Organisations need a digital evidence plan - comments?

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

An interesting article by Daniel Thomas at Computing

http://www.itweek.co.uk/computing/news/2142618/organisations-digital-evidence

Extract

Businesses could lose legal disputes and miss out on insurance claims because of their inability to collect and preserve computer and internet-based evidence, experts have warned.

While firms are investing heavily in disaster recovery plans for low-probability events such as fire or terrorism, many are failing to identify and preserve important digital evidence required to tackle more frequent incidents, such as payment disputes, employment tribunals and fraud.

Unless companies put procedures in place to handle potential digital evidence contained in emails, web transactions, computers and mobile devices they could lose legal action and risk downtime when investigation teams seize systems as evidence, says security industry body the Information Assurance Advisory Council (IAAC).

As someone who's been (gently) ridiculed in the past for emphasising the importance of "proactive" computer forensics preparation, it was nice to see I'm not alone!

What do others think? Is this something you see enough of (i.e. organisations being prepared for an investigation?) My guess is it's very rare for most organisations to have given it any thought, let alone put anything in place, but your experience may differ…

Jamie


   
(@nbeattie)
Eminent Member
Joined: 20 years ago
Posts: 26
 

Jamie

I believe you are 100% correct in your thinking.

Most organisations spend all their time trying to prevent incidents from occurring and spend little time, if at all, on post incident issues such as data collection.

I have worked with and had dealings with a large number of corporates and very few have even thought about this subject. For example, if a web server has been compromised, most techies will just wipe then rebuild rather than analyse the root cause of the attack. In most circumstances, the rebuild will leave the same holes that were exploited so the company is no better off.

I have been doing a course on Information Security Management (essentially implementing BS7799) and there is a section on developing an incident management plan, but it is very small compared to the rest of the course.


   
(@fatrabbit)
Estimable Member
Joined: 21 years ago
Posts: 132
 

So what is the general suggestion, companies actively archiving employees' e-mails and web transactions? What is the current state of play with regard to data protection and invasion of privacy?


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Can't speak for UK legislation per se, but certainly there's a need to study all relevant privacy laws whenever considering this type of proactive behaviour (e.g. increased logging). Not only to cover our own backs, of course, but also because such legislation, if well conceived, is worthwhile in its own right.

Having worked out not only what you can do in terms of preparation, and perhaps more importantly when you can do it, I think it's clear that thinking about these issues beforehand should lead to a more timely and appropriate response when the time comes (and I am talking about covering our backs there!) Every situation needs to be assessed on its own merits as by and large, at least as far as the legislation I'm aware of in the Netherlands is concerned, the powers of the investigator may change in relation to the perceived threat or level of suspicion at a particular moment in time.

Jamie


   
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

Jamie,
Really good article, thanks! I know this is something we are working on heavily. We are refining our procedures and policies to reflect the preservation of evidence although it's more for the sake of defending ourselves from litigation rather than prosecuting. We are drafting guides for first responders and the investigative teams. We are most likely going to be constructing a forensic lab in the near future as well.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Good luck with that, hogfly. Plenty to keep you busy 😉

Jamie


   