Evidence Handling and Administration

An integral part of every incident response is collecting evidence of what happened. Evidence is necessary to identify what happened, the scope of the incident, the extent of the effect, and the source of the incident. Evidence collection is critical to each investigation and can provide the basis of pursuing legal remedies and prosecution after the incident has been resolved. Understanding how to properly conduct evidence collection and handling is fundamental to properly handling incidents and laying a solid foundation for any future legal action.

Evidence Collection Techniques

Proper collection of evidence is essential and is something that is best left to professionals whenever the need arises. When a crime is suspected, it may become necessary to expand the incident response to include trained professionals and law enforcement in the process. The process here is really one of forensics, or the methodical and defensible process of collecting information from a crime scene. This is a process best left to those professionals trained to do it because novices can inadvertently damage evidence in such a way that makes the investigation unlikely to produce meaningful results or the case indefensible in court. Trained personnel will know how to avoid these mistakes and properly collect everything relevant.

Evidence Types

Not all evidence carries the same weight when analyzing an incident or submitting the evidence in a court of law. Collecting the wrong evidence, failing to collect the meaningful evidence, or treating evidence incorrectly can invalidate any attempt to pursue legal remedies or prosecution.

TABLE 14-2 lists some of the different types of evidence that can be collected and what makes each type unique.

TABLE 14-2 Types of evidence.

Best: Best evidence is a category of evidence that is admissible by requirement in any court of law. In the case of documents, best evidence is the original document. The existence of best evidence eliminates your ability to use any copies of the same evidence in court.

Secondary: Secondary evidence is any evidence that is a copy of the original evidence. This could be items such as backups and drive images. This type of evidence may not always be admissible in a court of law and is not admissible if best evidence of the item exists.

Direct: Direct evidence is evidence that is received as the result of testimony or interview of an individual regarding something he or she directly experienced. This individual could have obtained the evidence as a result of observation. Evidence in this category can prove a case.

Conclusive: Conclusive evidence is evidence that is above dispute. Conclusive evidence is considered so strong that it directly overrides all other evidence types by its existence.

Opinion: Evidence of this type is derived from an individual’s background and experience. Opinion evidence is divided into the following types:

  • Expert—Any evidence that is based upon known facts, experience, and an expert’s own knowledge

  • Nonexpert—The opinion evidence of nonexperts is limited to that based upon the witness’s perception of a series of events where that perception is relevant to the case.

Corroborative: Evidence in this category is obtained from multiple sources and is supportive in nature. This type of evidence cannot stand on its own and is used to bolster the strength of other evidence.

Circumstantial: Circumstantial evidence is any evidence that indirectly proves a fact through the use of deduction.

Chain of Custody

When collecting evidence for use in court, the chain of custody must be maintained at all times. The chain of custody is simple in theory; it documents the whereabouts of the evidence from the point of collection to the time it is presented in court and after, when it is returned to its owner or destroyed. A trusted chain of custody ensures that the evidence as presented is in the same state as it was when it was collected. The chain is essential because any breaks or questions about the status of evidence at any point can result in the evidence being inadmissible and even potentially a case being thrown out. A chain of custody should include every detail about the evidence, from how it was collected to how it was handled after collection.

A chain of custody can be thought of as maintaining six key points at every step in the investigation. Focusing on these points ensures that you account for how the evidence is handled at every step. The chain of custody can be maintained by asking the following questions:

  • What evidence has been collected?

  • How was the evidence obtained?

  • When was the evidence collected?

  • Who are the individuals who handled the evidence?

  • What reason did each person have for handling the evidence?

  • Where has the evidence traveled, and where was this evidence ultimately stored?

Also, remember to keep the chain of custody information up to date at all times. Every time any evidence is handled by an investigator, a record must be kept and updated to reflect this. This information should explain every detail, such as what the evidence actually consists of, where it originated, and where it was delivered. It is important that no gaps exist at any point.

Additionally, for added legal protection, evidence can be validated through the use of hashing to prove that it has not been altered. Ideally, the evidence you collected at the crime scene is the same evidence you present in court.
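As an added illustration (not part of the original text), the following Python records the six chain-of-custody questions for each handling event and uses a SHA-256 hash taken at collection to refuse any handoff where the item no longer matches. The item id, names, locations and sample image bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence: stands in for the bytes of a seized drive image.
SAMPLE_IMAGE = b"constructed sample drive image\n" * 8

def sha256_hex(data: bytes) -> str:
    """Hash taken at collection; every later handler recomputes it to prove the item is unaltered."""
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """One record per evidence item; every handling event answers the six custody questions."""

    def __init__(self, item_id, what, how, who, where, data):
        self.item_id = item_id
        self.what = what                       # what evidence was collected
        self.how = how                         # how it was obtained
        self.original_hash = sha256_hex(data)  # fixed at the point of collection
        self.entries = []
        self.record(who, "collection at scene", where, data)

    def record(self, who, why, where, data):
        """Append one handling event; refuse to extend a chain whose item no longer matches."""
        current = sha256_hex(data)
        if current != self.original_hash:
            raise ValueError(f"{self.item_id}: hash mismatch on handoff to {who}; chain is broken")
        self.entries.append({
            "what": self.what,
            "how": self.how,
            "when": datetime.now(timezone.utc).isoformat(),  # when it was handled
            "who": who,                                       # who handled it
            "why": why,                                       # reason for handling it
            "where": where,                                   # where it travelled / is stored
            "sha256": current,
        })

    def is_intact(self, data):
        """True when the item presented matches the hash recorded at collection."""
        return sha256_hex(data) == self.original_hash

def build_sample_chain():
    """Hypothetical walk-through: collection, analysis, return to storage."""
    coc = ChainOfCustody("EV-0001", "drive image of workstation WS-17 (constructed)",
                         "forensic image taken through a write blocker",
                         "A. Investigator", "evidence locker 3", SAMPLE_IMAGE)
    coc.record("B. Analyst", "offline analysis", "forensics lab bench 2", SAMPLE_IMAGE)
    coc.record("A. Investigator", "return to storage", "evidence locker 3", SAMPLE_IMAGE)
    return coc
```

A real log would be written to append-only storage and signed by each handler; the point here is that the hash recorded at collection is what lets the item presented later be shown to be the item collected.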

Remember, lack of a verifiable chain of custody is enough to lose a case.

Computer Removal

When any sort of computer crime is logged and reported, it becomes necessary to examine the system and in some cases remove the computer from the crime scene. Of course, such a seizure of a computer means that the chain-of-custody requirements come into play and the system must be tagged and tracked up until it is presented in court.

Also, do not forget that collecting computer evidence, like many different types of evidence, may require specific legal authorization. Requirements will vary depending on the company and situation in question, but it is another item to consider.

Rules of Evidence

No evidence, regardless of type, is necessarily admissible in court. Evidence cannot be presented in court unless certain requirements are satisfied. These requirements should be fully understood by all personnel handling evidence and reviewed ahead of time. The rules of evidence presented here are general guidelines and are not consistent across jurisdictions.

The following list includes the five commonly accepted rules of evidence:

  • Reliable—This is consistent and trustworthy evidence that leads to a common conclusion.

  • Preserved—Chain of custody comes into play, and the records help identify and prove the preservation of the evidence in question.

  • Relevant—This is evidence that directly relates to the case being tried.

  • Properly identified—This is evidence for which the records prove both its identity and its preservation.

  • Legally permissible—This is evidence that is deemed by the judge to fit the rules of evidence for the court and case at hand.

Security Reporting Options and Guidelines

Part of handling incidents involves communicating with affected or interested parties. When developing any type of incident communications, including after-incident reports, always take the structure and hierarchy of a company into consideration. What is communicated, and to whom, can have a huge effect on how a security incident response effort operates. Additionally, making all personnel aware of this structure ahead of time is of the utmost importance so there is no confusion when the time comes to report and respond to an incident.

When considering how to report a security incident, the following guidelines are worth keeping in mind and can prove helpful while responding to incidents:

  • Whenever feasible, refer to previously established guidelines as documented and described in the company IRP. The IRP should include guidelines on how to create a report and whom to report to. Furthermore, the IRP should define the formats and guidelines on how to put the report together to ensure that the information is actually usable by its intended audience.

  • Consider the situations in which it is necessary to report the incident to law enforcement in addition to company personnel.

  • Consider the situations and conditions in which the security incident must be reported to regulatory bodies as required by law.

  • Security incidents reported outside the organization can and should be noted in the company incident report.

During the preparation of a security incident report, include all the relevant information to detail and describe the incident. At a minimum, the following items should be included:

  • A timeline of the events of the security incident that includes any and all actions taken during the process.

  • A risk assessment that includes extensive details of the state of the system before and after the security incident occurred.

  • A detailed list of any and all participants who took part in the discovery, assessment, and final resolution (if this has occurred) of the security incident. It is important to include all those who took part in this process regardless of how important or unimportant their roles may be perceived to be.

  • A detailed list of the reasons behind the decisions that were made during the process. Document these actions in a format that states what each action was and what factors led to the decision to take the action.

  • A recommendation as to what could be done to prevent a repeat of the incident and what could be done to reduce any damage that may result.

  • Two sections to ensure that the report is usable by all parties: first, a long-format report that includes specific details and actions that occurred during the incident and, second, an executive summary that provides a high-level, short-format description of what occurred.
