T 2.142 Destruction of evidence while handling security incidents
When the actions taken to handle a security incident are performed carelessly or not according to plan, important evidence needed to investigate the incident or to pursue legal action can be destroyed unintentionally.
Examples of this include:
- An administrator notices that the storage space available on his system has suddenly shrunk and that he cannot store any more data. To quickly free up some storage space, he immediately deletes all log files. However, a subsequent evaluation of these log files might have revealed that the server was attacked, and could even have pointed to possible sources of the attack.
- An attacker installs a computer virus or a Trojan horse whose method of operation and objectives can only be analysed while it is running. Information on the currently active processes and the contents of main memory need to be recorded for this purpose. If the affected system is hastily shut down, then this information may not be available any more when analysing and investigating the security incident.
- An administrator finds a process running on one server that has consumed a large amount of processor capacity over the last few days. In addition, this process writes numerous temporary files to the hard disk and sends unknown information over the Internet. If the process is hastily terminated and the unknown files are deleted, it may be impossible to determine whether the process was a tool used in an attack or whether confidential data was sent out.
- An important server is compromised because the administrator could not install the latest security updates due to the heavy load on the server and the lack of a free maintenance window. To avoid possible disciplinary consequences after the intrusion, the administrator installs the missing updates before the security team can analyse the source of the intrusion and the resulting damage. A low tolerance for employee errors thus prevents analysis of the problem.
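The first two examples share one lesson: record volatile state first, preserve the logs as evidence (copy, hash, keep the originals intact), and only then free disk space. The following POSIX shell script is an added illustration of that order of operations; it is not part of the BSI catalogue and the directory names, the hypothetical functions preserve_logs, collect_volatile and verify_manifest, and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the BSI catalogue): preserve logs as evidence
# before freeing space, and capture volatile state before anything changes.
# Paths and function names are assumptions for illustration only.

hash_file() {
    # Print the SHA-256 hash of file $1 with whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

collect_volatile() {
    # Step 1: record process list and open sockets into $1/volatile.
    # This is lost on shutdown, so it comes before any cleanup.
    out="$1/volatile"
    mkdir -p "$out"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
    ps aux > "$out/ps.txt" 2>/dev/null || ps -ef > "$out/ps.txt" 2>/dev/null || true
    (ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || true) > "$out/sockets.txt"
}

preserve_logs() {
    # Step 2: copy every *.log in $1 into $2/logs, keeping timestamps (cp -p),
    # and write a sha256sum-style manifest so the copies can be verified later.
    # Step 3: only then free space, by compressing the originals, not deleting.
    src="$1"; ev="$2"
    mkdir -p "$ev/logs"
    manifest="$ev/MANIFEST.sha256"
    : > "$manifest"
    for f in "$src"/*.log; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        cp -p "$f" "$ev/logs/$base"
        printf '%s  %s\n' "$(hash_file "$ev/logs/$base")" "logs/$base" >> "$manifest"
    done
    for f in "$src"/*.log; do
        if [ -f "$f" ]; then gzip -f "$f"; fi
    done
    printf '%s\n' "$manifest"   # prints the manifest path
}

verify_manifest() {
    # Re-hash each preserved copy under $1 and compare with the manifest.
    # Returns 0 when every file still matches, 1 on the first mismatch.
    ev="$1"
    while read -r want rel; do
        have=$(hash_file "$ev/$rel")
        [ "$have" = "$want" ] || return 1
    done < "$ev/MANIFEST.sha256"
    return 0
}
```

Typical use would be collect_volatile /mnt/evidence, then preserve_logs /var/log /mnt/evidence, with verify_manifest /mnt/evidence run again when the copies are handed to the investigating team. The evidence directory should be on separate storage (external disk or network share); writing it to the full disk that triggered the problem defeats the purpose, and freeing space by compression rather than deletion keeps the originals recoverable if the copy turns out to be incomplete.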