When a server is hacked, what do you do? That is the question. There are several questions:
- Do you want to prosecute the offender?
- Do you want to analyze the attack?
- Do you want to preserve the evidence?
For the moment, we’ll assume that you want to preserve the evidence in order to prosecute. Once this decision is made, the system administrator’s role starts to enter the legal realm. In order to preserve the evidence, a chain of custody must be maintained and preserved.
At its simplest, the chain of custody is a legal phrase that describes the provable knowledge of every one who handled the evidence and a provability that this evidence is the same as the one that was present at the crime scene. The question that the chain of custody attempts to answer is: Is this evidence (hard drive) the same one (and unaltered) that was at the crime scene (in the server)?
Before preserving the evidence, make a copy of the hard drive in order to have a copy for forensic analysis. This process should be noted on the evidence’s chain of custody, more than likely.
To make the chain of custody (and preserve the evidence), there are a number of things that can be done:
- Once the hard drive is no longer needed, wrap it and seal it (possibly along with an initial document stating its origins) – then sign across the seal itself (to prove that it hasn’t been opened since).
- Put the drive into a safe with a very limited access.
- Each time the drive is touched (i.e., moved, relocated, or reassigned) fill out an entry on a form with date, action, by who, and why the action was taken.
All through the process, there should always be a witness to what occurs. For example, when the system administrator removes a hard drive from a server, there should be additional witnesses present. Likewise, if anyone moves the hard drive – or gives it to someone, then witnesses should be present also. In all these cases, note the witnesses and other information in the chain of custody log (always with date).
Another excellent tip is to photograph the removal of the hard drive – specifically, photograph the location of the machine, what was done to the machine, and where was the hard drive physically located. The person removing the hard drive may also want to sign the hard drive itself, in order to prove that this was the actual hard drive removed from the system.
The wrap should be some sort of wrap that will show evidence of tampering – shrinkwrap may fit the bill.
The chain of custody is a legal phrase with a legal definition. However, I am not a lawyer (sheesh, do I really have to say that?). So for best advice, seek that of a lawyer (or forensic specialist).
In a big enough company, certainly you should consult with your in-house corporate attorney before taking any unnecessary action.
Here are some further resources:
- How to Keep a Digital Chain of Custody from CSO Online
- Proof of a Chain of Custody in a Case
- Forensic Science: the Basics by Jay A. Siegel (chapter 2)
- Computer Forensics: Computer Crime Scene Investigation by John R. Vacca (pp. 247 and following)
- Laws of Evidence by Thomas Buckles (pp. 81 and following)
Some of these resources are directed towards the legal profession instead of the computer professions, but if you have the willingness to learn more, they can only help.
UNIX Administratosphere 