Forensic Readiness – Enabling a Corporate Approach to Digital Evidence

January 1, 2004

In a sense, everything is potential evidence and every ‘bit’ is potential electronic evidence. You only have to read a Sherlock Holmes story to realise that solving a crime may hinge on a seemingly trivial piece of information. Ultimately, evidence is only useful in a legal dispute. For evidence to be useful in court it must be admissible and it must have ‘weight’ (ie it must contribute to the legal argument of guilt or innocence). However, electronic evidence is ethereal: files can be deleted, copied, modified, transmitted and so on. Furthermore, electronic evidence may reveal truth, but it may also hide deception. If any evidence – electronic or otherwise – is to be relied upon, the court must be confident in its validity and integrity, which of course applies to any form of evidence. Just as criminals can leave fingerprints at the scene of a crime, a cyber-criminal can leave cyber-fingerprints.

Understanding Digital Forensics

To collect these cyber-fingerprints requires a digital forensic investigation. In terms of physical evidence, the forensic scientist follows strict procedures to avoid contaminating the crime scene, and to collect and analyse genuine traces of a crime. Similarly, a digital investigator needs to ensure that any evidence produced in court is an exact reflection of what was found at the scene of the crime – eg a computer (in most cases). The main problem is that, if a computer containing the evidence is switched on and used, it may automatically alter some of its files and contaminate the evidence. The digital forensics investigator preserves the evidence by making an exact bit-for-bit image of the memory. Whether it is on the hard disk of a PC, the SIM card of a mobile phone or the memory chip of a digital camera, the principle is the same: the physical evidence must be preserved so that the digital image can be used for the investigation.

After preserving the information, an analysis can begin. This is where many a criminal has been caught, because a good forensic investigator can find files that have been deleted, drafts that were never saved and computer-generated files that the user never even knew existed. These (and more) potentially incriminating traces are grist to the mill of the forensic investigator. Such investigators should be experienced and qualified practitioners, as one mistake can render the evidence inadmissible and worthless.

The Importance of Electronic Evidence

Someday toasters will be digital and will carry a warning.’whatever you eat for breakfast may be used against you in a court of law.’ K Whithers, Federal Judicial Centre

Electronic evidence is becoming increasingly important. It is not just a tool in the fight against Internet crime, but is also relevant to a wide range of crimes that affect businesses and leave electronic traces. Perhaps you fear that your computer systems have been misused; perhaps pornography has been found on your system; perhaps malicious e-mails have been circulating; perhaps company-confidential material has been released to the press or to a competitor; perhaps you have reason to believe that an internal fraud has taken place; perhaps you believe that personal data on your systems have been misused; perhaps you have recently dismissed someone who is now taking action against you in an employment tribunal, alleging that the e-mail evidence upon which you dismissed them was forged; or perhaps a software vendor is suing you, alleging that you are using a pirated version of their software.

The list goes on and on. Each of these situations could lead to a court case and each could be resolved with evidence potentially available on your information systems. The consequences of the failure of an organisation’s case in court are evident, as is the resulting damage to reputation, financial security and share prices.

Success in an investigation and a possible court case requires access to the necessary evidence. This is not as easy as it might seem, as the ‘right’ evidence is unlikely to exist. In any computer security incident there will be a tendency to focus on containment and recovery, as these are the foremost business critical issues. However, in stressing these, important evidence might be damaged or discarded, and therefore there is a trade-off between recovery and evidence. A lot of information is also lost or discarded as part of normal business practice. Moreover, the capability to process evidence cost effectively is vital, as are suitably trained staff with the expertise to ensure potential evidence is preserved. Preparation is the key. This leads us to the idea of forensic readiness.

Forensic Readiness

Forensic readiness is the ability of an organisation to maximise its potential to use electronic evidence when required. Electronic evidence is required whenever it can be used to support a legal process. Recourse to litigation is generally a last resort for most businesses, so why is it necessary to be concerned about evidence? The right evidence facilitates management of the impact of some key business risks. Electronic evidence can support a legal defence. Many criminal hackers use so-called cuckoo systems as a launching point for attacks; if one of your systems is used in such a way, it may be necessary to prove that your organisation is not the real source of the attacks. It may also be necessary to show that you were not negligent in letting the cuckoo into the nest. Electronic evidence can also support claims to IPR; electronic records can demonstrate that due care was taken in a particular process and transaction evidence can resolve a commercial dispute.

Being prepared to gather and use evidence can also have benefit as a deterrent. A good deal of cyber-crime is internal. Staff will know what the company attitude is towards the policing of corporate systems. They will know, or will hear rumours, as to what action was taken against staff and what type of crimes may have been successfully or unsuccessfully committed. A company showing that it has the ability to catch and prosecute this type of insider attack will deter them, in the same way as the shop sign, “We always prosecute thieves”.

So how do you collect and use evidence effectively? There are good, reputable forensics specialists around, but when do you call them in? What will happen when you call them in? How do you decide whether to employ your own specialist investigators or use outsiders? When must you involve the police? How do you keep your information systems running – and your business running – while an investigation is going on? How do you cope with the fact that, if you wait until you know you are going to court before organising your investigation properly, the evidence may already be compromised and your case will probably fail? And most of all: how do you make sure that the information the court needs is available and fit for purpose, when the computer files may have been generated long before you knew you were going to court, and long before you knew anything was wrong?

If you wait until you know you have a problem, it’s probably too late.

The objective of forensic readiness is to collect the evidence that might be required, in a cost effective way, and to be prepared to use it, in your defence, in your interests, and as a deterrent to crime.

Enabling a Corporate Approach to Electronic Evidence

Forensic readiness puts electronic evidence into a business context as well as a law enforcement context. The critical question for a successful evidence-gathering process in business is whether it can be performed cost effectively. In other words:

· Can evidence be gathered to target the potential crimes and disputes that may have a requirement for electronic evidence?

· Can evidence be gathered, stored and retrieved at reasonable cost and within legal constraints?

· Can an investigation proceed at a cost in proportion to the incident?

· Can an investigation proceed with minimal disruption to the business?

· Can the evidence make an impact on the likely success of any formal action?

The European CTOSE project has researched and documented the electronic evidence process. From a business perspective, it found that electronic evidence is rarely actively managed, leaving organisations open to considerable risk. In order to address this, the initial requirement is to identify the potential evidence sources and what crimes and disputes may necessitate the use of evidence. Using this information, it is possible to assess what evidence should be gathered.

Evidence must be legally gathered and securely stored. Above all, the integrity of evidence must be preserved. Staff must be trained to spot suspicious events and to understand when to escalate to a full investigation. Investigations need to be well managed, to produce a cogently argued evidence-based case, and to follow company legal and media policies. The implementation of forensic readiness is a way of bringing together and extracting value from many existing information security practices.

To justify the costs involved with gathering evidence and preparing investigations, an organisation needs a return on investment. Good forensic readiness has many benefits:

· Evidence can be gathered to act in the company’s defence if subject to a lawsuit.

· Comprehensive evidence can be used as a deterrent to the insider threat (throwing away potential evidence is simply helping to cover the tracks of a cyber-criminal).

· In the event of a major incident, an efficient investigation can be conducted and actions taken with minimal disruption to the business.

· A systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation (and of any court-ordered disclosure).

· Forensic readiness can extend the scope of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, extortion etc.

· Forensic readiness demonstrates due diligence and good corporate governance of the company’s information assets.

· It can improve and facilitate the interface to law enforcement (if involved).

· It can improve the prospects for a successful legal action.

The cost-benefit analysis is for senior management to assess the appropriate degree of risk management.

Forensic readiness actually applies all through the company, as a wide range of staff will be involved with, impacted by, or responsible for evidence and investigations, including:

· the investigating team

· the investigation subjects (ie suspects)

· corporate HR department

· corporate PR department

· ‘owners’ of business processes or data.

There are also potential dependencies and interactions with external organisations:

· police (not necessarily local force, especially if defending against allegations from overseas, or if the organisation is multi-national)

· other law enforcement authority (eg HM Customs and Excise, trading standards or Serious Fraud Office)

· overseas prosecution authority or court

· trade union/staff association representatives

· internal or external auditors

· regulatory authorities (eg Financial Services Authority, Data Protection Commissioner, Bank of England)

· customers, suppliers, partner organisations

· facilities management organisations (eg companies to whom IT or building security has been outsourced).

So, forensic readiness requires and enables a corporate approach to electronic evidence. Organisations need staff trained in the sensitivities of evidence and company policy. Implementing forensic readiness requires an understanding of the possible evidence sources, how to gather evidence legally and cost-effectively, when to escalate a suspicious event into a formal forensic investigation; and how to put together a case with the possible involvement of law enforcement agencies.

Establishing a Relationship with Law Enforcement

In the UK, the National High Tech Crime Unit has a confidentiality charter and is actively working with companies to manage the threat to corporate data and the risks to the corporate image from a cyber-crime. There is a win-win scenario for companies who embrace forensic readiness. Companies who understand the electronic evidence process can establish an effective relationship with the relevant law enforcement agencies, who will have a better chance of understanding the scope, scale and nature of hi-tech crime, and can obtain the evidence they need to prosecute it successfully.

Conclusion

Forensic readiness is complementary to, and an enhancement of, many existing information security activities. It should be part of an information security risk assessment to determine the possible disputes and crimes that may give rise to a need for electronic evidence. It is part of incident response, to ensure that evidence found in an investigation is preserved and the continuity of evidence is maintained. It is part of security monitoring, to detect or deter disputes that potentially have a major business impact. Forensic readiness also needs to be incorporated into security training, particularly for middle managers that have to deal with an incident in a multi-disciplinary team.

Many organisations will already perform some of the activities required effectively to collect and exploit electronic evidence in place as part of their general information security, incident response and crime prevention activities. What is needed in most organisations is a systematic and pro-active approach to the gathering and preserving of evidence for a forensic investigation. Forensic readiness is at the heart of this approach.


The use of electronic evidence in formal procedures is likely to grow. Computer laws are being clarified in test cases and lawyers and judges are becoming more familiar with the domain. Disputes are arising from e-business and e-commerce and we are moving towards the information society and pervasive computing. This short article has raised many issues that companies need to consider in order to respond to this trend. Policies should now start to address the needs for electronic evidence gathering by stating what to monitor, what is suspicious, how to gather and preserve evidence, when an investigation should be launched and when to involve law enforcement in countering the crimes that leave electronic evidence.

Dr. Rob Rowlingson is a Researcher with QinetiQ, the forensic specialists (www.QinetiQ.com).