• Home
• About us
• Technology enabled crime types
• Key partners
• Frequently asked questions
  • Incident Response Guidelines
• News and Information
• Glossary

Incident Response Guidelines

In order for the AHTCC to commence an investigation, evidence of a criminal offence needs to be identified.

Larger businesses may have in-house trained staff that can respond to incidents and commence the process of identifying and preserving evidence.

If you do not have an internal trained capacity to deal with such incidents, it may be necessary for you to employ the services of appropriately trained persons to assist in the process of identifying evidence that will determine whether or not an offence has been committed and to assist in preserving such evidence.

Evidence preservation following an incident

• It is critical that as much evidence (and other information) as possible is gathered at this stage as there may not be an opportunity to gather it at a later time.
• It should be noted that the quality of the outcome of an investigation will be highly dependent on the quality of the information that is provided as a result of the incident response.
• Preservation of evidence (for subsequent presentation in court in the event of a prosecution) is a critical factor in any criminal investigation.
• The appropriate action to take to preserve the evidence will depend on the circumstances but may involve actions ranging from copying unaltered computer logs to CD/DVD through to forensic copying of computer hard drives.
• Forensic copying of computer hard drives by appropriately trained personnel is the most effective means of preserving ALL of the evidence, however, it is also the most intensive and time consuming.

Sources of evidence may include any or all of the following:

• Systems that have been compromised;
• Hard drives of systems that have been compromised;
• Web, mail, ftp or any other relevant server logs;
• Proxy logs;
• RADIUS logs;
• Intrusion Detection System (IDS) logs;
• Firewall logs;
• Router logs.

Preservation of evidence

Methods used to preserve the evidence will depend on the circumstances.

Options (in order of preference) are listed below.

Please be aware that Police computer forensic staff may assist with or undertake these tasks if a matter becomes the subject of an investigation:

1. Take the computer(s) involved off line and secure, pending forensic examination by adequately trained and qualified persons.
2. If it is not possible for the system to remain off-line, remove the hard drive(s) from the computers involved and secure them. The system can then be restored using spare hard drive(s) and ‘clean’ backups and placed back into service. If this is done it is necessary to record full details of the computer from which the hard drive was removed (e.g. time/date settings; hardware details; role of computer; IP addresses, etc) and who undertook the task.
3. If the hard drive cannot be replaced, it will be necessary for suitably trained and qualified persons to take a forensically sound copy of the hard drive(s). This may be undertaken by Police personnel.
4. If it is not possible to take the system off-line at all, consideration will have to be given to taking a ‘live’ bit-stream copy of the hard drive(s) involved. This should only be done by suitably trained and qualified staff.
5. If all data cannot be obtained from a system, consideration should be given to copying relevant files to write once CD/DVD. Copying data to write once CD/DVD immediately puts it in such a format that it is preserved. Any such CD/DVD’s should be clearly marked as to what they contain, who created them, and when and where they were created.
6. If suitably trained and qualified persons are available, consideration can be given to undertaking a live analysis of a system which has been involved in an incident. This involves capturing volatile data (such as settings, processes, active connections etc) that would be lost if the system was shut down. This should only be carried out by appropriately trained and qualified staff. Such actions may alter information on a system (and potentially destroy evidence or call into question the integrity of the evidence). Anyone undertaking such activities may be required to justify their actions to management, investigators or the court. The absolute minimum activity (and commands) should be undertaken to obtain the required information if a live analysis is undertaken. Note: in the case of routers, live data acquisition will be necessary to obtain the required information (e.g. settings, configuration data and connections).

The following points need to be taken into consideration in handling any incident (for further details refer to the references listed at the end of this document.)

Witnesses

• Be aware that anyone involved in the incident response process may be required to provide statements to investigators and may be required to give evidence in court (sometimes years after the event).
• Such individuals may be required to explain their credentials to the court and why they undertook certain actions.
• Appropriate consideration and action on the following points will help ensure that the best evidence is obtained and any processes and procedures withstand scrutiny by the court.

Running Sheets/Note Taking

• Commence detailed running sheets (notes) of all actions that are undertaken in responding to an incident.
• Record who is undertaking the action, what action they are taking, the time/date that the action is being taken and sign and date each entry.
• The more detail the better with such notes.
• Detailed notes will assist others involved in the incident response process and will assist investigators.
• Such notes will also assist those involved in preparing statements and will assist in remembering details whilst giving evidence in court (sometimes years after the event).

Continuity of Evidence/Chain of Custody

• Ensure that the continuity (chain of custody) of any evidence is maintained.
• It is important that records are kept of all instances where evidence is handled.
• This is important to show to the court that a piece of evidence obtained by someone is the same as that which is being presented to the court.

Label all Evidence

• Clearly mark all items of evidence, from where and when they were obtained and who obtained them.

Record Time/Date Skew

• Record time/date settings (and time zones) compared to actual time/date for all computers/systems from which evidence is obtained.
• This is critical to the interpretation of time/date stamps on files, log entries etc.
• If a system time/date setting is different from actual time/date, adjustments will have to be made during the course of investigations in order to accurately determine sequences of events and match incidents on different computers.
• Comparisons with actual time/date can be made by utilising on-line time servers, dial up time recordings or via GPS systems.

Gather All Other Relevant Information

Identify and gather all other pieces of information that may assist with any subsequent investigation. Such information may include any or all of the following:

• Network layout diagrams;
• Detailed network information such as roles of individual machines, IP addresses, operating systems and versions, other software used, date of implementation etc;
• Details of all authorised user accounts on systems;
• Details of previous incidents involving the network and outcomes;
• Computer system baselines (including hashes of critical files);
• System backups taken prior to compromise;
• Details of all relevant contacts (e.g. system administrators, security officers, legal officers, data entry officers etc).

References

RFC 3227 - Guidelines for Evidence Collection and Archiving - Copyright (C) The Internet Society (2002). 

Guidelines for the management of IT Evidence – HB 171-2003 – Standards Australia.

Guidelines for best practice in the forensic examination of digital technology - International Organisation on Computer Evidence (IOCE)