Re: Case Images

["Rajewski, Jonathan" <rajewski () CHAMPLAIN EDU>]

Having a digital forensic image with some type of integrity checking
(MD5/SHA1 etc..) will pass best practices and legal requirements. Having
two validated copies is also best practice.

That said, to help with your original question -

Unless you have some type of regulatory/legal reason to retain your
images, I would contact those involved in the dispute as well as legal
counsel to determine if they still want you to retain the images. Most
responses are "let's hold on to them just in case" so I would have some
figures ready to help them make the best educated/legal decision for your
situation/organization - for example - if you put a number on storing 15TB
of data associated with a case (physical space/cooling/security etc) - or
- the cost of the SAN/NAS or HDDs to store the hardware etc. You could
then use those conversations as justification for a larger budget or
shifting cost to the respective department that wants you to hold on to
the images. 

Moving forward I would recommend establishing an evidence disposition
policy. It sounds like you have one in place, but for what it's worth, a
good disposition policy will have a framework to visit your case
log/evidence on a regular basis. That way you can escalate space and cost
issues to management.

Also - are you compressing your images? If you're using EnCase or FTK
there are built in compression features that can compress/hash on the fly,
which can save you considerably on space if you have hard drives that are
half full. 

Good luck and I hope this helps.

Jon

--  
Jonathan T. Rajewski, MS, CCE, EnCe, CISSP, CFE
Assistant Professor, Digital Forensics, Champlain College
Director/Principal Investigator, Champlain College Center for Digital
Investigation (C3DI)
Digital Forensic Examiner, Vermont Internet Crimes Task Force
 
Champlain College
West Hall ­ Room 205
163 South Willard Street
Burlington, VT 05401
Office: +1 802-865-5460
Google Voice - +1 802-318-4804
Mobile - Available via request
Skype - jtrajewski


rajewski () champlain edu
jonathan.rajewski () leo gov



 
PGP Public Key: Located on keyserver.pgp.com
 






On 8/5/11 9:26 AM, "Kevin Halgren" <kevin.halgren () WASHBURN EDU> wrote:

> To my knowledge, the only certain way to demonstrate chain of custody
> and maintain the integrity of the data, from a court's perspective, is
> to retain the original hard drive.  You could conceivably store them
> off-site in a secure location where chain of custody can be maintained,
> e.g. with a bank.
>
> I wouldn't do anything without checking with your General Counsel
> first.  I'd phrase the question "How can I...?", a "Can I...?" question
> will more than likely get a "No" answer.  :)
>
> Kevin
> -- 
>
> Kevin Halgren
> Assistant Director - Systems and Network Services
> Washburn University
> (785) 670-2341
> kevin.halgren () washburn edu
>
>
> On 8/4/2011 11:17 AM, Mclaughlin, Kevin (mclaugkl) wrote:
> > Hi Everyone:
> >
> > I am wondering if anyone has come across a good, secure (:)  ) and
> > effective way to archive their HD images from internal cyber
> > investigations/ litigation hold work?  We do a fairly large amount of
> > these each year and it is becoming cumbersome to physically store the
> > actual hard drives, not to mention it's not really cost effective to
> > keep purchasing additional drives.
> >
> > We do roll the cases off per our retention policy (case closed +1, +2
> > etc.)  but some of the cases remain active for legal reasons even though
> > we don't need to do anything with them other than store them safely.
> > The cases that remain open with no activity required are the ones I am
> > thinking about archiving off somewhere/somehow.
> >
> > Thanks in advance for any process or best practice ideas you would be
> > willing to share,
> >
> > - Kevin
> >
> >
> > Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
> > Assistant Vice President, Information Security&  Special Projects
> > University of Cincinnati
> > 513-556-9177
> >
> > The University of Cincinnati is one of America's top public research
> > institutions and one of the region's largest employers, with a student
> > population of more than 41,000.
> >
> > [cid:image001.gif@01CC529F.DDCD9FE0]