Digital evidence: are you prepared?


By Matthew Chu, Forensic and Investigation Services

For most organisations, computer systems have become the preferred tool for doing business: they are used to store documents and files and to carry out online transactions. However, how many users have considered that they might one day need to provide admissible and reliable digital evidence to support a legal dispute, to investigate a suspected crime, or even to demonstrate compliance to regulatory bodies?

Computer forensics is now a recognised discipline and demands a very high standard for preserving digital evidence from corporate networks, the internet, handheld devices and other portable devices. To prevent potential digital evidence from being contaminated, an organisation must ensure that evidence is gathered and preserved in a forensically sound manner. Where the first responder acts inappropriately, the presence or absence of relevant policies and procedures could prove critical to the success or failure of a litigation case.

Over the past few years, many companies have standardised their disaster recovery and business continuity policies and procedures to cover events such as fire, flood, electricity failure, earthquakes and communication network failures. But very few organisations have developed practices to identify, gather and preserve digital evidence in an efficient and cost-effective manner when investigating, for example, malicious computer attacks, hacking and potential leakages of data and information, while at the same time ensuring minimal impact on business operations.

Management objectives
The primary duty of an organisation is to survive so that it can continue to serve its customers and clients. Furthermore, it must be able to fulfil its obligations to its banks, its employees and finally the public. In addition, commercial organisations are expected to generate profits for shareholders. In the case of a suspected computer crime, an organisation's primary objectives may include:

arranging for business continuity,
rapid recovery of basic operational functions,
successful legal and insurance claims,
assisting law enforcement in potential criminal matters,
mitigating potential risks.

While recovering from a disaster, whether of natural or human cause, it is difficult for management to determine its objectives for a computer forensic investigation until more information about what has really taken place is available. In particular, there can be a significant conflict between the organisation's need to continue its business and the requirement to collect reliable and forensically sound evidence from the suspected computers, since those same computers may be needed to keep the company running.

In such real life scenarios, the organisation needs a management team and a framework to deal with crisis decisions. These crisis decisions may include:

identification of the appropriate personnel to deal with the crisis,
diagnosis of the emergent problem,
assessment of the overall impact on the organisation,
investigation, recovery and liaison with third parties, public relations and law enforcement agencies.

Many large organisations already have disaster recovery and business continuity plans for fire, flood, malicious attacks and more. In addition, there may be unique situations which require careful attention and a tailor-made response strategy. In these cases, management needs to identify in advance the internal and/or external personnel and resources (including executive decision-makers) needed to address such matters effectively when they do occur. The most important decision in a case of suspected computer crime is whether in-house expertise or third party computer forensic experts are required to assist in the investigation, or whether a combination of the two is needed.

The considerations
When developing policies and procedures to deal with a crisis, an organisation must understand the level of risk involved in particular incidents by conducting a risk analysis that identifies the types of threat the business faces, the frequency with which they may occur and, finally, the monetary impact on the organisation if an incident were to happen. Through risk analysis, the management team can develop a set of processes to mitigate each identified risk. These policies and procedures usually take the form of preventative and detective countermeasures that reduce the impact of potential damage. Such measures may include administrative changes, audit control reviews, deployment of appropriate technologies and development of disaster recovery sites.

Alongside the risk analysis, at the other end of the scale, organisations must take into account the legislation and regulation that oblige businesses to produce and preserve a wide variety of business records. The better known pieces of relevant legislation and regulation include the US Sarbanes-Oxley Act of 2002, the Basel Committee on Banking Supervision Revised International Capital Framework of 2004 (better known as "Basel II") and the Freedom of Information Act 2000 (UK and US), to name just a few. These regulations carry explicit penalties for the deliberate destruction of essential files. Organisations in the financial services sector are required to conduct risk assessments on companies requiring loans or financial assistance in the form of investments, and may be required to produce reliable information on request within a given period of 20 days.

Formulating a response strategy
The goal of a response strategy is to formulate a set of predetermined courses of action for responding to a given set of circumstances, based on information gathered from an investigation. The strategy should take into consideration the business, legislative, regulatory, technical and legal factors that surround the incident. The final set of actions will depend on the objectives of the organisation and on the individual responsible for determining the overall strategy. These steps may involve a combination of internal "Information System" personnel and external "computer forensic experts" to assist in the business recovery and investigative process and to reduce the impact on the overall business.

Summary
When considering the right strategy for a particular potential incident, an organisation must strike the right balance between real life scenarios, the probability that an incident might occur and whether it would cost the company millions of dollars to reinstate its business functions. At the same time, organisations must not neglect legislation and regulation when developing such practices. If asked to submit evidence to a court of law, an organisation must produce evidence which is forensically sound, reliable, examined by trained forensic experts and, finally and most importantly, legally admissible.


matthew.chu@gthk.com.hk
