Saturday, June 8, 2013

Enterprise IT Forensic Process - Acquisition

Last month, I talked about the first process in the Enterprise IT Forensic Process, which is the Approval process. Today, I shall proceed to the next process - Acquisition.

What is acquisition? In a nutshell, it means collecting the evidence. Sounds easy, right? Not really. There are many things that need to be considered, especially if there is a high chance that the investigation will lead to a legal case.

You may have heard that evidence collection must be done in a forensically sound manner. I bet you can recall scenes from CSI or similar shows where criminals got away scot-free on technical grounds, for example because the police made a mistake when collecting evidence. The same thing can happen in IT forensics: evidence whose origin, handling and integrity cannot be demonstrated may be challenged or ruled inadmissible. Thus, it is imperative that the acquisition is done properly and (again) in a forensically sound manner.

Now, what is meant by "in a forensically sound manner"? Basically:
1. Ensure that evidence intake is done legally (refer to my last piece on the "Approval" process).
2. The evidence's chain of custody is well documented and preserved: every hand-over is recorded, with who released the item, who received it, when, and why.
3. Ensure that tampering with the evidence is not possible, or at the very least detectable, during collection, transfer, analysis and storage. In practice this means sealed, tamper-evident packaging for physical items, imaging drives through a write blocker, and recording a cryptographic hash (e.g. SHA-256) of every image at acquisition time so that it can be re-verified later.
4. All forensic activities are well documented and traceable.

I would say a) Evidence Intake and b) Evidence Chain of Custody are the two key sub-processes within the Acquisition process. Furthermore, there are two principles that I always apply:
1) Four Eyes Principle - ensuring that there is always a witness around, and that every hand-over is signed by two people
2) Bag and Tag - ensuring that evidence is properly labelled, sealed and that its movements are recorded.

a) Evidence Intake:
This refers to how the evidence is collected or taken into custody.

Let's imagine a simple and basic scenario - a forensic investigator is tasked to collect a laptop from the IT department (the data custodian) for forensic analysis.

What does the forensic investigator need to prepare beforehand?

1. A camera or a phone with a decent camera - it is always a good idea to photograph everything before you touch the evidence.
2. Evidence Intake and Custody form:
a) To record the information about the to-be-taken evidence
b) This form also serves as an acknowledgement of transfer/receipt of the evidence. Both the investigator and the custodian shall sign it (Four Eyes Principle).
3. A waterproof, tamper-evident envelope or bag to "bag" the evidence; a uniquely numbered seal makes any later opening visible and gives you a seal number to write on the form.
4. Stickers to "tag" (label) the evidence

General Steps:
1. First, take photos of the evidence. Important info such as serial number, model, brand etc. shall be clearly photographed. If the laptop is powered on, photograph the screen as well, and do not shut it down or log in until it has been decided whether volatile data (memory, running processes, network connections) needs to be captured first.
2. Fill in the form and record as many details as possible, e.g. the model of the laptop, serial no., HDD size, its condition etc.
3. Label the evidence (Tag) with a unique ID (you shall already have this ID beforehand!).
4. Put the evidence into the envelope and seal it (Bag). Record the seal number on the form.
5. Label the sealed envelope (Tag).
6. Sign the form and ensure that the data custodian counter-signs as well (Four Eyes Principle). Once both parties have signed, custody of the evidence is now with the investigator.
7. The investigator can now proceed to the lab and start the forensic analysis (which shall be done in a forensically sound manner as well: image the drive through a write blocker, hash the image immediately, and work only on copies).
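The chain-of-custody form described above can be mirrored electronically. The following is an added example (my own illustration, not part of the original post or any tool it mentions) of a hash-chained custody log: every entry must carry two distinct signatories (Four Eyes), every entry commits to the hash of the one before it so that a later edit breaks the chain, and the SHA-256 of the acquired disk image is committed into the log at imaging time so the image can be re-verified. The evidence ID, names, seal numbers, timestamps and "disk image" bytes are all constructed for the demonstration.

```python
"""Hash-chained chain-of-custody log for a bagged-and-tagged item.

Added example (not part of the original post). Every entry needs two distinct
signatories (Four Eyes), each entry commits to the previous one, and the disk
image's SHA-256 is recorded at imaging time so later tampering is detectable.
Names, evidence ID, seal numbers and image bytes below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, used for the evidence image and for chaining log entries."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    evidence_id: str
    action: str            # intake, transfer, imaging, storage ...
    timestamp: str         # ISO-8601, UTC
    signed_by: str         # party performing the action / releasing the item
    countersigned_by: str  # second party (receiver or witness); must differ
    note: str              # seal number, image hash, condition ...
    prev_hash: str         # entry_hash of the previous entry ("" for the first)
    entry_hash: str        # SHA-256 over all the fields above


def _hash_fields(fields: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


class CustodyLog:
    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def record(self, action, signed_by, countersigned_by, note="", timestamp=None):
        """Append an entry. Enforces the Four Eyes principle: two distinct signers."""
        if not signed_by or not countersigned_by or signed_by == countersigned_by:
            raise ValueError("Four Eyes principle: two distinct signatories required")
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else ""
        fields = {
            "evidence_id": self.evidence_id, "action": action, "timestamp": ts,
            "signed_by": signed_by, "countersigned_by": countersigned_by,
            "note": note, "prev_hash": prev,
        }
        entry = CustodyEntry(**fields, entry_hash=_hash_fields(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash is intact and the chain is unbroken."""
        prev = ""
        for e in self.entries:
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if e.prev_hash != prev or _hash_fields(fields) != stored:
                return False
            prev = stored
        return True


def record_imaging(log, image: bytes, technician, witness, timestamp=None) -> str:
    """Hash the acquired image and commit the hash into the custody log."""
    digest = sha256_hex(image)
    log.record("imaging", technician, witness, note="sha256=" + digest, timestamp=timestamp)
    return digest


def image_matches_log(log, image: bytes) -> bool:
    """Re-hash an image and check that exactly this hash was recorded in the log."""
    return any(e.note == "sha256=" + sha256_hex(image) for e in log.entries)


# Constructed sample: the laptop scenario from the post, with made-up names.
SAMPLE_IMAGE = b"constructed disk image bytes, not a real acquisition\n" * 128


def laptop_intake_example() -> CustodyLog:
    log = CustodyLog("EV-0042", "Laptop (constructed; brand/model/serial go on the form)")
    log.record("intake", "IT custodian (constructed)", "Investigator (constructed)",
               note="photographed; bagged; seal S-0042-1", timestamp="2013-06-08T09:15:00+00:00")
    log.record("transfer", "Investigator (constructed)", "Lab clerk (constructed)",
               note="seal S-0042-1 intact on arrival", timestamp="2013-06-08T11:40:00+00:00")
    record_imaging(log, SAMPLE_IMAGE, "Lab clerk (constructed)", "Investigator (constructed)",
                   timestamp="2013-06-08T13:05:00+00:00")
    return log


def tampered_copy(log: CustodyLog) -> CustodyLog:
    """Simulate someone editing a note after the fact; verify() must then fail."""
    copy = CustodyLog(log.evidence_id, log.description)
    copy.entries = list(log.entries)
    copy.entries[1] = replace(copy.entries[1], note="seal S-0042-1 broken on arrival")
    return copy


if __name__ == "__main__":
    log = laptop_intake_example()
    print("chain intact:", log.verify())                           # True
    print("image matches:", image_matches_log(log, SAMPLE_IMAGE))  # True
    print("after tampering:", tampered_copy(log).verify())         # False
```

The hash chain only makes tampering detectable, not impossible: anyone who can rewrite every later entry can forge a consistent chain, so in practice the log (or at least its latest entry hash) is printed on the paper form that both parties sign, which is what ties the electronic record back to the Four Eyes signatures.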

That's it for a simple scenario. How about a more complex scenario, such as one where the evidence intake is to be done by a representative in a remote location, after which the evidence is shipped to the head office and handed over personally to the investigator? As you can imagine, the evidence intake and chain of custody process will be much more complex. So, stay tuned for the next piece!
