Do You Know Where Your Evidence Is?

A closer look at digital forensics within incident response 

In part two of our series focused on the Enemy Perspective, we’ll focus on an important element of incident response: digital forensics investigations. 

The digital forensics and incident response (DFIR) world continues to evolve on a yearly basis. Investigators need to keep track of changes to the various operating systems, new attack vectors discovered, uncover new locations of evidence and on occasion an ethical quandary regarding an undocumented “Activities” API for Microsoft Outlook O365 (also known as the Secret Office 365 Forensics tool). 

But we are not here to talk about artifact locations, tools or other investigation standards that change. This blog is meant to highlight an often-overlooked part of digital forensics and/or incident response investigations. There are organizations lucky enough to have internal forensic investigators or incident response teams on staff. Even in these organizations there are going to be times when an external third party is needed for investigation.  

1.  What happens to your company’s data/evidence after collection by third parties? Who retains ownership of that data or evidence during an investigation? 

In reality, there are only a couple of answers to these questions. Let’s tackle them one at a time. 

• What happens to data/evidence collected and analyzed during an investigation by a third-party? 
• Once the evidence leaves your organization it is likely going to one of the following locations: 
• State/regional digital crime lab - Data and evidence ending up at a state/regional digital crime lab is unlikely. We typically only see this when law enforcement is involved in the investigation.  
• A corporate office for the third-party you brought in - Something important to consider when evidence is going to your third party’s corporate facility is what types of controls are in place for accessing the storing room or space. This may be a space carved out for forensics or it could be the consultant’s desk cubicle. We have witnessed evidence stored in cabinets (without locks) above a consultant’s desk to a dedicated room on premises with minor to higher level access security controls. So security with regard to storing evidence or data can really vary. 
• A consultant’s home or apartment - Sometimes evidence is taken from a client’s environment to a personal living space. This is concerning on many levels, and unfortunately we see it time and time again with some organizations. There tends to be a lack of security controls in most of these instances. The enterprise incident management team learned of one client’s woes when a third-party consultant removed evidence from the client site and began working on the evidence at their home. In an unknown amount of time there was a home invasion and all electronics were stolen, including the powered-on laptop with the USB drive containing evidence. Unfortunately, the client now had to disclose a breach for an investigation that did not originally meet notification disclosure requirements. 
• A dedicated lab owned by your third-party forensics team - These are questions you should absolutely ask your third party forensic and incident response teams. Do you have a dedicated lab for processing and analyzing evidence? What are the controls on the facilities, lab space, evidence locker, etc.? What is the process for destruction of the data? How long is your third party going to hold on to the data? 

2.  Who retains ownership of the data/evidence during an investigation? 

Some overly aggressive firms have language in their MSAs, SoWs and retainers that changes the ownership “of any and all collected evidence” to the external firm. The firm does not want your intellectual property, customer lists or health information. What they want to own is the metadata and the indicators of compromise (IOC) for the attack. However, that comes with a caveat that they can do what they want with the data they own. Imagine being a one-of-a-kind organization in a specific area of the world/country/state. A simple web search can be used to identify the company who suffered an incident/possible breach when the firm releases a blog post referring to a new attack campaign that targeted a specific industry vertical in a specific location. It is extremely important to get this ironed out in contracts before an active incident, when time is of the essence. 

We love to take clients through our high-level investigative procedures for responses to every sort of incident, because we’re proud of what we do. But we also urge our clients, both potential and active, to not forget the simple stuff, and that’s data storage and ownership. You must know before, during and after any incident and investigation where your evidence and datum is going, where it’ll be stored and who owns it once it’s settled. And because that sounds so simple it becomes very easily forgotten. And the hassle that follows when it’s forgotten makes it paramount to your enterprise’s security practice.