Preserving the Evidence Chain of Custody

by Brent Kirkpatrick

(Date Published: and modified on 07/07/2016.)



Data about an Intrusion Must be Collected Using a Secure Computer.



Imagine a hacker having access to digital evidence while you, the cyberinvestigator, try to pin down what happened and who did it. What happens if the hacker throws you off the trail by spoofing a log entry in real time? The real hacker sits comfortably down the street while you chase someone in Russia.

The chaos created by hackers tampering with evidence during the initial phases of an investigation is only the beginning. Once the investigation has matured and the matter goes to court, how does a judge or jury view this bungled chain of custody? Can a conviction still be obtained?

Digital evidence must be collected using secure computers and stored where an attacker cannot reach or alter it. These requirements are becoming harder to satisfy as more of the world's computers are permanently connected to the Internet, and as we rely on digital locks to physically secure equipment.

The first step in forensics is data collection, according to NIST's Guide to Integrating Forensic Techniques into Incident Response (SP 800-86); examination, analysis and reporting follow it. Some of the evidence is collected electronically, and some manually. Centralized logging and audit files are the classic electronic means of storing evidence. In both automated and manual collection, the goal is to collect evidence that is static and out of reach of the hackers.

A savvy hacker knows what type of logging and auditing is typically done on each device, each operating system, and each part of a corporate network. Their first goal is to cover their tracks by compromising the logs, whether by deleting entries or by planting false ones that point the investigation elsewhere.

If a hacker has had access to your automated logs, you cannot trust those logs as evidence: there is no way to show that what you collected is what the system originally recorded. This breaks the chain of custody in evidence handling.

The first goal of incident handling is to establish a digital chain of custody. This begins by securing at least one computer, physically and electronically, so that it can be used to collect and secure evidence. The hackers who created the incident must not have access to this computer or to the chain of custody.
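As an added example (not part of this article and not Intrepid Net Computing's tooling), the following Python sketch shows the two mechanisms behind the paragraphs above: a secured collector that attests forwarded log entries as a hash chain, so that an entry later spoofed, altered or deleted on the compromised host is detected when the investigator pulls a copy of that log, and a custody manifest written on the secured machine when evidence is acquired. The host name db01, the log lines, the IP addresses and the handler name are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample log lines from a hypothetical host "db01" (not real data).
SAMPLE_LOG = [
    "2016-07-07T02:14:05Z db01 sshd[1120]: Accepted publickey for admin from 10.0.3.17 port 51022",
    "2016-07-07T02:14:09Z db01 sudo: admin : COMMAND=/bin/tar czf /tmp/.x /var/lib/db",
    "2016-07-07T02:15:31Z db01 sshd[1120]: Connection closed by 10.0.3.17",
]

# Per-host chain anchor; the collector knows this value independently of the host.
GENESIS = hashlib.sha256(b"db01:chain-genesis").hexdigest()


def chain_hash(prev_hash, line):
    """One link of the chain: SHA-256 over the previous link and the raw line."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode()).hexdigest()


def forward_to_collector(lines, prev_hash=GENESIS):
    """Simulate the source host forwarding lines, in order, to the secured collector.

    Returns the link hashes the collector stores, one per line. Once stored on
    the collector, an attacker on the source host cannot change them, so they
    become the reference against which later copies of the log are checked.
    """
    links = []
    for line in lines:
        prev_hash = chain_hash(prev_hash, line)
        links.append(prev_hash)
    return links


def first_unattested_index(lines_from_host, collector_links, prev_hash=GENESIS):
    """Check a log copy pulled later from the (possibly compromised) host.

    Recomputes the chain from the host's lines and compares each link with the
    collector's copy. Returns the index of the first line the collector does
    not attest (altered, spoofed insertion, deletion that shifted later lines,
    or lines appended after forwarding stopped), or None if the copy is intact.
    """
    for i, line in enumerate(lines_from_host):
        if i >= len(collector_links):
            return i  # the collector never saw this line
        prev_hash = chain_hash(prev_hash, line)
        if prev_hash != collector_links[i]:
            return i
    if len(lines_from_host) < len(collector_links):
        return len(lines_from_host)  # the copy was truncated
    return None


def custody_record(evidence, label, handler, when=None):
    """Manifest entry written on the secured collection machine at acquisition."""
    when = when or datetime.now(timezone.utc)
    return {
        "label": label,
        "sha256": hashlib.sha256(evidence).hexdigest(),
        "size": len(evidence),
        "acquired_by": handler,
        "acquired_at": when.isoformat(),
    }


def custody_intact(evidence, record):
    """Every later handler re-hashes the evidence and compares with the manifest."""
    return (len(evidence) == record["size"]
            and hashlib.sha256(evidence).hexdigest() == record["sha256"])


if __name__ == "__main__":
    links = forward_to_collector(SAMPLE_LOG)

    # Attacker rewrites the source IP on the host after the line was forwarded
    # (203.0.113.9 is from the documentation range, chosen for the example).
    altered = list(SAMPLE_LOG)
    altered[0] = altered[0].replace("10.0.3.17", "203.0.113.9")
    spoofed_line = "2016-07-07T02:14:07Z db01 sshd[1121]: Failed password for root from 203.0.113.9"
    spoofed = SAMPLE_LOG[:1] + [spoofed_line] + SAMPLE_LOG[1:]
    deleted = SAMPLE_LOG[:1] + SAMPLE_LOG[2:]

    print("intact :", first_unattested_index(SAMPLE_LOG, links))  # None
    print("altered:", first_unattested_index(altered, links))     # 0
    print("spoofed:", first_unattested_index(spoofed, links))     # 1
    print("deleted:", first_unattested_index(deleted, links))     # 1

    # Evidence acquired onto the secured machine, then re-checked by the next handler.
    evidence = "\n".join(SAMPLE_LOG).encode()
    record = custody_record(evidence, "db01 auth log export", "analyst-1")
    print("custody:", custody_intact(evidence, record), custody_intact(evidence + b"\n", record))
```

The chain only attests what reached the collector before the attacker acted. An intruder with root on the source host can stop forwarding, or alter an entry before it leaves the machine, and nothing here will notice; that is exactly why the collector, not the compromised host, has to be the secured computer described above, and why its stored links and the custody manifest must never be writable from the compromised environment.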

In cybersecurity this critical step, establishing a chain of custody, is one of the most difficult. Often an investigator brings a secured computer into the compromised environment and immediately loses that security. Sometimes the investigator's computer was not secured to begin with. Other times the computer is electronically secure but the physical environment is not.

From within an organization that is compromised, it can be very difficult to re-establish security. The vulnerabilities that were exploited by the hackers must be discovered and addressed, before forensics is done. But some amount of analysis must be done in order to discover the vulnerabilities and secure the computing infrastructure.

This leads to the chicken-and-egg problem of incident response. If we use electronic means for the initial discovery process, and those means run on compromised computers, then the discovery process itself can be compromised. We must use discovery processes that are not prone to re-compromise.

The initial phases of response to a compromise must rely on manual efforts. IT professionals need to be taught the record-keeping practices that are conducive to re-establishing security. Premature forensics, performed on or from machines the hackers may still control, must be avoided at all costs. Forensics should be done in heavily secured environments.

Intrepid Net Computing can train your security staff to solve security problems more quickly and accurately. We can provide your management with tools to assess the progress of your security teams. We provide scalable solutions for small and large businesses.







bbkirk@intrepidnetcomputing.com




© 2015, 2016, 2017 Intrepid Net Computing. All rights reserved.