Forensic Investigations
Forensic investigations are conducted only after a security incident response has been carried out. University Counsel must issue written authorization for any forensic investigation. If there is an incident which you believe may warrant a forensic investigation, please follow the Personal Information Incident Response Workflow below.
Personal Information Incident Response Workflow
Version: 1.0
Date: September 22, 2010
Process managed by: University Counsel and UIT/Information Security
Note
As you proceed, you must minimize the number of parties who receive information about events of potential concern discussed here; only tell people about an event if required by this procedure or if they absolutely need to know. Communications should first be coordinated through the Office of University Counsel wherever possible.
After your initial work, and then a more thorough investigation, senior management will determine whether an event is an incident---and whether an incident is a data breach.
PHASE 1: Discovery and Initial Determination of Likely Risk
- An IT Support Specialist becomes aware of a suspicious event or other system performance anomaly that may indicate the compromise of a computing resource. An IT Support Specialist can discover the event directly or be notified by the End User, UIT/Information Security, or another entity.
- The IT Support Specialist, using the risk analysis method contained in Appendix A, works with the End User to determine the probability that Personal Information resides on the computing resource.
- If the analysis indicates the computing resource probably does not have personal information, the IT Support Specialist undertakes normal procedures to diagnose the root cause of the event and takes appropriate action, using available resources, to fix the computing resource, restore any lost data and return to normal operational status.
- If the initial determination indicates the computing resource probably contains personal information, the IT Support Specialist must immediately:
  - notify his or her Information Steward, who should notify University Counsel;
  - disable the network connection(s) and work with UIT/Information Security to properly isolate the machine, without modifying the computing resource in any way. Attempting to diagnose or repair the computing resource will overwrite critical forensic evidence; and
  - in coordination with UIT/Information Security, capture the data residing in live memory and deliver the original hard drive from the computing resource and the respective storage media.
- The IT Support Specialist must not take any further action that would prevent proper forensic investigation of the computing resource. This includes any and all additional activity, such as logging in or out, turning the power off, attempting to fix the problems, browsing or erasing any files, running Identity Finder, and so on.
After delivering the original media to UIT/Information Security, the IT Support Specialist should provision a new disk and system image for the End User, so that the End User can get back to work as quickly as possible. If the only copy of the End User’s data is on the original (now forensically isolated) disk, every effort will be made to provide access to that data as soon as practicable.
PHASE 2: Notification and Initial Response
- The Information Steward notifies the business or academic unit’s Senior Manager that a potential breach of personal information has occurred.
- The Information Steward, working in close collaboration with the business or academic unit’s Senior Manager, must formally document all actions taken by the End User, IT Support Specialist, Information Steward, and Senior Manager in conjunction with this incident response event.
- The Information Steward and Senior Manager notify University Counsel of the incident by sending an email message to uc-notify@tufts.edu. The notice should be sent by high-priority email, marked “Privileged and Confidential”, and include:
  - the name and department of the End User;
  - the nature of the breach (to the extent known at this stage);
  - the date the breach was discovered; and
  - responses to the four “triage questions” included in Appendix A.
- University Counsel sends acknowledgement of receipt of the incident notice to the Information Steward and Senior Manager and notifies UIT/Information Security of the incident.
- UIT/Information Security creates a forensic image of the computing resource to provide a distinct environment in which to perform its forensic analysis without affecting the original device or storage media. UIT/Information Security collects other relevant data as needed and works with the IT Support Specialist to restore any lost data for the user.
- UIT/Information Security runs Identity Finder or similar tools on the forensic image only (not on the original media) to determine whether personally identifiable information is actually present.
- If personally identifiable information is not detected, UIT/Information Security notifies the IT Support Specialist to undertake normal procedures to fix the computing resource and this workflow process is terminated.
- If the presence of personally identifiable information is confirmed, UIT/Information Security informs University Counsel. Such notice shall include a recommendation as to whether an outside Forensic Consultant should be engaged to assist in the analysis of the evidence or whether UIT/Information Security will handle the analysis internally. If the forensic analysis will be done internally, UIT/Information Security advises University Counsel as to the anticipated timetable for continued analysis.
- If required, University Counsel retains an outside Forensic Consultant with appropriate credentials, experience and certifications.
- University Counsel advises the Incident Response Management Team, comprised of the following parties, about the status of the matter:
  - Senior Manager of the affected business or academic unit;
  - University Advancement, if the personal information is thought to involve students, alumni, or other donors;
  - Office of the Vice Provost, if the compromised data involves human research subjects;
  - Audit and Management Advisory Services;
  - Executive Vice President;
  - Vice President for University Relations;
  - Campus Director of Public Relations;
  - Vice President for Information Technology and/or Director of UIT/Information Security; and
  - Director of Risk Management.
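The Phase 2 step in which UIT/Information Security creates a forensic image without affecting the original media depends on being able to show, later, that the image is a faithful copy. The script below is an added example and is not part of the Tufts workflow or any UIT/Information Security tool: it copies a source sector-by-sector with dd, records SHA-256 digests of the source and the image in an acquisition log, and re-verifies the image against that log. It assumes GNU/Linux coreutils (dd, sha256sum). The demo at the bottom uses a constructed random file in place of a drive; a real acquisition would read the device node behind a hardware write blocker.

```shell
#!/bin/sh
# Added example, not part of the Tufts workflow: acquire a forensic image of an
# isolated drive with dd and record SHA-256 hashes of source and image so the
# image can later be shown to match the original. Assumes GNU/Linux coreutils.
# The demo below uses a constructed random file in place of a real device node.
set -eu

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_forensic_image SOURCE IMAGE LOGFILE
# Hashes SOURCE, copies it sector-by-sector to IMAGE, hashes IMAGE, appends an
# acquisition record to LOGFILE and returns 0 only if both hashes match.
make_forensic_image() {
    src="$1"; img="$2"; log="$3"

    # Hash the original first so the record predates the copy.
    src_hash=$(sha256_of "$src")

    # 512-byte blocks match a disk sector; conv=noerror,sync continues past an
    # unreadable sector and pads it with zeros instead of aborting the
    # acquisition (such padding then shows up as a hash mismatch below).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null

    img_hash=$(sha256_of "$img")

    {
        echo "acquired_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image: $img"
        echo "sha256_source: $src_hash"
        echo "sha256_image: $img_hash"
        echo "---"
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE and compares it with the most recent sha256_image recorded in
# LOGFILE; returns non-zero if the image has changed since acquisition.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep '^sha256_image: ' "$log" | tail -n 1 | cut -d' ' -f2)
    current=$(sha256_of "$img")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demo on a constructed 32 KiB "drive" (64 sectors of random bytes).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/drive.raw" bs=512 count=64 2>/dev/null
make_forensic_image "$demo_dir/drive.raw" "$demo_dir/drive.img" "$demo_dir/acquisition.log"
verify_image "$demo_dir/drive.img" "$demo_dir/acquisition.log" && echo "image verified"
cat "$demo_dir/acquisition.log"
```

The log is what ties the working copy back to the original: analysis in Phase 3 is run on the image, and verify_image can be repeated at any point (including by an outside Forensic Consultant) to confirm that the image still has the digest recorded at acquisition. Any change to the image after acquisition makes the check fail.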
PHASE 3: Breach Analysis and Response
- UIT/Information Security or the Forensic Consultant performs an analysis of the potential breach using the forensic image and other techniques, and forwards its findings to University Counsel. The analysis should attempt to ascertain, to the extent feasible, whether personal information was exported from the device.
- University Counsel reviews analysis data with the Incident Response Management Team and reaches a determination and recommendation as to what response is required under applicable law.
- UIT/Information Security or the Forensic Consultant extracts a copy of the files that were identified, via Identity Finder or a similar tool, as potentially containing personal information. UIT/Information Security or the Consultant encrypts and securely transfers the files to the Information Steward. The Information Steward and Senior Manager:
  - review the data to identify affected individuals; and
  - begin to compile the affected individuals’ contact information.
- University Counsel and the Incident Response Management Team coordinate an incident notification plan that includes:
  - notification to affected individuals to the extent required by law;
  - preparation of a standby statement for media inquiries;
  - preparation of a written analysis of the cause and circumstances of the breach and any corrective actions to prevent recurrence;
  - a communications plan which includes information about the breach and guidelines for how Tufts staff should respond to inquiries about potential breaches, as well as a response mechanism for affected individuals;
  - obtaining credit monitoring for affected individuals, if deemed appropriate by the Incident Response Management Team (coordinated through Purchasing); and
  - determination of departmental responsibility for costs incurred by the breach.
- University Counsel coordinates required reporting of the incident to federal, state and local officials, including police reports.
PHASE 4: Post-Incident Review
- The Information Steward and Senior Manager review the circumstances of the breach with the End User, IT Support Specialist, University Counsel, UIT/Information Security, Audit and Management Advisory Services, and the DCA/RM Program and suggest appropriate improvements. This post-incident review should include recommendations of technology or procedural changes that need to be implemented to prevent a recurrence of the incident and a discussion of other areas of the University’s computing environment that may exhibit similar vulnerabilities.
- Each party involved in a response should retain their incident documentation until notified by University Counsel that such documentation is no longer required (at which time it should be securely destroyed).
- An Inter-Departmental Requisition is submitted to transfer funds for costs of the incident.
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.