Throughout my career in digital forensics, I have had the opportunity to observe a wide variety of investigation projects. One challenge that has cropped up time and again is the task of ensuring data preservation prior to the initiation of the forensic preservation process.  

The Locard Exchange Principle in forensic science states: “Every contact leaves a trace.” In the context of digital forensics, this is true whether we consider the custodian, the IT team or the forensics team. When an incident occurs, the key is knowing how to control these variables to ensure the preparation of data in accordance with reliable standards before forensic preservation. 

Since each instance of contact with a given set of data may potentially affect its preservation, specific measures should be implemented from the time an incident is reported up until the forensics team conducts their assessment. Digital data is volatile, so procedures for data preservation may vary depending on the type of device or the nature of incident itself.  

Here are some recommended actions that can be taken in different types of incidents.

1. Device preservation: It is recommended to disconnect devices from the network and either leave them powered on or turned off as they were found, ensuring that the device remains charged if possible. The power state of a computer is crucial, as it may impact the ability to collect volatile data, particularly in the analysis of incidents involving malware attacks or cyber security breaches. On the other hand, in a regular eDiscovery project, the power state of the device may not be as significant, but keeping the device disconnected from the network is strongly recommended. 

2. Device isolation: Keep the device safe and disconnected in a controlled environment until the forensics team arrives. This can help to prevent data loss due to misuse or sabotage. In sensitive cases, such as criminal cases or certain civil matters, a documented chain of custody for the legal team should be established to track the handling of the device. This includes maintaining device isolation and a detailed chain of custody until the expert witnesses or first responders arrive. A process guideline should be developed by the IT and legal teams that aligns with forensic best practices while minimizing operational impacts to the business. 

3. Data protection solutions assessment: It is strongly recommended to have a thorough understanding of the data protection software solutions that are contracted and installed on the devices. Key considerations: 

  • Understand the configuration of hard drive encryption and ensure robust cryptographic key management.  
  • Know which Data Loss Prevention software (a.k.a. DLP) is in use and understand its configuration.  
  • Familiarize yourself with the Mobile Device Management (MDM) solution used on mobile phones and its configuration. It should be noted that mobile data collection may only be possible if the software is completely deactivated on the device. 
  • For computers, it is recommended to verify whether the Trusted Platform Module (commonly referred to as TPM) is enabled. Additionally, it is important to confirm if the device has BIOS password protection and if the custodian’s user privileges have been documented by the IT team. These factors may determine the forensic team’s approach to preparing the computer for data collection.  
  • In cases of incidents related to specific systems or infrastructure, it is recommended to have well-documented log mapping. Many companies do not record their logs, making it more challenging to investigate cyber incidents when they occur.  

(Those last topics may appear too “techy” for some, which is understandable. It is recommended that compliance and legal teams establish close communication with the IT and cyber security teams to discuss processes that align best with the company’s needs during an incident, assess existing mitigation plans, etc.)

4. Data custody assessment: Some companies allow employees to use their personal devices for work purposes. Under some company policies, any digital device owned by the employee can be used for work. However, it is crucial for the company to differentiate between devices owned by the company and those owned by the employee to avoid compromising privacy rights and jeopardizing the integrity of the evidence.  

In some countries, even when using company devices, a custodian may request targeted file collection to protect their personal data stored on the company device. Before any data collection, it is advisable for the legal team to determine the ownership of the devices used for work and the company’s protocols for data collection on these devices. It is recommended that companies have clearly defined legal mechanisms in place to ensure their rights to collect data from any device used for work. Following these guidelines can help prevent legal issues during investigations and must be discussed with the legal team, considering local laws regarding data and privacy rights. 

The tips provided above are just a few of the many strategies that can help reduce the risk of losing relevant data and expedite forensic collections in various incidents. In some cases, taking small actions such as these can play a crucial role in determining the legal admissibility and usefulness of collected data. Negligence and a lack of standards can result in the destruction of more data than an intentional sabotage attempt. 

Get in touch

Can our experts help you?