Illegal Acts archives - IT Governance, Risk, and Compliance


Illegal Acts

Aug 17 2009   8:26PM GMT

Preserving Electronically Encoded Evidence - Part IV



Posted by: Robert E. Davis
Boot, Configuration, Irregularities, Data Acquisition, Electronic Discovery, Event Management, Illegal Acts, Incident Handling, Incident Response, Law Enforcement, Information Security Management, Forensic Imaging Software, ISM

Whether target data is in transit or at rest, it is critical that measures are in place to prevent the sought information from being destroyed, corrupted or becoming unavailable for forensic investigation. When evidence is at rest, adequate procedures should be followed to ensure evidential non-repudiation. Volatile data capture assists investigators in determining the system state during the incident or event. Consequently, the utilization of functionally sound imaging software and practices is essential to maintaining evidential continuity.

View Part I of the Preserving Electronically Encoded Evidence series here

Aug 13 2009   9:04PM GMT

Preserving Electronically Encoded Evidence - Part III



Posted by: Robert E. Davis
Boot, Configuration, Irregularities, Data Acquisition, Electronic Discovery, Event Management, Illegal Acts, Incident Handling, Incident Response, Law Enforcement, Information Security Management, Forensic Imaging Software, ISM

Creating evidential copies through routine backup procedures will only replicate specific files; files carrying delete indicators are not recovered, nor is the designated ‘free space’ between files. To remediate this limitation, a ‘forensic image’ should be obtained utilizing task-oriented software. Appropriate forensic image software reproduces an exact working copy of the original media’s content. Technologically, media content imaging can be carried out without launching the computer’s operating system, thereby avoiding tampering allegations. Functionally, the applied imaging software should be capable of making an exact replication of every encoded bit contained on the target media.

Residual data includes deleted files, fragments of deleted files and other data that are still existent on the disk surface. Forensic imaging software can capture residual data on targeted drives. Effective imaging replicates the disk surface sector-by-sector as opposed to reproduction file-by-file. With appropriate tools, even data commonly considered destroyed can be recovered from a disk’s surface. Furthermore, imaging software can also generate a log file recording IT parameters such as disk configuration, interface status, and data checksums that are critical for supportable conclusions regarding an incident or event.

After creating at least two media images, one replication can be inserted as a target system substitute for the original while the second replication can be utilized for forensic analysis. Lastly, once facsimiled, the original media should be sealed in a sterilized container, labeled and stored as evidence.
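As an added illustration for the imaging and evidential-continuity points in Parts III and IV (not the author's code and not any particular imaging tool), the Python script below images a constructed 8-sector ‘disk’ sector by sector, writes an acquisition log carrying the disk parameters and independent checksums of the source, the copied stream and the image, and shows that residue left in unallocated space survives a sector-level image but not a file-level backup. The sector size, the sample disk contents and all function names are assumptions.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector; an assumption for the constructed disk


def build_sample_disk():
    """Constructed 8-sector disk: sector 1 holds a live file, sector 5 holds
    the residue of a deleted file that now sits in unallocated 'free space'."""
    disk = bytearray(8 * SECTOR)
    live = b"LIVE FILE: quarterly report"
    disk[1 * SECTOR:1 * SECTOR + len(live)] = live
    residue = b"DELETED FRAGMENT: old ledger"
    disk[5 * SECTOR:5 * SECTOR + len(residue)] = residue
    return bytes(disk)


def image_device(src, dst, sector=SECTOR):
    """Copy src to dst one sector at a time, hashing the stream as it passes.
    Returns (sectors_copied, sha256 of every byte that went through)."""
    stream, count = hashlib.sha256(), 0
    while True:
        chunk = src.read(sector)
        if not chunk:
            break
        dst.write(chunk)
        stream.update(chunk)
        count += 1
    return count, stream.hexdigest()


def acquire(disk_bytes, sector=SECTOR):
    """Image the disk and build the acquisition log: configuration parameters
    plus three independently computed checksums that must all agree."""
    src, dst = io.BytesIO(disk_bytes), io.BytesIO()
    sectors, stream_hash = image_device(src, dst, sector)
    image = dst.getvalue()
    source_hash = hashlib.sha256(disk_bytes).hexdigest()  # re-hash the original
    image_hash = hashlib.sha256(image).hexdigest()        # hash the copy itself
    log = {
        "sector_size": sector, "sectors_copied": sectors, "bytes_copied": len(image),
        "sha256_source": source_hash, "sha256_stream": stream_hash,
        "sha256_image": image_hash,
        "verified": source_hash == stream_hash == image_hash,
    }
    return image, log


def file_level_copy(disk_bytes, allocated_sectors, sector=SECTOR):
    """What a routine backup captures: allocated sectors only, no free space."""
    return b"".join(disk_bytes[s * sector:(s + 1) * sector] for s in allocated_sectors)
```

On real media the source would be opened read-only (ideally behind a hardware write blocker) and the log retained alongside the image as part of the chain of custody.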

View Part I of the Preserving Electronically Encoded Evidence series here


Aug 10 2009   7:59PM GMT

Preserving Electronically Encoded Evidence - Part II



Posted by: Robert E. Davis
Boot, Configuration, Irregularities, Data Acquisition, Electronic Discovery, Illegal Acts, Incident Handling, Incident Response, Law Enforcement, Information Security Management, ISM

Conditionally, if the target system is turned off, simply turning the technology on and permitting a ‘boot’ can introduce content changes to files directly or indirectly connected through operating system procedures. Some files interacting with the IT boot process may not be of interest to an investigation. Nevertheless, IT boot configuration modifications can cause previously deleted files — containing pertinent information — to become irretrievable.

When circumstances will not permit the embryonic operational state and site being maintained until law enforcement authorities arrive, or when management accepts lawful extraction risks, data acquisition procedures may be invoked for evidence preservation. Data acquisition procedures involve the process of transferring encoded content into a controlled location, including electronic media types associated with an incident or event. Upon commitment to this course of action, all earmarked hardware media should be protected, as well as the target content, during transference to another medium through an approved methodology. However, capturing volatile data (such as open ports, open files, active processes, user logons and other random access memory information) is also critical in most situations where evidence integrity can become an issue. By definition, volatile data is transient electronic bits. Therefore, without adequate precautions, volatile data ceases to exist when an information technology is shut down.

View Part I of the Preserving Electronically Encoded Evidence series here


Aug 6 2009   8:39PM GMT

Preserving Electronically Encoded Evidence - Part I



Posted by: Robert E. Davis
Irregularities, Electronic Discovery, Illegal Acts, Incident Handling, Incident Response, Information Security Management, ISM

Seeking to preserve electronically encoded evidence implies an incident or event has occurred that will require extrapolation of facts for presentation as proof of an irregular, if not illegal, act. Anticipating this potential scenario requires that information security management proactively construct incident response and forensic investigation capabilities considering legal imperatives. Consequently, procedures addressing the infrastructure and processes for incident handling should exist within the security response documentation inventory.

Cardinally, all potential electronically captured evidence should be protected (as soon as possible) from deletion, contamination, modification and inaccessibility. When dealing with stored data, prudent information security management dictates informing appropriate parties that evidence will be sought through electronic discovery from the target IT; establishing specific protocols that address preserving electronically encoded evidence; and enforcing eradication restrictions for data residing within the target IT. Furthermore, when feasible, electronically captured evidence should be stabilized in the environment that existed during the suspected inappropriate activity.


Mar 31 2009   9:36PM GMT

Control Assessments - Part IV



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Arguably, data security is the most significant domain supporting information reliability. Entity oversight committees should monitor control activities for on-going relevance and effectiveness as well as responses to information security recommendations. If installed systems are inadequately protected, data may not be properly processed. An entity’s IT employees need to bring a fundamental understanding of operational requirements and security to their respective professional duties to ensure sustained confidentiality, integrity, and availability are achieved through appropriate consideration of control assessment results.

View Part I of the Control Assessments series here


Mar 28 2009   8:20PM GMT

Control Assessments - Part III



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Information security managers should prepare for audits utilizing control self-assessments to verify compliance with laws, regulations, policies and procedures. It is always a sound idea to strategically plan annual control self-assessments. Beneficially, information security practice testing assists in evaluating designed processes and validates that deployed controls are functioning as intended. Following a cyclic approach to control self-assessments cannot guarantee clean audit reports. It will, however, aid in ensuring the security department is briefed on governance expectations.

There are a few traditional events that occur once a year; some are considered cheerful, while others are considered dreadful. Regarding IT audits, enlightened security managers approach the assurance process as a periodic assessment of the way business is conducted throughout the year that enables obtaining an external view of the current state of IAP controls from knowledgeable professionals. IAP managers that normally encounter difficulties during audits are those that adopt an adversarial posture. IT auditors are not storm troopers sent to dismantle departmental efficiency, and security managers that build communication firewalls and ‘honeypots’ based on a perceived organizational threat premise have misinterpreted generally accepted IT audit objectives.

View Part I of the Control Assessments series here


Mar 24 2009   7:11PM GMT

Control Assessments - Part II



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Management needs to understand the status of the entity’s IT systems to decide what safeguarding mechanisms should be deployed to meet business requirements. When IAP monitoring is built into the entity’s operating activities, and process performance is reviewed on a real-time basis, control degradation can easily be ascertained for expeditious remediation. Characteristically, productive monitoring activities dynamically adapt to environmental factors, with each control assessment being performed according to an authorized plan reflecting the evaluation type, assurance level, and information classification.

Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. Furthermore, an IT auditor may not be the individual who executes an entity’s information security internal control review (ICR). However, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective actions, can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.

View Part I of the Control Assessments series here


Mar 19 2009   7:56PM GMT

Control Assessments - Part I



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP

For most entities, information and related technologies compliance management is critical to survival as well as success. As with other organizational programs, security compliance does not occur through managerial intent transmissions from a remote planet in some distant galaxy far, far away. Typically, an entity’s oversight committee and subordinate management periodically evaluate the effectiveness of an information assets protection (IAP) program’s responsiveness to recommendations, control and monitoring activities as well as the ability to prevent or detect irregular and illegal acts. Consequently, information security managers should continually seek to improve IAP controls.