E-forensics: what you need to know

If you reported being mugged to the police, you’d expect to have to provide them with enough information for them to start an investigation. As a minimum, you’d expect to have to tell them where and when the attack took place and what was stolen.

The same holds true of reporting a cyber crime, which is (one of the reasons) why managing your systems, data and communications in an effective manner is so important.

Store data centrally and back it up

Within a police station, you would not find evidence put into desk drawers and filing cabinets along with routine paperwork. You would find it kept in secure evidence lockers and you would probably not be allowed to handle the contents.

You need to apply the same approach to managing your log files and data, and this is a necessity, not an “option”. One good point about dealing with digital evidence as opposed to its physical counterpart is that it can be backed up, so make sure it is.

You need a corporate policy on managing logs

This is not a “nice-to-have” or a maybe, it’s an essential. As a minimum, you need to specify what data is being captured and why, as well as how it is treated after capture.

Think about popular crime shows on TV, like CSI. The comments you will hear on those shows about the importance of ensuring that crime scenes remain free of contamination are just as valid for e-forensics as they are for physical crime scenes: if you ever want to use a log file as evidence in court, you will have to be able to demonstrate that it has been preserved in a way that has protected it from tampering.

That means, in the event of a crime, you have to follow the same sort of procedures as the police do when they are collecting evidence, including having a robust chain of custody.
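One practical way to support that chain of custody is a hash-linked custody manifest: every time a collected log file changes hands, record its SHA-256, who handled it, what they did and when, and link each record to the previous one so neither the file nor the record can be altered without the change showing. The following Python is an added illustration written for this article, not a tool the article describes; the sample log content and the custodian names are constructed.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entry_digest(entry):
    # Canonical hash of an entry's fields, excluding its own digest.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(manifest, path, custodian, action):
    """Record who handled the file, what they did and when, linked to the prior entry."""
    entry = {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "custodian": custodian,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "previous_entry_hash": manifest[-1]["entry_hash"] if manifest else None,
    }
    entry["entry_hash"] = entry_digest(entry)
    manifest.append(entry)
    return entry

def verify_custody(manifest, path):
    """Return (chain_intact, file_unchanged) for the manifest and the file on disk."""
    chain_intact, previous = bool(manifest), None
    for entry in manifest:
        if entry["entry_hash"] != entry_digest(entry) or entry["previous_entry_hash"] != previous:
            chain_intact = False  # an entry was edited or removed after the fact
            break
        previous = entry["entry_hash"]
    recorded = {e["sha256"] for e in manifest}
    file_unchanged = len(recorded) == 1 and sha256_file(path) in recorded
    return chain_intact, file_unchanged

def make_sample_log():
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "w") as f:  # constructed sample line, not a real log
        f.write("Jan 01 00:00:01 host sshd[1]: Failed password for root\n")
    return path
```

The verifier distinguishes a modified evidence file (chain still intact, file changed) from a rewritten record (chain broken), which is the distinction you will be asked to demonstrate.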

Litigation hold

Litigation hold basically means being instructed to keep a record of email messages in case they need to be used for legal purposes. The actual technicalities of implementing the hold are often straightforward; in fact, Microsoft Office 365 has an in-built facility to enable a litigation hold.

Essentially, an effective litigation hold management process needs to be able to:

  • Identify all custodians
  • Identify and locate all data sources
  • Ensure compliance with the litigation hold order.

The fewer custodians and data sources there are, the easier it is to keep tabs on the entire process and the less likely you will be to find yourself subject to sanctions for failing to preserve evidence, even if the failure was entirely unintentional.

It is also important to remember that litigation holds can apply to data produced by former employees, so your organisation needs to have a process for holding their data for at least as long as required by law.

E-forensics might sound like intimidating terminology, but good data management and a working knowledge of cyber security will take you a long way towards having effective policies in place. Work with your cyber-security or IT consultants to make sure your processes are up to date and efficient.