services, and our world-class experts will provide you with a cell phone forensic image and a detailed forensic investigation report for $350. As always, send any questions or comment to .
Incident response has become a crucial component in the information security management process of every well-prepared organization. Performing effective incident response is a complex operation that requires resources and planning. Forensically sound preservation of evidence can also easily be overlooked by an incident responder due to the rapid and changing nature of the incident being investigated, which can potentially have a huge impact on the effective post-incident analysis and potential legal position.
This blog highlights the importance of evidence preservation and the necessary steps that should be taken in all stages of proper incident handling and preservation of digital evidence until the incident is resolved.
Why is evidence preservation important?
Preserving critical electronic evidence during a security incident is a must in order to obtain a full incident overview and to establish a basis for further investigation and threat containment/eradication. This evidence preservation is of crucial importance for successful incident analysis utilizing strict data preservation standards to ensure all potentially relevant data is captured and remains uncompromised during the course of the investigation.
Subsequent to detecting a cyber attack, most incident responders are prepared to contain and remediate the incident as soon as possible. Responders must, however, be wary not to rush the collection of evidence. This could destroy or potentially compromise items of evidentiary value, which could identify attacker methodology or avenues of compromise. These evidence items, appropriately collected in accordance with established regulations and/or best practices could further assist law enforcement in successful prosecution of the crime, and this is why the preservation of evidence should be the first priority in any incident.
Steps to incident handling management and preservation of digital evidence
Whether gathering digital evidence from single or multiple sources, forensically sound methods need to be applied in order to preserve key digital evidence. This will assist in establishing a clear picture of the incident and effective response to be launched. When sensitive information is compromised, it is important to ensure that all of the obtained pieces of electronic evidence are handled with precision and care, as well as to prevent further damage, such as being overwritten, destroyed, or otherwise corrupted.
When a cyber incident occurs, the incident response team [IRT] should follow the incident handling phases as advised by the National Institute of Standards and Technology [NIST], which provides an outline of the steps necessary to recover the systems, networks, and other assets that are victims of the attack.
Primarily, the ITR should be prepared for such an incident or one similar in nature so it can be more readily recognized and the analysis of the affected assets can start if appropriate. The next step would be to contain and minimize the damage and try to recover as much as possible of the affected data/systems.
It is advisable that after an incident, an organization performs a post-incident report with a detailed explanation and proposes potential solutions in order to prevent further occurrences of the same or similar incidents. Furthermore, as soon as the IRT arrives at the location where the incident has occurred, it is important to mitigate the risks through proper recognition of digital evidence.
Criteria for recognizing digital evidence
Evaluating the digital environment
Assess the alerts that generate the most false positives and optimize your parsing rules to reduce these. Being able to tune an alarm that is unnecessarily broad will significantly reduce the number of alerts that must be reviewed on a daily basis, be this from your SIEM, Syslog or other feed. More precise analysis of relevant alerts will significantly reduce not only alert fatigue for your analysts, but dwell time for malicious activities in your network as they are identified and remediated faster.
Seizing evidence
As previously mentioned, the fundamental responsibility of those collecting evidence is to ensure that measures are employed to avoid contaminating any evidence during the collection process. It may be necessary to shut down the machine/systems/network due to collection requirements, forensic best practices or to ensure that the virus/malware has been contained. Additionally, it may be necessary for the evidence to be preserved and backups performed before proceeding. The backups could also include, for example, copies of specific items of evidentiary value related to the incident in order to assist investigators at a later date in the event of litigation. Each piece of evidence should be protected from damage or alteration, labeled and a proper chain of custody maintained.
As soon as this stage is completed, the IRT can continue the process to contain, eradicate and recover all of the affected systems and computers affected by the attack or data breach. If there is further law enforcement involvement, or at their request, the IRT should be prepared to transfer a copy of items being seized, as well as a detailed log or history for all of the activities performed.
Preparing computers, devices and media
Upon arrival at a forensic laboratory, all of the evidence/equipment should be properly inspected to verify that no tampering took place during transport. All evidence is placed in the evidence preservation lab for safekeeping and for detailed examination. The search and seizure evidence log and shipping manifest are also stored in the lab after this procedure is completed.
The importance of evidence preservation is therefore critical during any cybersecurity-related incident, including the necessary collaboration between IRT and forensic examiners in order to best handle the digital evidence for future use and analysis.
A SOAR solution, such as Cloud SOAR from Sumo Logic, can help organizations respond faster and more effectively to an incident. In an upcoming blog post, I will be discussing how quickly an IRT can respond to an incident and how a SOAR solution can help expedite this.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
Start free trial
Please check your inbox
To start using Sumo Logic, please click the activation link in the email sent from us. We sent an email to:
email@domain.comemail@domain.comemail@domain.com
Start your free trial today
No credit card required. Up and running in minutes.
Business email Please enter a valid email.
Deployment region
Plan
I agree to the Service License Agreement. Please agree to the Service License Agreement.
Yes, I’d like to opt-in to Sumo Logic communications.
Loading form...Already have an account? Login
Privacy Statement Terms & Conditions
You're in good company
More than 2,100 enterprises around the world rely on Sumo Logic to build, run, and secure their modern applications and cloud infrastructures.