Saturday, November 2, 2013

Is a forensic image a corporate record?

The topic of records retention came up today as it relates to evidence image files of corporate hard disk drives (HDDs) and the entire work product created as a result of an internal corporate investigation involving such an HDD.

The discussion asked, “is a forensic image of an employee’s corporate HDD a record?” Do the forensic images fall under the governance of the corporate records retention policy?

At first, at least to a forensic examiner, the answer may seem obvious: a resounding yes, I suspect. I’m sure an examiner does not want his forensic images deleted after he is done; seems obvious, right? However, your records retention policy and the legal folks will define what a record is. As an example, a business unit that creates records (data) sees a record as data that contains customer information from various sources. This can be names, addresses, NPPI, PCI, PII, transaction-history-related data: data that is created as part of doing business. This is not difficult to understand. So, when it comes to forensic images, do they fall under the same corporate records retention policy, or should they be treated differently?

To emphasize the question again: we are just trying to understand whether the images themselves are corporate records that fall under the record retention policy; we are not discussing the data within them.

There are investigations that absolutely dictate the images must be retained; employee fraud comes to mind. If every forensic image that is created falls under the policy, then we have some serious long-term storage equipment to purchase, and then we need to manage that environment and all its associated costs.

Here is another example: a machine becomes infected, analysis is performed, it is discovered the machine was the victim of a drive-by from a legitimate website, a report is written up with the RCA, the case is closed and the desktop is re-imaged. Now, do you really need to keep the 150Gb image for this investigation? The report will be archived, but the image? See the dilemma?

You could be retaining needless amounts of data simply because your record retention policy states your work product is a record regardless of the investigation type and outcome. Let me know your thoughts on this topic; I will be interested to hear them.

Until next time, take care.

Mr. Orinoco