Snort as Legal Evidence in the U.S.
Problem
We have been dealing with law enforcement on a case involving our network. How should we handle our data when using it as legal evidence in a case?
Solution
Simply follow the guidelines and suggestions stated earlier. For example, if your site is involved in interstate business, any compromise is automatically a federal case under the Computer Fraud and Abuse Act (U.S. Code Title 18, section 1030), because the system qualifies as a protected computer. Also, with the passing of the USA Patriot Act, section 217 allows organizations to monitor their networks for trespassers. Several sections of U.S. Code Title 18 step through all parts of an investigation about which your organization might have questions. If you are unsure of your bounds, either check with your legal department or contact your local FBI InfraGard chapter at http://www.infraguard.net.
Document and demonstrate to law enforcement and officers of the court that your data passes through as few hands as possible. It is also important to demonstrate that your data cannot easily be read or tampered with. Possible methods include encryption, digital signatures, out-of-band infrastructures, and/or detection through normal, documented means.
Discussion
Another thought is to make sure that your corporate legal department has signed off on your organization's acceptable-use and consent-to-monitoring documentation. This can really help with internal issues such as the firing and termination of employees and contractors.
Use the previous example script, or create your own, to sign and store your logs securely. For example, if your organization can afford an ESM/SIM, get the vendor to accept the log hashes or store them somewhere you can easily gather and maintain them. Some ESM/SIM vendors offer custom reports, so create a report called Law Enforcement and have it not only pull the IDS logs but also print the hashes for the logfiles that law enforcement is going to gather. This way, you can hand them a hard copy, and they can physically sign off to show that the data was maintained from your team to theirs, as in the following. One would hope your vendor would provide a much cleaner and prettier report, if for no other reason than to show to management:
#########################################################
# TEXT REPORT FOR 10 October,2004                       #
#                                                       #
# INCIDENT NUMBER: 2004-09 Porn use (internal)          #
#                                                       #
# Created by: John Simpleton (Day shift - Analyst)      #
# FOR: John Q. Law (FBI)                                #
#                                                       #
# Incident description:                                 #
# IDS events triggered on possible company violation    #
# (porn) when investigated discovered law enforcement   #
# was needed to be involved.                            #
#                                                       #
#                                                       #
# IDS LOGS:                                             #
# File name             MD5 Hash on file                #
# snort.08102004        d332lhl4hj43hhl3hl3hl24hl4khlkh #
# snort.09102004        kj4khj4lkl4khk3lhkl5jl5j6kl7j56 #
# session.log.08102004  33kj4klj534kl53kl6jk5lj6l5k4j6  #
# session.log.08102004  4j5klj43lk5j6lkj45l65kj4k74k    #
#                                                       #
# _ _ _ _ _ _ _ _ _ _ Date                              #
# _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ IDS personnel     #
#                                                       #
# _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ LE personnel    #
#                                                       #
# (Print and store hard copy in file 13)                #
#                                                       #
#########################################################
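The hash-and-sign step the recipe refers to, as an added example that is not from the Snort Cookbook or its earlier script: it hashes each log file, seals the hash table with an HMAC under a key the IDS team keeps off the sensor (a placeholder key and two constructed one-line sample logs are used here), re-verifies the files after hand-over, and prints a hash sheet in the style of the report above. It goes one step beyond the report by sealing the hash list itself, so an edited list is detected as well as an edited log.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of the whole file (stream it in chunks for multi-GB logs)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(paths, key):
    """Hash every log, then seal the hash table with an HMAC under a key kept
    off the sensor, so an edited hash list is as detectable as an edited log."""
    files = {Path(p).name: hash_file(p) for p in paths}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, "sha256").hexdigest()}

def verify_manifest(manifest, paths, key):
    """Return a list of problems; an empty list means the evidence is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["hmac"]):
        return ["manifest HMAC mismatch: the hash table itself was altered"]
    problems = []
    for p in paths:
        if manifest["files"].get(Path(p).name) != hash_file(p):
            problems.append(f"{Path(p).name}: missing from manifest or changed since hashing")
    return problems

def render_report(manifest, incident, analyst, recipient):
    """Plain-text hand-over sheet listing each log's hash, as in the recipe's report."""
    out = [f"INCIDENT NUMBER: {incident}", f"Created by: {analyst}", f"FOR: {recipient}",
           "", "IDS LOGS:", f"{'File name':22}SHA-256 hash on file"]
    out += [f"{n:22}{h}" for n, h in sorted(manifest["files"].items())]
    out += [f"Manifest HMAC: {manifest['hmac']}", "", "_" * 30 + " IDS personnel",
            "_" * 30 + " LE personnel"]
    return "\n".join(out)

def demo():
    """Constructed sample logs in a temp dir: seal, verify, tamper, re-verify."""
    key = b"placeholder-custody-key"  # a real key lives off the sensor, not in code
    sample = {"snort.08102004": "10/08-14:02:11 [**] sample alert 10.0.0.5 -> 10.0.0.9\n",
              "session.log.08102004": "[10/08/2004 14:02:11] 10.0.0.5:4312 -> 10.0.0.9:80\n"}
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d, n) for n in sample]
        for p in paths:
            p.write_text(sample[p.name])
        manifest = build_manifest(paths, key)
        before = verify_manifest(manifest, paths, key)
        paths[0].write_text(sample[paths[0].name] + "line appended after hashing\n")
        after = verify_manifest(manifest, paths, key)
        return before, after, render_report(manifest, "2004-09", "J. Simpleton", "FBI")
```

Store the manifest alongside the signed hard copy; rerunning verify_manifest each time the files change hands turns the signatures on the sheet into a checkable record rather than a promise.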
See Also
Recipe 7.11
Snort as Evidence in the U.K.