At #19 on our list of “Top 20” SOC Capability Areas is Digital Evidence Management. Digital Forensics solutions may already include some basic capability for capturing and securing digital evidence. But it is also important to consider the implications of the formal tracking, retention, authentication, and long-term accessibility of this evidence for it to be deemed admissible in court.
Directly related to the Digital Forensics and Case Management capabilities described in earlier articles, even a modest-sized Security Operations team will eventually need to establish some type of Digital Evidence Management policies, disciplined practices, and supporting capabilities. Refer to the principles and definitions first authored by the International Organization on Computer Evidence (IOCE) (now defunct) and the Scientific Working Group on Digital Evidence (SWGDE).
Many Digital Forensics solutions already include some basic capability for capturing and securing digital evidence (e.g., disk images, memory dumps, etc.) in its original, native, possibly proprietary form. But full Evidence Management should include additional capabilities that support Matthew Braid’s “five rules of evidence”: it must be authentic, accurate, complete, convincing, and admissible.
The first core capability supporting the five rules is the ability to reliably track the “chain of custody”: who has had access to the evidence, when it was accessed, why, etc. Another core capability is the ability to prove/authenticate that the data has not been altered, by using hashing or encryption to ensure its integrity for extended periods of time.
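To make the two capabilities above concrete, here is an added example (not code from the original article) of a minimal chain-of-custody log: the evidence is fingerprinted with SHA-256 at acquisition, every custody entry carries the previous entry's seal and is HMAC-sealed, and verification fails if the evidence bytes, any entry, or the entry order has changed. The sample image bytes, the evidence id, and the custodian HMAC key are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample standing in for a disk image, and a hypothetical HMAC key
# that only the custodian system holds (never stored beside the log).
SAMPLE_IMAGE = b"\x00" * 512 + b"EVIDENCE-IMAGE-SAMPLE" + b"\xff" * 512
VAULT_KEY = b"hypothetical-custodian-hmac-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody log for one evidence item. Each entry
    records who/when/why plus the previous entry's seal, and is itself
    HMAC-sealed, so edits, deletions or reordering are detectable."""

    def __init__(self, evidence_id: str, evidence: bytes, key: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)  # fixed at acquisition time
        self.key = key
        self.entries = []

    def _seal(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, action: str, actor: str, reason: str, ts: str = None) -> dict:
        prev = self.entries[-1]["seal"] if self.entries else "0" * 64
        body = {"evidence_id": self.evidence_id, "evidence_hash": self.evidence_hash,
                "action": action, "actor": actor, "reason": reason,
                "ts": ts or datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry = dict(body, seal=self._seal(body))
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> bool:
        # True only if the evidence bytes and every custody entry are intact.
        if not hmac.compare_digest(sha256_hex(evidence), self.evidence_hash):
            return False
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "seal"}
            if body["prev"] != prev or body["evidence_hash"] != self.evidence_hash:
                return False
            if not hmac.compare_digest(self._seal(body), entry["seal"]):
                return False
            prev = entry["seal"]
        return True
```

In practice the key would live in an HSM or secrets vault and the log would be written to append-only storage, so that the custodian, not the examiner, controls both.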
Over time, the more forensic analysis an organization performs, and the more cases they investigate with potential for prosecution, the more critical it will be to establish some type of “vault” storage capability to properly handle and secure the growing volumes of digital evidence being collected. Use, and re-use, of this type of storage must strictly adhere to both policies (e.g., retention policy) and relevant legal regulations (e.g., case law describing the conditions under which storage may be wiped and reused).
Depending upon the nature and geographic locations involved in a cyber investigation, the records retention requirements can become quite burdensome and require significant investment in appropriate storage capabilities.
This article barely scratches the surface of the need for Digital Evidence Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Digital Evidence Management capabilities to support your own Security Operations efforts.