A great article by Andrew Parsons at Womble Bond Dickinson looking at the requirement to forensically secure evidence of a data breach to comply with GDPR. Not being a lawyer, I cannot comment on the legal requirements, but from a technical perspective we always advise clients to forensically secure evidence.

This brings up an interesting debate, specifically in relation to data breaches, about how to collect relevant evidence in a forensic manner whilst not allowing the compromise to continue or worsen. The main debate centres on whether to capture transient data from a system's memory as well as what is on the hard drives. The challenge is that capturing the data in memory requires leaving the systems running, which could expose the organisation to further or ongoing risk and damage. There are steps you can take to minimise that, but often the initial response is to turn off and disconnect.

Ideally, you would want to preserve this transient data to aid the investigation, as many of the 'tools' used in these situations reside only in memory rather than on hard drives. Unless the company has group-wide forensic tools or resources available, however, this can take time and add to the risk. Again, ideally it would be captured in a forensically sound manner as part of the investigation.

Unless the attacker is causing extreme damage or disruption, we would not generally advise that systems be shut down, as you can learn a lot about the intrusion and the hacker by conducting covert investigation and containment. If systems are left on during the investigation and containment phases of a response, it is very important to remain invisible to the intruders, as they could commence disruptive techniques should they sniff opposition or think they've been discovered. This is, of course, a risk management decision.

When it comes to the hard drives and other relevant media, we would always recommend that these are captured in a forensically sound manner. Not only does this allow for a more robust investigation, it also preserves the integrity of any evidence located, which could be required in any subsequent legal or regulatory actions. In addition, there will generally be network and other relevant log files that need to be incorporated into an investigation of a data breach.
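To make "forensically sound" concrete at the integrity-preservation step, here is an added example (not code from the article or from the firm it describes). It takes a captured evidence file (a constructed sample stands in for a disk image or memory dump), records its cryptographic hashes and acquisition metadata in a manifest, and re-verifies the file against that manifest so any later alteration, accidental or otherwise, is detectable. The examiner name and file name are placeholders.

```python
"""
Added example, not part of the original article: a minimal acquisition
record for a captured evidence file. The manifest is the technical half
of a chain-of-custody record; the verification step is what lets you
show later that the image examined is the image that was captured.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream the file through the hash so large images never need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(evidence_path, examiner, description):
    """Record what was captured, by whom, when, its size and its hashes."""
    return {
        "evidence_file": os.path.basename(evidence_path),
        "description": description,
        "size_bytes": os.path.getsize(evidence_path),
        "sha256": hash_file(evidence_path, "sha256"),
        # A second algorithm is recorded because some tooling and review
        # processes still expect MD5 alongside SHA-256.
        "md5": hash_file(evidence_path, "md5"),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }


def verify_manifest(evidence_path, manifest):
    """Return (ok, reason): does the file still match its acquisition record?"""
    if os.path.getsize(evidence_path) != manifest["size_bytes"]:
        return False, "size mismatch"
    if hash_file(evidence_path, "sha256") != manifest["sha256"]:
        return False, "sha256 mismatch"
    return True, "hash verified"


def demo():
    """Constructed sample: a small file stands in for a captured image.

    Returns the verification result before and after a one-byte change,
    which models the image being touched (e.g. mounted read-write) after
    acquisition. The size check alone would not catch this; the hash does.
    """
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01-disk.img")  # placeholder name
        with open(image, "wb") as f:
            f.write(b"constructed sample image contents\n" * 1000)

        manifest = create_manifest(
            image, "examiner (placeholder)", "constructed sample, not a real image"
        )
        # Keep the manifest beside the image; in practice it is also kept
        # separately (e.g. in the case file) so it can't be altered with the image.
        with open(image + ".manifest.json", "w") as f:
            json.dump(manifest, f, indent=2)

        before = verify_manifest(image, manifest)

        # Simulate a single-byte alteration to the captured image.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")

        after = verify_manifest(image, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())  # → ((True, 'hash verified'), (False, 'sha256 mismatch'))
```

The same pattern applies to log files and memory dumps: hash at the moment of capture, write the manifest, and verify before every examination. The manifest should also be hashed or signed and stored separately from the image, since a manifest that travels only with the evidence can be altered along with it.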

We deal with these situations on a regular basis and if you'd like to learn more, please reach out to me or my colleague Kevin Hall.