Recently, the University of Arizona in Tucson, AZ informed almost 10,000 current and former students about a supposed break-in to one of their servers. The server, which was operated by the College of Law on the campus, stored a variety of information which included Social Security Numbers, home addresses, and other personal information that could be used to steal an identity. What is interesting about this case? The breach itself was discovered on July 29th of 2013, and the students were not informed until October 16th 2013. Although campus police and the FBI have been working on this case since its discovery, many might ask how much information was exposed before the breach was discovered.
Here the school acted swiftly and appropriately in maintaining and preserving evidence for investigation. When the breach was discovered the server was immediately taken offline and turned over to law enforcement, who took the reins from there. Whenever someone brings a case to Evidence Solutions, Inc. we always ask questions such as “When did this event occur approximately?” “Has the device been in use since that time?” “Other than yourself or the person in question, who else in that timeframe could have had access to this device?” All of these questions are important when determining whether we can find evidence of the event or not. Even though computers will store deleted information long after it has been deleted, it can still be lost over time if not properly handled. That’s why it is important to speak with a digital forensics expert as soon as the incident occurs to preserve as much evidence as possible.
