S 6.128 Training on the use of evidence collection tools
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer
The members of the team of experts for handling security incidents must be familiar with the tools for securing and analysing the digital evidence collected and know how to use them because otherwise essential data could be destroyed unintentionally, especially when conducting a live response analysis. In the first hours after the detection of a security incident, there may not always be specialists from the team of experts available on-site to handle a security incident, especially in the case of government agencies or companies which have several different sites. In such cases, local and trustworthy IT personnel (or even better, information security personnel) can be contracted to secure the evidence. These people then need to be instructed how to use the corresponding tools for securing evidence. This also applies to the administrators of servers, security gateways, or other IT systems if they are needed to secure log files, for example. This enables the people using the tools to become familiar with any weaknesses or errors in the tools that could influence the results of the analysis.
When selecting tools for collecting or analysing digital evidence, it is important to know where these tools came from. The software tools must come from trustworthy sources, for example directly from the manufacturer. In addition, checksums should be used, for example, to enable early detection of unauthorised manipulations to the tools. This is particularly important when using tools from the open source environment, in which case several different versions of a given tool may be available and in circulation.
Review questions:
- Have the administrators as well as the members of the team of experts been trained how to handle the tools used to secure evidence?
- Are the weaknesses of the tools used known?
- Do the analysis tools come from known and trustworthy sources?
- Are reliable checks performed to verify that the software has not been manipulated?