If you’re planning to take the SY0-501 version of the Security+ exam, you should have a good understanding of basic forensics concepts. A forensic evaluation helps the organization collect and analyze data as evidence it can use in the prosecution of a crime. In general, forensic evaluations proceed with the assumption that the data collected will be used as evidence in court. Because of this, forensic practices protect evidence to prevent modification and control evidence after collecting it.
For example, can you answer this practice test question?
Q. Your organization is involved in a lawsuit. A judge issued a court order requiring your organization to keep all emails from the last three years. Your data retention policy states that email should only be maintained from the last 12 months. After investigating, administrators realize that backups contain email from the last three years. What should they do with these backups?
A. Backups older than 12 months should be deleted to comply with the data retention policy.
B. Backups for the last 12 months should be protected to comply with the legal hold.
C. Backups for the last two years should be protected to comply with the legal hold.
D. Backups for the last three years should be protected to comply with the legal hold.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Chain of Custody
A key part of incident response is collecting and protecting evidence. A chain of custody is a process that provides assurances that evidence has been controlled and handled properly after collection. Forensic experts establish a chain of custody when they first collect evidence.
Security professionals use a chain of custody form to document this control. The chain of custody form provides a record of every person who was in possession of a physical asset collected as evidence. It shows who had custody of the evidence and where it was stored the entire time since collection. Additionally, personnel often tag the evidence as part of a chain of custody process. A proper chain of custody process ensures that evidence presented in a court of law is the same evidence that security professionals collected.
If evidence is not controlled, someone can modify, tamper with, or corrupt it. Courts will rule the evidence inadmissible if there is a lack of adequate control, or even a lack of documentation showing that personnel maintained adequate control. However, the chain of custody provides proof that personnel handled the evidence properly.
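As an added illustration (not part of the original post), here is one way to keep the chain of custody record itself tamper-evident: each entry commits to a hash of the evidence and to the previous entry, so any edit to an entry, any removed entry, or any change to the evidence bytes is detected on verification. The CustodyLog class and its field names are assumptions for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Canonical JSON of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Append-only custody record for one evidence item. Each entry commits to
    the evidence hash, the handler, the location and the previous entry's hash,
    so editing or dropping any entry breaks every link after it."""

    def __init__(self, item_id: str, evidence: bytes):
        self.item_id = item_id
        self.evidence_hash = sha256_hex(evidence)  # taken once, at collection
        self.entries = []

    def record(self, timestamp: str, action: str, handler: str, location: str) -> dict:
        # timestamp is supplied by the caller so the log can be reproduced exactly.
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "timestamp": timestamp, "action": action,
                 "handler": handler, "location": location,
                 "evidence_hash": self.evidence_hash, "prev_hash": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple:
        """Return (ok, reason): the evidence must still match the collection hash
        and every entry must rehash correctly and link to its predecessor."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence does not match the hash taken at collection"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, f"chain broken at entry {i}"
            if e["evidence_hash"] != self.evidence_hash or entry_hash(e) != e["entry_hash"]:
                return False, f"entry {i} was altered after it was written"
            prev = e["entry_hash"]
        return True, "chain of custody intact"
```

A real form would add signatures from each handler; the hash chain only proves the record was not changed after the fact, not who wrote it.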
Legal Hold
A legal hold refers to a court order to maintain different types of data as evidence. As an example, imagine that Ziffcorp is being sued for fraud and is being investigated by the Securities and Exchange Commission. A court orders them to maintain digital and paper documents for the past three years related to the case. Ziffcorp now needs to take steps to preserve the data.
This data may include emails; databases; backup tapes; data stored on servers in file shares and document libraries; and data stored on desktop computers, laptops, tablets, and smartphones owned by the company. The first step management needs to take is to direct the data custodians to preserve this data. On the surface, this might sound easy, but it can be tremendously complex, especially if it is not clear to data custodians what data should be maintained. They might preserve too much data, resulting in a significant cost to store it. They might preserve too little data, subjecting the company to more litigation in a suspected cover-up.
Data retention policies also apply here. As an example, imagine that the data retention policy states that email older than six months is deleted. If administrators rigorously followed the policy, the company wouldn’t have any emails from more than six months ago. That’s OK if the policy is in writing and administrators are following it.
What if the administrators didn’t follow the data retention policy? What if they have email from as long as two years ago? In this scenario, administrators need to maintain these emails. If they take steps to delete the emails after receiving the court order, it looks like they are trying to withhold evidence and puts the organization into legal jeopardy for a cover-up.
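The interaction between a retention policy and a legal hold, written out as an added example (not from the original post): the policy sets a cutoff, but any backup whose date falls inside an active hold is preserved regardless of that cutoff, and only data outside both is eligible for deletion. The function names and the constructed dates are assumptions that mirror the practice question above.

```python
from datetime import date, timedelta

def retention_decisions(backups, today, retention_days, legal_holds):
    """Return {backup_id: (decision, reason)} for each dated backup.

    backups        : list of (backup_id, date the backup was taken)
    retention_days : how long the data retention policy keeps the data
    legal_holds    : list of {"case", "start", "end"} date ranges under a court order
    A hold always overrides the policy: data the policy would have purged is
    preserved for as long as any hold covers its date."""
    cutoff = today - timedelta(days=retention_days)
    decisions = {}
    for backup_id, taken in backups:
        holds = [h["case"] for h in legal_holds if h["start"] <= taken <= h["end"]]
        if holds:
            decisions[backup_id] = ("preserve", "legal hold: " + ", ".join(holds))
        elif taken >= cutoff:
            decisions[backup_id] = ("retain", "inside the retention period")
        else:
            decisions[backup_id] = ("delete", "outside the retention period, no hold")
    return decisions

def sample_decisions(hold_active: bool = True) -> dict:
    # Constructed scenario from the practice question: a 12-month policy and a
    # court order covering the last three years.
    today = date(2018, 6, 1)
    holds = [{"case": "court order", "start": today - timedelta(days=3 * 365), "end": today}]
    backups = [
        ("bk-2018-05", date(2018, 5, 1)),   # inside the policy window
        ("bk-2017-01", date(2017, 1, 15)),  # policy would delete it; the hold keeps it
        ("bk-2014-12", date(2014, 12, 1)),  # outside both, so deletable
    ]
    return retention_decisions(backups, today, 365, holds if hold_active else [])
```

Run the same sweep with hold_active=False to see what the policy alone would have done before the court order arrived.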
Recovery of Data
Generically, data recovery refers to restoring lost data, such as restoring a corrupt file from a backup. In the context of forensics, data recovery goes further. Even without backups, it’s often possible to recover data that has been intentionally or accidentally deleted.
When a user deletes a file, the operating system typically just marks it for deletion and makes the space the file is consuming available to use for other files. However, the file's contents are still there. Many operating systems first move the file to a recycle bin or trash can, and you can simply retrieve it from there. Even if the user empties the trash after deleting a file, forensic experts can use tools to undelete the files.
Formatting a drive makes it appear as though all the data on the drive has been overwritten. However, just as forensic experts have tools to undelete files, they also have tools they can use to unformat drives. It's worth noting that criminals have access to these same tools, too, and can recover data from systems that haven't been sanitized.
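To make the two previous paragraphs concrete, here is an added, constructed model of a FAT-style volume (not code from the original post): deleting a file only overwrites the first byte of its directory entry, and a quick format only clears the directory table, so the data sectors remain and can be recovered either from the marked entry or, after a format, by carving on a known file signature. The ToyDisk layout and sector size are assumptions for this example.

```python
import struct

SECTOR = 64                        # toy sector size in bytes
DIR_SECTORS = 2                    # sectors 0-1 hold the directory; data starts at 2
ENTRY = struct.Struct("<11sBHI")   # name, flags, first sector, size (18 bytes)
DELETED = 0xE5                     # FAT convention: first name byte marks deletion
MAX_ENTRIES = DIR_SECTORS * SECTOR // ENTRY.size

class ToyDisk:
    """Constructed FAT-like volume. Deleting a file only marks its directory
    entry and a quick format only wipes the directory; data sectors survive."""
    def __init__(self, n_sectors=16):
        self.img = bytearray(SECTOR * n_sectors)
        self.next_free, self.n_entries = DIR_SECTORS, 0
    def entries(self):
        for i in range(MAX_ENTRIES):
            off = i * ENTRY.size
            yield (off,) + ENTRY.unpack_from(self.img, off)
    def write_file(self, name: str, data: bytes):
        first = self.next_free
        self.img[first * SECTOR:first * SECTOR + len(data)] = data
        self.next_free += -(-len(data) // SECTOR)          # sectors used, rounded up
        ENTRY.pack_into(self.img, self.n_entries * ENTRY.size,
                        name.encode().ljust(11), 0, first, len(data))
        self.n_entries += 1
    def delete(self, name: str):
        for off, raw, _, _, _ in self.entries():
            if raw.rstrip() == name.encode():
                self.img[off] = DELETED                       # data left in place
    def quick_format(self):
        self.img[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)

def undelete(disk: ToyDisk) -> dict:
    """Rebuild files whose entries are marked deleted but otherwise intact."""
    found = {}
    for _, raw, _, first, size in disk.entries():
        if raw[0] == DELETED:
            name = "?" + raw[1:].rstrip().decode()            # first character is lost
            found[name] = bytes(disk.img[first * SECTOR:first * SECTOR + size])
    return found

def carve(disk: ToyDisk, header: bytes, footer: bytes) -> list:
    """Signature carving needs no directory, so it still works after a quick
    format: find each header at a sector boundary and cut at the next footer."""
    hits = []
    for sec in range(DIR_SECTORS, len(disk.img) // SECTOR):
        start = sec * SECTOR
        if disk.img[start:start + len(header)] == header:
            end = disk.img.find(footer, start)
            if end != -1:
                hits.append(bytes(disk.img[start:end + len(footer)]))
    return hits
```

Only overwriting the data sectors themselves (sanitization) defeats both recovery paths, which is the point of the last sentence above.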
Active Logging for Intelligence Gathering
It’s often appropriate for organizations to engage in strategic intelligence or counterintelligence gathering by increasing the amount of data that they collect. For example, an active logging strategy can help an organization gather a significant amount of data on attackers.
Typically, a network infrastructure is configured to log only the data needed for daily operations. If the network is under attack, administrators might increase the logging capabilities at some point while the attack is happening. However, they will have missed the valuable data they could have captured if those same logging capabilities had been enabled when the attack began.
An active logging strategy increases the amount of logged data collected on a routine basis. Ideally, network administrators will have filters available so that they can view only the data they need for daily operations. However, if an attack begins, security professionals can view all the logged data.
Q. Your organization is involved in a lawsuit. A judge issued a court order requiring your organization to keep all emails from the last three years. Your data retention policy states that email should only be maintained from the last 12 months. After investigating, administrators realize that backups contain email from the last three years. What should they do with these backups?
A. Backups older than 12 months should be deleted to comply with the data retention policy.
B. Backups for the last 12 months should be protected to comply with the legal hold.
C. Backups for the last two years should be protected to comply with the legal hold.
D. Backups for the last three years should be protected to comply with the legal hold.
Answer is D. The court order specified a legal hold on email from the last three years, so all the backups for the last three years should be kept.
If the backups had been destroyed before the court order, they wouldn’t be available, so the legal hold wouldn’t apply to them.
Deleting them after the court order is illegal.
Protecting only the backups from the last 12 months or the last two years doesn’t comply with the court order.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information about implementing policies to mitigate risks.