Securing and Preserving Electronic Evidence guideline

Information Security Guideline

Introduction

  1. The purpose of this guideline is to provide University IT Support Staff guidance on the handling of electronic evidence when responding to computer security incidents.
  2. This guideline has been issued by the Chief Information Officer to supplement the Reporting Information Security Incidents standard. Compliance with this guideline is recommended, but not mandatory. Questions about this guideline may be referred to information.security@ubc.ca.

Create a Case Log

  1. Create a detailed and accurate case log of the handling of evidence that includes the times and dates steps were taken, names of those involved, and any communication that was undertaken.
  2. Maintain the chain of custody and keep an accurate record.
  3. Document everything.

Investigate on a ‘Need to Know’ Basis

  1. Proceed if investigation in an area is warranted in order to handle a case properly. Don’t investigate if it is not relevant to the case or inappropriate to do so.

Securing a Computer as Evidence

  1. Do not use the computer or attempt to search for evidence of malware, breaches, etc. within the operating system (OS) or computer applications – Never do anything to modify the OS, logs or active memory of a computer that is being investigated.
  2. Photograph the front and back of the computer as well as all cords and connecting devices, as they are found. Photograph the surrounding area prior to moving any evidence.
  3. If the computer is ‘ON’ and the screen is blank (or screensaver is displayed), move the mouse or press the spacebar to display the active image on the screen. Photograph the screen after the image appears.
  4. If the computer is ‘OFF’ do not turn it ‘ON’.
  5. Disconnect the computer from the network by changing the network port on the switch to point to a null VLAN. Windows based systems tend to fill up log files if their network cable is disconnected – this bypasses that problem.
  6. Engage a computer forensics company to assist with the investigation.
  7. The forensics company or qualified personnel should:
    1. Capture all memory for forensics analysis.
    2. Disconnect all power sources. Do not use the operating system to shut the computer down. If a laptop does not shut down when the power is removed, locate and remove the battery pack.
    3. Make a bit-wise copy of the data drives/volumes for forensic analysis. Never modify or change data on the original drive/volume.
  8. Document all activities in the case log.

Related Documents and Resources

  1. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  2. Reporting Information Security Incidents standard

Last Revised: 2021-02