The immediate reaction of many organizations when they discover that a system may be infected with a virus or malware is to remove, erase, and rebuild the potentially infected system as quickly as possible in an effort to clean the environment. Doing so without taking proper steps to preserve evidence, however, may make it difficult to reconstruct whether information was lost and, if so, what information. Without answers to those questions, the organization may not be able to comply with legal obligations or to accurately identify the level of risk that the breach posed to the organization or to its employees. It also may make it difficult to accurately determine the scope of the breach and ensure notification of the breach to affected employees. In addition, without knowing what happened and how it happened, it may be difficult to have a high level of confidence that the same incident will not happen again.
As a result, when dealing with an electronic breach, organizations must often balance the desire to contain the breach and prevent additional information from being lost with the need to preserve evidence and investigate what happened in the first place.
Your organization should consider utilizing the following five steps to preserve the type of evidence that might be needed to fully investigate an incident.
Keep or forensically image computers: If a computer (including a laptop, tablet, or mobile device) is potentially infected with malware, your IT department may be considering re-imaging the computer. However, that would be a mistake because re-imaging effectively deletes all of the information and programs on the device. While re-imaging a computer may render it clean and provide a level of confidence that it can be returned to use, it may also destroy evidence that might help determine whether information has been lost, and, if so, how much and what type of information. Instead, consider creating a forensically sound image of the device before it is re-imaged. A forensically sound image is an exact, bit-for-bit copy of the device, created with imaging software, that can be analyzed in the future as part of an investigation. Alternatively, consider issuing the employee a new computer and keeping the potentially infected device segregated in case it needs to be examined in the future.
Don’t turn your computer off: One of the most common mistakes that companies make when they suspect that a computer may be infected with malware is to turn off the computer or disconnect it from its power source. Some types of malware exist only in the computer’s active memory (RAM) – i.e., the memory whose contents exist only while the computer is powered on. When the computer is powered off, the information that is in active memory (including the malware) is lost. If that occurs, it may be more difficult for an investigator to determine what initially infected the computer and what the malware did while the computer was infected.
Disconnect computers from the network: Instead of turning a computer off, consider disconnecting the computer from your network and/or disconnecting it from the internet. If malware is present on the computer, and the computer has been sending information out of your organization, disconnecting it should (1) prevent the computer from infecting other computers on your network, (2) prevent a bad actor from contacting the computer, and (3) prevent the computer from sending additional information to a bad actor.
Suspend logs and backup tapes from being overwritten: Most organizations have systems in place that record events that happen within the organization’s network in “logs.” Unfortunately, some logs can be voluminous, and most organizations retain their logs for only a limited amount of time, after which the logs are overwritten by more current information. If you identify a security incident, consider taking steps to stop your logs from being overwritten or lost. This may be as simple as having your IT department change the settings on certain devices, such as firewalls, so that the systems no longer overwrite logs. In other cases, it may require finding space for the additional logs by either (1) increasing your organization’s storage space, (2) purchasing additional storage space from third parties that host, or store, your logs, or (3) exporting logs that exist on your network to external media for storage.
Consider enhanced monitoring: While most organizations have systems in place that monitor some of the activities that occur on their network, often the level of monitoring is limited. For example, many organizations monitor the points at which their network communicates with the internet (their “perimeter”) with a firewall, which should provide them with an indication of which IP addresses are communicating with the computers within their organization. A firewall typically does not tell the organization the substance of what is being communicated. Firewalls also can’t track actions that are occurring within an organization’s network. If a security incident occurs, consider deploying additional technology that is designed to increase your organization’s visibility into what is happening on your computers. For example, network packet capture systems record and inspect the data leaving a network so that an organization knows what has left in addition to where it has gone. Endpoint monitoring applications are designed to monitor the activities of devices within your network and to detect suspicious patterns of communication between and among your own machines.
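The following script is an added example, not code from the original article, showing how the first and fourth steps above are carried out in practice: it makes a bit-for-bit image of a suspect volume, verifies the image against the source with a SHA-256 hash, copies a log file out to preserved storage before rotation can overwrite it, and records each item in a simple chain-of-custody log. Everything it operates on is constructed for the example: the “device” is an ordinary file of random bytes standing in for a block device such as `/dev/sdb` (a placeholder name), and the log lines use documentation IP ranges. The function names (`acquire_image`, `preserve_log`, `record_custody`) are assumptions of this example, not any tool’s API.

```shell
#!/bin/sh
# Added example (not from the original article): preserve evidence by imaging a
# suspect volume and copying a log aside, with SHA-256 hashes recorded in a
# chain-of-custody log. The device and log below are constructed sample data.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"
CUSTODY_LOG="$EVIDENCE_DIR/chain_of_custody.tsv"

# SHA-256 of a file; shasum is the fallback on systems without coreutils.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one line to the custody log: UTC timestamp, operator, item, hash.
record_custody() {
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${USER:-unknown}" "$1" "$2" >> "$CUSTODY_LOG"
}

# Step 1 of the article: image the device instead of re-imaging it. Copies every
# block, verifies the image hash against the source, logs the hash and prints it.
# Returns non-zero if the copy fails or the hashes differ.
acquire_image() {
    img="$EVIDENCE_DIR/$(basename "$1").dd"
    # noerror: keep going past unreadable sectors; sync: pad such a block with
    # zeros so every later byte stays at its original offset in the image.
    dd if="$1" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash image $img_hash" >&2
        return 1
    fi
    record_custody "$(basename "$img")" "$img_hash"
    printf '%s\n' "$img_hash"
}

# Step 4 of the article: copy a log to preserved storage before rotation
# overwrites it, and record its hash. Prints the path of the preserved copy.
preserve_log() {
    dest="$EVIDENCE_DIR/$(basename "$1").$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$1" "$dest" || return 1
    record_custody "$(basename "$dest")" "$(hash_file "$dest")"
    printf '%s\n' "$dest"
}

# Constructed sample data: a 32 KiB "disk" (a whole number of 4 KiB blocks, as a
# real device is, so conv=sync adds no padding) and a two-line firewall log.
make_sample_device() {
    dev="$EVIDENCE_DIR/constructed_disk.raw"
    head -c 32768 /dev/urandom > "$dev"
    printf '%s\n' "$dev"
}
make_sample_log() {
    log="$EVIDENCE_DIR/constructed_firewall.log"
    printf '%s\n' \
        '2024-01-01T10:00:00Z DENY src=203.0.113.5 dst=10.0.0.7 port=445' \
        '2024-01-01T10:00:01Z ALLOW src=10.0.0.7 dst=198.51.100.9 port=443' > "$log"
    printf '%s\n' "$log"
}

# Usage: image the sample device, preserve the sample log, show the custody log.
sample_dev=$(make_sample_device)
acquire_image "$sample_dev" >/dev/null
preserve_log "$(make_sample_log)" >/dev/null
cat "$CUSTODY_LOG"
```

The hash comparison is what makes the image “forensically sound” in practice: the recorded hash lets an examiner later prove the analyzed copy is identical to what was acquired. On a real system the source would be opened read-only (a hardware write blocker is the usual safeguard), and the evidence directory would live on separate media, not on the suspect machine.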
TIP: If you believe that one of your computers is infected with a virus or malware, do not turn it off. Instead, disconnect the Ethernet cable that connects the computer to your network (or turn off Wi-Fi). By isolating a computer instead of turning it off, you preserve the evidence in its memory while ensuring that the computer cannot leak data.