Monday, September 9, 2013

Enterprise IT Forensic Process - Disposal

In my previous posts, I have covered the first four stages of the Enterprise IT Forensic Process:

1) Approval - Ensuring that we are allowed to do what we want to do
2) Acquisition - Ensuring that we collect and acquire the evidence in a forensically sound manner
3) Analysis - Performing the analysis and investigation, also in a forensically sound manner
4) Reporting - What a report should contain

The Disposal process is the final piece of the puzzle.

Once the analysis is done and the report completed, the next question is what to do with the evidence we have gathered, both the original and the acquired copies. We cannot keep evidence forever, for reasons such as storage limits, legal and retention requirements, and the security risk of holding sensitive data longer than necessary.

Basically, the options are:
1) Store - If there is a need to preserve the evidence e.g. legal case
2) Return - Return the evidence to the owner or data custodian
3) Forward - Forward the evidence to another party as agreed with the Requestor
4) Dispose - Securely delete or dispose of the evidence

However, it is important to note that this decision does not lie entirely with the forensic examiner or investigator. It shall be made together with the Requestor.

There is also the possibility that the Requestor wants the original evidence returned and the acquired copy deleted, or vice versa. Regardless of the option chosen, the chain of custody must be maintained and updated to reflect the final status of each item.

To delete or wipe evidence, for example a hard drive, simply formatting the drive is not secure enough: a format rewrites the file system metadata, not the data blocks, so the contents can still be recovered with ordinary file carving tools. There are a few methods you can use to securely wipe a drive:

1) Hardware based - The fastest way. A degausser exposes the drive to a strong magnetic field, destroying the recorded data together with the servo information the drive needs to operate, so it renders the drive useless both digitally and physically. It only works on magnetic media (hard disks, tapes), and it is not a good idea if you still want to use the drive for other purposes.
2) Software based - Slower, but the drive remains usable afterwards. The drive is overwritten with zeros or random data, usually over several passes, and the result should be verified by reading the drive back. There are various free tools that can do the job, for example Disk Wipe and DBAN. One caveat: overwriting is not reliable on SSDs and other flash media, because wear levelling keeps copies of data in blocks the host cannot address; there, use the drive's built-in secure erase command or physically destroy the device.
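As an added example that is not part of the original post, the shell function below performs the software-based method on a target path: a number of random passes followed by a final zero pass, then a read-back check that no non-zero byte survived, and finally a one-line record suitable for the chain-of-custody log. It assumes the target is a regular file (a disk image, or a file standing in for a drive in a test); on a real block device you would run it as root and take the size from the device (e.g. `blockdev --getsize64` on Linux) instead of `wc -c`. The pass count, paths and log format are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: multi-pass software wipe of a
# target path with a read-back verification and a custody-log record.
# Assumptions: target is a regular file; passes/paths are illustrative.

wipe_target() {
    target=$1
    passes=${2:-3}                 # random passes before the final zero pass
    size=$(( $(wc -c < "$target") ))

    # Random passes: overwrite every byte of the target with /dev/urandom data.
    # conv=notrunc keeps dd from truncating the file, so the full extent is rewritten.
    n=0
    while [ "$n" -lt "$passes" ]; do
        head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
        n=$((n + 1))
    done

    # Final pass with zeros, so the verification below is unambiguous.
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null

    # Verify: delete every NUL byte and count what is left. Anything other than
    # 0 means the overwrite did not reach some part of the target.
    leftover=$(( $(tr -d '\000' < "$target" | wc -c) ))
    after=$(( $(wc -c < "$target") ))
    if [ "$leftover" -ne 0 ] || [ "$after" -ne "$size" ]; then
        echo "WIPE FAILED: $target ($leftover non-zero bytes remain, size $after)" >&2
        return 1
    fi

    # Record for the chain-of-custody log: what was wiped, how, and when (UTC).
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) wiped=$target bytes=$size passes=$((passes + 1)) verified=yes"
}
```

Usage is `wipe_target /path/to/image.dd 3`; the function returns non-zero and prints a failure line if the read-back check fails, so a caller can refuse to update the chain of custody on a half-finished wipe.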