The importance of evidence preservation in incident response

Incident response has become a crucial component in the information security management process of every well-prepared organization. Performing effective incident response is a complex operation that requires resources and planning. Forensically sound preservation of evidence can also easily be overlooked by an incident responder due to the rapid and changing nature of the incident being investigated, which can potentially have a huge impact on the effective post-incident analysis and potential legal position.

This blog highlights the importance of evidence preservation and the necessary steps that should be taken in all stages of proper incident handling and preservation of digital evidence until the incident is resolved.

Why is evidence preservation important?

Preserving critical electronic evidence during a security incident is a must in order to obtain a full incident overview and to establish a basis for further investigation and threat containment/eradication. This evidence preservation is of crucial importance for successful incident analysis utilizing strict data preservation standards to ensure all potentially relevant data is captured and remains uncompromised during the course of the investigation.

Subsequent to detecting a cyber attack, most incident responders are prepared to contain and remediate the incident as soon as possible. Responders must, however, be wary not to rush the collection of evidence. This could destroy or potentially compromise items of evidentiary value, which could identify attacker methodology or avenues of compromise. These evidence items, appropriately collected in accordance with established regulations and/or best practices could further assist law enforcement in successful prosecution of the crime, and this is why the preservation of evidence should be the first priority in any incident.

Steps to incident handling management and preservation of digital evidence

Whether gathering digital evidence from single or multiple sources, forensically sound methods need to be applied in order to preserve key digital evidence. This will assist in establishing a clear picture of the incident and effective response to be launched. When sensitive information is compromised, it is important to ensure that all of the obtained pieces of electronic evidence are handled with precision and care, as well as to prevent further damage, such as being overwritten, destroyed, or otherwise corrupted.

When a cyber incident occurs, the incident response team (IRT) should follow the incident handling phases as advised by the National Institute of Standards and Technology (NIST), which provides an outline of the steps necessary to recover the systems, networks, and other assets that are victims of the attack.

Primarily, the ITR should be prepared for such an incident or one similar in nature so it can be more readily recognized and the analysis of the affected assets can start if appropriate. The next step would be to contain and minimize the damage and try to recover as much as possible of the affected data/systems.

It is advisable that after an incident, an organization performs a post-incident report with a detailed explanation and proposes potential solutions in order to prevent further occurrences of the same or similar incidents. Furthermore, as soon as the IRT arrives at the location where the incident has occurred, it is important to mitigate the risks through proper recognition of digital evidence.

Criteria for recognizing digital evidence

• Evaluating the digital environment

Assess the alerts that generate the most false positives and optimize your parsing rules to reduce these. Being able to tune an alarm that is unnecessarily broad will significantly reduce the number of alerts that must be reviewed on a daily basis, be this from your SIEM, Syslog or other feed. More precise analysis of relevant alerts will significantly reduce not only alert fatigue for your analysts, but dwell time for malicious activities in your network as they are identified and remediated faster.

• Seizing evidence

As previously mentioned, the fundamental responsibility of those collecting evidence is to ensure that measures are employed to avoid contaminating any evidence during the collection process. It may be necessary to shut down the machine/systems/network due to collection requirements, forensic best practices or to ensure that the virus/malware has been contained. Additionally, it may be necessary for the evidence to be preserved and backups performed before proceeding. The backups could also include, for example, copies of specific items of evidentiary value related to the incident in order to assist investigators at a later date in the event of litigation. Each piece of evidence should be protected from damage or alteration, labeled and a proper chain of custody maintained.

As soon as this stage is completed, the IRT can continue the process to contain, eradicate and recover all of the affected systems and computers affected by the attack or data breach. If there is further law enforcement involvement, or at their request, the IRT should be prepared to transfer a copy of items being seized, as well as a detailed log or history for all of the activities performed.

• Preparing computers, devices and media

Upon arrival at a forensic laboratory, all of the evidence/equipment should be properly inspected to verify that no tampering took place during transport. All evidence is placed in the evidence preservation lab for safekeeping and for detailed examination. The search and seizure evidence log and shipping manifest are also stored in the lab after this procedure is completed.

The importance of evidence preservation is therefore critical during any cybersecurity-related incident, including the necessary collaboration between IRT and forensic examiners in order to best handle the digital evidence for future use and analysis.

A SOAR solution, such as Cloud SOAR from Sumo Logic, can help organizations respond faster and more effectively to an incident. In an upcoming blog post, I will be discussing how quickly an IRT can respond to an incident and how a SOAR solution can help expedite this.