Tools Are Weapons – Only If Configured Properly
Forensic Readiness Assessment
Every organisation is the victim of direct or indirect information security threats: corporate espionage, financial fraud, insider threats, IPR disputes and many more. For all of these the end target is your digital data. Protecting that data with advanced techniques such as encryption is one thing; whether the data is also stored in a way that experts can retrieve it safely whenever it is required is another. Today most organisations investigate the threats that hit them, but the time and cost they spend on investigation is high. Forensic Readiness Assessment can be implemented to complete investigations more effectively, in less time and at lower cost.
Forensic readiness assessment defines the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of investigation. Digital evidence helps in dealing with legal defence, IPR issues, financial fraud and insider threats, all of which affect business risk. Often we are not sure which evidence has to be collected, and by the time we realise the importance of a specific piece of information it may no longer be available. E-discovery helps avoid such situations by maintaining a preservation process that keeps your digital evidence available from the moment of legal hold.
Forensic Readiness assessment is done in a systematic, formalised and legal manner to ensure the integrity of the preserved evidence. A forensic investigation of digital evidence is most often a post-incident process, and the integrity of the evidence is then questionable because of how the IT team carried out preservation. To avoid such issues a defined process should be followed that strengthens support for the forensic team; fig 1.1 below shows an example of such a processed approach.
A typical approach to incident response is shown above, but identifying the potential evidence for an incident is a key responsibility. Below is a list of potential areas where traces of digital evidence can be searched for, depending on the incident.
- Backup Tapes
- Employee records
- Security devices
Evidence without proper supporting information is of little value, so before any piece of evidence is considered the factors below must be verified; they also determine how long your investigation will take.
- How information is stored
- Whether backups are taken, and how
- How logging is done
- What fields are logged
- How the evidence is handled
- How it can be acquired
When the above factors are considered, the major concern is how preservation takes place. It is important to maintain a chain of custody form. Preservation rarely follows a single standard set of instructions, as the evidence varies. In incident response the major part of the evidence is usually logs of network communication and event logs from the identified machine, although this differs from case to case.
In corporate networks the major challenge is to get proper logs from the sources, since the staff configuring communication logging at the endpoints may not be aware of certain features or of the higher-level crimes that happen. The type of evidence also depends on the incident, for example logs from access control systems, from test environments or from honeypots.
Benefits of Forensic Readiness Assessment
The need for Forensic Readiness assessment is greatest for organisations most exposed to insider theft, financial fraud and information security attacks. For these organisations digital evidence is highly evidentiary and useful. Before approaching Forensic readiness assessment it is good to have a thorough risk assessment. When considering digital evidence such as server data and end-user data for financial or corporate fraud, it is good practice to follow an ESI map; for more details refer to the ISO draft 27050. Fig 1.2 shows different best practices to follow before a Forensics readiness assessment is done.
During incident response the major area any analyst looks at is the logs, and the fields that matter most are source IP, destination IP, hostname, date with time stamp and URL information. Some log monitoring tools also capture the packets transferred in the network; retaining such information is a challenge, but any trace that can be captured, such as how much data was transferred, helps the analyst, and which of these fields are present depends on the log format.
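As an added example (not part of the original article), a small Python check that assesses whether a log source actually carries the fields named above and hashes the collected evidence for the chain of custody form discussed earlier; the key=value log format, the field names and the sample lines are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Fields an analyst typically needs from a network/proxy log during incident
# response (the fields named in the article). Assumed names; adapt to your schema.
REQUIRED_FIELDS = ("timestamp", "src_ip", "dst_ip", "hostname", "url", "bytes")

# Constructed sample log. The third line lacks dst_ip and url, which is exactly
# the kind of readiness gap this check is meant to surface before an incident.
SAMPLE_LOG = """\
timestamp=2023-04-01T10:00:01Z src_ip=10.1.2.3 dst_ip=203.0.113.7 hostname=ws-017 url=http://example.net/a bytes=512
timestamp=2023-04-01T10:00:02Z src_ip=10.1.2.4 dst_ip=203.0.113.9 hostname=ws-018 url=http://example.org/b bytes=2048
timestamp=2023-04-01T10:00:03Z src_ip=10.1.2.5 hostname=ws-019 bytes=77
"""

def parse_line(line):
    """Split one key=value log line into a dict (values carry no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def assess_log_fields(text, required=REQUIRED_FIELDS):
    """Count, per required field, how many lines carry a non-empty value,
    and list the fields that are not present on every line."""
    lines = [l for l in text.splitlines() if l.strip()]
    coverage = {f: 0 for f in required}
    for line in lines:
        rec = parse_line(line)
        for f in required:
            if rec.get(f, "") != "":
                coverage[f] += 1
    incomplete = [f for f, n in coverage.items() if n < len(lines)]
    return {"lines": len(lines), "coverage": coverage, "incomplete_fields": incomplete}

def custody_record(text, collector, source):
    """Hash the evidence as collected and note who/what/when for the
    chain of custody form; the record travels with the evidence."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    return {"source": source, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "sha256": digest}

def verify_custody(text, record):
    """Confirm the evidence still matches the hash taken at collection time."""
    return hashlib.sha256(text.encode()).hexdigest() == record["sha256"]
```

Running the check on a real log export before an incident tells you which of the analyst's fields your current logging configuration will never be able to provide.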
In incident response the collected data is another important source from which the root cause of the incident can be identified. What is collected depends on the case, but preserving the state of the evidence is always important, as is using a secure collection method that protects the integrity of the evidence.
Steps for Forensic Readiness Assessment
Conclusion - No tool on the market is perfect until it is configured properly with the right settings and rules; similarly, given the incidents happening around us, no network is complete without a proper ESI map or incident handling capability. Forensic readiness assessment gives the organization the ability to use digital evidence when required, and it can minimise the cost and time of an investigation. Forensic readiness assessment is an appropriate process wherever digital evidence is involved and a risk assessment has been done, and it can be part of an organization's information security policy.
Authored by Pardhasaradhi Chintalapati