Data Security and the Preservation of Evidence

Joe Calandrino

Security & Privacy

Digital Forensics

Client Bulletin

March 21, 2013
Discovering a suspected data breach in your systems can be a harrowing experience. Available details might be confusing or unclear at first, and concerns about what the incident may mean for your business, your customers, and others can be overwhelming. As chaotic as the situation may be, a calm and organized response can save considerable difficulty. In this post, we'll discuss actions you should take following a potential data breach that can help preserve evidence for an investigation and protect against additional danger.

Seek Legal Counsel: Before continuing, we wish to note the importance of legal guidance in responding to a possible data breach. Your legal obligations in the event of exposing patient medical records differ dramatically from your obligations in the event of revealing a partner company's business plans or your customers' credit card numbers. A prompt call to an attorney who specializes in privacy and data security issues is critical. Preferably, your business would have prepared a data breach response plan under legal guidance in advance, helping avoid the possibility of early missteps. Nothing in this post should be interpreted as a substitute for legal advice.

Seek Technical Help: Specialists such as Elysium Digital with experience in assisting firms facing a possible breach can be retained to investigate. The goals of the technical investigation are:

  • To reconstruct the attack narrative to uncover the enabling vulnerabilities
  • To determine the scope of the attack
  • To determine the data exposed
  • To decide on immediate and long-term remediation steps
  • In some cases, to identify the responsible parties

Preserve the Evidence: The success of the investigation depends on the quality of the available evidence. To foil a potential investigation, attackers may delete files or perform other modifications to cover their tracks. By using or modifying a system after a breach, you may inadvertently destroy evidence of actions that a forensic investigation could otherwise uncover.

Thus, your first concern after discovering a possible breach is to preserve the evidence. While the exact steps to take depend on the situation, advisable steps may include:

  • Turn off your server(s) (just pull out the power plug)
  • Swap all hard drives out of the affected servers
  • Use a properly-trained forensic consultant to create court-defensible forensic images of server hard drives++
  • Rebuild a secured system on new drives
  • Create forensically-sound images of backup media, network monitoring details (such as network logging, router/firewall logs, or intrusion detection systems), and all relevant log files, as these may contain evidence of the attack over time
  • Document and preserve copies of your network layout and configuration at the time of the attack, including network topology and the configuration of any routers and firewalls

++ Be careful how images are collected, and always use forensic specialists for this task. For all of their other invaluable skills, IT departments often are not aware of the specific steps that enable a preservation effort to stand up in court. Forensic images are perfect copies of the entire contents of a storage drive, including deleted and fragmentary data that cannot be captured by doing an ordinary file copy. GHOST and similar backup tools do not capture forensically-sound images. If in doubt about how to collect forensic images, do not hesitate to call Elysium for free advice.

If you cannot remove the hard drives and cannot immediately call in a forensic investigator, you should attempt to back up as much of the system as possible before modifying the system to secure it. A complete copy of all data would be ideal, but at a minimum, you should preserve originals of any modified files and take care to ensure that your preservation process retains metadata such as creation and last-modified dates. You should also store copies of any system, application, server, FTP, database, and other logs as soon as possible. Even if an attacker has modified log files, they still may contain useful information. Preservation of backups and logs is particularly urgent if they may be deleted or overwritten as time passes.

In addition, you should document any changes that you make (system settings, accounts, firewall settings, etc.) and any remediation steps that you undertake. If these changes can be independently documented or verified via log files, copies of files, etc., you should also preserve evidence supporting the changes so that others can verify them later. For example, you could take a screenshot of the configuration screen or back up the configuration files both before and after a change is made. Among other benefits, this evidence demonstrates your remediation process to any interested parties who may assess your efforts to mitigate the breach.
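The preservation steps described above (copying originals with their timestamps intact, keeping logs and configuration snapshots, and leaving a record that others can verify later) can be scripted; the POSIX shell script below is an added example, not Elysium's own tooling. It assumes `cp -p`, `find` and either `sha256sum` or `shasum` are available, and the directory names and sample files used with it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bulletin: copy log/config files with their
# mode, owner and modification times intact, record SHA-256 hashes of the
# ORIGINALS, and verify the copies against that manifest now or later.
# Assumptions: POSIX sh with cp -p, find, and sha256sum or shasum.
set -eu

# Use whichever SHA-256 tool exists (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_evidence DEST_DIR LABEL: re-hash every preserved copy and compare
# it with the manifest; returns 1 on the first missing or altered file.
verify_evidence() {
    out="$1/$2"; manifest="$1/$2.sha256"
    while read -r hash rel; do
        [ -f "$out/$rel" ] || return 1
        [ "$(sha256_of "$out/$rel")" = "$hash" ] || return 1
    done < "$manifest"
}

# preserve_evidence SRC_DIR DEST_DIR LABEL: copy SRC_DIR to DEST_DIR/LABEL
# with cp -p (keeps metadata), write DEST_DIR/LABEL.sha256 from the
# originals, note who collected it and when, then verify the copies.
preserve_evidence() {
    src=${1%/}; dest=$2; label=$3
    manifest="$dest/$label.sha256"
    mkdir -p "$dest"
    cp -pR "$src" "$dest/$label"
    : > "$manifest"
    # Hash the originals, not the copies: the manifest documents what
    # was on the system at collection time.
    find "$src" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#"$src"/}" >> "$manifest"
    done
    printf 'collected_by=%s\ncollected_at=%s\nsource=%s\n' "$(id -un)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" > "$dest/$label.meta"
    verify_evidence "$dest" "$label"
}
```

Run the same `preserve_evidence` call against a configuration directory before and after a remediation change to keep the two snapshots the text recommends, each with its own manifest.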

When working with a specialist such as Elysium on the response to a data breach, the specialist has a duty to provide independent analysis. They may:

  • Ask you questions about your operations
  • Ask you to make your IT staff and policies available to help inform the investigation
  • Ask you to entrust them with confidential data belonging to your company or your clients (subject, of course, to contractual requirements to keep this data confidential)
  • Uncover and suggest additional ways of strengthening your system, including suggestions that may seem unrelated to the attack under investigation but reduce the potential for future attacks
  • Uncover evidence that confirms or narrows the possible scope of the attack

Having an outsider dig through your systems following a suspected data breach may be intimidating. If you believe that you have already patched any vulnerabilities, you may be tempted to simply move on. However, an investigation can be a critical step, even when not legally required. An investigation may settle questions regarding the data accessed and provide confidence in any remediation steps, including confirming that the attacker has not left any “back doors” in your system to maintain access for future attacks. The investigation also may uncover ways to reduce future risk, preempting the need to repeat an unpleasant process. Experienced investigators understand that this review may be unpleasant, and they attempt to perform their work objectively and professionally. Preservation of evidence can make this process as smooth and painless as possible, helping you to achieve the goal of protecting both your data and the trust you have built with your customers and clients.

Elysium Digital offers a full range of services to assist with data breach investigations. For more information about how Elysium can assist you or your clients in a forensic matter, please contact us.