
ISF Briefing No. 12 • December 2008

ISF Briefing: Electronic Evidence


This briefing is one of a series of short reports designed to give Members a ‘heads-up’ on key topics related to information security. It is
based on desktop research and interviews with Members only and does not necessarily reflect good practice or Member opinion. This
briefing has been written for information security professionals and does not necessarily adhere to strict legal terminology.
This paper has not been legally validated (due to differing legal systems in different jurisdictions) and does not constitute
legal advice. Members should seek legal advice when dealing with electronic evidence matters.

What is electronic evidence?


Electronic evidence is information in a digital format (including electronic records and digital media) that is used to establish proof of
factual allegations or arguments. Electronic evidence may exist on a variety of different devices (from mainframe computers to mobile
phones) and can be gathered from a range of storage media (from computer tapes and hard drives through to Secure Digital cards and
portable media players).
Electronic evidence can be part of an internal investigation, tribunal, civil or criminal action and is typically used to:
• establish facts (or disprove allegations) about events that have taken place (eg accessing a computer room, copying data to a USB
device, deleting event logs on a database)
• corroborate the authenticity, credibility, consistency and continuity of other evidence about these events (eg timestamped file creation,
digitally signed evidence, record of users with access to files).

Electronic evidence is often associated with computer forensic investigation or e-discovery through the process of:
A – collecting electronic evidence: identifying and extracting digital information that can be used to establish proof
B – protecting electronic evidence: implementing controls to ensure the integrity of the information
C – presenting electronic evidence: processing information in the context of events such that it is understandable in a tribunal or court
of law.

Why is collecting, protecting and presenting electronic evidence an information security issue?
Many of the activities associated with electronic evidence are likely to be the organisational responsibility of information security and may
have a number of problems associated with them, such as:
A – collecting: electronic evidence may be difficult and costly to identify and extract if information security guidelines relating to the
production of data that may form electronic evidence (such as event logs) have not been put in place and followed
B – protecting: electronic evidence can be susceptible to tampering and the information security function may have a duty to implement
controls that protect the integrity of electronic evidence
C – presenting: the information security function is likely to be involved in placing electronic evidence in context and a representative
may be required to present in a court of law.

How do I respond?
For a large organisation there is likely to be a continual requirement to produce electronic evidence quickly and cost-effectively. Processes
related to electronic evidence should be documented and tested, and include:
A – collecting electronic evidence: guidelines for the collection of electronic evidence must be created and followed. Specialist tools
must be deployed and legal constraints (such as privacy laws) must be identified
B – protecting electronic evidence: employees must be made aware of how to secure evidence and controls must be used to protect
evidence both during and after collection
C – presenting electronic evidence: information security specialists must be able to produce information in a manner that is
understandable to a court of law and be prepared to testify in a court.

COMMENTARY
Collecting, protecting and presenting electronic evidence is becoming part of ‘business as usual’ for many information security
functions. There are significant costs and risks associated with electronic evidence and there are many ways in which the evidence
can be spoiled if information security processes related to electronic evidence are not drawn up and followed.

www.securityforum.org ISF Briefing: Electronic Evidence • Information Security Forum 


WHAT is Electronic Evidence?

Electronic evidence is information in a digital format that is used to establish proof of factual allegations or arguments.
Typically electronic evidence is used to establish proof in cases of:
• employment tribunals (eg proving Internet misuse, identifying the sender of an abusive e-mail, highlighting inappropriate material being
downloaded to company servers)
• civil litigation (eg supporting a dispute with competitors, suppliers or customers, defending a claim for discrimination by an employee,
or verifying online changes to insurance policies by customers)
• criminal prosecution (eg proving illegal content was hosted on company servers, ratifying facts about a malicious data breach, or in
support of facts related to a criminal legal case).

Legal and Regulatory


In some cases, legal and regulatory requirements demand proof (evidence) of compliance with regulatory requirements. Whilst the
principles related to collecting, protecting and presenting evidence can be used for legal and regulatory compliance, typically the
evidence is gathered to a different standard from that required by a court of law. An example of legislation with evidentiary
requirements is section 1102 of the Sarbanes-Oxley Act 2002 (US), which added 18 U.S.C. §1512(c): “Whoever corruptly alters, destroys,
mutilates, or conceals a record, document, or other object ... with the intent to impair the object’s integrity or availability for use in
an official proceeding ... shall be fined under this title or imprisoned not more than 20 years, or both.”

Standards

Whilst there are several standards for handling electronic evidence (listed at the end of this paper), they often differ according to the
legal jurisdiction.

Electronic evidence is typically collected, protected and presented during a computer forensics investigation or as the result of an
e-discovery exercise. Computer forensic tools and devices are designed to read memory and storage devices directly (bypassing the normal
operating system file access paths) and to duplicate electronic evidence in its original form by creating a bit-for-bit forensic copy
(image). Analysis is then performed on the copy, so that the original is not accessed again and cannot be altered by the examination.

Computer forensic investigation
A technical discipline specialising in examination of computer systems and other electronic devices that are recorded and presented as
electronic evidence. The focus is typically on a small number of electronic devices and on electronic evidence collected from one event
(eg unauthorised access to a customer credit card database).

E-discovery
In many jurisdictions discovery is part of the process of law, but the phrase ‘e-discovery’ is frequently used to refer to the discovery of
digitally (or electronically) stored information. An e-discovery order is a legal order served by another party on the organisation requiring
the production of electronic evidence. E-discovery is typically wide reaching and can incur significant costs involving the analysis of a
large number of electronic devices or storage media.

Admissibility of electronic evidence


Often it is not possible to differentiate the electronic media (such as a hard drive) from the electronic records (data) that it contains.
Both may be considered as electronic evidence and a failure to collect, protect and present both may result in the electronic evidence
being ruled inadmissible. In many cases the electronic records are considered to be a sub-set of the electronic media, and protection
of the media de facto also protects the records.

Whilst electronic evidence is typically classified under legal terminology of direct or circumstantial, different types of electronic evidence
may exist as illustrated below and on the following page.

Type: ‘Smoking gun’
Description: Any electronic content which serves as conclusive evidence that an act took place.
Examples:
• Digitally signed e-mail implicating the suspect
• Digital CCTV showing suspect committing an act
• Sensitive spreadsheets found on suspect, indicating a theft attempt

Type: Metadata
Description: ‘Data about data’, or hidden data which explains the circumstances about a file and any historical changes.
Examples:
• Original author of a document clarifying the source of a forged document
• Time of file creation, placing the document into a timeline
• Spreadsheet formulae revealing fraudulent calculations

Type: Audit trail
Description: Chronological chain of events that have taken place on a system or application.
Examples:
• Network logs showing information sent outside of the organisation
• System logs listing attempted logons
• Hardware logs cataloguing the removal of a hard drive

Type: Configuration settings
Description: Operating system, software and application settings that can be used to establish the integrity of evidence.
Examples:
• BIOS settings establishing internal time clock settings
• Version numbers demonstrating that data has been accurately reconstructed
• Windows Registry data proving that an external disk drive was connected



When dealing with electronic evidence it is important to adopt a consistent approach. Typically there are three stages to consider –
collecting, protecting and presenting electronic evidence.

A. Collecting

There are many different examples of electronic evidence that may be used in disputes. Set out in the table on the previous page, these
may involve obvious sources such as system event logs and e-mails to more obscure sources such as recorded VoIP calls or application
configuration files. An illustration of a sequence of events generating different types of electronic evidence is shown below:

[Figure: timeline of one incident – 9:00 ENTRY, 9:15 LOGIN, 11:00 HACK / COPY / DELETE, 17:00 LOG OUT, 17:15 EXIT – with each event
annotated by the types of electronic evidence it generates: ‘smoking gun’ evidence, audit trail, metadata, configuration settings and
negative evidence (server logs).]

As the chain of events that lead to an illegal action may be extremely complicated, proving it happened or did not happen is often
difficult. Organisations are advised to involve computer forensic and e-discovery experts as soon as possible after an incident, as they
will determine what electronic evidence to collect and what measures are needed to produce legally admissible electronic evidence.

Negative evidence
Negative (or disproving) evidence is evidence which proves that an event or action did not occur, for example card swipe system logs
show that the suspect was not in the building.

B. Protecting

Electronic evidence is often stored in a volatile or changeable format (eg computer memory, temporary system files, router buffers) and
can be vulnerable to alteration. A court will expect that electronic evidence is of a high quality and has not been subject to
modification or destruction by:
• one of the parties involved in the dispute, either intentionally or by mistake
• software or hardware malfunction
• legitimate system or housekeeping processes
• the process of collection if appropriate steps to protect its integrity have not been taken
• anti-forensic methods used to thwart investigative efforts.

Protecting electronic evidence from alteration or destruction is crucial for its accuracy and reliability. Failure to collect evidence with
specialised computer forensic software or devices may result in: ‘trampling over’ evidence; metadata being overwritten (eg creation
date of file, storage location, name of author); or ‘smoking gun’ type evidence being erased (eg a logic bomb planted by the employee
committing fraud).

Evidential quality
The extent to which electronic evidence needs to be protected is related to the incident and form in which the evidence is to be
presented – for example, evidence for an internal disciplinary hearing may require a lower level of protection than a court of law.
However, it is important to note that a disciplinary hearing can escalate to a court of law, which may then reject previously used
evidence as inadmissible.

Electronic evidence needs to be protected from unauthorised tampering at a later date. Ideally devices containing electronic evidence
should be physically removed, sealed and stored in a secure place and controls (such as hashing) used to demonstrate that the evidence
has not been altered.

Litigation hold
In some cases the integrity of electronic evidence also needs to be protected before collection. An upcoming lawsuit may require
suspending housekeeping routines (such as archiving or deletion) to prevent deletion of existing documents or record archives that
contain potential electronic evidence. This action is called ‘litigation hold’.



Anti-forensic methods
There are many anti-forensic techniques that ‘rogue’ employees, cybercriminals or hackers may use to avoid detection by computer
forensics or to increase significantly the required investigative effort. Examples include:
• tampering with system time and file access time metadata
• destroying data beyond recovery by deleting and physically overwriting storage
• masking the original source of a network transmission so that it cannot be traced back through the network.
Anti-forensic methods can be sophisticated – for example, kernel rootkits (such as the DDefy proof of concept) are written specifically to
subvert forensic tools by intercepting what they read from disk or memory on a live system. The compromised forensic software may be
unable to find the relevant evidence and may even return inaccurate or deliberately altered evidence.

C. Presenting

Presenting is a process of demonstrating the meaning of electronic evidence to all the parties of the dispute in a way that allows clear
and unambiguous interpretation and supports the final judgement.

Electronic evidence:
• is typically analysed and summarised in a report. While the ‘smoking gun’ evidence is often self-explanatory, supplementary types of
electronic evidence, such as metadata, require additional expertise to ensure the evidence is examined, interpreted and presented in a
way that can be understood by a judge and jury
• needs to be admissible when presented in the dispute. This involves proving that adequate measures have been taken to protect the
integrity of the evidence.

Although most of the evidential properties of electronic evidence concern its integrity, in a court evidence may also have to be shown to be
authentic, credible, consistent and continuous.

Authenticity
Description: Electronic evidence needs to be original and valid, meaning that it has not been altered in any way. Ideally it also confirms
the authorship of the evidence.
Examples: Hash values proving that the evidence has not been tampered with. Document metadata indicating the original author.

Credibility
Description: Every piece of evidence needs to be believable in the general context of the fact that the electronic evidence is supporting.
Examples: Evidence of an employee sending out threatening e-mails prior to the employee deleting sensitive data indicates an intent to do
so, making it more credible.

Consistency
Description: Every piece of electronic evidence conforms to the same storyline without contradicting the logic of the sequence of events.
Examples: Evidence of an employee logging into a workstation may be inconsistent when there is no supporting evidence from the building
access control system showing that the employee was in the building.

Continuity
Description: Every piece of electronic evidence needs to be contiguous and demonstrate that it follows the sequence of events.
Examples: Evidence of an employee logging into a workstation followed by evidence of malicious modification of business data, and then
evidence of the employee deleting system access logs.

The way that electronic evidence is presented is typically guided by specialists, such as lawyers. However, it is possible that the court
requires testimonies by employees (including information security staff) or third parties to confirm the authenticity, credibility, consistency
and continuity of electronic evidence. This may cover a broad set of issues that are not directly related to the presented electronic evidence
itself, such as the policies, procedures and practices in the organisation and how electronic evidence was generated.



WHY is collecting, protecting and presenting electronic evidence an information security issue?

Organisations often find themselves under pressure to produce electronic evidence quickly when a dispute arises. Failure to do so may
result in excessive lawsuit costs, regulatory and legal fines or loss of the case. Even though electronic evidence is primarily a legal matter,
there are also a range of information security-related problems associated with the activities of collecting, protecting and presenting
electronic evidence.
In many organisations the information security function acts as the primary liaison with the legal department for all IT related matters and
assumes responsibility for ensuring that the activities of collecting, protecting and presenting electronic evidence are performed to the
required standard. Some of the typical problems that may be encountered are outlined in the section below:

A. Collecting

The information security activities associated with the collection of electronic evidence typically cover: configuring systems to
generate specific information that can be used as electronic evidence; ensuring that time-stamping is accurate at the point of generating
such information; checking that the content of information does not breach any privacy laws; searching databases for evidence.

Problem: Inability to identify the cause of misuse of a critical application.
Description: The critical application has not been configured to generate security-related event entries (eg multiple failed passwords,
access to a particular port, excessive CPU usage).
Possible impact: The organisation may not be able to launch a successful prosecution if specific events have not been recorded in the
event logs.

Problem: Unsynchronised system time on critical systems.
Description: Critical systems have not been synchronised (eg via the Network Time Protocol (NTP) to a trusted time source) to keep system
clocks consistent and referenced to a standard time, and any residual offset of each clock has not been measured and recorded.
Possible impact: Organisations would be unable to correlate event entries across multiple platforms to corroborate a sequence of events.

Problem: Negligence in balancing privacy rights with the need to collect electronic evidence.
Description: An event investigation often introduces multiple privacy issues. Creating a remote forensic copy of an employee’s laptop (for
example) may be regarded as a breach of human rights in certain jurisdictions.
Possible impact: The organisation will not be able to use the electronic evidence if it was gathered illegally. Furthermore such an illegal
action can itself have legal consequences, such as the prosecution of individuals who have gathered the evidence.

Problem: Data is not searchable or prohibitively expensive to search.
Description: Data fields that are required to identify the evidence may not be indexed in a database and cannot be easily searched. For
example, identifying e-mail text within a corporate e-mail system of several terabytes is likely to be a complex task.
Possible impact: Failure to provide evidence in accordance with court imposed timescales, or at a reasonable cost.
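The unsynchronised-time problem above, and the consistency example in the presenting table (a workstation logon with no matching building access record), lend themselves to a short worked illustration. The Python below is an added example, not part of the ISF briefing. It takes constructed log lines from three sources (a badge system whose clock was measured 7 minutes fast against an NTP reference at collection time, a workstation logging in UTC, and a file server logging local time in UTC+1 with no zone marker), normalises every record to UTC using the offsets recorded at collection, builds a single timeline, and flags workstation logons for which the badge system shows the user was outside the building. The source names, users, hosts and the 7-minute skew are all assumptions; running the same check without the recorded skew shows how an uncorrected clock manufactures a false inconsistency.

```python
"""Build a UTC timeline from several evidence sources and check it for consistency.

Added example (not part of the ISF briefing). All log lines are constructed.
Assumed clock facts, of the kind that must be recorded at collection time:
  - badge system: logs local time (UTC), clock measured 7 minutes FAST against NTP
  - workstation:  logs UTC (ISO 8601 with trailing Z), clock in sync
  - file server:  logs local time UTC+1 with no zone marker, clock in sync
"""
from datetime import datetime, timedelta, timezone

BADGE_LOG = [  # constructed sample records
    "2008-12-01 09:07:00 ENTRY door=G1 badge=4471 user=jsmith",
    "2008-12-01 17:22:00 EXIT  door=G1 badge=4471 user=jsmith",
]
WORKSTATION_LOG = [  # constructed sample records
    "2008-12-01T09:03:12Z LOGON  host=WS-114 user=jsmith",
    "2008-12-01T17:00:40Z LOGOFF host=WS-114 user=jsmith",
    "2008-12-01T19:30:05Z LOGON  host=WS-114 user=jsmith",
]
FILESERVER_LOG = [  # constructed sample records
    "01/12/2008 12:00:03 COPY   share=finance file=payroll.xls user=jsmith dst=USB",
    "01/12/2008 12:01:10 DELETE path=/var/log/audit.log user=jsmith",
]

# Per source: (zone the wall clock is written in, measured skew to subtract). Assumed values.
CLOCKS = {
    "badge":       (timezone.utc,                 timedelta(minutes=7)),
    "workstation": (timezone.utc,                 timedelta(0)),
    "fileserver":  (timezone(timedelta(hours=1)), timedelta(0)),
}


def _fields(tokens):
    return dict(t.split("=", 1) for t in tokens)


def parse_badge(line):
    date, time, event, *rest = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), event, _fields(rest)


def parse_workstation(line):
    ts, event, *rest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, _fields(rest)


def parse_fileserver(line):
    date, time, event, *rest = line.split()
    return datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"), event, _fields(rest)


SOURCES = {
    "badge": (BADGE_LOG, parse_badge),
    "workstation": (WORKSTATION_LOG, parse_workstation),
    "fileserver": (FILESERVER_LOG, parse_fileserver),
}


def to_utc(source, naive, correct_clocks=True):
    """Attach the source's zone, subtract its measured skew, convert to UTC."""
    tz, skew = CLOCKS[source]
    aware = naive.replace(tzinfo=tz)
    if correct_clocks:
        aware -= skew
    return aware.astimezone(timezone.utc)


def build_timeline(correct_clocks=True):
    """Merge every source into one list of events ordered by (corrected) UTC time."""
    events = []
    for source, (lines, parser) in SOURCES.items():
        for line in lines:
            naive, event, fields = parser(line)
            events.append({"utc": to_utc(source, naive, correct_clocks), "source": source,
                           "event": event, "user": fields.get("user"), "fields": fields})
    events.sort(key=lambda e: e["utc"])
    return events


def find_inconsistencies(events):
    """Workstation LOGONs that occur while the badge system shows the user outside
    the building (the briefing's consistency example)."""
    inside, findings = set(), []
    for e in events:
        if e["source"] == "badge":
            (inside.add if e["event"] == "ENTRY" else inside.discard)(e["user"])
        elif e["source"] == "workstation" and e["event"] == "LOGON" and e["user"] not in inside:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for e in build_timeline():
        print(e["utc"].strftime("%H:%M:%S"), e["source"].ljust(11), e["event"], e["fields"])
    print("logons without badge presence, corrected clocks:",
          [e["utc"].isoformat() for e in find_inconsistencies(build_timeline())])
    print("same check with uncorrected clocks:",
          [e["utc"].isoformat() for e in find_inconsistencies(build_timeline(correct_clocks=False))])
```

With the recorded skew applied the timeline reads ENTRY 09:00, LOGON 09:03, COPY and DELETE at 11:00, LOGOFF 17:00, EXIT 17:15, and only the 19:30 logon is flagged. Without the correction the badge ENTRY appears at 09:07, after the 09:03 logon, and the tool reports a second, spurious inconsistency: the measurement of each clock's offset at collection time is itself evidence and belongs in the collection record.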

Technical obsolescence
In some cases (for example in legal cases relating to medical records or insurance policies) it can be necessary to produce electronic
evidence that dates back a considerable number of years. It may be possible to retrieve the data relating to the event or incident,
but not to present the information, as it may have become obsolete (eg it is in Lotus 1-2-3 format, is stored on floppy disk, or the
decryption keys cannot be found).

Outsourcing
Increasingly the data that needs to be collected as evidence may reside with an outsource organisation, in a different legal jurisdiction.
This can create additional complications related to cost of collection, protecting integrity, confidentiality of the incident and
jurisdictional problems.



B. Protecting

Information that could be used as evidence will need to be protected from modification or destruction. This is often a complex
undertaking as organisations do not always know what types of information will be required as evidence to support a legal dispute.

Problem: Failure to protect potential electronic evidence from privileged users.
Description: Users with privileged access may be able to change electronic evidence.
Possible impact: Evidence is declared inadmissible, or the altered evidence leads to an unfavourable outcome.

Problem: Degradation of electronic information existing on removable media over time, or obsolescence of media types.
Description: Information stored on electronic media has a shelf-life. Failure to continually access, re-write and restore these old files
could result in the degradation or complete loss of information (eg the failure to be able to read data from a backup tape).
Possible impact: Damage, degradation or loss of information prevents an organisation from using it as evidence (eg to disprove a claim)
which may harm their defence.

Problem: Loss of the original set of raw data containing electronic evidence.
Description: Highly technical information may be processed to summarise the results for presenting to a court of law and the source data
may not be properly protected.
Possible impact: Failure to keep an original copy of the raw data may allow a challenge to the authenticity of the processed version.

C. Presenting

Presenting evidence in a court of law to support a prosecution or defence comes with a set of issues different to collecting and
protecting and requires a different set of skills. Although a legal case will be led by a lawyer, if the evidence is poorly presented
then this can adversely affect the outcome of the case.

Problem: Failure to present detailed electronic information in a non-technical format.
Description: Evidence such as event logs is typically highly detailed and often requires a technical expert to analyse, interpret and
present to non-technical members of the court.
Possible impact: If the information has not been presented in a format that members of the court can easily understand, it may confuse
the jury and consequently be dismissed in the final judgement.

Problem: Incomplete records of the chain of custody of evidence.
Description: Organisations will need to prove that the integrity of evidence has been maintained at each stage of the process for the
electronic evidence used in a legal dispute.
Possible impact: Failure to document the steps of the process and individuals involved could place the evidence in doubt. If the case
hangs on the electronic information as evidence this could significantly affect the legal position of an organisation.

Problem: Failure to deliver electronic evidence to a court of law within a set timeframe.
Description: Identifying and isolating the electronic evidence (eg from storage) typically requires significant amounts of time and
skilled resources.
Possible impact: Failure to deliver this information in a timely manner could result in it being excluded from court presentation.

The importance of a chain of custody


Throughout the collection and protection stages associated with electronic evidence it is important that a chain of custody is
maintained. This includes maintaining a documented timeline of each step when handling evidence and (where possible) having each
step witnessed. Failure to maintain a chain of custody record can lead to the evidence being inadmissible.

COMMENTARY
Failure to request help or asking for help too late in an investigation is one of the biggest issues reported by computer forensics and
e-discovery experts. Not only is there a risk of electronic evidence being altered, there is also a risk that this evidence is spoiled or not
actually presented within the required timeframe.



HOW do I respond?

Large organisations operating across the globe will typically experience a continual stream of legal actions from third parties, but also from
within the organisation as action is taken against third parties, or as the result of internal disputes (such as a fraud or staff disciplinary
action). This is simply the nature of global business, but can effectively generate an almost constant demand for electronic evidence of
some sort.
To be able to respond to this demand in a cost effective and timely manner, the information security function needs to be prepared to
handle all aspects of electronic evidence by ensuring that arrangements for collection, protection and presentation of electronic evidence
have been established.

Sequestration of assets
A full scale criminal investigation involving collection of electronic evidence is likely to involve disruption to business processes and
potentially the confiscation of IT equipment as evidence (sequestration of assets). The increased impact of cybercrime and new ways
of capturing electronic evidence without interrupting business processes (eg enhanced forensic tools) have led investigators to reach
compromises with organisations that keep the impact of the investigation to a minimum and allow business operations to continue.

If a decision to produce electronic evidence has been taken, experts may need to be involved, especially if the dispute is to be settled
in a court of law. Organisations will often employ third party experts, who are often contracted on a contingency basis, or establish an
in-house team of experts dedicated to computer forensics and e-discovery in the organisation.

In-house experts
Advantages:
• can understand the organisational context of the electronic evidence
• have a familiarity with the organisational infrastructure and systems and can collect evidence efficiently.
Disadvantages:
• high cost of setting up and maintaining a specialist team
• may be seen as susceptible to organisational influence.

Third party experts
Advantages:
• typically more experienced
• perceived as independent
• may have more up-to-date tools and skills.
Disadvantages:
• may not be familiar with the organisation
• time to engage may result in evidence being lost.

Collecting, protecting and presenting electronic evidence needs to be managed in a consistent way. Organisations are advised to document
the handling of electronic evidence in a set of guidelines that have been approved by senior management and validated by the legal
department. The activities presented on the following pages should be considered when creating guidelines, but are not exhaustive, nor
are they intended to be followed as a sequential process.

COMMENTARY
The possibility of a legal dispute involving electronic evidence can often force an organisation to decide whether or not to produce
electronic evidence for a particular case. A decision against the production of electronic evidence may be taken after an initial
review of costs and the likelihood of finding quality electronic evidence. The decision is justified if the chances of finding electronic
evidence that would significantly contribute to a positive resolution of the dispute are particularly low, or if high costs and time
constraints for producing electronic evidence outweigh the costs associated with case settlement and legal or regulatory fines.
Ultimately the decision still revolves around the legal sustainability of the particular case, but in these instances, legal advice
should be sought as to whether there is legal precedent that can be used to balance the cost of producing electronic evidence
against the harm being considered.



A. Collecting

Information security guidelines and responsibilities for the collection of electronic evidence should be created and validated by the
legal department and should include:

A1 Plan the collection of electronic evidence


• Identify all relevant sources of electronic evidence (eg event logs and media, both within the organisation and in third parties)
• Create an inventory in which to document the attributes (eg type, owner and location of the device) of all sources of electronic evidence
to determine the most efficient approach for collection
• Obtain passwords and encryption keys needed to access password protected or encrypted areas of storage containing electronic
evidence.
A2 Ensure all relevant electronic evidence is collected
• Examine all electronically stored information related to the case in a legal review (e-discovery) and collect the relevant evidence (typically
‘smoking gun’ and ‘metadata’)
• Collect ‘smoking gun’, ‘metadata’ and ‘negative evidence’ by taking forensic copies of individual storage devices, when in-depth
computer forensic investigation is required
• Record hardware, system and application configurations and any recent changes
• Establish a logical chain of events by examining the ‘audit trail’ type of evidence (eg all relevant event logs).

A3 Use specialist tools (typically third party) to collect electronic evidence in a safe and efficient way
• Deploy specialist e-discovery tools to shorten the lengthy process of searching through all significant business data
• Use specialist computer forensic tools to preserve the contents of storage media without altering them (eg by using write-blockers,
hardware or software devices placed between the evidence media and the acquisition workstation that allow the media to be read but
block every write command sent to it).

A4 Adhere to legal constraints when collecting electronic evidence


• Create a list of possible privacy implications (Human rights, data protection)
• Identify constraints in employment legislation
• Use legally defined methods of conducting an investigation, and comply with legal conditions in which the investigation is allowed
(eg Regulation of Investigatory Powers Act 2000 (UK))
• Identify information that may be legally privileged and is therefore exempt from e-discovery (eg legal e-mails).

Interviewing techniques
Interviewing users to identify possible sources of electronic evidence can be a ‘double-edged sword’. Employees such as system
administrators may significantly assist the process of identifying sources of electronic evidence, whilst at the same time such an action
could alert a perpetrator who may attempt to destroy evidence.

B. Protecting

In order to produce electronic evidence that is admissible in a legal dispute, organisations are required to establish controls to protect
the evidence from modification or destruction, and to prove that it has not been changed in any way.

B1 Train employees to take appropriate first steps


Employees are often the first to discover an information security incident that may require a forensic investigation. Organisations are
therefore advised to educate employees on appropriate initial steps that need to be taken to protect electronic evidence on the scene of
the incident and retain control of the situation:
• Immediately stop using all devices believed to be involved in the information security incident
• Do not power on, or shut down, any of the devices believed to be involved (powering on alters the disk, and shutting down destroys
volatile evidence such as memory contents); leave each device in the state in which it was found
• Record any messages on the screen and unusual system behaviour on paper
• Report the incident to the appropriate department.

B2 Protect the sources of evidence before and during collection of the evidence
• Physically restrict access to the area where the electronic evidence is stored and record all accesses
• Institute ‘litigation hold’ to prevent deletion of existing documents and record archives which contain potential electronic evidence by
stopping relevant document ‘housekeeping routines’ such as deleting e-mails from the live e-mail server.



B3 Establish integrity controls when collecting evidence
• Create a list of hash values (a unique alphanumeric representation of the data, its digital fingerprint) for each piece of electronic evidence to
allow verification of its integrity
• Sign the list of hash values using a digital signature to corroborate the chain of custody
• Demonstrate the authenticity of all important electronic communications by implementing ‘digital stamping’ (automated hashing and
signing of every incoming and outgoing e-mail), so that they are more likely to be admissible as electronic evidence in court.

Using integrity tools

Digital Evidence Bags (DEBs) are a set of tools used to demonstrate the integrity of collected electronic evidence and the continuity of the
records when capturing data in real time. They enclose the digital signature of the person and the organisation collecting the evidence, as
well as the time or timeline of the capture. DEBs are capable of recording any processes carried out on the collected evidence.
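The hash list and signed manifest from B3 and the DEB record above, as an added illustration that is not ISF tooling or a DEB implementation: each evidence file is hashed, the manifest is bound to a named collector and signed, and a later verification reports every item that no longer matches. An HMAC over the canonical manifest stands in for the digital signature (assumption: the key is a constructed demo key, not a real signing key), and the evidence files are constructed sample data.

```python
"""Evidence integrity manifest: hash items, sign the manifest, verify later."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large evidence images are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str) -> dict:
    # The manifest records who collected the items and a fingerprint of each one.
    return {"collector": collector,
            "items": {os.path.basename(p): sha256_file(p) for p in sorted(paths)}}


def sign_manifest(manifest: dict, key: bytes) -> str:
    # Canonical JSON gives a deterministic byte string for the signature to cover.
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()  # stand-in for a digital signature


def verify(paths, manifest: dict, signature: str, key: bytes) -> list:
    """Return the list of problems found: a bad manifest signature and/or altered items."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        problems.append("manifest signature mismatch")
    for p in paths:
        name = os.path.basename(p)
        if manifest["items"].get(name) != sha256_file(p):
            problems.append(f"hash mismatch: {name}")
    return problems


def demo() -> tuple:
    """Collect two constructed evidence files, then tamper with one and re-verify."""
    key = b"constructed-demo-key"  # assumption: a real deployment signs with a private key
    folder = tempfile.mkdtemp()
    files = []
    for name, data in (("mail.eml", b"From: user@example.test\n"), ("log.txt", b"2008-12-01 login ok\n")):
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(data)
        files.append(path)
    manifest = build_manifest(files, "constructed collector")
    signature = sign_manifest(manifest, key)
    clean = verify(files, manifest, signature, key)          # expected: []
    with open(files[1], "ab") as f:
        f.write(b"tampered\n")                               # simulate post-collection modification
    tampered = verify(files, manifest, signature, key)       # expected: ["hash mismatch: log.txt"]
    return clean, tampered
```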

B4 Store electronic evidence in a secure manner after the evidence has been collected:
• Save electronic evidence to a write-once, read-many medium to prevent further writing and modification
• Seal the storage device or medium containing original evidence in tamper-proof packaging
• Store the storage device or medium containing electronic evidence in a safe, restricted place
• Ensure that evidence that is transmitted or sent to a third party (eg as the result of an e-discovery order) is protected in transit.

Dealing with high volumes of evidence

In a number of cases the sheer quantity of electronic evidence that needs to be secured may preclude the use of normal protection
procedures – for example, where the amount of data cannot be copied onto removable media. In this type of case, legal advice should be
sought on other mitigating controls, and checks and balances should be established so that the integrity of the evidence can be assured.

C. Presenting

When presented, electronic evidence should be placed into a context that will be understandable by all parties to the dispute. This is
typically the role of a lawyer. The role of information security is to ensure that the evidence is understandable and has integrity,
authenticity, credibility, consistency and continuity.

C1 Create a report to support the testimony:
• Review collected electronic evidence and advise on the most pertinent evidence to be presented in court
• Format the selected evidence in a way that makes it understandable to a judge and jury
• Create a report (chain of custody) outlining all steps taken in collection, protection and presentation of electronic evidence to be used
as exhibits and summarise any other collected evidence
• Remove any unrelated sensitive business data from the report, or mask it (eg by censoring financial reports, by replacing personal details
with codes, or by cleaning up details in product schematics).

C2 Prepare to present in court:

• Ensure that staff are suitably trained to present credibly in court
• Know the laws governing electronic evidence
• Prepare to describe how organisational policies and practices related to electronic evidence were followed.

The ISF has produced a number of reports and tools in this area. These are listed below, and are available on MX:
• Document Retention and Record Management
• Information Security Incident Management
• Security Event Logging
• Security and Legislation.

Further information on best practice when collecting, protecting and presenting electronic evidence can be found in:

• Association of Chief Police Officers (UK) – Good Practice Guide for Computer Based Electronic Evidence
• US Department of Justice – Forensic Examination of Digital Evidence: A Guide for Law Enforcement
• BSI BIP 0008 – Code of practice for legal admissibility and evidential weight of information stored electronically
• ISO 15801 – Electronic imaging recommendations for trustworthiness
• ISO 18492 – Long-term preservation of electronic documents.

Contact:
grega.vrhovec@securityforum.org
nick.frost@securityforum.org

The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security
solutions that meet the business needs of its Members.

Reference: ISF 08 12 01 Copyright © 2008 Information Security Forum Limited. All rights reserved.
