Maintaining Evidence and Chain of Custody
Lesson 5.6: Maintaining Evidence and Chain of Custody.
The objectives of this lesson are to discuss the best practices for collecting and preserving evidence and understand the chain of custody and how it applies to cyber incident response.
We've already talked about chain of custody and evidence briefly in this course, and now we'll talk about it in more depth.
I would recommend having a checklist for individuals responsible for evidence collection. This is a job and a role that is critically important and one that requires some training ahead of time. You don't just assign someone evidence collection without understanding how the chain of custody works, how you should handle and store evidence, and the documentation required. So it's really important to have that checklist, because it's not something people are going to do often. But they should also have some training up front. That's why you may want to select a few people that are cross-trained in this area, so you have at least one of them available during an incident.
Also, it's very important as you're collecting evidence to ensure that it hasn't been tampered with prior to collection.
That's one reason why we use SIEM tools and other tools available to us to get the logs off of the hosts. If a host is compromised, then an attorney for the attacker may be able to say that you can't trust any of the logs on that compromised host because the host was compromised, and they may have a point. Although you could probably defend this through good forensics, it's not going to be easy. It's going to be expensive, and it's going to take some time.
So if we can get logs off of the hosts and into a SIEM or some other area that is not compromised and is locked down through network segmentation, IDPS, and good access control, then it makes the logs much more impactful and valid to be able to use in court if necessary.
Protecting evidence from tampering after collection is just as important as protecting it before collection. So once you have the logs, don't just leave them sitting on the SIEM. Make sure you're exporting everything that you feel you might need to use. So if you are going to use evidence from digital forensics, from log files that you're getting, especially if it's an insider threat, or maybe an employee misconduct case where the employee may face termination for something they were doing, anything that could result in a legal proceeding, you need to handle the evidence carefully. So let's say, for instance, you are pulling event logs off of a host. Then you would want to make sure those are being saved there, that they're acquired in a way that they won't be changed in the acquisition process.
Typically, through forensics, we would do this using write blockers. We'd hash the evidence before we grab it, and then we'd hash the evidence after we grab it to make sure those hash values match. And then we store the evidence in an area or on a device that no one has physical access to other than the investigators. And access to that is controlled through logging, whether it's who has physical access to it through badge readers or keypads on a lock, or at least a written log of everyone who's come in contact with that piece of evidence. And you store them in a way that they're also not susceptible to degradation or being destroyed accidentally. So those are just a few examples of what you would do. Same thing with a forensic image of an entire hard drive. We would collect that image with write blockers. We'd save it onto another hard drive or onto a server or a SAN or NAS device. We'd use MD5 or SHA hash values to make sure the evidence is an exact copy if we can, and we would protect it. Make sure you document who collected the evidence, where it came from, and the exact date and time of when that evidence was collected.
Utilize chain of custody forms. I've got some examples of these on my website, joshmoulin.com. You're more than welcome to pull them down if you're interested, but think about the right kind of form for your organization. At a minimum, though, you want these things: a description of the evidence, where it came from, who collected it, the date and time, and then you also want to be able to document any transfers, and that's really the chain of custody. So I got the evidence, I put it into the CISO's locked file cabinet that we also use for evidence, and a copy of that chain of custody form is with the evidence in there. And then if it ever comes out of that file cabinet, or if you actually have an evidence locker or evidence control process, then that also is logged: who got it out, the date and time, and the reason. If I transfer it from me to you, then I'm going to say on this date and time, Josh Moulin transferred it to you. I'm going to sign it, you're going to sign it, and now everything else is on you. From that point forward, my responsibility with the evidence is done.
But everybody that's on that chain could potentially be called into court to talk about what they did with the evidence when they had it, how they made sure they protected it, that they didn't leave it sitting out somewhere where other people could have access to it. So this is a pretty strict process, and for good reason. So make sure you have this baked into your IR processes, and then have a physical location, or virtual, depending on the kind of evidence, to store this, and again, make sure it's locked down. In one of the IR teams that I managed, we had our own NAS that IT maintained for us. They patched it and that sort of thing, but they did not have access to the actual data. The only people that did were the incident responders, and we logged all the access to that device, and we made sure that people were only getting in when there was a legitimate reason to get in, and only the case agent and those involved in the investigation were getting into their respective files.
This is a screenshot of the chain of custody form that I've just made and have available.
So remember that all of this could be used in legal proceedings. We want to make sure everything is well documented, that certain members are trained in this. They shouldn't be hearing about chain of custody for the first time when they get subpoenaed. And you should have retention policies: how long are you going to keep this stuff? And some of this may be dictated by your legal department. If it's used in an employee misconduct case, for instance, that resulted in discipline, you may have to keep it for three or seven years. If it's involved in a criminal case, you may have to keep it until the case is adjudicated and then any appeals are over with and those timelines are done. But you need to have something figured out for your retention schedule. If you have a full-time records person in your organization, lean on them for help on how to develop that.
All right, quiz question for evidence. True or false: it is best to have two or more people assigned to take custody of evidence.
This is false. I did say you should have a couple of people trained in how to do it, but I also said it's best to assign a single person to evidence collection, because that way they're on the hook and they're tracking all the collection of evidence, all the forms and paperwork associated with it, and handling it. It makes the process much cleaner.
So, in summary for this lesson, we talked about the best practices for collecting and preserving evidence. We also talked about the chain of custody and how it applies to cyber incident response.
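As an added example (not part of this lesson or the instructor's materials), the following Python shows the hash-before-and-after acquisition check and the minimum chain of custody fields described above, with a signed-off transfer entry and a post-collection tamper check; the file names, people and log content are constructed.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()                  # chunked so full disk images fit in memory
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

@dataclass
class CustodyRecord:                           # the minimum form fields from the lesson
    description: str
    source: str
    collected_by: str
    sha256_before: str
    sha256_after: str
    collected_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())
    transfers: list = field(default_factory=list)
    def transfer(self, giver: str, receiver: str, reason: str) -> None:
        # Both parties sign the paper form; names stand in for signatures here.
        self.transfers.append({"from": giver, "to": receiver, "reason": reason,
                               "at": datetime.now(timezone.utc).isoformat()})

def acquire(src: Path, dst_dir: Path, collector: str, description: str) -> CustodyRecord:
    before = sha256_of(src)                    # hash before we grab it
    dst = dst_dir / src.name
    shutil.copy2(src, dst)                     # the acquisition step; copy2 keeps timestamps
    after = sha256_of(dst)                     # hash again after acquisition
    if before != after:                        # mismatch means the copy is not usable
        raise RuntimeError("acquisition changed the evidence; discard and redo")
    return CustodyRecord(description, str(src), collector, before, after)

def verify(record: CustodyRecord, stored: Path) -> bool:
    return sha256_of(stored) == record.sha256_after   # False: changed since collection

def demo() -> tuple:                           # constructed sample: acquire, transfer, detect tampering
    with tempfile.TemporaryDirectory() as tmp:
        locker = Path(tmp, "locker")
        locker.mkdir()
        src = Path(tmp, "ws01_security.log")   # constructed content, not a real log
        src.write_bytes(b"constructed sample event log line\n" * 100)
        rec = acquire(src, locker, "J. Analyst", "Security event log from WS01")
        rec.transfer("J. Analyst", "K. Examiner", "forensic review")
        intact = verify(rec, locker / src.name)
        (locker / src.name).write_bytes(b"altered")   # simulate post-collection tampering
        return rec, intact, verify(rec, locker / src.name)
```

The record is what you would print to the custody form or store beside the evidence; re-running `verify` against the stored copy whenever it changes hands is how the "after collection" part of the lesson is enforced.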