Preservation of Evidence

This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the initial steps that a business should take once a cyberattack has been identified.  This post will discuss further steps that a business should take after an attack.

Preservation is critical when responding to a cyberattack: the more evidence a business is able to preserve, the greater the chance that it will be able to determine how its system was hacked.  “Forensic imaging” is a useful way to preserve a system because it produces an exact copy of a computer’s hard disk.  A forensic image will capture all of the deleted files, the system’s files, and any other information that may be necessary for a detailed analysis of the attack.

After the necessary information and evidence of an attack has been preserved, the business should begin to transfer its information onto a clean system.  When transferring information, it is important to ensure that the new data is completely free of any impacted documents.  The business should write-protect the transferred data so that it cannot be altered by other corrupted documents.  To maintain the authenticity of the documents, access to them should be restricted and a chain of custody should be used.
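As an added example that is not part of the original post, the following POSIX shell script shows the acquisition step described above on Linux: it copies a source disk (or, for a dry run, a file) bit-for-bit with dd, compares the SHA-256 of the source and the image, write-protects the image and appends a chain-of-custody entry that can be re-verified later.  The function names, the log format and the paths are assumptions for illustration, and it assumes GNU coreutils (dd, sha256sum, stat).

```shell
#!/bin/sh
# Added example, not from the original post. Acquire a forensic image,
# record its hash for the chain of custody, and lock the image read-only.
# Assumes Linux/GNU coreutils; run as root against a real block device
# (e.g. /dev/sdb), or against an ordinary file for a dry run.

# Print the SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE, verifies that both hash identically, makes IMAGE
# read-only and appends a custody record. Returns non-zero on a mismatch.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(hash_of "$src")
    # bs=512 matches the sector size, so conv=noerror,sync zero-fills only
    # unreadable sectors and never pads (and so never lengthens) the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    img_hash=$(hash_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$img_hash" >&2
        return 1
    fi
    chmod 0444 "$img"   # write-protect the image
    # Custody record: UTC timestamp, operator, source, image, digest.
    printf '%s\t%s\t%s\t%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" "$img" "$img_hash" \
        >> "$log"
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE and compares it with the most recent logged digest, so any
# later alteration of the image is detected.
verify_image() {
    img="$1"; log="$2"; tab=$(printf '\t')
    logged=$(grep -F "${tab}${img}${tab}" "$log" | tail -n1 | sed 's/.*sha256=//')
    [ -n "$logged" ] && [ "$logged" = "$(hash_of "$img")" ]
}
```

Run it as `acquire_image /dev/sdb /evidence/sdb.img /evidence/custody.log` and later `verify_image /evidence/sdb.img /evidence/custody.log` before each examination of the image.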

All personnel involved with the response to the attack should keep detailed records of their actions.  This will not only help when modifying the Response Plan in the future, but may also be useful for law enforcement during its investigation.  Preferably, one employee should be in charge of coordinating and maintaining each individual’s information.  This ensures organization and continuity between employees’ responsibilities.  Important information to record includes (1) a description of all incident-related events, (2) details of all communications regarding the incident, (3) a description of each employee’s duties in response to the attack, (4) a listing of how each network system was impacted by the cyberattack, and (5) the version of software on the network.

If an attack is continuous, like a worm circulating through the network, a business should attempt to record the attack’s actions.  A business may be able to use network monitoring devices, like a “sniffer,” to intercept and note communications between the cyberattack and the business’ servers.  This type of monitoring is usually lawful if it is done to protect the business’ property or if network users have previously given consent.  However, a business should consult its legal counsel if it plans to engage in this type of monitoring because it may implicate the Wiretap Act or impact the business’ employment agreements.  A business should also ensure that it has enabled logging on an impacted server if it has not previously done so.  Finally, increasing the default size of the log files can help to prevent data loss and defeat the cyberattack.

The following blog post will discuss which individuals and organizations a business should contact after a cyberattack.