March 15, 2016
IIn 2007, the city of Los Angeles was locked in a particularly nasty round of contract negotiations with a labor union representing, among others, a couple of transit engineers. At some point in time before this, one of the engineers' supervisors had shared his login credentials with him. Using the borrowed password, the two engineers allegedly entered the system that controls the traffic lights of L.A.'s notoriously busy intersections. They reset four traffic lights at critical intersections and then hacked the system so that no one else could get back in and undo their work. For four days, the lights were useless in directing traffic at those already hectic and hairy intersections.
This is just one of countless scenarios in which your data, computers, and systems might be called to testify against someone in a court of law. In some situations, the organization has to prove an insider job; in other cases, they have to identify and prosecute an outsider. No matter what happened, you'll need to be able to bring your data and systems to court with confidence that the data is all present, accurate, and accounted for. This is what it takes to assure your data and systems can raise their virtual right hand and swear to tell the truth, the whole truth, and nothing but the truth.
Court-Worthy Data Starts With Asset Management
Database, do you swear to tell the truth, the whole truth, and nothing but the truth, so help you God?
It can be years between the time a criminal act or an act that leads to civil court comes to trial. In some situations, you might not know about the incident for months, perhaps years, after the fact. That means that you need to be preparing now for a scenario that may or may not happen anytime in the future. A solid backup plan and good asset management can protect you in court, as well as many other situations (business continuity 101).
Keep copies of your full system backups for as long as possible, given the storage space, budget constraints, and other resource restrictions. If you can afford to keep backups for ten years, do it. This way you will have whatever data might be subpoenaed. A smart asset management plan means that you know where any relevant computers, servers, or other hardware is. In the event that the equipment was disposed of, asset management best practices means that the system was fully backed up before disposal, wiped clean, and logged properly, and the chain of custody can be presented in court as ironclad.
Court-Worthy Data Requires an Overseer
When data goes to court, it will need a human representative (perhaps more than one). The IT manager in charge of asset management, database administrator, or whoever is charged with overseeing asset management, network monitoring, backups, etc. will need to be able to present their recollection of the events, supported by documentation of the activities. This means that the documentation has to be created at the time of the activity. Courts won't accept or have confidence in documentation that was manufactured after the fact. In fact, it could cause your organization to face undue scrutiny for fabricating evidence.
What Needs to Be Kept and Protected?
The court will require an overseer who has first-hand knowledge and memories of the events to testify on the chain of custody and handling of related data, systems, computers, servers, and other digital evidence.
What documentation, data, and other digital forensic evidence do you need to be keeping in case it is needed for court? Obviously, the nature and circumstances of each case differs. Here is a good starting point:
- Email, instant messages, chat messages, and other electronic communications.
- Mobile devices used to access systems, store data, or for electronic communications. Even if the devices aren't available, the data and transaction records should be.
- Web server access logs
- Proxy server logs
- Intrusion detection systems
- Application logs
- Dark network logs
- Database information relative to the event
- Cloud-based data (even if the cloud service is no longer active)
- Other relevant ESI (Electronically Stored Information)
Obviously, the network monitoring solutions have to be in place before the event in question even occurs to be useful in court. Do you need more information on network monitoring and security? Take advantage of this free webinar on securing your WLAN.