Control 5.28 : Collection of Evidence
Summary
The organization should establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events. This ensures that data is handled in a way that is legally defensible and useful for forensic analysis.
Applicability
In-Scope: Essential for organizations that may need to pursue legal action or comply with law enforcement requests. It is critical for maintaining the chain of custody for digital artifacts.
Out-of-Scope: Could only be reduced in scope for an organization with no legal or regulatory obligation to preserve evidence, which is effectively impossible for a modern business.
Implementation Guidance
Microsoft 365 / Entra ID
- Legal Hold: Utilize Microsoft Purview eDiscovery (Premium) to place a litigation hold on mailboxes, OneDrive files, and Teams chats to prevent deletion.
- Log Preservation: Configure Microsoft Sentinel or Azure Monitor to archive audit logs to immutable cold storage (Azure Blob) so they cannot be altered or deleted after the fact.
- Forensic Acquisition: Use Microsoft Defender for Endpoint to collect investigation packages from compromised machines, including memory strings and active process lists.
Evidence Checklist
- Evidence Handling Procedure: A documented guide on how to collect and store digital evidence without contaminating it.
- Chain of Custody Logs: Records showing who handled specific evidence artifacts and when.
- Storage Records: Evidence that logs and forensic data are stored in a secure, tamper-proof environment.
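As an added example (not part of this control's text and not Microsoft tooling), the following Python shows one way to keep the chain-of-custody log and integrity record the checklist asks for: each handover entry records the artifact's SHA-256 and commits to the previous entry, so a later verification detects both a modified artifact (such as an edited investigation package) and a deleted, reordered, or altered log entry. The investigation package bytes and handler names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, artifact_id, artifact, action, handler, timestamp=None):
    """Append one custody entry; it commits to the previous entry's hash."""
    entry = {
        "artifact_id": artifact_id,
        "artifact_sha256": sha256_hex(artifact),  # hash taken at handover time
        "action": action,
        "handler": handler,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_custody_log(log, artifacts):
    """Return findings; an empty list means log and artifacts are intact."""
    findings, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev:
            findings.append(f"entry {i}: chain break (prev_hash mismatch)")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            findings.append(f"entry {i}: entry contents altered")
        current = artifacts.get(e["artifact_id"])  # artifact as held today
        if current is not None and sha256_hex(current) != e["artifact_sha256"]:
            findings.append(f"entry {i}: artifact {e['artifact_id']} modified")
        prev = e["entry_hash"]
    return findings


def demo():
    # Constructed bytes standing in for an exported investigation package.
    pkg = b"CONSTRUCTED: investigation package, host WS-042 (sample)"
    log = []
    add_custody_entry(log, "pkg-001", pkg, "collected", "analyst-a")
    add_custody_entry(log, "pkg-001", pkg, "transferred to evidence vault", "custodian-b")
    clean = verify_custody_log(log, {"pkg-001": pkg})
    tampered = verify_custody_log(log, {"pkg-001": pkg + b"\n<edited>"})
    return clean, tampered
```

In practice the log itself would be written to the same immutable storage as the artifacts, and the artifact hash would be recorded at the moment of acquisition on the endpoint, before any transfer.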
Practical Audit Advice
Here are some questions the auditor might ask:
- What steps are taken to ensure that digital evidence is not inadvertently modified during the collection process?
- How do you maintain a chain of custody from the moment an incident is detected until the evidence is handed to authorities?
- Can you demonstrate the process for placing a specific user's data on a legal hold in Microsoft 365?
- How do you ensure that your log retention periods meet the legal requirements for your specific industry or jurisdiction?