Wednesday, April 19, 2017

Chain of custody

10.4.1 Policy
Logging policies need to include the following:
1. Identify—There are three parts to the “Identify” requirement: (i) Identify the devices
and the types of logs they provide. (ii) Identify the types of logs that require support,
such as Windows Event Logs, syslog, etc. (iii) Identify regulatory and policy
requirements such as HIPAA, PCI, HR policies, etc. The “Identify” questions above
need to be answered before any logging policy or system is established. If the network
consists of a “hodgepodge” of different supported equipment, the logging system may
become complex.
2. Review—Establish who can review log data. Review requirements may need to include
individuals outside of the IT department, such as compliance officers, project
managers, etc. If there is a possibility of legal action or law enforcement
investigations, a “chain of custody” may be required. Reviewing log data is critical to
network security and health.
3. Access—Determine who requires access to the logs (locally and centralized) and
what their purpose is. Establish procedures to prevent alteration and
deletion of the logs, and ensure that all log access is itself logged. Create a centralized
server (sometimes more than one may be required) to which all devices off-load their
logs. Access to the central servers can be restricted, and reports can be generated and
given to reviewers, thus restricting access further.
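The "Access" item asks for procedures that make alteration or deletion of logs detectable, and the "Review" item notes that a chain of custody may be required. One concrete way to satisfy both is a hash-chained custody record: every custody event (collection, transfer, review) is appended as an entry whose hash covers the previous entry's hash and the hash of the evidence bytes, so editing or deleting an earlier entry, or changing the evidence, breaks the chain. The following is an added example, not code from the book or this page; the syslog lines, custodian names and timestamps are constructed sample data.

```python
"""Tamper-evident chain-of-custody record for off-loaded logs (added example).

Each custody event is a JSON entry whose SHA-256 hash binds it to the previous
entry and to the evidence it refers to. verify_chain() recomputes every link,
so altered or deleted entries, and altered evidence, are reported.
"""
import hashlib
import json

# Constructed sample evidence: three syslog lines as they might be off-loaded
# from a firewall to the central log server. Not real data.
SAMPLE_LOG = b"\n".join([
    b"Apr 19 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10",
    b"Apr 19 10:01:05 fw01 sshd[1423]: Failed password for root from 203.0.113.7",
    b"Apr 19 10:01:09 fw01 sshd[1423]: Accepted publickey for admin from 192.0.2.55",
]) + b"\n"

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so every verifier hashes identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, action: str, custodian: str,
                 evidence: bytes, when: str) -> dict:
    """Append one custody event (hypothetical field names chosen for this example)."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    entry = {
        "seq": len(chain),
        "time": when,
        "action": action,
        "custodian": custodian,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = sha256_hex(canonical(entry))
    chain.append(entry)
    return entry


def verify_chain(chain: list, evidence: bytes) -> tuple[bool, str]:
    """Recompute every link of the chain. Returns (ok, reason)."""
    prev_hash = GENESIS_HASH
    evidence_hash = sha256_hex(evidence)
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap (deleted or reordered entry)"
        if body.get("prev_hash") != prev_hash:
            return False, f"entry {i}: prev_hash does not match entry {i - 1}"
        if sha256_hex(canonical(body)) != entry.get("entry_hash"):
            return False, f"entry {i}: contents altered after hashing"
        if body.get("evidence_sha256") != evidence_hash:
            return False, f"entry {i}: evidence bytes differ from those recorded"
        prev_hash = entry["entry_hash"]
    return True, "chain intact"


def build_sample_chain() -> list:
    """Collection on the log server, hand-off to a reviewer, then review."""
    chain = []
    append_event(chain, "collected", "log-server", SAMPLE_LOG, "2017-04-19T10:05:00Z")
    append_event(chain, "transferred", "compliance-officer", SAMPLE_LOG, "2017-04-19T11:00:00Z")
    append_event(chain, "reviewed", "investigator", SAMPLE_LOG, "2017-04-19T13:30:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain, SAMPLE_LOG))                                    # intact
    print(verify_chain(chain, SAMPLE_LOG.replace(b"root", b"guest")))         # evidence altered
    chain[1]["custodian"] = "someone-else"
    print(verify_chain(chain, SAMPLE_LOG))                                    # entry altered
```

Two caveats a practitioner would want: a hash chain makes tampering detectable, not impossible, and it does not protect against truncation (silently dropping the newest entries), so the latest entry hash should be anchored somewhere the custodian cannot rewrite, for instance written to a second central server as the policy above already allows, or countersigned by each custodian with a key of their own.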
The first phase covers the forensics involved in the collection of data, while the second
phase covers defending the data collected, the means by which it was collected, and the
chain of custody applied from the original collection until court. The initial goal was to
obtain survey input from local city leaders. Although individuals from the governor’s
office, Montgomery Police Department, and district attorney’s office were willing to assist,
their busy schedules prevented their offices from providing input to the digital forensics
survey. Fortunately, a co-author had contacts at some law enforcement offices, and they
agreed to make personnel available for the survey and eventual follow-up [96, 100].
Source: Mehmet Sahinoglu, Ph.D. (Auburn University at Montgomery), Cyber-Risk Informatics: Engineering Evaluation with Data Science.