
Collect evidence from the incident scene.

CONTROL ID
02236
CONTROL TYPE
Business Processes
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital forensic evidence framework., CC ID: 08652

This Control has the following implementation support Control(s):
  • Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report., CC ID: 08679
  • Refrain from altering the state of compromised systems when collecting digital forensic evidence., CC ID: 08671
  • Follow all applicable laws and principles when collecting digital forensic evidence., CC ID: 08672
  • Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence., CC ID: 08675
  • Secure devices containing digital forensic evidence., CC ID: 08681


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization must investigate and identify the root cause of an incident or failure and take action to prevent its reoccurrence. This is a control item that constitutes a greater risk to financial information. This is an IT general control. (App 2-1 Item Number IV.2(12), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • During the recovery process, the organization should collect data that may be necessary for explaining and analyzing the unauthorized access. (T48.1(2).2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Ascertain the conditions involved, such as intrusion routes, intrusion times, extent of damage, etc. (P19.2. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should notify the accreditation authority if it is considering allowing intrusion activity to continue under controlled conditions in order to scope the intrusion. (Control: 1212, Australian Government Information Security Manual: Controls)
  • The organization must seek legal advice if it is considering allowing intrusion activity to continue under controlled conditions to find further information or evidence. (Control: 0137, Australian Government Information Security Manual: Controls)
  • APRA envisages that a regulated institution would develop appropriate processes to manage all stages of an incident that could impact on services including detection, identification, containment, investigation, evidence gathering, resolution, return to business-as-usual and reducing the risk of simi… (¶ 71, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity; (Article 11 3 ¶ 1(d), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authori… (Art. 19.1. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • policies and procedures to detect activities that may impact firms' information security (eg data breaches, incidents, or misuse of access by third parties) and respond to these incidents appropriately (including appropriate mechanisms for investigation and evidence collection after an incident); an… (§ 7.11 Bullet 12, SS2/21 Outsourcing and third party risk management, March 2021)
  • Is there an attempt to trace the source of the attack? (Table Row XII.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Can the organization determine the servers from which the intruder data was sent? (Table Row XII.6, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the Incident Response policies and procedures address evidence collection? (Table Row XII.8.a, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The preliminary investigator should preserve and document the incident scene, including physical evidence and information from witnesses. The preliminary investigator should determine the type of incident, identify witnesses, and separate witnesses so they don't talk to each other. Documentary evide… (Revised Volume 4 Pg 1-VIII-3, Revised Volume 4 Pg 1-VIII-12, Protection of Assets Manual, ASIS International)
  • The Information Security policy should require that tampering with evidence in the case of Information Security incidents that might require forensic investigation is prohibited. (CF.01.01.03g, The Standard of Good Practice for Information Security)
  • Evidence should be collected with the intention of possible legal action. (CF.11.04.03a, The Standard of Good Practice for Information Security)
  • Evidence should be collected with respect for individuals' privacy and human rights. (CF.11.04.03b, The Standard of Good Practice for Information Security)
  • Evidence should be collected from Information Technology sources relevant to the information security incident (e.g., active, temporary, and deleted files on storage media, e-mail, or Internet usage, memory caches, and event logs). (CF.11.04.03c, The Standard of Good Practice for Information Security)
  • Evidence should be collected from non-information technology sources relevant to the information security incident (e.g., CCTV recordings, building access logs, and eyewitness accounts). (CF.11.04.03d, The Standard of Good Practice for Information Security)
  • Evidence collected should include passwords and encryption keys needed to access password protected or encrypted areas of storage containing electronic evidence. (CF.11.04.04, The Standard of Good Practice for Information Security)
  • The Information Security policy should require that tampering with evidence in the case of Information Security incidents that might require forensic investigation is prohibited. (CF.01.01.03g, The Standard of Good Practice for Information Security, 2013)
  • Evidence should be collected with the intention of possible legal action. (CF.11.04.03a, The Standard of Good Practice for Information Security, 2013)
  • Evidence should be collected with respect for individuals' privacy and human rights. (CF.11.04.03b, The Standard of Good Practice for Information Security, 2013)
  • Evidence should be collected from Information Technology sources relevant to the information security incident (e.g., active, temporary, and deleted files on storage media, e-mail, or Internet usage, memory caches, and event logs). (CF.11.04.03c, The Standard of Good Practice for Information Security, 2013)
  • Evidence should be collected from non-information technology sources relevant to the information security incident (e.g., CCTV recordings, building access logs, and eyewitness accounts). (CF.11.04.03d, The Standard of Good Practice for Information Security, 2013)
  • Evidence collected should include passwords and encryption keys needed to access password protected or encrypted areas of storage containing electronic evidence. (CF.11.04.04, The Standard of Good Practice for Information Security, 2013)
  • The incident handling team should familiarize themselves with the laws about handling evidence and understand concepts such as chain of custody and what constitutes legally admissible evidence. (Action 1.9.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization shall identify the cause of a failure when a delivered service fails to comply. (§ 6.4.9.3(d)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to: (DE.AE-2.1, CRI Profile, v1.2)
  • The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process. (RS.AN-3.1, CRI Profile, v1.2)
  • The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to: (DE.AE-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process. (RS.AN-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (IR-5(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must document relevant security incident information according to the CMS Computer Security Incident Handling Procedures. (CSR 1.6.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data. (IR.5.106, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Under all service types including SaaS, when a CSP discovers a cyber-incident has occurred within infrastructure and/or CSO for which they are responsible, in conjunction with initial incident reporting, the CSP shall capture, preserve, and protect images and state of all known affected systems/serv… (Section 6.5.4.2 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Incidents and compromises will happen. When they do, they must be reported and then forensically analyzed to gain detailed information regarding how it occurred how to prevent it or protect the system in the future, and potentially who is responsible. Incident information must be gathered and handle… (Section 6.5.4 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Under SaaS, the CSP must perform the capture, preserve, and protect functions in conjunction with their CSSP. The CSP will then share their results with the Mission Owner's organization performing MCD Actions. (Section 6.5.4.2 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Under PaaS and SaaS, a Mission Owner, their organization performing MCD Actions, or the CSP may detect an incident. Each party must work with the others to collect the necessary forensic information from the areas of the service each manages. It may be unlikely that the Mission Owner will be able to… (Section 6.5.4.2 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Under IaaS, when a Mission Owner discovers a cyber-incident has occurred within their systems/applications/virtual networks, they will work with their organization performing MCD Actions and CSP to capture, preserve, and protect images and state of all known affected virtual machines which they mana… (Section 6.5.4.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Evidence shall be collected, retained, and presented to conform to the rules of evidence when follow-up action after an information security incident involves legal action. (§ 5.3.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Collect incident information from those individuals for coordination and sharing among other organizations that may or may not be affected by the incident. (§ 5.3.1.1.2 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). (§ 5.3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). (§ 5.3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (IR-5(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. (IR-5(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Does the Credit Union Security Incident Response policy include the preservation of evidence (making 2 copies of the hard drive of the compromised system)? (IT - Policy Checklist Q 36, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The main reason to gather evidence is to resolve an incident; however, it also may be needed for legal proceedings. When evidence is collected, it should be collected according to procedures that meet legal and regulatory requirements and that are developed from discussions with legal staff and law … (§ 3.3.2, § 4.4.2, § 5.4.2, § 6.4.2, § 7.4, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. (IR-5(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Forensics are performed (RS.AN-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Forensics are performed (RS.AN-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Forensics are performed. (RS.AN-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (IR-5(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. (T0241, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations. (T0120, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. (T0170, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Process crime scenes. (T0193, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost). (T0238, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine and develop leads and identify sources of information to identify and/or prosecute the responsible parties to an intrusion or other crimes. (T0453, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0278, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Process image with appropriate tools depending on analyst's goals. (T0396, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Organizations should collect data for forensics using a consistent process and approach. (§ 3.5, NIST 800-86: Guide to Integrating Forensic Techniques into Incident Response, August 2006)
  • Containers are typically connected to each other using virtualized overlay networks. These overlay networks frequently use encapsulation and encryption to allow the traffic to be routed over existing networks securely. However, this means that when investigating incidents on container networks, part… (6.2 ¶ 4, NIST SP 800-190, Application Container Security Guide)
  • The organization should use automated mechanisms to aid in tracking security incidents and for collecting and analyzing the incident information. (SG.IR-6 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (App F § IR-5(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations. (T0120, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Process crime scenes. (T0193, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost). (T0238, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0278, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Process image with appropriate tools depending on analyst's goals. (T0396, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. (T0170, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Determine and develop leads and identify sources of information to identify and/or prosecute the responsible parties to an intrusion or other crimes. (T0453, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. (T0241, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (IR-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (IR-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. (IR-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. (IR-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Incident data and metadata are collected, and their integrity and provenance are preserved (RS.AN-07, The NIST Cybersecurity Framework, v2.0)