Educause Security Discussion mailing list archives
Re: Case Images
From: "Rajewski, Jonathan" <rajewski () CHAMPLAIN EDU>
Date: Fri, 5 Aug 2011 09:56:31 -0400
Having a digital forensic image with some type of integrity checking (MD5/SHA1 etc.) will pass best practices and legal requirements. Having two validated copies is also best practice.

That said, to help with your original question - Unless you have some type of regulatory/legal reason to retain your images, I would contact those involved in the dispute as well as legal counsel to determine if they still want you to retain the images. Most responses are "let's hold on to them just in case" so I would have some figures ready to help them make the best educated/legal decision for your situation/organization - for example - if you put a number on storing 15TB of data associated with a case (physical space/cooling/security etc) - or - the cost of the SAN/NAS or HDDs to store the hardware etc. You could then use those conversations as justification for a larger budget or shifting cost to the respective department that wants you to hold on to the images.

Moving forward I would recommend establishing an evidence disposition policy. It sounds like you have one in place, but for what it's worth, a good disposition policy will have a framework to visit your case log/evidence on a regular basis. That way you can escalate space and cost issues to management.

Also - are you compressing your images? If you're using EnCase or FTK there are built-in compression features that can compress/hash on the fly, which can save you considerably on space if you have hard drives that are half full.

Good luck and I hope this helps.

Jon

--
Jonathan T. Rajewski, MS, CCE, EnCe, CISSP, CFE
Assistant Professor, Digital Forensics, Champlain College
Director/Principal Investigator, Champlain College Center for Digital Investigation (C3DI)
Digital Forensic Examiner, Vermont Internet Crimes Task Force
Champlain College
West Hall Room 205
163 South Willard Street
Burlington, VT 05401
Office: +1 802-865-5460
Google Voice - +1 802-318-4804
Mobile - Available via request
Skype - jtrajewski
rajewski () champlain edu
jonathan.rajewski () leo gov
PGP Public Key: Located on keyserver.pgp.com

On 8/5/11 9:26 AM, "Kevin Halgren" <kevin.halgren () WASHBURN EDU> wrote:
To my knowledge, the only certain way to demonstrate chain of custody and maintain the integrity of the data, from a court's perspective, is to retain the original hard drive. You could conceivably store them off-site in a secure location where chain of custody can be maintained, e.g. with a bank.

I wouldn't do anything without checking with your General Counsel first. I'd phrase the question "How can I...?"; a "Can I...?" question will more than likely get a "No" answer. :)

Kevin

--
Kevin Halgren
Assistant Director - Systems and Network Services
Washburn University
(785) 670-2341
kevin.halgren () washburn edu

On 8/4/2011 11:17 AM, Mclaughlin, Kevin (mclaugkl) wrote:

Hi Everyone:

I am wondering if anyone has come across a good, secure (:) ) and effective way to archive their HD images from internal cyber investigations/litigation hold work? We do a fairly large amount of these each year and it is becoming cumbersome to physically store the actual hard drives, not to mention it's not really cost effective to keep purchasing additional drives.

We do roll the cases off per our retention policy (case closed +1, +2 etc.) but some of the cases remain active for legal reasons even though we don't need to do anything with them other than store them safely. The cases that remain open with no activity required are the ones I am thinking about archiving off somewhere/somehow.

Thanks in advance for any process or best practice ideas you would be willing to share,

- Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and one of the region's largest employers, with a student population of more than 41,000.