17.3.13 Data Forensics

Data forensics is the practice of identifying, extracting and examining data in response to incidents. This may include data held in on IT assets, e-mail, SharePoint, or any other digital repositories.

Data forensics are routinely performed after consultation with and consent from the owner of the data. In cases where the data owner does not consent, or where legal or other requirements prevent seeking the consent of the data owner, the approval of the President is required.

The incidents triggering data forensics, along with the data and IT assets involved, are often sensitive or confidential in nature. The purpose of the Data Forensics Procedure is to ensure that data forensics activities are conducted appropriately. The procedure requires that appropriate approvals take place, that the privileges of the parties involved are segregated, and that access to data is limited to only that relevant to the incident.

Request
The data forensics investigation request form is completed by the individual tasked with performing the examination of the data (the investigator), or responsible for the transfer of custody of the data in cases involving the police. The request for details;

• The reasoning behind the request
• The data to be targeted as part of the request
• The duration for which access to the data will be required​

Approval
The form must be approved by one of the Vice-Presidents, Deans, Secretary General, Provost or General Counsel, with further approval by and either the data owner or the President.

Verification
The CIO or delegated representative will receive the request and verify that appropriate approvals have been given. They will then appoint a member of IT to extract the relevant data.

Extraction
The member of IT Division performing the investigation will extract a data to an encrypted, dedicated temporary PC, and give custody to the CIO or delegated representative.

Access
The CIO or delegated representative will then give custody of the temporary PC and associated access credentials to the investigator.

Deletion
Once the access duration period has expired, the CIO will ensure the temporary PC is returned and all extracted data is securely erased.

Reporting
The CIO will prepare and send a final report to the President which describe the result of the data forensics activity, and confirms the date of deletion of the data extracted.

Filing
The request form will be filed within IT, along with the final report.

Responses to IT security incidents are not covered here, and are instead covered under PRP 17.3.12, Information Security Incident Response [Link: 17.3.12].