Educause Security Discussion mailing list archives
Re: Policies and Products surrounding investigation and storage
From: "Strubinger, Ray" <ray.strubinger () OIT GATECH EDU>
Date: Mon, 6 Apr 2009 10:36:09 -0400
Answers are in-line with the original message.

----- Original Message -----
From: "Gregory N Pendergast/AC/VCU" <gnpendergast () VCU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Monday, April 6, 2009 9:05:39 AM GMT -05:00 US/Canada Eastern
Subject: [SECURITY] Policies and Products surrounding investigation and storage

I am looking into both policies and products surrounding the secure storage of computers/disks/media involved in internal investigations. If anyone has ideas about any of the following questions, I'd appreciate hearing from you:

1) Where/How do you store computers and other digital media that are being examined as part of an internal investigation (policy violation, security incident, etc.)?

We have an office/lab dedicated to storing and processing materials and media involved in investigations. Everything coming into the lab is documented/photographed and items are tagged with a case number. We will either use our own chain of custody form or use the one supplied by the customer (which is generally an auditor in my case). Any media (hard drives, CD/DVDs, thumb drives, etc.) in a computer are removed, photographed, documented/tagged with a case number, forensically duplicated, placed in an anti-static bag, then put in an office envelope which has the date, case number and contents written on the outside. The envelope containing the media is stored securely in a safe. Large items such as computers are stored on a shelf once their drives and other media have been removed.

2) Are there any products that you would recommend? (We're initially thinking of something that provides both secure storage and water/fire damage protection.)

I don't have any specific recommendations, but there are a lot of safes on the market with similar features and varying cost. Gun safes seem to offer a good balance between cost, size, and environmental protection.

3) How long do you retain the original evidence?

Currently we retain the original material forever, though in the past we have retained the material until it was no longer of value, either in litigation or because the appeals process had run its course.

4) How do you dispose of the evidence once it's beyond its retention cycle?

When we dispose of copies, if the material is on a CD/DVD it's shredded with a cross-cut shredder. If the material is a flash drive, hard disk or some other read-write media, then we use a secure deletion tool such as sdelete (from Microsoft), shred (Linux), dban (bootable CD), or the secure wipe function on our hardware-based media imager.

5) When the collection of evidence requires the confiscation of equipment or media from faculty or staff, who authorizes the confiscation? What provisions do you have for providing replacement/loaner equipment to allow the employee to continue working?

We have policies and processes in place that provide the authority and authorization to collect and examine material. The process authorizing collection and examination of material involves our human resources office, the general counsel's office, internal audit and any other appropriate entity depending on the circumstances.

-Ray

--
Ray Strubinger
Information Security Program Manager
Georgia Institute of Technology
OIT Information Security
258 Fourth St, Rich 222
Atlanta, Georgia 30332-0700
Phone: 404-385-0334 / Fax: 404-385-2331
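The reply above mentions forensically duplicating media on intake (answer 1) and securely wiping working copies at disposal (answer 4) without showing how either is recorded. The script below is an added example, not code from the thread or from Georgia Tech: it images a file-backed stand-in for a drive with dd, hashes source and image with SHA-256 so the chain-of-custody log carries a verifiable fingerprint, re-verifies an image against that log, and overwrites and removes a working copy when its retention period ends. The "device" is a constructed temp file, the case identifier and log format are hypothetical, and the script assumes coreutils dd plus either sha256sum or shasum.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Acquisition, verification and
# disposal of a working copy, with a tab-separated custody log:
#   timestamp  case_id  action  sha256  path  note
# Assumes: dd, head, awk, and sha256sum or shasum. Paths/case IDs are hypothetical.
set -euo pipefail

# Portable SHA-256 digest of a file (hex only).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

_ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# acquire_image SRC IMG LOG CASE_ID
# Bit-for-bit copy of SRC into IMG, hash both sides, append a custody record.
# Fails (returns 1) if the image hash does not match the source hash.
# For a physical drive you would point SRC at the block device behind a
# write blocker and add conv=noerror,sync; for a file-backed source (as in the
# test) sync padding would alter the last block, so it is omitted here.
acquire_image() {
  local src=$1 img=$2 log=$3 case_id=$4 src_hash img_hash
  dd if="$src" of="$img" bs=4096 2>/dev/null
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  printf '%s\t%s\tacquire\t%s\t%s\tsrc_sha256=%s src=%s\n' \
    "$(_ts)" "$case_id" "$img_hash" "$img" "$src_hash" "$src" >> "$log"
  [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOG
# Recompute IMG's hash and compare with the most recent acquisition record
# for that path in LOG. Returns 1 if there is no record or the hash changed.
verify_image() {
  local img=$1 log=$2 recorded current
  recorded=$(awk -F'\t' -v p="$img" '$3=="acquire" && $5==p {h=$4} END{print h}' "$log")
  [ -n "$recorded" ] || { echo "no acquisition record for $img" >&2; return 1; }
  current=$(sha256_of "$img")
  [ "$recorded" = "$current" ]
}

# wipe_copy FILE LOG CASE_ID
# Overwrite FILE in place (random pass, then zero pass), confirm the content
# changed, unlink it, and log the disposal. Caveat: in-place overwrite of a
# regular file is only meaningful on filesystems that rewrite blocks in place
# (not journaled-data, copy-on-write or snapshotted storage) and says nothing
# about wear-levelled flash; for the physical drive itself use shred or the
# imager's secure-erase function on the block device, as the reply describes.
wipe_copy() {
  local f=$1 log=$2 case_id=$3 size before after
  before=$(sha256_of "$f")
  size=$(wc -c < "$f" | tr -d ' ')
  head -c "$size" /dev/urandom | dd of="$f" conv=notrunc 2>/dev/null
  head -c "$size" /dev/zero    | dd of="$f" conv=notrunc 2>/dev/null
  after=$(sha256_of "$f")
  [ "$before" != "$after" ] || return 1
  rm -f "$f"
  printf '%s\t%s\twipe\t%s\t%s\tpasses=random,zero pre_wipe_sha256=%s\n' \
    "$(_ts)" "$case_id" "$after" "$f" "$before" >> "$log"
}

# Stand-alone demonstration on a constructed 12345-byte "device" file.
demo_run() {
  local t; t=$(mktemp -d)
  head -c 12345 /dev/urandom > "$t/evidence.bin"      # constructed sample media
  acquire_image "$t/evidence.bin" "$t/CASE-0001.img" "$t/custody.log" CASE-0001
  verify_image  "$t/CASE-0001.img" "$t/custody.log"
  wipe_copy     "$t/CASE-0001.img" "$t/custody.log" CASE-0001
  cat "$t/custody.log"
  rm -rf "$t"
}

demo_run
```

Running the script prints two custody records, one for the acquisition (carrying both the source and image hashes) and one for the wipe. The log is deliberately append-only text so it can be printed and signed alongside the paper chain-of-custody form; verify_image is what you run before handing the image to an auditor or counsel to show it still matches what was acquired.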
Current thread:
- Policies and Products surrounding investigation and storage Gregory N Pendergast/AC/VCU (Apr 06)
- <Possible follow-ups>
- Re: Policies and Products surrounding investigation and storage Strubinger, Ray (Apr 06)