Every organization is at risk of becoming the target of a cyberattack. Ensuring the integrity and admissibility of digital evidence and supporting legal proceedings related to the attack is only possible if the chain of custody is properly maintained.

Chain of custody (CoC) refers to the collection, documentation and preservation of evidence in a way that ensures its integrity and reliability in court proceedings. In the event of litigation, it is essential to establish a complete CoC of exhibits and evidence collected during an investigation that is admissible in court and can be relied upon by the parties involved.

The response to a cyberattack is only as good as the company’s readiness. It is of utmost importance to train the team and implement an effective cyber resilience strategy.

Identification

Documentation

Packaging

Preservation / Storage

Transfer

Analysis

Digital forensics is a broad field. The investigation team often needs to cover a wide range of tasks with specialist skills and experience. One of the most common challenges for experts is the growing complexity of data on a daily basis. As the storage spaces are getting bigger, it is more difficult to extract, collect and investigate the data impacted by the incident. Validating the authenticity of data becomes more challenging as data manipulation and alteration techniques become more sophisticated.

There are more incidents happening every day since hacking tools are easily accessible to everyone.

According to research conducted by TOP10VPN, the prices of powerful tools are very low. For example, a set of digital hacking tools that would enable a full range of identity theft costs only $125 on the dark web or one can get powerful Remote Access Trojans for less than $10.

The number of global cyberattacks increased by 38% in 2022 compared to 2021 as pointed out in the Check Point Research. This number of cyberattacks is the result of smaller, more agile hacker gangs targeting educational institutions that switched to e-learning after the COVID-19 program ended, and ransomware aimed at exploiting collaboration tools used in a home working environment.

Different statistics only cover the known number of cyberattacks. The grey zone is much larger. On one side, organizations are not aware that they are already hacked. On average, it takes up to nine months until a breach is detected. On the other side, quite often law enforcement is not included in handling the cyberattacks.

There are several reasons for that.

The most usual one is that organizations fear a damage to reputation and trust. In these cases, private investigators are involved. If the organization itself does not report the cyberattack, then these cases remain unknown for statistics.

The main challenge for digital forensics teams is the lack of physical evidence as found at physical crime scenes. Also the collection of data is different from physical crime scenes. The difference lies in the art, the characteristics of the evidence. According to Yudi Prayudi et al, the “digital evidence has a number of characteristics and is easy to duplicate and transmitted, very susceptible to modify and remove, easily contaminated by the new data, as well as time-sensitive. The digital evidence is also very possible to be cross countries and legal jurisdiction. /…/ In addition, the rapid growth of cybercrime should always be followed by a new understanding of digital evidence itself along with the handling of its chain of custody.”

As technology advances, AI tools are developed to support forensic specialists for more precise and faster data analysis, and some of these challenges may disappear in time. At the same time, as technology evolves, other new challenges may arise too.

In a case of an incident, there is no time left to set up proper policies and procedures. A forensic investigation needs to be started immediately. To ensure the comprehensiveness and effectivity, all the possible scenarios must be trained beforehand.

For example, as part of the SEC Defence Service setup for an emergency, we provide preparation and strategy workshops and crisis plan games to simulate cyberattacks. These trainings include strategic, tactical and operational levels. An important part of the preparation is also the evaluation of your organization with an incident readiness maturity assessment. The focus here is on evaluating the defensibility of your organization.

Also, policies and procedures for information security management must be in place and practiced. The latter includes mapping IT resources, data, equipment, and users in the IT ecosystem. This provides a clear view of the IT infrastructure, which is useful both during and before a security event to identify vulnerabilities for preventive action.

An earlier blogpost by Stephan Mikiss, Cyber resilience against ransomware: Fiction or reality? highlights preventive measures, holistic security, and some of the basic requirements for an effective security strategy. Simply put, organizations should be cognizant of the role played by digital forensics in cybercrime, and work towards implementing a watertight cyber resilience program to protect themselves. In case of an attack, they should exercise caution to ensure a failproof CoC for a proper investigation and litigation.