Previous article in series – Digital Forensics: E-Discovery Service Types & Legal Terms
ISO/IEC 27037 offers guidance on identifying potential data sources and acquiring the data from the sources. Data acquisition should be performed using a three-step process:
- Develop a plan to acquire the data: Developing a plan is an important first step in most cases because there are usually several potential data sources. The plan should rank the sources and fix the order in which they will be acquired. Important factors for prioritization include the following:
  - Likely value: Based on your understanding of the situation and previous experience with similar incidents, estimate the relative likely value of each potential data source.
  - Volatility: Volatile data is data on a live system that is lost when the computer is powered down or simply through the passage of time (for example, memory contents, running processes, open network connections, and ARP and routing caches). It can also be destroyed by other actions performed on the system, including the acquisition itself. In many cases, volatile data should therefore be acquired before nonvolatile data, most volatile first. Note that nonvolatile data can also be somewhat dynamic (e.g., log files that roll over and are overwritten as new events occur), so it is not necessarily safe to leave until last.
  - Amount of effort required: The effort needed to acquire different data sources varies widely. It includes not only the time spent by security staff and others within the organization (including legal advisers) but also the cost of equipment and services (e.g., outside experts). For example, acquiring data from a network router would probably require far less effort than acquiring data from a cloud service provider.
- Acquire the data: If the data has not already been captured by security tools, analysis tools, or other means, the general process is to use forensic tools to collect volatile data, duplicate nonvolatile data sources (ideally as a bit-for-bit image made through a write blocker) to collect their data, and then secure the original nonvolatile data sources so they cannot be altered. Acquisition can be performed either locally or over a network. Local acquisition is generally preferable because it gives greater control over the system and the data, but it is not always feasible (e.g., the system is in a locked room or at another location). When acquiring over a network, decide in advance what type of data will be collected and how much effort will be spent. For instance, it might be necessary to acquire data from several systems through different network connections, or it might be sufficient to copy a logical volume from just one system.
- Verify the integrity of the data: After the data has been acquired, its integrity should be verified. This is particularly important when the data may be needed in legal proceedings, where you must be able to show that it was not altered. Verification typically consists of computing a cryptographic hash (message digest) of both the original and the copy with a forensic tool and comparing the two values; if they match, the copy is a faithful duplicate. Use a collision-resistant algorithm such as SHA-256. MD5 is still reported by many tools and is acceptable as a secondary value for compatibility with older records, but it should not be relied on alone. Record the digests, the algorithm, the tool used, and the time of verification in the acquisition documentation, because the hash only proves that the copy matched the source at the moment it was computed.
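The hash comparison described in the third step, as an added Python example that is not part of this article: it digests an original and a copy in one pass with SHA-256 (and MD5 as a secondary value), compares the results, and produces sha256sum-style record lines for the acquisition notes. The "image" files, their names, and the single-byte corruption are constructed for the demonstration; in practice the original would be hashed through a write blocker.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Sequence

CHUNK = 1024 * 1024  # read in 1 MiB chunks so multi-GB images never need to fit in RAM


def hash_file(path: str, algorithms: Sequence[str] = ("sha256", "md5")) -> Dict[str, str]:
    """Compute one or more digests of a file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original: str, copy: str) -> Dict[str, object]:
    """Hash the source and the acquired copy and report whether every digest matches."""
    orig = hash_file(original)
    dup = hash_file(copy)
    # compare_digest is constant-time; not important for offline forensics,
    # but it is the right habit whenever digests are compared.
    per_algorithm = {alg: hmac.compare_digest(orig[alg], dup[alg]) for alg in orig}
    return {
        "original": orig,
        "copy": dup,
        "per_algorithm": per_algorithm,
        "match": all(per_algorithm.values()),
    }


def record_lines(path: str, digests: Dict[str, str]) -> List[str]:
    """Format digests as '<hex>  <filename>' lines, the layout sha256sum/md5sum -c accept."""
    return [f"{digests[alg]}  {os.path.basename(path)}" for alg in sorted(digests)]


def demo() -> Dict[str, object]:
    """Constructed scenario: one source image, an intact copy, and a copy with one flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.dd")
        intact = os.path.join(d, "evidence_copy.dd")
        tampered = os.path.join(d, "evidence_tampered.dd")
        kat = os.path.join(d, "kat.bin")

        # ~1.3 MiB of constructed data, deliberately not a multiple of CHUNK,
        # so the final partial read is exercised.
        data = b"constructed forensic image sample " * 40000
        corrupted = bytearray(data)
        corrupted[len(data) // 2] ^= 0x01  # a single flipped bit in the middle

        for path, content in ((original, data), (intact, data), (tampered, bytes(corrupted))):
            with open(path, "wb") as f:
                f.write(content)
        with open(kat, "wb") as f:
            f.write(b"abc")  # known-answer input to sanity-check the hashing routine

        return {
            "intact": verify_copy(original, intact),
            "tampered": verify_copy(original, tampered),
            "kat": hash_file(kat),
            "record": record_lines(intact, hash_file(intact)),
        }


if __name__ == "__main__":
    result = demo()
    print("intact copy matches:  ", result["intact"]["match"])
    print("tampered copy matches:", result["tampered"]["match"])
    print("\n".join(result["record"]))
```

A single flipped bit changes every digest, which is exactly why the comparison is conclusive; the record lines can be pasted into the chain-of-custody notes and re-checked later with `sha256sum -c` or `md5sum -c`.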
Next article in series – Digital Forensics: Evidence Management