DER.2.2 Precautions for IT Forensics

IT forensics is the strictly methodical analysis of data on storage media and in data networks to investigate security incidents in IT systems.

Description

Introduction

Forensic investigation of IT security incidents is always necessary when the extent of damage must be determined, attacks must be repelled, future attacks must be prevented, and attackers must be identified. Whether an IT security incident is forensically investigated is decided during the incident handling process. An IT forensic investigation in the sense of this building block consists of the following phases:

  • Strategic Preparation: In this phase, processes are planned and established that ensure an institution can forensically analyze IT security incidents. This phase is also necessary if the institution does not have its own forensic expertise.
  • Initialization: After the responsible employees have decided to forensically investigate an IT security incident, the previously planned processes are initiated. Furthermore, the scope of the investigation is defined and initial measures are carried out.
  • Evidence Collection: Here, the evidence to be preserved is selected and the data is forensically secured. A distinction is made between live forensics and post-mortem forensics: live forensics ensures that volatile data, such as network connections or RAM, is secured from a running IT system. Post-mortem forensics, on the other hand, involves creating forensic copies of storage media.
  • Analysis: The collected data is forensically analyzed. The data is examined both individually and in the overall context.
  • Presentation of Results: The relevant investigation results are prepared and communicated in a manner appropriate to the target audience.

Objective

This building block identifies the precautionary measures necessary to enable IT forensic investigations. The focus is on how evidence collection can be prepared and conducted.

If forensic service providers conduct evidence collection in whole or in part, the requirements also apply to the service providers. Contractual agreements and audits can be used to ensure that the service providers also comply with them.

Scope and Modeling

The building block DER.2.2 Precautions for IT Forensics is to be applied once to the entire information network.

This building block addresses precautionary measures that are fundamental to subsequent IT forensic investigations.

How the actual forensic analysis is conducted is therefore not the subject of this building block. No requirements are described that ensure attacks are detected — these are contained in building block DER.1 Detection of Security-Relevant Events and are assumed as a prerequisite in the present building block. Nor are criteria and processes explained that allow those responsible to decide whether an IT security incident must be forensically investigated or not. This decision is made during security incident handling (see DER.2.1 Security Incident Handling).

Likewise, this building block does not address IT forensic investigations in criminal proceedings.

Finally, this building block does not address how IT infrastructures can be cleaned up after they have been attacked (see DER.2.3 Remediation of Extensive Security Incidents). However, the activities described there can be significantly supported by the results of IT forensic investigations.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block DER.2.2 Precautions for IT Forensics.

Violation of Legal Framework Conditions

For IT forensic investigations, all data deemed necessary is often copied, secured, and evaluated. This usually includes personal data of employees or external partners. If this data is accessed without justification and without involving the Data Protection Officer, the institution violates legal regulations — for example, when the principle of purpose limitation is disregarded. It is also possible that the data collected can be used, for example, to infer employee behavior, or that a connection to specific individuals can be established. This creates the risk of violating internal regulations as well.

Loss of Evidence Due to Faulty or Incomplete Evidence Collection

If evidence is not secured correctly or quickly enough, important data can be lost that cannot be recovered later. In the worst case, this leads to an inconclusive forensic investigation. At a minimum, however, the probative value of the evidence is diminished.

The risk of losing important evidence increases significantly when employees use forensic tools incorrectly, secure data too slowly, or practice too little. Evidence is also frequently lost when those responsible fail to recognize volatile data as relevant and do not secure it.

Requirements

The following are the specific requirements of building block DER.2.2 Precautions for IT Forensics. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is reasonable and appropriate.

Responsibilities                Roles
Primary responsibility          Information Security Officer (ISO)
Additional responsibilities     Subject Matter Experts, Data Protection Officer, Top Management

Exactly one role should be primarily responsible. In addition, there may be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block:

DER.2.2.A1 Examination of Legal and Regulatory Framework Conditions for the Collection and Evaluation of Data (B)

When data is collected and evaluated for forensic investigations, all legal and regulatory framework conditions MUST be identified and observed (see ORP.5 Compliance Management (Requirements Management)). Internal regulations and employee agreements MUST NOT be violated. For this purpose, the works council or staff council and the Data Protection Officer MUST be involved.

DER.2.2.A2 Creation of a Guide for Initial Measures in the Event of an IT Security Incident (B)

A guide MUST be created that describes, for the IT systems in use, which initial measures must be carried out in the event of an IT security incident in order to destroy as few traces as possible. It MUST also describe which actions could potentially destroy traces and how this can be avoided.

DER.2.2.A3 Pre-Selection of Forensic Service Providers (B)

If an institution does not have its own forensic team, suitable forensic service providers MUST be identified during the preparation phase. The forensic service providers being considered MUST be documented.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

DER.2.2.A4 Definition of Interfaces with Crisis and Emergency Management (S)

The interfaces between IT forensic investigations and crisis and emergency management SHOULD be defined and documented. For this purpose, it SHOULD be regulated which employees are responsible for which tasks and how communication with them should take place. Furthermore, it SHOULD be ensured that the responsible contact persons are always reachable.

DER.2.2.A5 Creation of a Guide for Evidence Collection Measures in IT Security Incidents (S)

A guide SHOULD be created that describes how evidence should be secured. It SHOULD include procedures, technical tools, legal framework conditions, and documentation requirements.

DER.2.2.A6 Training of Personnel for Forensic Evidence Collection (S)

All responsible employees SHOULD know how to correctly preserve evidence and properly use forensic tools. Suitable training SHOULD be conducted for this purpose.

DER.2.2.A7 Selection of Forensic Tools (S)

It SHOULD be ensured that tools used for forensically securing and analyzing evidence are suitable for this purpose. Before a forensic tool is deployed, it SHOULD also be checked whether it functions correctly. It SHOULD also be verified and documented that it has not been tampered with.

DER.2.2.A8 Selection and Order of Evidence to Be Secured (S) [Subject Matter Experts]

A forensic investigation SHOULD always begin by defining the objectives or scope of work. The objectives SHOULD be formulated as concretely as possible. All necessary data sources SHOULD then be identified. The order in which the data is to be secured and the exact procedure SHOULD also be determined. The order SHOULD be based on the volatility of the data to be secured. Highly volatile data SHOULD be secured promptly. Non-volatile data, such as persistent storage contents, and finally backups SHOULD follow thereafter.

DER.2.2.A9 Pre-Selection of Forensically Relevant Data (S) [Subject Matter Experts]

It SHOULD be established which secondary data (e.g., log data or network traffic captures) is to be retained, in what manner, and for how long within the legal framework for possible forensic evidence collection measures.

DER.2.2.A10 IT Forensic Securing of Evidence (S) [Subject Matter Experts]

Storage media SHOULD, if possible, be completely forensically duplicated. If this is not possible — for example, with volatile data in RAM or in SAN partitions — a method SHOULD be chosen that alters as little data as possible.

The original storage media SHOULD be stored sealed. Cryptographic checksums of the storage media SHOULD be documented in writing. These SHOULD be stored separately and in multiple copies. It SHOULD also be ensured that the checksums documented in this way cannot be altered. For the data to be admissible in court, a witness SHOULD confirm the procedure used and authenticate the checksums created.

Only trained personnel (see DER.2.2.A6 Training of Personnel for Forensic Evidence Collection) or a forensic service provider (see DER.2.2.A3 Pre-Selection of Forensic Service Providers) SHOULD be used to forensically secure evidence.

DER.2.2.A11 Documentation of Evidence Collection (S) [Subject Matter Experts]

When evidence is forensically secured, all steps taken SHOULD be documented. The documentation SHOULD demonstrate without gaps how the secured original evidence was handled. It SHOULD also be documented which methods were used and why those responsible chose them.
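As an added illustration of DER.2.2.A10 and DER.2.2.A11 (this is example code added here, not part of the building block and not BSI tooling), the following Python script streams a forensic image through SHA-256, records the checksum together with acquisition metadata and a chain-of-custody log, seals that record with an HMAC under a key that is assumed to be held separately from the record, and later detects changes to either the image or the record. The key, case identifier, examiner names and sample image bytes are constructed for the demonstration; the separately held key only stands in for the witness confirmation the requirement calls for and is an assumption, not a replacement for the documented procedure.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed demo key. Assumption: in practice this is a secret held by the
# evidence custodian or witness, stored separately from the manifest (A10).
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(image_path, case_id, examiner, tool, method):
    """Record what was secured, how, by whom, and its checksum (A10/A11)."""
    return {
        "case_id": case_id,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "tool": tool,
        "method": method,
        "custody": [{"action": "acquired", "by": examiner}],
    }


def seal(manifest, key):
    """Serialize deterministically and attach an HMAC so later edits are detectable."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def seal_is_valid(payload, tag, key):
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def record_step(payload, tag, key, action, by):
    """Append a chain-of-custody entry (A11); refuse if the seal no longer holds."""
    if not seal_is_valid(payload, tag, key):
        raise ValueError("manifest seal invalid; refusing to append a custody step")
    manifest = json.loads(payload)
    manifest["custody"].append({"action": action, "by": by})
    return seal(manifest, key)


def verify(image_path, payload, tag, key):
    """Return a list of findings; an empty list means image and record are intact."""
    findings = []
    if not seal_is_valid(payload, tag, key):
        findings.append("manifest altered or sealed with a different key")
        return findings  # the record's contents cannot be trusted, so stop here
    manifest = json.loads(payload)
    actual = sha256_file(image_path)
    if actual != manifest["sha256"]:
        findings.append(f"image hash mismatch: manifest {manifest['sha256'][:12]}..., actual {actual[:12]}...")
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        findings.append("image size differs from manifest")
    return findings


def demo():
    """Run the workflow on a constructed 'image' and return the outcome of each check."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk0.dd")
        with open(image, "wb") as fh:  # constructed sample image, not real evidence
            fh.write(b"\x00" * 4096 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 4096)

        manifest = build_manifest(image, "CASE-0001", "examiner-a", "dd", "post-mortem full duplicate")
        payload, tag = seal(manifest, DEMO_KEY)
        payload, tag = record_step(payload, tag, DEMO_KEY, "sealed and handed to custodian", "examiner-a")
        intact = verify(image, payload, tag, DEMO_KEY)

        # Scenario 1: one byte of the image changes after acquisition.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        image_tampered = verify(image, payload, tag, DEMO_KEY)

        # Scenario 2: the stored record is edited to match the altered image.
        forged = json.loads(payload)
        forged["sha256"] = sha256_file(image)
        forged_payload = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
        manifest_tampered = verify(image, forged_payload, tag, DEMO_KEY)

        return {
            "intact": intact,
            "image_tampered": image_tampered,
            "manifest_tampered": manifest_tampered,
            "custody_entries": len(json.loads(payload)["custody"]),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The record is serialized with sorted keys and fixed separators so that the same manifest always produces the same bytes and therefore the same HMAC; the verification stops as soon as the seal fails, because a record whose integrity is unknown cannot be used to judge the image. Keeping the key (or, in practice, the witness's signature) apart from the record is what makes the documented checksums unalterable in the sense of A10.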

DER.2.2.A12 Secure Storage of Original Storage Media and Evidence (S) [Subject Matter Experts]

All secured original storage media SHOULD be stored physically in such a way that only the investigating employees, who are known by name, can access them. When original storage media and evidence are stored, it SHOULD be specified how long they must be retained. After the retention period has expired, it SHOULD be checked whether the storage media and evidence need to be retained for longer. After the retention period has elapsed, evidence SHOULD be securely deleted or destroyed, and original storage media SHOULD be returned.

Requirements for High Protection Needs

The following are exemplary proposals for requirements that go beyond the level of protection corresponding to the state of the art for this building block. The proposals SHOULD be considered when there are elevated protection needs. The specific determination is made within the framework of an individual risk analysis.

DER.2.2.A13 Framework Agreements with External Service Providers (H)

The institution SHOULD conclude call-off agreements or framework contracts with forensic service providers so that IT security incidents can be forensically investigated more quickly.

DER.2.2.A14 Definition of Standard Procedures for Evidence Collection (H)

Standard procedures SHOULD be created for applications, IT systems, or IT system groups with high protection needs, as well as for common system configurations, that allow volatile and non-volatile data to be forensically secured as completely as possible.

The respective system-specific standard procedures SHOULD be implemented through tested and as far as possible automated processes. They SHOULD also be supported by checklists and technical aids, such as software, software tools on mobile storage media, and IT forensic hardware such as write blockers.

DER.2.2.A15 Conducting Evidence Collection Exercises (H)

All employees involved in forensic analyses SHOULD regularly practice in the form of exercises how to secure evidence in the event of an IT security incident.

Additional Information

Good to Know

The BSI provides further information on this subject in its “IT Forensics Guide”, which can also serve as a reference for individual practical problem areas.

The International Organization for Standardization (ISO) provides requirements for conducting forensic analyses in standards ISO/IEC 27042:2015 and 27043:2015.

The Information Security Forum (ISF) provides requirements for conducting forensic analyses in Chapter TM 2.4 Forensic Investigations of its standard “The Standard of Good Practice for Information Security”.

Request for Comments (RFC) 3227 “Guidelines for Evidence Collection and Archiving” provides guidance on the basic approach to forensic evidence collection.