Every organization is at risk of becoming the target of a cyberattack. Ensuring the integrity and admissibility of digital evidence and supporting legal proceedings related to the attack is only possible if the chain of custody is properly maintained.
Chain of custody (CoC) refers to the collection, documentation and preservation of evidence in a way that ensures its integrity and reliability in court proceedings. In the event of litigation, it is essential to establish a complete CoC of exhibits and evidence collected during an investigation that is admissible in court and can be relied upon by the parties involved.
The response to a cyberattack is only as good as the company’s readiness. It is of utmost importance to train the team and implement an effective cyber resilience strategy.
Linking the CoC with cybersecurity
CoC is an essential element of IT forensics: it ensures the integrity of digital evidence and that all related activities are responsibly managed. Evidence handling must comply with the courts’ requirements for durable evidence. This means that the documentation of the evidence and of the way it is collected, analysed and evaluated must be complete and comprehensive.
The chain of evidence must be traceable so that the evidence can be used in court at a later stage. Therefore, every handling, every change, including the location of the evidence, must be definitively and objectively documented at all times by means of a complete CoC form. This action prevents:
- loss of evidence
- mix-up of evidence
- exchange of evidence
- tampering with evidence
- falsification of evidence
The preventive measure will ensure traces of digital evidence cannot be misused or manipulated at any time, and that their statuses are verifiable and therefore legally secured.
The CoC itself is a key component of the legality assurance system (LAS). The latter is a set of policies and procedures designed to ensure that a company’s services or products comply with legal and regulatory requirements.
Basic requirements for a proper CoC
During the investigation of a cybersecurity incident, forensic experts collect evidence from computers and other digital media used. Their skills should include vulnerability diagnostics, digital forensics, memory gaps and malware analysis, and the ability to use analytical tools for correlation analysis of security events.
A proper CoC during the investigation of a cyber security incident should cover the following steps:
- The evidence must be clearly identified and marked at the scene or location of the event.
- Records of who collected the evidence, where and when it was collected, and in what condition it was found need to be maintained.
- Evidence must be packaged in a manner that preserves its integrity and prevents contamination.
- Preservation / storage: evidence must be stored in a secure place where it is protected against tampering, theft or damage.
- Each transfer must be carefully documented, including who deposited the custody of evidence, when and why.
- Evidence should be analyzed by a qualified expert who can testify to its relevance and reliability.
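The steps above (identification and collection, documentation, secure storage, documented transfers, analysis) can be made verifiable in software by fingerprinting the exhibit at acquisition and recording every custody event in a tamper-evident log. The following Python is an added illustration, not code from the article or from SEC Consult: it assumes the exhibit is available as bytes (a disk image or memory dump in practice), keeps the ledger in memory, and links entries as a SHA-256 hash chain so that both a modified exhibit and a retroactively edited ledger entry are detected. The exhibit bytes and custodian names are constructed sample values.

```python
"""Tamper-evident chain-of-custody ledger (illustrative example, not a product)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the raw exhibit bytes, recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash an entry over its canonical JSON form (sorted keys, no whitespace)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLedger:
    """Append-only custody record for one exhibit; each entry links to the previous one."""

    def __init__(self, item_id, description, evidence, custodian, location, when=None):
        self.item_id = item_id
        # Step 1/2: identify the exhibit and record who collected it, where, and its hash.
        self.acquisition_hash = sha256_hex(evidence)
        self.entries = []
        self._append("collected", custodian, location, description, self.acquisition_hash, when)

    def _append(self, event, custodian, location, notes, evidence_hash, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": self.item_id,
            "event": event,
            "custodian": custodian,
            "location": location,
            "notes": notes,
            "evidence_hash": evidence_hash,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,  # hash chain: ties this entry to the one before it
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, evidence, from_custodian, to_custodian, location, reason, when=None):
        """Step 5: record a hand-over. The exhibit is re-hashed so drift is caught at the transfer."""
        notes = f"from {from_custodian}: {reason}"
        return self._append("transfer", to_custodian, location, notes, sha256_hex(evidence), when)

    def verify(self, evidence):
        """Return a list of problems; an empty list means ledger and exhibit are intact."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if _entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i}: entry contents altered after recording")
            if e["evidence_hash"] != self.acquisition_hash:
                problems.append(f"entry {i}: exhibit hash differed from acquisition hash at '{e['event']}'")
            prev = _entry_hash(e)  # recompute, so a rewritten entry breaks every later link
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("current exhibit bytes do not match the acquisition hash")
        return problems


if __name__ == "__main__":
    # Constructed sample exhibit; in practice this would be a forensic image.
    image = b"constructed-sample-disk-image-bytes"
    ledger = CustodyLedger("EXH-001", "laptop disk image, bit-for-bit copy", image,
                           "A. Examiner", "client site, room 3")
    ledger.transfer(image, "A. Examiner", "B. Analyst", "forensic lab safe 2", "malware analysis")
    print("after legitimate transfer:", ledger.verify(image))
    print("exhibit altered:", ledger.verify(image + b"!"))
    ledger.entries[0]["custodian"] = "C. Unknown"  # retroactive edit without re-hashing
    print("ledger entry edited:", ledger.verify(image))
```

In a real deployment the ledger would be written to append-only or write-once storage and each entry signed by the custodian, so that the verification above can be reproduced by a third party in court; the hash chain alone only makes tampering detectable, not impossible.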
The challenges of digital forensics
Digital forensics is a broad field. The investigation team often needs to cover a wide range of tasks that require specialist skills and experience. One of the most common challenges for experts is the daily growth in the volume and complexity of data. As storage capacities grow, it becomes harder to extract, collect and investigate the data affected by the incident. Validating the authenticity of data also becomes more challenging as data manipulation and alteration techniques become more sophisticated.
There are more incidents happening every day since hacking tools are easily accessible to everyone.
According to research conducted by TOP10VPN, the prices of powerful tools are very low. For example, a set of digital hacking tools that would enable a full range of identity theft costs only $125 on the dark web or one can get powerful Remote Access Trojans for less than $10.
The number of global cyberattacks increased by 38% in 2022 compared to 2021 as pointed out in the Check Point Research. This number of cyberattacks is the result of smaller, more agile hacker gangs targeting educational institutions that switched to e-learning after the COVID-19 program ended, and ransomware aimed at exploiting collaboration tools used in a home working environment.
Different statistics only cover the known number of cyberattacks. The grey zone is much larger. On one side, organizations are not aware that they are already hacked. On average, it takes up to nine months until a breach is detected. On the other side, quite often law enforcement is not included in handling the cyberattacks.
There are several reasons for that.
The most usual one is that organizations fear damage to reputation and trust. In these cases, private investigators are involved. If the organization itself does not report the cyberattack, these cases remain unknown to the statistics.
The main challenge for digital forensics teams is the lack of physical evidence of the kind found at physical crime scenes. Data collection also differs from that at physical crime scenes; the difference lies in the nature and characteristics of the evidence. According to Yudi Prayudi et al., the “digital evidence has a number of characteristics and is easy to duplicate and transmitted, very susceptible to modify and remove, easily contaminated by the new data, as well as time-sensitive. The digital evidence is also very possible to be cross countries and legal jurisdiction. /…/ In addition, the rapid growth of cybercrime should always be followed by a new understanding of digital evidence itself along with the handling of its chain of custody.”
As technology advances, AI tools are developed to support forensic specialists for more precise and faster data analysis, and some of these challenges may disappear in time. At the same time, as technology evolves, other new challenges may arise too.
Prepare. Persevere. Protect.
In the event of an incident, there is no time left to set up proper policies and procedures. A forensic investigation needs to be started immediately. To ensure it is comprehensive and effective, all possible scenarios must be rehearsed beforehand.
For example, as part of the SEC Defence Service setup for an emergency, we provide preparation and strategy workshops and crisis plan games to simulate cyberattacks. These trainings include strategic, tactical and operational levels. An important part of the preparation is also the evaluation of your organization with an incident readiness maturity assessment. The focus here is on evaluating the defensibility of your organization.
Also, policies and procedures for information security management must be in place and practiced. The latter includes mapping IT resources, data, equipment, and users in the IT ecosystem. This provides a clear view of the IT infrastructure, which is useful both during and before a security event to identify vulnerabilities for preventive action.
An earlier blog post by Stephan Mikiss, Cyber resilience against ransomware: Fiction or reality?, highlights preventive measures, holistic security, and some of the basic requirements for an effective security strategy. Simply put, organizations should be cognizant of the role played by digital forensics in cybercrime, and work towards implementing a watertight cyber resilience program to protect themselves. In case of an attack, they should exercise caution to ensure a failproof CoC for a proper investigation and litigation.
About the author
Anna-Maria Praks is R&D Lead, Vulnerability Lab, at SEC Consult, an Eviden business.
Anna-Maria Praks is a professional with over 24 years’ experience in the security industry. She is currently R&D Lead at SEC Consult Vulnerability Lab and a member of the Atos Scientific Community. Mrs Praks holds Master’s degrees in European Studies and in Law with a specialisation in International Law. Her areas of expertise include cyber security, defence and security policy, international relations and government affairs. Mrs Praks has worked in politics, academia and the private sector throughout her career. From 1999 to 2012, she worked at the Estonian Ministry of Defence, with postings to the Defence Committee of the Estonian Parliament and the Embassy of the Republic of Estonia in Berlin. Later, from 2012 to 2015, she worked as a researcher in cyber and security policy at various research institutes and universities. Since 2015, she has been working at SEC Consult.