Digital Forensic & E-Discovery (Legal Hold) Types


Digital forensics, also known as computer and network forensics, has many definitions. It includes identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. 

Organizations have an ever-increasing amount of data from many sources. Because of the variety of data sources, digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage. 

E-Discovery

Electronic discovery (e-discovery) is the identification, preservation, collection, processing, review, analysis, or production of electronically stored information. SaaS-based discovery, such as Microsoft E-Discovery, is critical in the modern digital world. "E-discovery in the cloud" means using the cloud to deliver the tools used for e-discovery. SaaS packages typically cover one of several e-discovery tasks, such as collection, preservation, or review.

Preparing for legal hold or e-discovery may include the following:

  • Consideration of the SLA and contract agreements
  • Contract agreements
  • Use of data dispersion techniques and data regeneration techniques
  • Use of data discovery
  • Development of a legal incident response team
  • Development of a data retention and destruction policy
  • Development of a plan to acquire the data

Chain of Custody

Throughout the process, keep a detailed log of every step taken to collect the data, including information about each tool used. This documentation allows other security professionals to repeat the process later if needed. Acquiring digital evidence is vital, and in the cloud it depends on the provider's policies, so consider contacting the provider and asking about its data acquisition process and policies.
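As an added illustration (not code from the original article) of the integrity and logging requirements described above, the following Python builds a tamper-evident chain-of-custody log: the artifact is hashed at acquisition, every custody event records who did what with which tool, and each entry's hash covers the previous entry so that edits or reordering are detectable. The evidence bytes, actor names and tool names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash recorded by the first entry in a log


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an evidence artifact, taken at acquisition time."""
    return hashlib.sha256(data).hexdigest()


def record_event(log, actor, action, tool, evidence_hash, timestamp=None):
    """Append a custody event; its hash covers the previous entry, so
    altering or reordering earlier entries breaks the chain."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "tool": tool,
        "evidence_sha256": evidence_hash,
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_chain(log, evidence: bytes) -> bool:
    """Recompute every link. False if any entry was edited or reordered,
    or if the artifact no longer matches the hash recorded at acquisition."""
    artifact_hash = sha256_hex(evidence)
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["seq"] != i or body["prev_entry_hash"] != expected_prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        if body["evidence_sha256"] != artifact_hash:
            return False
        expected_prev = entry["entry_hash"]
    return len(log) > 0


def build_sample_log():
    """Constructed sample: a provider export acquired, sealed, then handed off."""
    evidence = b"constructed sample export: mailbox-2024.pst"
    h = sha256_hex(evidence)
    log = []
    record_event(log, "examiner A", "acquired from provider export", "provider export tool (constructed)", h)
    record_event(log, "examiner A", "hashed and sealed", "sha256", h)
    record_event(log, "custodian B", "received into evidence locker", "manual", h)
    return log, evidence
```

Any later custodian can rerun verify_chain against the stored artifact to confirm both the artifact and the log are unchanged since acquisition.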

In traditional forensic procedures, it is “easy” to maintain an accurate history of time, location, and persons accessing the target computer, hard disk, etc. of a potential suspect. On the other hand, in a cloud, we do not even know where a VM is physically located. Hence, maintaining a proper chain of custody is much more challenging in the cloud.