<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Immutable kBlog: thoughts on data integrity &#187; Laws and regulations</title>
	<atom:link href="http://www.kinamik.com/blog/category/laws_regulations/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kinamik.com/blog</link>
	<description>thoughts on security, data integrity, GRC and other security-related issues.</description>
	<lastBuildDate>Fri, 16 Dec 2011 11:39:32 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The spanner in Federal Cloud Computing</title>
		<link>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/</link>
		<comments>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 11:13:55 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[Judge Paul Grimm]]></category>
		<category><![CDATA[Lorrian vs Markel]]></category>
		<category><![CDATA[records management]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=85</guid>
		<description><![CDATA[Vivek Kundra’s legacy was to set in motion a deep change in the IT landscape for the Federal Government. The last few years saw many sceptics express doubts about the government moving to the cloud, but the rudder did turn and now it's obvious how deep the Fed is in this turn, addressing the challenges [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kinamik.com/blog/wp-content/uploads/2011/12/foundations_digital_evidence_book_cover1.bmp"><img class="alignright size-full wp-image-88" title="foundations_digital_evidence" src="http://www.kinamik.com/blog/wp-content/uploads/2011/12/foundations_digital_evidence_book_cover1.bmp" alt="" width="190" height="232" /></a>Vivek Kundra’s legacy was to set in motion a deep change in the IT landscape for the Federal Government. The last few years saw many sceptics express doubts about the government moving to the cloud, but the rudder did turn and now it's obvious how deep the Fed is in this turn, addressing the challenges of procurement (e.g. Apps.gov), security and simplified accreditation (FedRAMP). However, a recent <a href="http://www.whitehouse.gov/the-press-office/2011/11/28/presidential-memorandum-managing-government-records" target="_blank">Presidential Memorandum on Managing Government Records</a>, released on November 28, 2011, sets a pretty significant hurdle for agencies that use public cloud providers to jump over, let alone comply with for internal systems. Specifically, these agencies are required to address “managing electronic records, including email and social media, deploying cloud based services or storage solutions&#8230;supporting agency compliance with applicable legal requirements related to the preservation of information relevant to litigation&#8221;.</p>
<p>Untangling that: basically, preservation of records for litigation is pretty complex and is discussed in many publications. It is supported by the test of authenticity, which determines whether the data carries sufficient evidential weight to be admissible; see <a href="http://apps.americanbar.org/abastore/index.cfm?section=main&amp;fm=Product.AddToCart&amp;pid=5450053" target="_blank">The Foundations of Digital Evidence</a> and <a href="http://www.bs10008.com/" target="_blank">BS10008</a>. As US Chief Magistrate Judge Paul W. Grimm (author of the <a href="http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf" target="_blank">Lorraine v. Markel</a> opinion) suggests in his recent eDiscovery <a href="http://discoverybrain.com/interview/an-interview-with-judge-paul-grimm-chief-united-states-magistrate-judge-1-of-3/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=an-interview-with-judge-paul-grimm-chief-united-states-magistrate-judge-1-of-3" target="_blank">interview</a>, &#8220;rules that deal with whether it’s admissible or not must be addressed&#8230;If people weren’t aware of what they had to do to get this stuff into evidence during the discovery phase&#8230;they were potentially spending huge amounts of money only to be left wanting a trial because they couldn’t get it into evidence&#8221;.</p>
<p>Think about a simple case of a cloud provider who does somehow agree to provide data to support your e-Discovery requests but cannot prove the data's authenticity. It brings to mind all those sunk costs invested to discover, retain and preserve the data, but with no forethought towards actually having to use it in court.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The cost of cybercrime</title>
		<link>http://www.kinamik.com/blog/the-cost-of-cybercrime/</link>
		<comments>http://www.kinamik.com/blog/the-cost-of-cybercrime/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 12:22:28 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[Log files]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=73</guid>
		<description><![CDATA[I know the Ponemon Institute has a sponsor for each of their studies but the recently released Second Annual Cost of Cyber Crime Study does contain some really valid findings that CSOs should take into account.
Their study highlights just how many companies are immature in the detective and reactive controls following a breach. I would [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kinamik.com/blog/wp-content/uploads/2011/11/hacker1.jpg"><img class="alignright size-full wp-image-78" title="hacker" src="http://www.kinamik.com/blog/wp-content/uploads/2011/11/hacker1.jpg" alt="" width="199" height="170" /></a>I know the Ponemon Institute has a sponsor for each of their studies but the recently released <a href="http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf" target="_blank">Second Annual Cost of Cyber Crime Study</a> does contain some really valid findings that CSOs should take into account.</p>
<p>Their study highlights just how many companies are immature in the detective and reactive controls following a breach. I would suggest that for data theft and fraud breaches, most of the deployed controls are so ineffective that often the occurrence of a breach is detected through a source outside of the organisation. A great example of this is the <a href="http://www.eweek.com/c/a/Database/Stolen-TJX-Data-Used-in-8M-Scheme-Before-Breach-Discovery/" target="_blank">TJX breach</a>, where the incident was reported by TJX officials around a month after an extensive fraud had occurred.</p>
<p>There are many reasons for this, including but not limited to zero day hacks or ineffective intrusion detection systems. However, as Ponemon points out in their findings, “companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM”&#8230; Yes, the sponsor of this study is a SIEM provider. More importantly though, it does point to the fact that audit log information is a key source of information for detection capabilities. However, as recognised year after year by another study, the <a href="http://www.deloitte.com/assets/Dcom-Global/Local%20Assets/Documents/Financial%20Services/dtt_fsi_2010%20Global%20FS%20Security%20Survey_20100603.pdf" target="_blank">Deloitte Global Financial Services Security Survey</a>, &#8220;Audit trails/logging issues&#8221; is among the top 5 internal/external audit findings. I.e., organisations are still wrestling with collection, analysis and protection of audit log data. CSOs need to place greater emphasis on using some of their rapidly reducing IT budgets on log collection, analysis and protection tools. Because, as Ponemon points out, “Cyber attacks can get costly if not resolved quickly&#8230;the average time to resolve a cyber attack by a participating organisation was 18 days at an approximate average cost of $415k with malicious insider attacks taking more than 45 days”&#8230; I know of more than a few log management solutions that cost less than that.<br />
 <br />
OK, now let's assume that you have a solution to detect and fix a breach but now want to prosecute, or even have to defend a prosecution. Most companies are missing a critical capability, and that causes a significant pain point in litigation scenarios. Specifically, most organisations have not deployed the capabilities needed for their electronic data to be digital-evidence ready. I will write more on this in an upcoming post; however, if you cannot prove the electronically stored data's authenticity, it will not be usable as evidence. A great source to identify the controls you need to consider is <a href="http://shop.bsigroup.com/en/Browse-by-Subject/ICT/Legal-admissibility/" target="_blank">BS 10008 – Evidential weight and legal admissibility of electronically stored information</a>.</p>
<p>In addition to the digital evidence point, it is now a known fact that the hacker of today is not out to be noticed. In fact they have always preferred to stay undetected until they want to get noticed. To do this they delete or modify data that may show their activity. In most hacking 101 books/papers, there are sections on how to conduct a stealth attack and how to remain undetected by deleting or modifying log data. It’s obvious that if the log data has been modified, the time to detect and respond to an attack will be substantially increased.</p>
<p>A professor at one of the first lectures that I had in Information Security asked the question: “What is the most dangerous thing a hacker can do?” After going through a list of responses by the class, he suggested: “It is to stay hidden and seep corruption into the organisation's digital data so that it even gets into the backups and yields an unrecoverable digital data environment&#8230;. This type of effect can put a company out of business”. Now, years on, I recognise that this is not the worst a hacker can do, i.e. they can cause an outage of a power grid, mayhem at a nuclear plant etc. However, with respect to normal business it does make me wonder how many organisations were subjected to this type of attack when the UK's Ministry of Defence published the warning “<a href="http://www.telegraph.co.uk/technology/news/8845100/Foreign-hackers-putting-UK-firms-out-of-business.html" target="_blank">Foreign hackers &#8216;putting UK firms out of business&#8217;</a>&#8221;.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/the-cost-of-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trustworthy time and the crucial role it plays in providing digital evidence</title>
		<link>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/</link>
		<comments>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 21:15:44 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[audit logs]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[NTP]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[timestamp]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=66</guid>
		<description><![CDATA[Editor's Note: Nearly every day these days, some sort of new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of news and trends. The first in this series is on the use of trusted time.
Time is used throughout [...]]]></description>
			<content:encoded><![CDATA[<p><em>Editor's Note: Nearly every day these days, some sort of new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of news and trends. The first in this series is on the use of trusted time.</em></p>
<p>Time is used throughout the judicial landscape to provide a chronology of events. In the digital world, these events are often captured in audit logs where each event is associated with a timestamp. When things go wrong and the audit log data is needed in a court of law as evidence, it raises the question of whether system time synchronization capabilities have been used or, even better, whether trusted time stamping solutions are installed. At issue here is whether it can be proven that the data has not been compromised or tampered with in any way.</p>
<p>Organizations that have implemented Network Time Protocol (NTP) are better off than those relying only on the system's hardware clock, which is usually set at the beginning of the hardware’s life or maybe during some critical hardware maintenance event. This would mean that any time data, e.g. in audit logs, would be equivalent to that of the hardware engineer’s wristwatch. In well-run IT environments this is not so common. Additionally, well-run organizations would use a log centralization tool that includes its own timestamp from when it received that audit event data. If this is done in real time across a multitude of systems, the forensic and audit value is very high.</p>
<p>Going back to using these audit log records as digital evidence: if I were a cross-examining lawyer that wanted to diminish the value of the time data, it would be fun finding out whether the audit logs' time source comes from some time-synchronized system or not. Obviously any time data ultimately derived from the hardware engineer's watch would result in significantly lower evidential weight. If an NTP time server was used, then the question arises “How vulnerable is the NTP timeserver and what is the time source that sets its clock?”. Motivation may be a defense but that discussion is for another blog post. There have been many vulnerabilities posted associated with the use of NTP, for example <a href="http://www.cisco.com/warp/public/707/cisco-sa-20020508-ntp-vulnerability.shtml">Cisco Security Advisory: NTP Vulnerability</a> and <a href="http://www.ubuntu.com/usn/usn-867-1/">Ubuntu NTP vulnerability</a>; many more are available through a simple web search.</p>
<p>Trustworthy time is a crucial attribute in the digital evidence world. If the time data within the audit logs of at least the important systems does not carry sufficient evidential weight, then there could be happy defense lawyers and their clients out there celebrating their successes.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BSI 10008 &#8211; Another proof that integrity is the next big thing</title>
		<link>http://www.kinamik.com/blog/bsi-10008-another-proof-that-integrity-is-the-next-big-thing/</link>
		<comments>http://www.kinamik.com/blog/bsi-10008-another-proof-that-integrity-is-the-next-big-thing/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 10:08:50 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[BSI 10008]]></category>
		<category><![CDATA[legal admissibility]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=18</guid>
		<description><![CDATA[The British Standards Institution (or BSI) has recently published the BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements organizations should follow in their data management procedures for ensuring&#8230; yes, you got it: the integrity of information.
The new standard&#8217;s name is quite self-explanatory: [...]]]></description>
			<content:encoded><![CDATA[<p>The British Standards Institution (or <a href="http://www.bsigroup.com/" target="_blank">BSI</a>) has recently published the BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements organizations should follow in their data management procedures for ensuring&#8230; yes, you got it: the <strong>integrity</strong> of information.</p>
<p>The new standard&#8217;s name is quite self-explanatory: &#8220;Evidential weight and legal admissibility of electronic information. Specification&#8221;. As the <a href="http://www.bsigroup.com/en/Shop/Publication-Detail/?pid=000000000030191165" target="_blank">BSI website states</a>, &#8220;legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case&#8221;. BSI 10008 is therefore aimed at ensuring that any piece of electronic information used in a Court of Law has the maximum evidential weight.</p>
<p>There are many interesting aspects here. First, it shows the need to clearly establish guidelines and a common framework for how to deal with electronic data and digital evidence. And second (but no less important), it outlines how <strong>data integrity</strong> is a key aspect of information management.</p>
<p>We just bought a copy of the standard. We&#8217;ll read it and publish some thoughts&#8230; Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/bsi-10008-another-proof-that-integrity-is-the-next-big-thing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

