Not surprisingly, forensic readiness sounds a daunting challenge to most organisations, but it doesn't necessarily mean paying for expensive digital-forensic software or third-party services. It is important, however, to develop a level of forensic readiness that matches your business needs.
The main objectives of forensic readiness or a computer forensics policy are to maximize the usefulness of legally gathered admissible evidence and to minimise any costs and interruptions to the business. The policy extends the immediate business continuity needs of containment, eradication and recovery to forensic investigation and evidence preservation. This is best achieved by developing a policy that details how particular scenarios will be handled and what resources, including human, software and third-party, can be called upon in the event of an incident.
Crafting the forensic readiness policy
You will need to appoint someone at a director level to take ownership and responsibility for the forensic readiness policy to ensure it is given the resources and attention it needs. The next task is to define the business scenarios that would require digital evidence, such as a successful network intrusion, malicious or inappropriate activity by a member of staff, or contract, IPR and copyright disputes.
For each scenario, identify all the different types of possible evidence available and its location. All forms of potential evidence should be considered, such as CCTV cameras, personnel records and access control systems, not just log files and hard drives. For example, evidence of a breach of your Internet acceptable usage policy (IAUP) will involve collecting the employee's signed acceptance of the IAUP, records of awareness training the employee received covering the IAUP and the network logs showing the activity in question along with his or her system logon and logoff times. If the organisation has CCTV surveillance, tapes showing the employee's presence in the building will also be of relevance. You may need specialist help for scenarios requiring the involvement of law enforcement to determine the exact evidence collection requirements and how you're going to securely gather it so it remains admissible.
Include in your policy the procedures for securely storing and handling potential evidence to prevent vital information from being lost or overwritten if you fail to collect and preserve it in a timely manner. Also, the information you collect has plenty of uses other than as evidence. Data from a network intrusion, for example, can be used not only as evidence in a prosecution, but also to help formulate plans for recovering from the incident, such as restoring and hardening a compromised system and targeting scans for other vulnerable systems.
Your logs will always play a key role in any evidence-based investigation, as they help to preserve evidence and shorten investigation times. Deploying multi-tiered logging for the same piece of equipment will help frustrate any attackers' attempts to amend or delete audit logs of their actions. As logging can be used to detect events other than system attacks -- such as the inappropriate use of email or the Internet -- your systems administrators should ensure monitoring is targeted to detect and deter all potential areas of risk to the business. It is not just a case of installing an intrusion detection system, but also of combining a range of techniques, including door swipes, access control and CCTV, among others.
A wide range of staff may become involved in an investigation and thus will need to be trained in their roles. To collect admissible evidence, the organisation should review the legality of any monitoring it undertakes. Employees must understand how digital evidence can be gathered and under what circumstances it could trigger a full, formal investigation. Ensure the organisation has established a contact point with the police, and be aware that a major incident may become public knowledge, so company lawyers and media managers may need to be part of the investigation plan.
A forensic readiness policy is an important part of any comprehensive security incident response procedure. It demonstrates good corporate governance and compliance with regulatory requirements. A structured and systematic approach to evidence collection and storage can significantly reduce the costs and time of an internal investigation or any court-ordered disclosure. It greatly improves the prospects of a swift and successful outcome in any legal, commercial or internal disputes, while minimising disruption to the business.
After any incidents where the policy is activated, take the opportunity to conduct a 'lessons learned' exercise so the organisation can improve its ability to deal with any future events. Being prepared to conduct a digital forensic investigation to gather and use evidence -- and making that preparedness known -- can in itself act as a deterrent to would-be miscreants both in and outside of the organisation.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in January 2011