
Currently Law enforcement agencies (LEA) take your entire server (or perhaps all servers) in a VPS/Cloud or multi-tenant situation.

Have we thought of any policy guidelines where VM images/snapshots can be kept and provided as evidence in lieu of the actual hardware?

Is there any group advocating policy change with technological alternatives to the sledgehammer approach?

intiha
  • Don't get into this situation in the first place, if possible. Have an acceptable use policy and enforce it vigorously. – Michael Hampton Oct 04 '12 at 18:10
  • but what if one of our VPS systems is hacked into and used for wrongful purposes? – intiha Oct 05 '12 at 04:34
  • Memory dumps and other things can be just as important, if not more important, than VM/disk snapshots. You need an expert incident handler -- not a forensics disk monkey or piece of forensics software. – atdre Oct 05 '12 at 14:33

1 Answer


Law enforcement do not care about your uptime. Law enforcement do not care about your losses. They want to preserve chain of custody and integrity of evidence. If your gear is seized as part of a raid, they'll take your whole machine. If you want to prosecute someone for breaking into your box, they'll demand a provably identical image of the drive, obtained via a method that is known to be forensically sound. For this reason, companies like Guidance will send someone to defend their forensic software in court for free, if you require it.

Law enforcement will not accept a VMware image, because they have to prove to a judge that they have a 100% accurate copy of the data. Trying to defend a non-standard process when they've got defence lawyers staring them in the face is not something they want to try. The notion of the technicality is a common one.

At the end of the day, you need to ensure that you can make a forensic copy of the drive, and maintain chain of custody on the evidence. A defence lawyer will ask you how you know that the copy was accurate, and how you can prove that the copy or original drive was not tampered with. If you can't answer that, they'll tear your case apart.

Polynomial
  • thanks, this is really insightful... but my question still remains... have we thought of policy decisions that can make the claim of provably accurate copies of the machine for the agencies so that the issue gets resolved. Are there no advocacy groups working on it? if not shouldn't there be? – intiha Oct 05 '12 at 04:51
  • We already can make the claim, but the original device (hard disk at minimum) is evidence. It's got nothing to do with making copies. You wouldn't dream of walking into a murder trial with an exact copy of the murder weapon instead of the real thing - don't expect special treatment because your case is about digital forensics. Without an exact original, with hard drive serial numbers and the rest, you *cannot* prove, to the extent that is required by law, that the first copy is exact. The whole point of copies is to do forensic investigation on, so if you break it you just run `dd` again. – Polynomial Oct 05 '12 at 07:21
  • If you've got an hour or so to spare, listen to [LiquidMatrix Security Podcast episode 0xF](http://www.liquidmatrix.org/blog/2012/09/18/liquidmatrix-security-digest-podcast-episode-f/) - there's an awesome section in there about digital forensics and proving your case in court. All of the guys on there have done this. – Polynomial Oct 05 '12 at 07:24
  • You'd do better to stand the problem on its head - assuming that your vm itself isn't at fault/illegal, then you're free to continue using it going forward on new hardware - but the original poster has it right - chain of custody and integrity of evidence are key, and nothing will be allowed to interfere with that – Mark Mullin Oct 06 '12 at 03:34
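The answer and Polynomial's comment above turn on two things a defence lawyer will ask about: that the working copy is bit-for-bit identical to the original, and that you can show neither was altered afterwards. The script below is an added example, not code from the answer or from any forensic vendor, of the minimum a practitioner would do to support that claim: image the source with `dd`, hash source and image before and after, refuse to accept an image whose hash differs, and append an operator/time/hash record to an append-only custody log. The paths, the `OPERATOR` variable and the "device" are assumptions; the device is a constructed sample file so the script runs offline, whereas a real acquisition would read a physical disk through a hardware write blocker and the original drive would still be retained as the evidence itself, as the answer says.

```shell
#!/bin/sh
# Added example, not from the original answer: forensic-style acquisition of a
# block device with dd, hash verification, and a chain-of-custody record.
# All paths below are hypothetical; the source "device" is a constructed file.
set -eu

# acquire_and_verify SRC IMAGE LOG
# Copies SRC to IMAGE, verifies SHA-256 of source (before and after) and image,
# appends a custody record to LOG and prints the image hash. Returns 1 if the
# hashes disagree (the image must then be discarded, not "fixed").
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"

    # Hash the source before touching it
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)

    # Bit-for-bit copy. bs=512 matches the classic sector size so that
    # conv=noerror,sync (continue past read errors, pad the bad block with
    # zeros) never pads beyond a sector boundary.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none

    # Hash the image, and the source again: a changed source hash means the
    # source was written to during acquisition (no write blocker, live mount).
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    src_hash_after=$(sha256sum "$src" | cut -d' ' -f1)

    if [ "$src_hash" != "$img_hash" ] || [ "$src_hash" != "$src_hash_after" ]; then
        printf '%s VERIFY-FAILED src=%s sha256_src=%s sha256_img=%s\n' \
            "$(date -u +%FT%TZ)" "$src" "$src_hash" "$img_hash" >> "$log"
        return 1
    fi

    # Custody record: when, what, resulting hash, who. Append-only by design;
    # in practice this log is itself signed or stored write-once.
    printf '%s ACQUIRED src=%s image=%s sha256=%s operator=%s\n' \
        "$(date -u +%FT%TZ)" "$src" "$img" "$img_hash" "${OPERATOR:-unknown}" >> "$log"
    echo "$img_hash"
}

# verify_image IMAGE EXPECTED_SHA256
# Re-checks a stored image against the hash recorded at acquisition time;
# this is what answers "how do you know the copy was not tampered with".
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed sample "device" so the example runs stand-alone.
# Real use: SRC=/dev/sdX attached through a hardware write blocker.
WORK=$(mktemp -d)
SRC="$WORK/sample_device.bin"
IMG="$WORK/evidence.dd"
LOG="$WORK/custody.log"
yes 'constructed sample disk content' | head -c 65536 > "$SRC"

HASH=$(acquire_and_verify "$SRC" "$IMG" "$LOG")
echo "image verified, sha256=$HASH"
cat "$LOG"
```

Investigation is then done on the image (or on a further copy of it), never on the original; if the working copy is damaged, re-run the acquisition and compare the new hash against the one in the custody log.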