
The Forensics Services Group
A Department of Modus
Modus eDiscovery – Listen – Learn – Leverage
Security & Defensibility Related Procedures
SUMMARY:
Trust is one of the key factors in building a top-tier forensics group. Trust is earned by providing a service and
product that clients can depend on at every level. A major part of this message comes through our various
policies related to data security and defensibility of process. We have created various means to ensure that our
clients' data is safe at all times and that all of our actions are defensible.
STERILE MEDIA
All previously used rewriteable media used to store electronic evidence is forensically wiped before any
information is copied to it. We currently use a single-pass wipe with 0x00, followed by hash verification against our
database of wiped-drive hash values and a visual inspection. This verification ensures that no sectors have been
missed during the wiping process and that no residual data remains on the media.
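The check described above can be done in a single read of the device. The following is an added example (not Modus eDiscovery's own tooling) of how that verification works: because a correctly zeroed device contains nothing but 0x00, its hash is a function of its size alone, so the expected value can be computed on demand rather than looked up in a database of previously wiped drives, and the same pass records the offset of the first non-zero byte, which tells the examiner where a wipe stopped or which region was skipped. The sample devices are constructed in memory; the chunk size and the `WipeReport` type are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

const chunk = 1 << 20 // read, compare and hash 1 MiB at a time

// ExpectedZeroHash is the SHA-256 of `size` zero bytes: the value a correctly
// wiped device of that size must produce. It depends only on the size, so it
// can be computed instead of being stored per drive.
func ExpectedZeroHash(size int64) string {
	h := sha256.New()
	zeros := make([]byte, chunk)
	for left := size; left > 0; {
		n := int64(chunk)
		if left < n {
			n = left
		}
		h.Write(zeros[:n])
		left -= n
	}
	return hex.EncodeToString(h.Sum(nil))
}

// WipeReport summarises one verification pass over a device.
type WipeReport struct {
	Size       int64
	Hash       string
	Clean      bool  // true only if every byte was zero and the hash matched
	FirstDirty int64 // offset of the first non-zero byte, or -1 if none
}

// VerifyWipe reads the device once, hashing every byte and noting the first
// offset that still holds data. The offset is more useful than a bare hash
// mismatch when a wipe was interrupted or a range of sectors was skipped.
func VerifyWipe(dev io.Reader) (WipeReport, error) {
	rep := WipeReport{FirstDirty: -1}
	h := sha256.New()
	buf := make([]byte, chunk)
	zeros := make([]byte, chunk)
	for {
		n, err := dev.Read(buf)
		if n > 0 {
			h.Write(buf[:n])
			if rep.FirstDirty < 0 && !bytes.Equal(buf[:n], zeros[:n]) {
				for i, b := range buf[:n] {
					if b != 0 {
						rep.FirstDirty = rep.Size + int64(i)
						break
					}
				}
			}
			rep.Size += int64(n)
		}
		if err == io.EOF {
			break
		}
		if err != nil {
			return rep, err
		}
	}
	rep.Hash = hex.EncodeToString(h.Sum(nil))
	rep.Clean = rep.FirstDirty < 0 && rep.Hash == ExpectedZeroHash(rep.Size)
	return rep, nil
}

func main() {
	// Constructed sample devices. For a real drive on Linux, pass the result of
	// os.Open("/dev/sdX") instead; os.Open is read-only, so the check cannot write.
	size := int64(2*chunk + 17)
	clean := make([]byte, size)
	dirty := make([]byte, size)
	copy(dirty[chunk+5:], "leftover")
	for name, img := range map[string][]byte{"clean": clean, "dirty": dirty} {
		rep, err := VerifyWipe(bytes.NewReader(img))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: size=%d clean=%v firstDirty=%d sha256=%s\n",
			name, rep.Size, rep.Clean, rep.FirstDirty, rep.Hash)
	}
}
```

The hash comparison and the byte scan are redundant on purpose: the scan finds and locates residual data, while the hash gives a single value that can be written into the drive's record and later re-checked against the same size.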
HARDWARE & SOFTWARE MANAGEMENT
We use many different software and hardware tools to assist us in our duties, but these tools are not perfect. They
are constantly being updated with fixes, patches and new versions. These updates and changes usually add functions
and/or fix bugs in the previous version. It is therefore critical that our team stay up to date on new releases and
changes to existing tools.
We check all of our software and hardware tools for updates every quarter*. We analyze these updates to identify
whether any of the changes will require additional training for our internal and external clients. If the update is major we
not only review the changes but also test the new version to ensure its results are consistent with our expectations.
In this way we ensure that we are fully up to date while defending against bugs introduced in new versions.
It is also our policy that all software utilized in this capacity is fully updated and licensed to, or authorized for use by,
the examiner and/or Modus eDiscovery.
DATA SHIPPING & TRANSMITTAL
When data is uploaded via FTP or shipped out via a courier it is AES encrypted and password protected. We use a
secure FTP site so that the contents are also encrypted during transmission. When data is shipped
via courier it is declared as a high-value package so that an internal chain of custody is maintained within the
courier company.
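What "AES encrypted and password protected" has to mean in practice is shown by the following added example, which is not Modus eDiscovery's tool and uses a container layout invented for this page: the password is stretched into an AES-256 key with a salted PBKDF2-HMAC-SHA256 (the iteration count follows current OWASP guidance and is an assumption about what a lab would choose), the data is sealed with AES-GCM so that any modification in transit is detected rather than silently decrypted to garbage, and the header carrying the salt, nonce and iteration count is authenticated as associated data. The password itself never travels with the container; it is read to the recipient by phone or sent through a separate channel. PBKDF2 is written out with the standard library here so the example has no dependencies; `golang.org/x/crypto/pbkdf2` is the usual choice in production code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Container layout (chosen for this example, not a standard):
//   magic(4) | iterations(4, big-endian) | salt(16) | nonce(12) | AES-256-GCM ciphertext || tag(16)
const (
	magic             = "MDS1"
	saltLen           = 16
	nonceLen          = 12
	tagLen            = 16
	hdrLen            = 4 + 4 + saltLen + nonceLen
	DefaultIterations = 600_000    // current OWASP figure for PBKDF2-HMAC-SHA256
	maxIterations     = 10_000_000 // refuse absurd counts from a crafted header
)

// pbkdf2SHA256 computes one 32-byte block of PBKDF2-HMAC-SHA256 (dkLen == hLen).
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the only block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(password string, salt []byte, iter int) (cipher.AEAD, error) {
	if iter < 1 || iter > maxIterations {
		return nil, errors.New("iteration count out of range")
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a key derived from password with a fresh salt and
// nonce; the whole header is authenticated as GCM associated data.
func Encrypt(password string, plaintext []byte, iter int) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(iter))
	if _, err := io.ReadFull(rand.Reader, hdr[8:]); err != nil { // salt then nonce
		return nil, err
	}
	gcm, err := newGCM(password, hdr[8:8+saltLen], iter)
	if err != nil {
		return nil, err
	}
	return append(hdr, gcm.Seal(nil, hdr[8+saltLen:], plaintext, hdr)...), nil
}

// Decrypt verifies header and tag before releasing any plaintext; a wrong
// password, an edited header or a flipped ciphertext byte all fail here.
func Decrypt(password string, container []byte) ([]byte, error) {
	if len(container) < hdrLen+tagLen || string(container[:4]) != magic {
		return nil, errors.New("not a recognised container")
	}
	hdr := container[:hdrLen]
	iter := int(binary.BigEndian.Uint32(hdr[4:8]))
	gcm, err := newGCM(password, hdr[8:8+saltLen], iter)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, hdr[8+saltLen:], container[hdrLen:], hdr)
}

func main() {
	pass := "passphrase-read-to-the-client-by-phone" // constructed; never shipped with the data
	container, err := Encrypt(pass, []byte("constructed sample export"), DefaultIterations)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(pass, container)
	fmt.Println("round trip ok:", err == nil && string(got) == "constructed sample export")
	_, err = Decrypt("wrong-passphrase", container)
	fmt.Println("wrong password rejected:", err != nil)
	container[len(container)-1] ^= 1 // damage the tag in transit
	_, err = Decrypt(pass, container)
	fmt.Println("tampered container rejected:", err != nil)
}
```

The secure FTP channel protects the bytes in flight; the container protects them at rest on the courier's desk or the FTP server's disk, which is why both layers are used. Sending the container's hash to the client through the same out-of-band channel as the password lets them confirm they received the right file before entering the passphrase.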
WRITE BLOCKING
Modus eDiscovery uses multiple write-blocking methods depending on the device being write blocked. We
ensure proper procedures by using a multi-tier approach when available. This approach ensures that if one
write-block method were to fail, the backup method would still protect the integrity of the media. All write-
blocking methods are tested for accuracy each quarter.
Hardware Write Blocker – We use various methods of hardware write blocking. All of our hardware
collection devices have built-in write blocking. We also have additional standalone hardware write
blockers, for use when a drive must be removed from the computer and we are unable to use
our physical collection devices.
Software Write Blocker – There are various software write blockers available. We currently attach our
drives via USB, which allows us to use our custom USB write-blocker software.
HASH CODE VERIFICATION
It is the policy of Modus eDiscovery to create two forensic copies of any media/data received for analysis. This
creates a working copy and a preservation copy of the original media. These copies are verified against the original
by using an MD5 hash code. The MD5 hash code of the original data is generated prior to the acquisition process,
and the MD5 hash codes of the acquired data are verified against it. Once the acquisition and MD5 hash
verification are complete, the original data can be hashed again to confirm that the source data was not altered. A final
MD5 is run against the data prior to the finalization of an analysis report to ensure that the information being
reported is accurate.
DUAL COPIES
Data storage devices are not flawless; they can fail at any time. Given the time and cost
associated with data collections, creating a backup of the collected data is a must. The collection scope
determines whether the second copy is made at the same time as the first or when the data
arrives back at our forensics lab.
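The hash verification sequence and the dual-copy rule above fit together in one workflow, shown here as an added example (not Modus eDiscovery's imaging software): the source is hashed before acquisition, one read of the source feeds both the working and the preservation copy while computing the acquisition hash, each copy is then hashed on its own to produce a verification hash, and the source is hashed once more afterwards. MD5 is kept because it is what the page's procedure names; SHA-256 is computed in the same pass as an addition, because MD5 collisions are practical and a second digest costs no extra I/O. The evidence bytes and the in-memory copies are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
)

// Digests holds both values computed over one stream.
type Digests struct{ MD5, SHA256 string }

// hasher feeds every written byte to MD5 and SHA-256 at once.
type hasher struct {
	md, sha hash.Hash
	io.Writer
}

func newHasher() *hasher {
	h := &hasher{md: md5.New(), sha: sha256.New()}
	h.Writer = io.MultiWriter(h.md, h.sha)
	return h
}

func (h *hasher) digests() Digests {
	return Digests{hex.EncodeToString(h.md.Sum(nil)), hex.EncodeToString(h.sha.Sum(nil))}
}

// Digest hashes a stream: the verification hash of a copy, or the source
// before and after acquisition.
func Digest(r io.Reader) (Digests, error) {
	h := newHasher()
	if _, err := io.Copy(h, r); err != nil {
		return Digests{}, err
	}
	return h.digests(), nil
}

// Acquire reads the source once, writing the working and preservation copies
// and hashing the bytes as they pass; the result is the acquisition hash that
// an imaging tool records in its log.
func Acquire(src io.Reader, working, preservation io.Writer) (Digests, error) {
	h := newHasher()
	if _, err := io.Copy(io.MultiWriter(working, preservation, h), src); err != nil {
		return Digests{}, err
	}
	return h.digests(), nil
}

// VerifyCopies hashes each copy and reports whether it matches the acquisition hash.
func VerifyCopies(acq Digests, copies ...io.Reader) ([]bool, error) {
	ok := make([]bool, len(copies))
	for i, c := range copies {
		d, err := Digest(c)
		if err != nil {
			return nil, err
		}
		ok[i] = d == acq
	}
	return ok, nil
}

func main() {
	// Constructed stand-in for a source drive; a real tool reads the device
	// through the write blocker and seeks back to offset 0 between passes.
	evidence := bytes.Repeat([]byte("constructed evidence bytes\n"), 4096)
	src := bytes.NewReader(evidence)

	pre, _ := Digest(src) // hash of the original before acquisition
	src.Seek(0, io.SeekStart)
	var working, preservation bytes.Buffer
	acq, _ := Acquire(src, &working, &preservation)
	ok, _ := VerifyCopies(acq, bytes.NewReader(working.Bytes()), bytes.NewReader(preservation.Bytes()))
	src.Seek(0, io.SeekStart)
	post, _ := Digest(src) // original re-hashed after acquisition

	fmt.Printf("pre == acquisition: %v, copies verified: %v, source unchanged: %v\n",
		pre == acq, ok, pre == post)
	fmt.Printf("MD5 %s  SHA-256 %s\n", acq.MD5, acq.SHA256)

	// A single flipped bit in the working copy is caught by its verification hash.
	damaged := working.Bytes()
	damaged[100] ^= 0x01
	ok, _ = VerifyCopies(acq, bytes.NewReader(damaged))
	fmt.Println("damaged working copy verified:", ok)
}
```

Each of the five values (pre-acquisition, acquisition, working, preservation, post-acquisition) goes into the evidence record; a later disagreement between any pair tells the examiner which step, and which copy, to distrust.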
CHAIN OF CUSTODY & THE VAULT
Modus eDiscovery currently uses a multi-level chain of custody and evidence handling process. This process begins
with labeling and tracking of media from receipt to delivery. These processes are in place to ensure that the
information has not been accessed outside the documented process. Once bagged, the evidence is entered into our COC (Chain of Custody)
application. The application uses a two-factor identification and authorization process (biometric fingerprint plus user
name and password). This ensures that all access to our database is properly authorized. All actions taken in the
application are logged for quality and integrity. The database and evidence are only accessible from
a single point: the evidence room / vault. The vault is a single-entry room secured with biometric
fingerprint access and monitored by multiple motion-activated security cameras. Bagged evidence is then placed
in an evidence container.
If data has to be accessed, removed from the vault or returned to the client, the database is updated with this
information. Each time the media is transferred to another party, the media documentation and chain of custody are
updated and a signature is required.