Directly related to the Digital Forensics and Case Management capabilities described in earlier articles, even a modest-sized Security Operations team will eventually need to establish some type of Digital Evidence Management policies, disciplined practices and supporting capabilities. Refer to the principles and definitions first authored by the International Organization on Computer Evidence (IOCE) (now defunct) and the Scientific Working Group on Digital Evidence (SWGDE).
Many Digital Forensics solutions already include some basic capability for capturing and securing digital evidence (e.g., disk images, memory dumps, etc.) in its original, native, possibly proprietary form. But full Evidence Management should include additional capabilities that support Matthew Braid’s “five rules of evidence”: it must be authentic, accurate, complete, convincing, and admissible.
The first core capability supporting the five rules is the ability to reliably track the “chain of custody”: who has access to the evidence, when it is accessed, why, and so on. Another core capability is the ability to prove (authenticate) that the data has not been altered, using hashing or encryption to ensure its integrity over extended periods of time.
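As an added illustration (not code from the original article), a minimal tamper-evident custody ledger in Python: it pins the item's SHA-256 at acquisition and hash-chains every custody entry (who, when, what action, why), so both alteration of the evidence content and edits to the log itself become detectable. The item id, names and evidence bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Chain-of-custody record for one evidence item.

    Each entry stores the hash of the previous entry, so altering,
    reordering or dropping an earlier entry breaks every later link.
    """

    def __init__(self, item_id: str, acquired_by: str, content: bytes):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(content)  # integrity anchor
        self.entries: list[dict] = []
        self.record(acquired_by, "acquire", "initial acquisition")

    def record(self, who: str, action: str, why: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item": self.item_id, "who": who, "action": action, "why": why,
            "when": datetime.now(timezone.utc).isoformat(), "prev_hash": prev,
        }
        # Canonical JSON (sorted keys) so the hash is reproducible on verify.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """Recompute every link; False if any entry was edited or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def content_intact(self, content: bytes) -> bool:
        """Compare current bytes against the hash taken at acquisition."""
        return sha256_hex(content) == self.acquisition_hash


# Constructed sample: a tiny stand-in for a disk image.
SAMPLE_IMAGE = b"\x00\xffEXAMPLE-DISK-IMAGE\x00"
```

On a real vault, the entry hash of the last record would be written to a separate append-only store so the ledger's own tail cannot be silently truncated.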
Over time, the more forensic analysis an organization performs, and the more cases it investigates with potential for prosecution, the more critical it becomes to establish some type of “vault” storage capability to properly handle and secure the growing volumes of digital evidence being collected. Use and re-use of this type of storage must strictly adhere to both policies (e.g., retention policy) and relevant legal regulations (e.g., case law describing the conditions under which storage may be wiped and reused).
Depending upon the nature and geographic locations involved in a cyber investigation, the records retention requirements can become quite burdensome and require significant investment in appropriate storage capabilities.