“Digital evidence is not just a piece of information; it’s a trace of an incident that happened.”
If you are working on or maintaining a digital device or network, be cautious: you are working with digital evidence, not just digital data. But what are digital data and digital evidence, and how do they differ?
Any information that is stored or transmitted in binary format is digital data. Identifying such information, and following the proper methods to submit it as supporting data in a court of law or to management, is what turns it into digital evidence.
Most corporates today run many different applications involving a wide range of file types, and proper identification of this data helps them resolve anything from a minor issue to a major security incident. It is important for corporates, or any organization, to keep track of the data transfers that happen on the network; at a minimum, a transactional log of such communication will help to analyse an incident. Digital evidence matters whenever we analyse a security incident or an audit, or for any other requirement where a serious incident analysis or investigation is involved. Because there are multiple sources of data (office data, user-created personal documents, databases, application-specific records, and so on), the specific data set that can serve as digital evidence must be identified based on the requirements of the particular analysis.
Below are the relevant areas to identify and preserve the digital evidence:
If you have an insider threat where an employee is to be questioned about an incident, the following sources can be considered for evidence seizure:
- Laptop / Desktop used by the employee
- Messaging communication from the Mail Servers
- Mobile Device
If you have to analyse a malware-infected network, the following digital traces can be considered:
- Network architecture of the affected network.
- A sample of the malware, if one has been identified by the security / IT team.
- HDD image of the affected end-user asset, to analyse the malware's behaviour and, if possible, to find out how it propagated.
- Network communication logs, typically from a log server or similar device.
- Logs available on the different network devices (firewall, servers, router, IDS/IPS and more).
As part of the incident response process, once assessment and identification are done, digital evidence is collected using different techniques depending on the data sources.
Below are the most commonly used techniques for seizing digital evidence.
- Data collection from a laptop / desktop HDD: FTK Imager software can be used to capture an image of the evidence HDD.
- Logs from network devices: every appliance has its own utility to export logs for a specified time period.
- It is good practice to also collect the configuration applied at the endpoint level, to understand the likelihood of exploitation.
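Whichever imaging tool is used, the captured image is only useful as evidence if it can later be shown to be unchanged. The following script is an added example, not part of the original article and not FTK Imager's own tooling: it hashes an acquired image file in chunks, writes a small chain-of-custody manifest (case id, examiner, source, size, acquisition time, MD5 and SHA-256), and re-verifies the image against that manifest. The file name, case id and examiner are constructed placeholders, and the "image" is random bytes written to a temporary directory.

```python
"""Hash-and-manifest check for an acquired evidence image (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of the file at `path`, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def record_acquisition(image_path, examiner, case_id, source_description):
    """Build a chain-of-custody manifest for an image file that has just been acquired."""
    md5, sha256 = hash_file(image_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_description,
        "image_file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "md5": md5,
        "sha256": sha256,
    }


def verify_image(image_path, manifest):
    """Re-hash the image and compare it with the manifest; returns (ok, reason)."""
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        return False, "size mismatch"
    md5, sha256 = hash_file(image_path)
    if sha256 != manifest["sha256"]:
        return False, "sha256 mismatch"
    if md5 != manifest["md5"]:
        return False, "md5 mismatch"
    return True, "hashes match"


def demo():
    """Constructed walk-through: fake image, manifest, verify, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file name and content; this is not a real forensic image.
        image = os.path.join(tmp, "EMP-LAPTOP-01.img")
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))
        manifest = record_acquisition(image, "examiner@example", "CASE-0001",
                                      "employee laptop HDD (constructed)")
        with open(os.path.join(tmp, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        before = verify_image(image, manifest)
        # Flip a single byte to simulate an image that was modified after acquisition.
        with open(image, "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0xFF]))
        after = verify_image(image, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because many tools and court submissions still expect MD5 alongside SHA-256; the verification checks the size first so a truncated copy is reported before any hashing is done.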
Every corporate faces a common problem in maintaining digital evidence: very often people are concerned about performance and storage space, and IT personnel lack basic awareness of the importance of the data.
The way to solve the above issues is:
- To identify critical areas and keep logging enabled there with at least the minimum fields: hostname, internal IP address, external IP address, date and time, activity type, and number of bytes transferred.
- Specific storage servers and tape backups, so the backup data can be identified.
- Regular awareness programmes for the IT team that handles end-user assets and servers.
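A minimum field set is only useful if it is actually present in every retained record. The script below is an added example, not from the original article: it audits constructed log lines in an assumed key=value layout against the six fields listed above, reports lines that are missing a field or carry an unparseable timestamp, and totals the bytes transferred per internal host from the records that pass, which is the usual first pivot in an incident.

```python
"""Minimum-field audit for transactional network logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# The fields the article lists as the minimum worth retaining.
REQUIRED_FIELDS = ("hostname", "src_ip", "dst_ip", "timestamp", "activity", "bytes")

# Constructed sample lines in an assumed key=value layout (not any product's format).
# Line 3 has no byte count; line 4 has a timestamp that cannot be parsed.
SAMPLE_LOG = """\
hostname=WS-017 src_ip=10.0.5.17 dst_ip=203.0.113.9 timestamp=2024-03-01T09:12:44Z activity=http bytes=48213
hostname=WS-017 src_ip=10.0.5.17 dst_ip=198.51.100.4 timestamp=2024-03-01T09:13:02Z activity=smtp bytes=1520
hostname=WS-023 src_ip=10.0.5.23 dst_ip=203.0.113.9 timestamp=2024-03-01T09:13:10Z activity=http
hostname=SRV-DB1 src_ip=10.0.1.5 dst_ip=203.0.113.77 timestamp=not-a-date activity=https bytes=9000000
hostname=WS-017 src_ip=10.0.5.17 dst_ip=203.0.113.9 timestamp=2024-03-01T09:14:55Z activity=http bytes=12000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value line; return (record, problems) where problems lists defects."""
    record = dict(KV_RE.findall(line))
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in record]
    if "timestamp" in record:
        try:
            datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("unparseable timestamp")
    if "bytes" in record:
        if record["bytes"].isdigit():
            record["bytes"] = int(record["bytes"])
        else:
            problems.append("non-numeric bytes")
    return record, problems


def audit_log(text):
    """Check every line against the minimum fields; return (good_records, bad_lines)."""
    good, bad = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        record, problems = parse_line(line)
        if problems:
            bad.append((number, problems))
        else:
            good.append(record)
    return good, bad


def bytes_per_host(records):
    """Total bytes transferred per (hostname, internal IP) across the accepted records."""
    totals = defaultdict(int)
    for record in records:
        totals[(record["hostname"], record["src_ip"])] += record["bytes"]
    return dict(totals)


if __name__ == "__main__":
    accepted, rejected = audit_log(SAMPLE_LOG)
    for number, problems in rejected:
        print(f"line {number}: {', '.join(problems)}")
    print(bytes_per_host(accepted))
```

Rejected lines are reported by line number rather than silently dropped: a record that lacks its byte count or its time is exactly the one an investigator will later wish had been retained correctly.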
With the practices mentioned above, root cause analysis results can be achieved most of the time, though this still depends on the behaviour of the incident.