S 6.127 Establishment of measures for collecting and securing the evidence of security incidents

Initiation responsibility: IT Security Officer, Head of IT, Top Management

Implementation responsibility: IT Security Officer

Procedures for securing the digital evidence to be collected must be planned and established before handling a security incident. Statements of fact and established facts that help to find out the truth when performing a computer forensic analysis or during a subsequent legal appraisal are considered evidence. To clarify the legal validity of the evidence and the procedures used, consideration should be given to deciding whether or not legal advice on this subject is necessary. In addition to considering the technical procedures required (see the descriptions of live response and post mortem analysis in S 6.126 Introduction to computer forensics as well as S 2.64 Checking the log files), it is also necessary to consider how the process for securing evidence will be organised. This includes, for example, prepared forms for documenting the traces of evidence secured. These forms can also be used to record who has performed which analyses on the traces of digital evidence.

A secure storage location should be selected for storing the IT systems or data media confiscated. This location could be a vault or some other room to which only a few trustworthy people have access.

If traces of electronic evidence are secured, then checksums should be used during each step of the analysis to verify the integrity of the evidence. The evidence should only be stored and analysed on specially protected systems. These systems, of course, should not be connected to any potentially compromised IT systems or the rest of the productive network so that no evidence can be changed.

The measures and tools for securing evidence must be examined to determine if they are suitable for reliably securing evidence and guaranteeing it cannot be manipulated.

The procedures for securing evidence must be coordinated with the IT Security Officer and the team of experts for handling security incidents. To ensure that data protection aspects are taken into account, the Data Protection Officer should also be involved. The personnel representative should also become involved as soon as it is suspected that the perpetrator is an insider. In addition, internal or external lawyers should be consulted to evaluate the procedures and methods used.

Review questions:

• Have the procedures for securing the digital evidence collected been defined and tested?
• Are the measures and tools established suitable for reliably securing the right evidence and ensuring it cannot be manipulated?
• Have the evidence collection measures been agreed to by the IT Security Officer and his/her team of experts?
• Were data protection aspects and the specification of who will participate in the investigation clarified in advance?
• Were internal or external lawyers consulted to evaluate the procedures and methods used?