Certified Information Systems Auditor (CISA) Exam: Preserving Evidence in Data Breach Investigations



Question

When following up on a data breach, an IS auditor finds a system administrator may have compromised the chain of custody.

Which of the following should the system administrator have done FIRST to preserve the evidence?

Answers

Explanations


A. B. C. D.

D.

In the event of a data breach, preserving evidence is critical to identifying the root cause of the breach, assessing the extent of the damage, and potentially pursuing legal action against the perpetrator(s). The chain of custody is a crucial element of evidence preservation: it documents how evidence is collected, handled, analyzed, and reported so that its integrity and admissibility in court can be demonstrated.

If an IS auditor finds that a system administrator may have compromised the chain of custody, the first step the administrator should have taken to preserve the evidence is to quarantine the system. This means isolating the system from the network and any other communication channels so that nothing can further alter the evidence.

Performing forensic discovery or notifying key stakeholders should wait until the evidence has been properly secured and isolated. Forensic discovery is the collection, analysis, and reporting of digital evidence in a manner that is admissible in court; without the system first quarantined, any forensic evidence gathered may be tainted or altered, rendering it inadmissible.

Notifying key stakeholders, such as customers, partners, or regulatory bodies, should be done in a timely manner, but only after the evidence has been secured and analyzed. This ensures that stakeholders are informed of the breach, its impact, and any mitigation measures that have been taken.

Notifying the incident response team is also an important step, but it should be done after the evidence has been secured and analyzed. The incident response team will help identify the cause of the breach, contain it, and mitigate its impact, but without proper evidence, their efforts may not be effective.

In conclusion, the system administrator should have first quarantined the system to preserve the evidence, followed by performing forensic discovery, notifying key stakeholders, and notifying the incident response team.
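The explanation above turns on why the chain of custody matters: every later step (forensic discovery, stakeholder and incident-response notification) depends on being able to show that the evidence was not altered after it was secured. The following is an added example, not part of the exam material or any CISA publication, showing one way an incident responder can make a chain of custody tamper-evident. It hashes the artifact at acquisition and links each custody event to the previous one by hash, so both a modified artifact and an edited ledger are detected. All names, the case identifier, and the sample "evidence" are constructed for illustration.

```python
"""Added example: a tamper-evident chain-of-custody ledger (constructed, not
from the page). Each artifact is hashed at acquisition; every custody event
records the artifact hash and the hash of the previous ledger entry, so an
altered artifact or an edited ledger entry can be detected on verification.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first ledger entry

# Constructed sample evidence: fake log lines standing in for an image of the
# quarantined system. Not real log data.
SAMPLE_EVIDENCE = b"\n".join([
    b"2024-01-01T00:00:01Z sshd[1]: Accepted password for appuser from 203.0.113.7",
    b"2024-01-01T00:00:05Z sudo: appuser : COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/db",
])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str
    action: str           # "acquired", "transferred", ...
    custodian: str        # who holds the evidence after this event
    evidence_hash: str    # hash of the artifact as seen at this event
    prev_entry_hash: str  # entry_hash of the previous event (or GENESIS)
    entry_hash: str = ""  # hash over all other fields, filled in on append


def entry_digest(ev: CustodyEvent) -> str:
    """Hash of an entry's content, excluding its own entry_hash field."""
    body = {k: v for k, v in asdict(ev).items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLedger:
    def __init__(self, case_id: str, evidence: bytes, custodian: str):
        self.case_id = case_id
        self.acquisition_hash = sha256_hex(evidence)  # reference hash for the case
        self.events: list[CustodyEvent] = []
        self._append("acquired", custodian, evidence)

    def _append(self, action: str, custodian: str, evidence: bytes) -> CustodyEvent:
        prev = self.events[-1].entry_hash if self.events else GENESIS
        ev = CustodyEvent(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            action=action,
            custodian=custodian,
            evidence_hash=sha256_hex(evidence),
            prev_entry_hash=prev,
        )
        ev.entry_hash = entry_digest(ev)
        self.events.append(ev)
        return ev

    def transfer(self, new_custodian: str, evidence: bytes) -> CustodyEvent:
        """Hand the artifact to a new custodian, re-hashing it at handover."""
        return self._append("transferred", new_custodian, evidence)

    def verify(self, evidence_now: bytes) -> list[str]:
        """Return a list of integrity problems; an empty list means intact."""
        problems: list[str] = []
        expected_prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.prev_entry_hash != expected_prev:
                problems.append(f"event {i}: broken link to previous entry")
            if ev.entry_hash != entry_digest(ev):
                problems.append(f"event {i}: entry altered after recording")
            if ev.evidence_hash != self.acquisition_hash:
                problems.append(f"event {i}: evidence hash differs from acquisition hash")
            # Recompute rather than trust the stored value so that an edited
            # entry also breaks the link held by the entry after it.
            expected_prev = entry_digest(ev)
        if sha256_hex(evidence_now) != self.acquisition_hash:
            problems.append("current evidence does not match acquisition hash")
        return problems


if __name__ == "__main__":
    ledger = CustodyLedger("CASE-0001", SAMPLE_EVIDENCE, "system-administrator")
    ledger.transfer("forensic-analyst", SAMPLE_EVIDENCE)
    print("intact:", ledger.verify(SAMPLE_EVIDENCE))
    # A handover where the artifact was modified is caught at that event.
    ledger.transfer("legal-counsel", SAMPLE_EVIDENCE + b"\nedited")
    print("tampered artifact:", ledger.verify(SAMPLE_EVIDENCE))
    # Editing a recorded entry breaks its digest and the next entry's link.
    ledger.events[0].custodian = "unknown"
    print("edited ledger:", ledger.verify(SAMPLE_EVIDENCE))
```

The ordering in the question maps directly onto the ledger: the acquisition hash can only be trusted if it is taken after the system is quarantined and before anyone performs forensic analysis or hands the artifact to stakeholders, which is why quarantine comes first. In practice, quarantine means disconnecting the host from the network rather than powering it off, so that volatile evidence (memory, running processes, open connections) survives for the forensic image that the ledger then protects.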