INCIDENT RESPONSE

Forensic Acquisition

Essentials

Just as crime scene investigators carefully gather physical evidence, computer forensics acquisition professionals methodically, safely, and securely acquire electronic evidence in a manner that preserves the data and maintains the chain of custody. This may involve creating a forensic image of a system or network where the equipment cannot be taken offline, or physically seizing the equipment itself. For each piece of evidence, Chain of Custody forms, host records, and imaging logs are produced.

All evidence is hashed to ensure two things:

  • The acquired image matches the original media (the hash computed while reading the source equals the hash of the image written)
  • Working copies made from that image are identical to it (every copy re-hashes to the same value before analysis begins)

Evidence is transported within approved standards, and stored within a secure holding facility.

Benefits

In the event of a breach, theft, or inappropriate employee behavior, it is absolutely crucial that electronic evidence be preserved. Why? Because electronic evidence contains the information needed to understand three things:

  • How the events happened
  • How to mitigate the cause of the events
  • What data or resources may have been affected by the breach or theft

It is essential that electronic evidence be acquired in a methodical, safe, and secure manner, and preserved in a manner that is admissible in a court of law.

Expertise

SecureState’s Readiness and Response Team is comprised of industry experts with experience in Military Intelligence, Law Enforcement, and Big X Consulting, and includes members with high-level government security clearances who are trusted with the nation’s most classified secrets. Members of our Team have been involved in the acquisition and forensic analysis of data in high-profile events including the Space Shuttle Columbia Disaster. They have coordinated Incident Response teams that included FEMA, AFCERT, and DHS in response to severe weather, terrorist activities, and world-wide threat events. With unimpeachable ethical standards and unsurpassed technical skills, SecureState’s Readiness and Response Team is ready to assist even the most complex businesses with their information security readiness and response.

Did You Know?

  • Forensic acquisition principles and methodologies are not just for incidents that may go to trial
  • Any investigation performed directly on a system or device alters evidence (file timestamps, memory, logs) and therefore the accuracy of the analysis; acquire first, analyze the copy
  • Forensic acquisition techniques ensure the integrity of the collected data and of the investigation built on it
  • Forensic methodologies may be required and driven by regulatory guidelines such as PCI DSS, HIPAA (for PHI), and privacy laws
  • Forensic acquisition, tracking, management, and validation should be included within the organization’s incident response procedures and policies
  • Forensic procedures and policies should be tested and exercised annually

Our Approach and Methodology

SecureState’s Acquisition Policy is to protect the integrity, original state, and confidentiality of sensitive, regulated, confidential, or proprietary information (including data covered by HIPAA and PCI DSS, PI, and PHI), and to comply with legal and regulatory requirements. This policy establishes how the response to incidents on computer and electronic communication systems is coordinated, so that collection, information gathering, and reporting of security-related events follow proven and tested procedures.

SecureState provides the following framework and methodologies for Forensic Acquisitions:

Evidence Handling:

  • SecureState Readiness and Response Team personnel will provide Chain of Custody forms, host records, and imaging logs for each piece of evidence. All evidence will be hashed to ensure that images match the original data and that working copies of those images are identical to them. SecureState Readiness and Response Team personnel will transport evidence in approved evidence bags and storage containers, and store evidence within a secure holding facility on SecureState premises.
  • Digital evidence will be secured in accordance with SecureState guidelines and with the applicable regulatory or legal requirements. Methodologies and procedures can be referenced in SecureState: Incident Response Policy, Revision 2; U.S. Department of Justice: Electronic Crime Scene Investigation: A Guide for First Responders (NCJ 187736); and NIST Special Publication 800-61, Computer Security Incident Handling Guide.

Evidence Preserving

  • SecureState Readiness and Response Team personnel will forensically collect evidence to maintain the integrity of the data. All efforts will be made to ensure evidence is not altered, modified, or corrupted.
  • SecureState Readiness and Response Team personnel will also verify that all evidence is accounted for, validated and clearly marked, labeled, and recorded.

Evidence Collecting

  • All evidence collection procedures will be reviewed by the SecureState Readiness and Response Team before acquisition begins. Where appropriate, SecureState acts as custodian of the data and as handler for evidence, response, and analysis. All imaging, collection, and documentation will be observed and supervised by SecureState Readiness and Response Team personnel.
  • SecureState will create a host record for each evidence collection. The host record ties the data to its original owner or location; states explicitly the method of collection and of backing up the evidence, as described in the imaging or collection log; records the hashing and validation procedures used and the investigator’s notes; and lists the volume, configuration, media details, and type of data for each piece of evidence. Each host record is then tied to the corresponding Chain of Custody form.
  • SecureState Incident Responders will collect, label, and preserve the digital evidence, and will package and transport it in a secure manner.
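The hashing and validation steps described under Essentials, Evidence Handling, and the host record above are the one part of this process that is mechanical, so here is an added example of what they look like in code. It is illustrative code written for this page, not SecureState’s tooling or a replacement for an imaging tool such as dd, dc3dd, or ewfacquire: it copies a source read-only in fixed-size chunks while hashing, re-hashes the written image, compares the two, and writes an imaging log with the fields a host record needs. The "device" it images is a constructed temporary file; file names, log fields, and the 1 MiB chunk size are assumptions for the example. On real media the source would be a block device behind a hardware write blocker.

```python
"""Forensic image acquisition with hash verification and an imaging log.

Added example for this page (not SecureState's own tooling). The source
"device" is a constructed temp file; a real acquisition would read a
block device such as /dev/sdb through a write blocker.
"""
import hashlib
import json
import os
import random
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # assumed chunk size: read and hash 1 MiB at a time
ALGS = ("md5", "sha256")  # sha256 for integrity; md5 kept for older tool compatibility


def hash_file(path, algorithms=ALGS):
    """Hash a file chunk by chunk and return {algorithm: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def acquire(source, image, algorithms=ALGS):
    """Image `source` into `image`, hashing the bytes as they are read
    (acquisition hash), then re-read the written image (verification hash).
    Writes `<image>.log.json` and returns the imaging-log dict."""
    acq = {alg: hashlib.new(alg) for alg in algorithms}
    started = datetime.now(timezone.utc)
    size = 0
    # Source is opened read-only; the image is written once, sequentially.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            size += len(chunk)
            for h in acq.values():
                h.update(chunk)
    finished = datetime.now(timezone.utc)
    acquisition_hash = {alg: h.hexdigest() for alg, h in acq.items()}
    verification_hash = hash_file(image, algorithms)  # independent re-read
    log = {
        "source": source,
        "image": image,
        "method": "sequential read-only chunked copy (dd-equivalent), hashed on read",
        "bytes": size,
        "started": started.isoformat(),
        "finished": finished.isoformat(),
        "acquisition_hash": acquisition_hash,
        "verification_hash": verification_hash,
        # The image is only usable as evidence if both hashes agree.
        "verified": acquisition_hash == verification_hash,
    }
    with open(image + ".log.json", "w") as f:
        json.dump(log, f, indent=2)
    return log


def copy_matches(image, copy):
    """True if a working copy re-hashes identically to the verified image."""
    return hash_file(image)["sha256"] == hash_file(copy)["sha256"]


def demo(workdir=None):
    """Constructed walk-through: image a fake device, make a good working copy,
    then flip one byte in a second copy to show verification catching it."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence-device.bin")
    image = os.path.join(workdir, "evidence.dd")
    copy_ok = os.path.join(workdir, "evidence-copy.dd")
    copy_bad = os.path.join(workdir, "evidence-tampered.dd")
    # Constructed sample media: 3 MiB of deterministic pseudo-random bytes.
    with open(source, "wb") as f:
        f.write(random.Random(1).randbytes(3 * CHUNK))
    log = acquire(source, image)
    shutil.copyfile(image, copy_ok)
    shutil.copyfile(image, copy_bad)
    with open(copy_bad, "r+b") as f:  # simulate a corrupted/tampered copy
        f.seek(CHUNK + 17)
        b = f.read(1)
        f.seek(CHUNK + 17)
        f.write(bytes([b[0] ^ 0x01]))
    return {
        "imaging_log": log,
        "copy_ok_matches": copy_matches(image, copy_ok),
        "copy_bad_matches": copy_matches(image, copy_bad),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two hashes serve different purposes: the acquisition hash proves what was read from the media at the time of collection, and the verification hash proves the image on disk is that same data; the hash of each working copy is compared against the verified image before any analysis touches it, which is the check the tampered-copy case in `demo()` fails. Record the algorithm, the digests, and the timestamps on the host record and Chain of Custody form, since a digest with no record of when and how it was produced is of little use in court.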

Protection

  • SecureState keeps all digital evidence away from magnetic fields such as those produced by radio transmitters, speaker magnets, and magnetic-mount emergency lights, and avoids temperatures that could damage or destroy evidence.
  • SecureState will verify that evidence is stored and packaged correctly to prevent damage from shock or vibration during transportation.
  • SecureState will document the transportation of the evidence and maintain proper Chain of Custody.
  • SecureState will ensure that examination of evidence is performed on isolated lab systems, never on the original media.
  • SecureState will make every effort to ensure the admissibility of evidence in criminal and other legal proceedings in accordance with applicable jurisdictional requirements.

Dispose

  • SecureState follows NIST guidelines for disposing of physical or digital evidence.

Audit the Data and Policies and Procedures

  • Each completed case will be reviewed by a supervisor with knowledge of forensic examinations.
  • SecureState will review lab policies and procedures at least once a year.
  • An audit of the laboratory and examiners will be conducted using the accepted standards and criteria set forth in this policy and its referenced documentation, to ensure compliance and quality.
  • Documentation of audits and reviews will be maintained for one calendar year.
  • If compliance or performance issues are identified, SecureState will remediate the findings to ensure the lab operates in accordance with the Lab Policies and Procedures.

What Makes Us Different

SecureState’s Forensic Team:

  1. Consists of consultants with industry-leading certifications and security clearances
  2. Has led, developed, and implemented emergency response teams, forensic investigations, and evidence collection for top financial and insurance institutions, as well as the United States Air Force and supporting units world-wide.