Digital forensics is the act of assisting an investigation by accumulating evidence from digital artifacts. These artifacts include computers, networks, cloud services, hard drives, servers, phones, or any endpoint system connected to the infrastructure. The activity also includes collecting information from emails, SMS, images, deleted files, and much more. In short, the responsibility of a digital forensic investigator is a threefold process:
• Preserving or recording the state of a digital device
• Analyzing the state of the digital device
• Reporting retrieved information
In the case of cybercrime, a digital forensic examiner analyzes digital devices and digital data to gather enough evidence to help track the attacker.
• The proper protocol should be followed for the acquisition of evidence, irrespective of whether it is physical or digital. Gentle handling should be exercised in situations where the device may be damaged.
• Special handling may be required for some situations. E.g., when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations, it would not be appropriate to shut down the device so that the digital forensics expert can examine the device’s temporary memory.
• All artifacts, physical and/or digital, should be collected, retained, and transferred using a preserved chain of custody.
• All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
• Proper logs should be maintained when transferring possession.
• When storing evidence, suitable access controls should be implemented and tracked to certify that the evidence has only been accessed by authorized individuals.
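The handling rules above (record the state of the evidence, stamp every hand-over with date, time, custodian and destination, and keep logs of each transfer) can be made mechanically checkable. The following is an added illustration, not code from the article: it fingerprints the acquired evidence with SHA-256 at collection time, re-hashes it whenever possession changes so that a modified image is refused, and keeps the custody log itself tamper-evident by having each entry commit to the hash of the previous one. Assumptions not taken from the article: the evidence is a byte string (a disk image read from a file would be handled the same way), the ledger lives in memory, and timestamps are passed in by the caller so the hashes are reproducible; a production system would take them from a trusted clock and persist the ledger in append-only storage.

```python
"""Evidence fingerprint plus tamper-evident chain-of-custody ledger (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Digest that proves the acquired evidence has not changed since collection."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only custody log; every entry carries the hash of the entry before it."""

    GENESIS = "0" * 64  # prev_hash of the first (collection) entry

    def __init__(self, item_id, description, evidence, collector, location, when):
        self.item_id = item_id
        self.description = description
        self.evidence_sha256 = sha256_hex(evidence)  # recorded state of the item
        self.entries = []
        self._append(when, "collected", collector, location, self.evidence_sha256)

    @staticmethod
    def _hash_entry(entry):
        # Hash every field except the entry's own hash, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, when, action, custodian, location, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "timestamp": when,            # date/time stamp required by the handling rules
            "action": action,
            "custodian": custodian,       # who collected or who handed over to whom
            "location": location,         # where the item is being taken
            "evidence_sha256": evidence_sha256,
            "prev_hash": prev,            # links this entry to the one before it
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, evidence, from_person, to_person, to_location, when) -> bool:
        """Record a hand-over. The receiver re-hashes the item before accepting it."""
        digest = sha256_hex(evidence)
        accepted = digest == self.evidence_sha256
        action = "transferred" if accepted else "transfer_rejected"
        self._append(when, action, f"{from_person} -> {to_person}", to_location, digest)
        return accepted

    def verify(self) -> bool:
        """True only if no entry has been altered, removed or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk one constructed item through collection, transfer and a log check."""
    image = b"constructed sample disk image bytes"  # stands in for an acquired image
    ledger = CustodyLedger("EV-001", "workstation disk image", image,
                           "A. Examiner", "on-site lab", "2024-01-01T09:00:00Z")
    accepted = ledger.transfer(image, "A. Examiner", "B. Custodian",
                               "evidence locker 3", "2024-01-01T12:00:00Z")
    rejected = ledger.transfer(image + b"\x00", "B. Custodian", "C. Analyst",
                               "analysis workstation", "2024-01-02T08:00:00Z")
    intact_before = ledger.verify()
    # Simulate an after-the-fact edit to a log entry; the hash chain exposes it.
    ledger.entries[1]["custodian"] = "edited name"
    intact_after = ledger.verify()
    return accepted, rejected, intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The two checks serve different purposes: the evidence digest detects a changed image, while the chained entry hashes detect a changed log. A rejected transfer is still written to the ledger, so the record shows that a mismatch occurred and when.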
Forensic readiness helps an organization organize its activities so that retrieval of digital evidence becomes faster and more efficient. This means that digital evidence is appropriately recorded and stored even before an incident takes place, without interrupting operations. The following is a sample list of scenarios where digital evidence would become necessary:
• Disputed transactions
• Allegations of employee misconduct
• Showing legal and regulatory compliance
• Avoidance of negligence and breach-of-contract charges
• Assisting law enforcement investigations
• Meeting disclosure requirements in civil claims
• Supporting insurance claims when a loss occurs
Forensic readiness planning is part of a quality information risk management approach. Risk areas have to be identified and assessed, and measures must be taken to avoid and minimize the impact of such risk. Organizations with a good risk assessment and information security framework would find it easier to adopt a forensic readiness plan. A forensic readiness plan should have the following goals:
• To gather admissible evidence legally without interfering with business processes
• To gather evidence targeting potential crimes and disputes that could have an adverse impact on an organization
• To allow investigations to proceed at costs proportional to the incident
• To minimize interruption of operations by investigations
• To ensure that evidence impacts positively on the outcome of any legal action
The benefits of forensic readiness planning include:
• Preparing for the potential need for digital evidence. In the event that an organization has to go to litigation where digital evidence is required, there will be a need for electronic discovery (e-discovery).
• Minimizing the cost of investigations. Because evidence is gathered in anticipation of an incident, costs, as well as the disruption of operations, are minimal, and investigations are efficient and rapidly completed.
• Blocking the opportunity for malicious insiders to cover their tracks. When individuals become aware that evidence is being constantly gathered, they are deterred from carrying out malicious activities for fear of being caught.
• Reducing the cost of regulatory or legal requirements for disclosure of data. Having the evidence easily at hand and preserved in an acceptable manner makes it possible for it to be easily presented when and as required.
• Showing due diligence, good corporate governance, and regulatory compliance. Having good information management policies, such as a forensic readiness policy, shows an organization is on top of incident prevention and response. This helps garner goodwill for the organization, providing customers with a feeling that their transactions are secure and protected.
• Uncovering bigger cases. In monitoring acceptable usage of endpoints, malware may be discovered to have infiltrated a system and its source subsequently traced, helping to protect against such attacks in the future.
A forensic readiness plan is meant to prepare an organization for an event whose occurrence cannot be predicted. In preparation, an organization should review and analyze its security: technical controls, policies, procedures, and skill set. This can be carried out by a skilled forensic investigator, who can recommend appropriate amendments and actions to improve upon what is in place and ensure a good forensic readiness plan.
The plan should contain a forensic readiness checklist:
• Define the business scenarios that would require digital evidence.
• Identify potential evidence sources and the types of evidence.
• Determine evidence collection requirements.
• Establish capability for secure evidence gathering and collection in a forensically sound manner.
• Establish a policy for proper chain of custody.
• Ensure monitoring targets detection and deterrence of major incidents.
• Specify the circumstances under which escalation to a full formal digital investigation should commence.
• Educate and train staff on incident response and awareness to ensure that they comprehend their role in the digital evidence process and the importance and sensitivity of it.
• Document evidence-based cases, describing the incident and its impact.
• Ensure legal review to facilitate appropriate action in response to an incident.
By following a reactive approach to digital forensic investigations, organizations foster a perception that they lack initiative for managing risk. Conversely, when organizations implement strategies to proactively gather potential sources of digital evidence in support of their business risk scenarios, they showcase their ability to manage risk effectively.
As the world becomes ever more immersed in digital technologies and devices, it will be critical for organizations to develop a well-thought-out strategy for digital forensics. An understanding of this space and an appropriately crafted approach can help organizations attain positive outcomes in cases and investigations involving electronic evidence.