Get startedGet started for free

How security teams preserve evidence

1. How security teams preserve evidence

An IP address here, authentication attempts there, packets everywhere. It’s all evidence in an incident investigation, and all that evidence needs to be preserved. In this video, you’ll learn how to preserve evidence and what to consider during the process. Security teams must preserve evidence for accurate investigations and legal compliance. Preserved evidence must be undamaged, unaltered, and documented. Preserving evidence is a team effort. For it to be successful, all team members must recognize the value of evidence preservation and follow the chain of custody. The chain of custody is the process of keeping track of evidence as it progresses through an investigation. As part of the chain of custody, there are mandatory rules and processes. These rules and processes address issues such as unauthorized access and evidence tampering. When following the chain of custody, records and documentation are essential. Clear, accurate, and complete records of an incident investigation helps maintain the integrity of the evidence, ensuring that evidence is admissible and reliable. Organizations can then use that evidence to meet legal, insurance, or regulatory requirements. Proper documentation and collection of evidence helps organizations limit damage, prevent further losses, and comply with regulations. Now that you understand the importance of evidence preservation and how the chain of custody supports it, let's discuss some of the legal and ethical aspects to consider when handling evidence. As a cybersecurity professional, there are four key legal and ethical best practices. First, be aware of legal and ethical requirements. Second, balance the need for evidence with privacy rights. Third, collect only what's necessary. And fourth, destroy evidence when no longer needed. So far, we’ve covered two topics that are important throughout the incident investigation life cycle: evidence preservation, and legal and ethical considerations. Now, let’s discuss the incident lifecycle and how evidence preservation fits in. Investigating incidents involves three phases: identification, incident control, and iterate improvement. In each of these phases, preserving evidence is one of the most important principles to focus on. The first phase, identification, is the phase that new cybersecurity professionals interact with the most. The goal of identification is to provide a foundation of evidence that the team can build from and not have to go back and repair. When identifying and defining the incident in the identification phase, you'll address questions like: What logs, alerts, or events have I observed that make up this incident? What detection rules were triggered? And how can I be sure this is a true incident and not a false positive? Now let’s discuss the unique challenges for evidence preservation when working in the cloud. Cloud resources like virtual machines or containers can be short-lived and automatically scaled. Because of this, you need to collect evidence promptly and create snapshots before any changes occur. Examples of this evidence include virtual machine logs or container operating system logs. When preserving evidence, it’s crucial to enforce strict access control management and encryption policies for data at rest and in transit. Logs from any system or device in the cloud are critical. Logs help you preserve integrity and restrict access to collected evidence. Finally, let’s discuss a couple tools and services in Google Cloud that you can use for evidence preservation. Cloud Logging and Cloud Monitoring are often used for evidence collection and analysis. These tools help collect, store, and analyze log data from a wide range of sources, allowing you to identify and investigate security incidents. Cloud Storage also supports evidence preservation. In Cloud Storage, identity and access management provides appropriate access controls to secure evidence storage. Once evidence is stored, cloud cybersecurity professionals can use features like object versioning and storage bucket policies to ensure data integrity and secure access. Google Backup and Disaster Recovery are designed to create regular, incremental, and secure backups for everything you need in an investigation. The opportunity for evidence preservation is built right into the design of the tool. In this video, you learned the steps involved in preserving and documenting evidence and the legal and ethical considerations to be aware of. You also learned about the incident investigation life cycle and the tools you can use along the way. Now you know how to handle evidence like a pro.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.