Important First Steps
“I suspect they've copied my database - what should I do?”
Make a Plan
If you suspect a computer has been used during an intrusion or other incident that you've been tasked with looking into, you need to make sure the steps you take won't destroy or spoil any electronic evidence that has been left behind.
One of the first things you need to do is calmly take stock and consider exactly what actions should follow. Unless your systems are currently under attack, it's unlikely that an additional ten minutes will significantly alter the outcome of the investigation. Use this time to set out a plan of action - this will really help you stay focussed and ensure that you carry out tasks in the correct order at the right time. It will also help you prepare any post-incident report that you may need to present later.
Restrict information
The fewer people who know about the investigation, the better the chances of a successful outcome. Don't say or do anything to give the game away and don't tell anyone who doesn't have a direct need to know. In the early stages, this may include the owner of the compromised data. More often than not, fraud and data theft are perpetrated by trusted individuals within the organisation who hold senior positions. Always hope for the best but assume and prepare for the worst.
Determine where the evidence is
The data helpful to your investigation may be spread across several systems and on different media - consider:
Door access logging systems and internal CCTV
The suspect's own computer
The suspect's network-based data share
Removable media like USB memory sticks
Company email servers
Company Internet firewall logs
Mobile telephones and other mobile devices
Personal laptops and home computers
Internet based cloud storage services like 'Dropbox' and 'SkyDrive'
Preserve the crime scene
With most media like USB devices, simply sealing them in a plastic bag is sufficient to ensure that the data cannot be tampered with prior to copying and analysis by a forensics expert. The devices should be seized and stored in a secure locked place under your control.
Computers themselves are less straightforward.
Guidance on this topic has changed in recent years - simply switching off a computer may render the data on the disk inaccessible or destroy vital evidence like open documents, unsent email and memory resident malicious code.
The nature of the incident will have a significant bearing on what should be done. If vital evidence is in memory, then just switching the computer off will destroy this. If the computer is being controlled by an intruder who is attacking your systems from outside, then switching the computer off will warn the attacker or potentially destroy information relating to the attacker's location. If the attacker is actually copying critical or confidential information from your network, then you may have no option but to terminate their connection. Network information or encrypted malicious code stored in memory is irretrievably lost when the computer is switched off. In such a case it is helpful to simply remove network, broadband and other communications cables to ensure the flow of data is interrupted but that the evidence is preserved.
In the event that the computer's hard disk is encrypted with a password known only to the user or owner of the computer, then switching it off may mean this data cannot be accessed or analysed later.
There is no generally right or wrong answer and each case must be decided on its merits. If you're unsure what to do, call us at the number above for no-obligation, confidential and free advice about the best way to proceed.
When the computer is already switched off
If the computer is off, leave it off - do not switch it on.
Start making notes - record who you are, what you've been tasked with investigating, what authority you have and, most importantly, record every step you carry out with the date and time you do it. It may take a year or more for a case to go to tribunal or to court, so the better your notes are, the better prepared you will be when the time comes. It also makes writing up a post-incident report much easier. Give each computer or piece of media involved a unique name. It's usual to use your initials plus a number, e.g. JHC/1.
Make sure the computer is actually off and not just sleeping/hibernated or has a screen saver running. Move the mouse, press the shift key and check for lights on the keyboard and the base unit. Don't assume!
Take photographs of the computer from all sides and the general area it is located in. This should include any post-it notes nearby. Check your photographs are in focus and show what you intended before proceeding. You will not get another chance to take them.
Disconnect all and any leads, network, keyboard, mouse, power and monitor.
If it is a laptop, remove the battery.
Remove the computer from the location and store it securely, ideally in specialist tamper evident bags in a locked, secure cupboard or safe under your control.
Once again, if you're unsure what to do, call us at the number above for no-obligation free confidential advice about the best way forward.
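The note-taking and exhibit-naming step above can be kept in a simple, tamper-evident notebook. This is an added example, not part of the original guidance: it assumes the initials-plus-number exhibit scheme (e.g. JHC/1) and adds a SHA-256 hash chain over the entries so that any later alteration of the notes can be detected; the investigator and exhibit details are constructed sample values.

```python
"""Contemporaneous notes / chain-of-custody log for a first responder (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" for the very first entry


class CaseNotebook:
    def __init__(self, investigator, initials, task, authority):
        self.initials = initials
        self.entries = []
        self._exhibit_count = 0
        # First entry: who you are, what you were tasked with and your authority.
        self.record(f"Investigator {investigator} ({initials}) tasked with: {task}. "
                    f"Authority: {authority}")

    def new_exhibit(self, description):
        """Assign the next unique exhibit reference (e.g. JHC/1) and log the seizure."""
        self._exhibit_count += 1
        ref = f"{self.initials}/{self._exhibit_count}"
        self.record(f"Exhibit {ref} seized: {description}", exhibit=ref)
        return ref

    def record(self, action, exhibit=None, when=None):
        """Append a timestamped entry whose hash covers the previous entry's hash."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries) + 1,
                "time": when.isoformat(timespec="seconds"),
                "exhibit": exhibit, "action": action, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; return the seq of the first bad entry, or None if intact."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return entry["seq"]
            prev = entry["hash"]
        return None


if __name__ == "__main__":
    nb = CaseNotebook("J. H. Citizen", "JHC", "suspected database copy", "HR director")  # constructed
    laptop = nb.new_exhibit("Laptop found powered off on suspect's desk")  # constructed
    nb.record("Photographed desk area from all sides, 12 photographs", exhibit=laptop)
    print(f"{len(nb.entries)} entries, tampered entry: {nb.verify()}")
```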
When the computer is running
If the computer is switched on and running, depending on the likelihood of evidence being in memory or the computer's hard drive being encrypted, either:
Start making notes, using the guidelines above.
Take photographs per the guidance above.
Switch the computer off by simply removing the power cord from the back of the device. Don't use the off button to power the computer down and don't allow anyone to shut the computer down cleanly. The power button can be configured to execute custom programs which may destroy the evidence you're looking for. Likewise, shutdown scripts can be configured to carry out deletion and other evidence elimination actions. Simply pull the plug!
Disconnect all the cables attached to the computer.
Remove the computer from the location and store securely, using the guidelines above.
Consult a forensic expert.
Encrypted disks and Memory
If you think there is a possibility that the hard disk is encrypted or that a running computer has been compromised by malicious code, then you absolutely should consult a forensic expert to image memory and any encrypted data. Time is critical in these situations, as data will be purged from memory as a normal part of the computer's operation and log files will be over-written, either deliberately by the intruder or naturally. Consider removing the network cable and/or disabling any wireless/Bluetooth if the computer holds critical or sensitive information.
Don't forget that relevant digital evidence is located in more than just the computer - decide if it is necessary to seize or forensically image USB devices, digital cameras, digital voice recorders, external hard drives, post-it notes containing passwords, CDs, home directories and profiles on file servers, event logs on network logon servers, door access logs, CCTV, firewall logs, Internet proxy servers and many other devices - if in doubt, call us at the number above for no-obligation free confidential advice about the best plan of attack.
Other Considerations
If the subject of the investigation does not know he/she is being investigated, keep it that way. In this case, consider covert forensic imaging - the process of making a copy for analysis without the user being aware.
Don't be tempted to have a quick look yourself
Well intentioned IT departments have been the cause of many cases collapsing very early on as they lack the specific training required to preserve the very fragile data. The evidential chain is also very important here. In the event your incident ever gets to an industrial tribunal or court, then the court will want to know who had access to the exhibits and what changes they may have made. Cases have been won and lost on this point alone.