Securing and Preserving Electronic Evidence guideline

Print-friendly version

Information Security Guideline

Introduction

  1. The purpose of this guideline is to provide University IT Support Staff with direction on how to handle electronic evidence when responding to Cybersecurity Incidents.
  2. This guideline has been issued by the Chief Information Officer to supplement the Reporting Cybersecurity Incidents standard. Compliance with this guideline is recommended, but not mandatory. Questions about this guideline may be referred to information.security@ubc.ca.

Begin a Case Log

  1. Create a detailed and accurate case log of the handling of evidence that includes the times and dates of when steps were taken, names of those involved (including those creating log entries), and any communication that was undertaken.
  2. Maintain the chain of custody and keep an accurate record.
  3. Minimize any interaction with the system.

Securing a Physical Device as Evidence

  1. Do not use the device or attempt to search for evidence of malware, breaches, etc. within the operating system (OS) or computer applications – never do anything that might modify the operating system, logs, or active memory of a device that is being investigated.
  2. Photograph the front and back of the device as well as any cords and connecting devices, as they are found. Photograph the surrounding area prior to moving any evidence.
  3. If the computer is ‘ON’ and the screen is blank (or screensaver is displayed), move the mouse or press the spacebar to display the active image on the screen. Photograph the screen after the image appears.
  4. Provide photos to security@ubc.ca for the investigation.
  5. If the device is ‘OFF’ when discovered, do not turn it ‘ON.’
  6. Disconnect the device from the network by changing the network port on the switch to point to a null VLAN or use an ethernet crossover cable; Windows based systems tend to fill up log files if their network cable is disconnected.
  7. UBC Cybersecurity will assess whether to engage UBC’s contracted third-party digital forensics and incident response (DFIR) services. The affected department or faculty will be responsible for any costs associated with the incident.
  8. The forensics company or qualified personnel may:
    1. Capture all memory for forensics analysis.
    2. Disconnect all power sources. Do not use the operating system to shut the computer down. If a laptop does not shut down when the power is removed, locate and remove the battery pack.
    3. Make a bit-wise copy of the data drives/volumes for forensic analysis. Never modify or change data on the original drive/volume.
  9. Document all activities in the case log.

Securing a Virtual Machine (VM) as Evidence

  1. Create a snapshot of the VM to preserve all running processes and the network status. Include the VM’s memory in the snapshot if the option is available when creating the snapshot.
  2. Export the snapshot to file.
  3. Disconnect all network interface cards on the VM.
  4. Suspend the VM to prevent any further communication if it was connected to a Command-and-Control server as part of the cybersecurity incident.
  5. UBC Cybersecurity will assess whether to engage UBC’s contracted third-party digital forensics and incident response (DFIR) services. The affected department or faculty will be responsible for any costs associated with the incident.
    1. When working with a forensics company provide them with a copy of the exported VM snapshot.
  6. Document all activities in the case log.

Related Documents and Resources

  1. UBC Cybersecurity Incident Response Plan (with CWL credentials)
  2. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  3. Reporting Cybersecurity Incidents standard

Guideline Last Revised: 2025-03

This page was last updated on Tuesday, March 11, 2025