Information Security Magazine
CSI for the CISO
by Marcia Savage
Issue: Sep 2007

Kevin Mandia, president and CEO of Mandiant, which provides forensics and other infosecurity services, says chain of custody is maintained by the following steps:

  • Keeping evidence within an investigator's possession or sight at all times
  • Documenting the collection of evidence
  • Documenting the movement of evidence from one investigator's custody to another's
  • Securing the evidence appropriately so it cannot be tampered with

Besides the chain of custody, it's important to create hash values for a piece of evidence, says Bill Spernow, a consultant and former director of infosecurity, investigations and incident response at Experian. Creating hash values "substantiates the fact this is what it was on Monday, and when we show it to the court six months later, it's still the same thing," he says.

Forensics investigators typically make copies of a compromised system or other evidence and perform analysis on one of the copies. Jenkins usually makes three copies and puts the original system in an evidence bag for safe storage.
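The steps above (document collection, document every hand-off, keep the item secured, hash it at collection, work only on verified copies) map directly onto a small custody record. The following is an added example written for this page, not code from the article, from Mandiant or from anyone quoted in it; the investigator names, evidence item ID, bag ID and the sample "disk image" bytes are all constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for an acquired disk image or log file.
EVIDENCE_IMAGE = b"constructed sample disk image bytes for the example\n"


def sha256_hex(data: bytes) -> str:
    """Hash value taken at collection; re-computed later to show nothing changed."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one item of evidence.

    Every entry records who did what, when, and the hash of the item at that
    moment, so the log documents collection, each transfer between
    investigators, sealed storage and the creation of working copies.
    """

    def __init__(self, item_id: str, original: bytes, collector: str):
        self.item_id = item_id
        self.reference_hash = sha256_hex(original)  # the "what it was on Monday" value
        self.custodian = collector
        self.entries: list[dict] = []
        self.record("collected", collector, original)

    def record(self, action: str, actor: str, data: bytes, note: str = "") -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": self.item_id,
            "action": action,
            "actor": actor,
            "hash": sha256_hex(data),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True if the bytes still match the hash recorded at collection."""
        return sha256_hex(data) == self.reference_hash

    def transfer(self, from_investigator: str, to_investigator: str, data: bytes) -> dict:
        """Document a hand-off. Only the current custodian may release the item,
        and the item must still hash to its collection value before it moves."""
        if from_investigator != self.custodian:
            raise PermissionError(f"{from_investigator} is not the current custodian")
        if not self.verify(data):
            raise ValueError("evidence hash no longer matches collection hash; refuse transfer")
        self.custodian = to_investigator
        return self.record("transferred", to_investigator, data, f"from {from_investigator}")

    def seal(self, bag_id: str, data: bytes) -> dict:
        """Record that the original went into a sealed evidence bag."""
        return self.record("sealed", self.custodian, data, f"evidence bag {bag_id}")


def make_working_copies(log: CustodyLog, original: bytes, count: int = 3) -> list[bytes]:
    """Produce copies for analysis; each is hashed against the collection value
    before it is accepted, and its creation is logged."""
    copies = [bytes(original) for _ in range(count)]
    for i, copy in enumerate(copies, 1):
        if not log.verify(copy):
            raise ValueError(f"working copy {i} does not match the original")
        log.record("copied", log.custodian, copy, f"working copy {i}")
    return copies


def run_example() -> dict:
    """Walk one item through collection, copying, transfer and sealing."""
    log = CustodyLog("ITEM-PLACEHOLDER-01", EVIDENCE_IMAGE, "Investigator A")
    copies = make_working_copies(log, EVIDENCE_IMAGE, count=3)
    log.transfer("Investigator A", "Investigator B", EVIDENCE_IMAGE)
    log.seal("BAG-PLACEHOLDER", EVIDENCE_IMAGE)
    # A copy altered during analysis must fail verification.
    tampered = EVIDENCE_IMAGE.replace(b"sample", b"edited")
    # Someone who is not the current custodian cannot release the item.
    try:
        log.transfer("Investigator A", "Investigator C", EVIDENCE_IMAGE)
        wrong_custodian_rejected = False
    except PermissionError:
        wrong_custodian_rejected = True
    return {
        "copies": len(copies),
        "copies_ok": all(log.verify(c) for c in copies),
        "tampered_ok": log.verify(tampered),
        "custodian": log.custodian,
        "wrong_custodian_rejected": wrong_custodian_rejected,
        "actions": [e["action"] for e in log.entries],
    }


if __name__ == "__main__":
    for entry in CustodyLog("ITEM-PLACEHOLDER-01", EVIDENCE_IMAGE, "Investigator A").entries:
        print(entry)
    print(run_example())
```

The hash in each log entry is what lets the record speak for itself months later: any copy that no longer hashes to the collection value is rejected before it is analysed or transferred, and the custodian check refuses a hand-off from anyone other than the person the log says currently holds the item.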

Courts will also accept evidence that is produced in the normal course of business, Spernow says. For example, if a firewall administrator routinely examines logs on a daily basis and sees evidence of a hack, those logs will be considered a normal business record.

Getting Help
While some organizations have in-house resources to conduct forensics examinations, many need to call in a consultant. Resources for finding an expert include professional associations, forensic tool vendors, and certification providers such as the SANS Institute, which lists online those who have earned its GIAC forensics certification.

But there are no hard-and-fast rules for evaluating forensic experts. Certifications can be one means of assessing skill--there are vendor and vendor-neutral certifications available in the field--but hardly the only measure. In fact, Mandia says in his work, reputation and experience weigh more heavily than certifications.
