A great article by Andrew Parsons at Womble Bond Dickinson looking at the requirement to forensically secure evidence of a data breach to comply with GDPR. Not being a lawyer, I cannot comment on the legal requirements, but from a technical perspective we always advise clients to forensically secure evidence.
This brings up an interesting debate, specifically in relation to data breaches, about how to collect relevant evidence in a forensic manner whilst not allowing the compromise to continue or worsen. The main debate centres on whether to capture transient data from a system's memory as well as what is on the hard drives. The challenge is that capturing data in memory requires the systems to be left running, which could expose the organisation to further or ongoing risk and damage. There are steps you can take to minimise that, but often the initial response is to turn off and disconnect.
Ideally, you would want to preserve this transient data to aid the investigation, as many of the 'tools' used in these situations reside only in memory rather than on hard drives. Unless the company has group-wide forensic tools or resources available, however, this can take time and add to the risk. Even so, ideally it would be captured in a forensically sound manner as part of the investigation.
Unless the attacker is causing extreme damage or disruption, we would not generally advise shutting systems down, as you can learn a lot about the intrusion and the hacker by conducting covert investigation and containment. If systems are left on during the investigation and containment phases of a response, it is very important to remain invisible to the intruders, as they could begin disruptive techniques should they sense opposition or think they've been discovered. This is, of course, a risk management decision.
When it comes to the hard drives and other relevant media, we would always recommend that these are captured in a forensically sound manner. Not only does this allow for a more robust investigation, but it also preserves the integrity of any evidence located, which could be required in any subsequent legal or regulatory action. In addition, there will generally be network and other relevant log files that need to be incorporated into an investigation of a data breach.
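As an added example (not part of this post or the referenced article), here is the integrity side of a forensically sound capture in practice: hash the image at acquisition, record it in a manifest alongside who acquired it and when, and re-verify before analysis. The image contents, file names and examiner name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash an evidence image in chunks so multi-GB files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(image_path, manifest_path, examiner, source):
    """Write an acquisition manifest: what was imaged, by whom, when, and its hash."""
    manifest = {
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; any change breaks the chain."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return (os.path.getsize(image_path) == manifest["size_bytes"]
            and hash_file(image_path) == manifest["sha256"])

def demo():
    """Constructed sample: a tiny fake disk image, verified, then altered by one byte."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "laptop01.dd")            # placeholder name
    manifest = os.path.join(workdir, "laptop01.manifest.json")
    with open(image, "wb") as f:                            # constructed image bytes
        f.write(b"MBR" + bytes(507) + b"\x55\xAA" + bytes(4096))
    record_acquisition(image, manifest, examiner="A. Examiner (placeholder)",
                       source="laptop01 / sda (constructed)")
    ok_before = verify_image(image, manifest)
    with open(image, "r+b") as f:                           # simulate post-acquisition change
        f.seek(2048)
        f.write(b"\x01")
    ok_after = verify_image(image, manifest)
    return ok_before, ok_after
```

The same manifest-and-reverify step applies to memory captures and exported log files, so every artefact handed to investigators or regulators can be shown to be unchanged since acquisition.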
We deal with these situations on a regular basis and if you'd like to learn more, please reach out to me or my colleague Kevin Hall.
The Information Commissioner's Office (ICO) has recently issued a £500k penalty against Cathay Pacific Airways Limited (Cathay Pacific) for a series of hacks that exposed the personal information of 9m customers. The ICO's penalty notice cites twelve contraventions including that "Forensic evidence was no longer available during the Commissioner's investigation." This briefing looks at whether a failure to secure evidence can in itself amount to a breach of the GDPR.
Many forensic experts may advise that you switch off and isolate infected devices once a breach is discovered, particularly if it involves a virus or ransomware. The devices can then be forensically imaged and air-gapped so that they can be safely investigated. It is rare that the first step is to simply wipe the system clean. Doing so could prevent an organisation finding out what actually happened, leaving a vulnerability in a system that could be exploited again. It may also destroy the evidence trail, preventing law enforcement taking action and limiting an organisation's ability to respond to regulatory investigations.