Organizations need to get ready with Digital Forensic : Part 1

Most commonly, forensic investigation of digital evidence is done as a post-event response to a serious information security incident and given an option, IT department of most of the orgnizations would prefer to avoid it given the timeframe, cost and wide range of staff impacted with such investigations.

However, monitoring, analyzing and investigating digital evidences as a standard practice can actually help organizations to avoid any serious incident from occurring or reduce the time and cost by detecting and preserving digital evidences. For e.g:

• Monitoring many emails on a particular subject line from an employee who is not related in that matter can suspect to any fraud and avoid any potential crime
• Cyber insurance companies may actual need the evidences from organizations about occurrence of incident under stated clause or evidences for actual downtime or monetary losses etc. before awarding the claims
• In the situations where the risk is highest from insiders, especially where staff have to be trusted with high value assets, effective deterrence may be achieved with forensic readiness.

This can be achieved by adopting Forensic readiness practice. 

Forensic readiness is defined as the ability of an organization to maximise its potential to use digital evidence whilst minimising the costs of an investigation

Benefits of Forensic Readiness

Digital forensic readiness is a way organizations can record activities and data in such a manner that the records are sufficient in their extent for subsequent forensic purposes. 

Being prepared to gather and use evidence can have benefits to organizations such as:

• Digital evidence can support a legal defence
• Support a claim to IPR
• Verify the terms of a commercial transaction and remove commercial disputes
• Support to internal disciplinary actions
• It can be used as a deterrent. A good deal of crime is internal. A company showing that it has the ability to catch and prosecute this type of insider attacker will dissuade them
• In the event of a major incident, an efficient and rapid investigation can be conducted and actions taken with minimal disruption to the business
• A systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation
• It demonstrates due diligence and good corporate governance of the company’s information assets
• It can demonstrate that regulatory requirements have been met
• It can improve and facilitate the interface to law enforcement, if involved
• Forensic readiness can add value to many existing processes and leverage such activities as incident response, business continuity, and crime prevention.

Becoming a Forensic ready organization

Forensic readiness is a security process which is more procedural and staff- intensive than technological.

The most significant barrier to forensic readiness is that companies rarely communicate the business risks well enough to allow those who are monitoring the IT systems to collect the most appropriate data.

In forensic readiness, it is necessary to assume that an incident will occur, even if a risk assessment says it should not.

It requires an understanding of:

• the possible evidence sources
• how to gather evidence legally and cost-effectively
• when to escalate a suspicious event into a formal forensic investigation
• how to put together a case with the possible involvement of law enforcement agencies.

A wide range of staff will be involved with, impacted by, or responsible for, evidence and investigations; for example: 

• The investigating team
• Corporate HR department; 
• Corporate PR department;
• “Owners” of business processes or data; 
• Corporate security; 
• IT staff; 
• Legal advisers

Once an organization recognises that it requires some form of investigative capability, the next step is to ensure the efficiency and competency of that capability