Educause Security Discussion mailing list archives

Re: Policies and Products surrounding investigation and storage


From: "Strubinger, Ray" <ray.strubinger () OIT GATECH EDU>
Date: Mon, 6 Apr 2009 10:36:09 -0400

Answers are in-line with the original message. 

----- Original Message ----- 
From: "Gregory N Pendergast/AC/VCU" <gnpendergast () VCU EDU> 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Monday, April 6, 2009 9:05:39 AM GMT -05:00 US/Canada Eastern 
Subject: [SECURITY] Policies and Products surrounding investigation and storage 

I am looking into both policies and products surrounding the secure storage of computers/disks/media involved in 
internal investigations. If anyone has ideas about any of the following questions, I'd appreciate hearing from you: 


1) Where/How do you store computers and other digital media that is being examined as part of an internal investigation 
(policy violation, security incident, etc)? 


We have an office/lab dedicated to storing and processing materials and media involved in investigations.  Everything 
coming into the lab is documented/photographed and items are tagged with a case number.  We will either use our own 
chain of custody form or use the one supplied by the customer (which is generally an auditor in my case).  Any media 
(hard drives, CD/DVDs, thumb drives, etc) in a computer are removed, photographed, documented/tagged with a case 
number, forensically duplicated, placed in an anti-static bag, then put in an office envelope which has the date, case 
number and contents written on the outside.  The envelope containing the media is stored securely in a safe.  Large 
items such as computers are stored on a shelf once their drives and other media have been removed. 



2) Are there any products that you would recommend? (We're initially thinking of something that provides both secure 
storage and water/fire damage protection.) 


I don't have any specific recommendations but there are a lot of safes on the market with similar features and varying 
cost.  Gun safes seem to offer a good balance between cost, size, and environmental protection. 

3) How long do you retain the original evidence? 


Currently we retain the original material forever, though in the past we have retained the material until it was no 
longer of value, either in litigation or because the appeals process had run its course. 

4) How do you dispose of the evidence once it's beyond its retention cycle? 


When we dispose of copies, if the material is on a CD/DVD it's shredded with a cross cut shredder.  If the material is 
a flash drive, hard disk or some other read-write media, then we use a secure deletion tool such as sdelete (from 
Microsoft), shred (Linux), dban (bootable CD), or the secure wipe function on our hardware based media imager. 

5) When the collection of evidence requires the confiscation of equipment or media from faculty or staff, who 
authorizes the confiscation?  What provisions do you have for providing replacement/loaner equipment to allow the 
employee to continue working? 

We have policies and processes in place that provide the authority and authorization to collect and examine material.  
The process authorizing collection and examination of material involves our human resources office, the general 
counsel's office, internal audit and any other appropriate entity depending on the circumstances. 

-Ray 

-- 
Ray Strubinger 
Information Security Program Manager 

Georgia Institute of Technology 
OIT Information Security 
258 Fourth St, Rich 222 
Atlanta, Georgia 30332-0700 
Phone: 404-385-0334 / Fax: 404-385-2331 
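As an added illustration of the intake and chain-of-custody handling Ray describes in answer 1 (example code written for this archive page, not something from the thread or from Georgia Tech): a forensic duplicate is accepted only if it hashes identically to the source media, and every handling step is appended to a hash-chained custody log so later edits or deletions are detectable. Case numbers, item labels, handler names and media bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64
# Constructed sample media contents; a real run hashes the device and its image.
SAMPLE_MEDIA = b"constructed sample drive contents"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def duplicate_matches(source: bytes, image: bytes) -> bool:
    # A forensic duplicate is only usable as evidence if it hashes like the source.
    return sha256_hex(source) == sha256_hex(image)

class CustodyLog:
    """Append-only chain-of-custody record for one case number. Each entry stores
    the previous entry's hash, so a later edit or deletion is caught by verify()."""
    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries = []
    def record(self, action: str, item: str, handler: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"case": self.case_number, "action": action, "item": item,
                 "handler": handler, "prev_hash": prev,
                 "time": datetime.now(timezone.utc).isoformat()}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]
    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(
                    json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def intake(case_number: str, item: str, source: bytes, image: bytes, handler: str) -> CustodyLog:
    """Intake sequence from the message: tag, image, verify the image, then seal and
    store the original. A failed verification is logged and the flow stops there."""
    log = CustodyLog(case_number)
    log.record("received, photographed and tagged", item, handler)
    log.record("forensic image created", item, handler)
    if not duplicate_matches(source, image):
        log.record("image verification FAILED", item, handler)
        return log
    log.record("image verified sha256=" + sha256_hex(image), item, handler)
    log.record("original sealed in anti-static bag and envelope, stored in safe", item, handler)
    return log
```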

