Implementing Digital Forensic Readiness
eBook - ePub

Implementing Digital Forensic Readiness

From Reactive to Proactive Process, Second Edition

  1. 480 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Implementing Digital Forensic Readiness: From Reactive to Proactive Process, Second Edition presents the optimal way for digital forensic and IT security professionals to implement a proactive approach to digital forensics. The book details how digital forensic processes can align strategically with business operations and an already existing information and data security program.

Detailing proper collection, preservation, storage, and presentation of digital evidence, the procedures outlined illustrate how digital evidence can be an essential tool in mitigating risk and reducing the impact of both internal and external digital incidents, disputes, and crimes. By adopting a digital forensic readiness approach and stance, a company improves its preparedness and its ability to take action quickly and respond as needed. In addition, this approach enhances the ability to gather evidence, as well as the relevance, reliability, and credibility of any such evidence.

New chapters to this edition include Chapter 4 on Code of Ethics and Standards, Chapter 5 on Digital Forensics as a Business, and Chapter 10 on Establishing Legal Admissibility. This book offers best practices to professionals on enhancing their digital forensic program, or how to start and develop one the right way for effective forensic readiness in any corporate or enterprise setting.

Implementing Digital Forensic Readiness by Jason Sachowski is available in PDF and/or ePUB format (catalogue category: Computer Science & Management).

Section II: Enhancing Digital Forensics
Chapter 6: Understanding Digital Forensic Readiness
Introduction
Digital forensics investigations are commonly performed in reaction to an event or incident. During the post-event response activities, investigators must work quickly to gather, process, and present digital evidence. Depending on the environment in which an investigation is conducted, the evidence necessary to support the investigation may or may not exist, which complicates arriving at a solid conclusion about what happened.
In the business context, the opportunity to gather digital evidence in advance is more prevalent than the ability to gather evidence in a law enforcement setting. If digital evidence has not been gathered to start with, there is a greater chance that it may not be available when needed. Any organization that depends on, or utilizes, technology should have a balanced concern for information security and forensics capabilities.
Digital evidence is fundamental in helping organizations to manage the impact of business risk, such as validating or reducing the impact of an event or incident, supporting litigation matters, or demonstrating compliance. Regardless of the business risk, there are situations where a simple event or incident can escalate into something much more serious. Digital forensics readiness is the ability of an organization to proactively maximize the prospective use of electronic information to reduce the cost of the digital forensics investigative workflow.
What Is Digital Forensics Readiness?
The concept of a forensics readiness program was first published in 2001 by John Tan. Through a forensics readiness program, an organization can make appropriate and informed decisions about business risks to make the most of its ability to proactively gather digital evidence. Under a forensics readiness program, Tan outlines that the primary objectives for an organization are to:
• Maximize the ability to collect credible digital evidence; and
• Minimize the cost of forensics during an event or incident.
John Tan participated as a judge in the 2001 Honeynet Project Forensic Challenge, and he found that the most remarkable finding of the exercise was the cost of the incident.
During email communications with Dave Dittrich of the Honeynet Project, John and Dave noted that the time spent by the intruder (approximately 2 hours) differed greatly from the time spent cleaning up afterwards (between 3 and 80 hours).
This led to the conclusion that every 2 hours of intruder time resulted in roughly 40 billable hours of forensic investigative time. That estimate did not even include intrusion detection (the human element), disk image acquisition, restoration and hardening of the compromised system(s), network scanning for other vulnerable systems, or communications to stakeholders.
Forensics readiness anticipates that an event or incident will occur and enables an organization to make the most efficient use of digital evidence, instead of relying on the traditional reactive handling of an event or incident. It is a business requirement for any organization, and it requires key stakeholders to play a broad role in the overall investigative workflow, including:
• The investigative team
• Senior/executive management
• Human resources and employee relations
• Privacy and compliance
• Corporate security
• IT support staff
• Legal
By having key stakeholders involved in the overall investigative workflow, forensics readiness enables an overall organizational approach to digital evidence. As an overall strategy, the objectives of forensics readiness can be summarized as "the ability to maximize potential use of digital evidence while minimizing investigative costs," with the purpose of achieving the following goals:
• Legally gather admissible evidence without interrupting business functions
• Gather evidence required to validate the impact incidents have on business risks
• Permit investigations to proceed at a cost that is lower than the cost of an event or incident
• Minimize the disruption and impact to business functions
• Ensure evidence supports a positive outcome in legal proceedings
Costs and Benefits of Digital Forensics Readiness
Management will be cautious of the costs related to implementing a forensics readiness program. While cost implications will be higher where organizations have immature information security programs and strategies, the cost is lessened for organizations that already have a good handle on their information security posture. In either case, the issues raised by the need for a forensics readiness program must be presented to senior management, where a decision can be made.
Cost analysis of a forensics readiness program should be weighed against the value-added benefits the organization will realize once implemented. To make an educated and informed decision about whether implementing a forensics readiness program is practical, organizations must be able to perform an apples-to-apples comparison of the tangible and intangible contributors to the program. The starting point of this task is to document the individual security controls that will be aligned to the forensics readiness program through a service catalog.
Addendum B, "Service Catalog," as found in the Addendum section of this book, further discusses the service catalog to better understand how to hierarchically align individual security controls into the forensics readiness program.
Cost Assessment
Forensics readiness consists of costs involving administrative, technical, and physical information security controls implemented throughout the organization. Through the service catalog, each of these controls is aligned to a service where all cost elements can be identified and allocated appropriately. While not all controls and services will contribute to forensics readiness, the following will directly influence the overall cost of the forensics readiness program:
• Governance document maintenance is the ongoing review and updating of the information security and evidence management frameworks (e.g., policies, standards, guidance, procedures).
• Education and awareness training provides for continued improvements to:
• Information security awareness of staff indirectly involved with the information security discipline
• Information security training of staff directly involved with the information security discipline
• Digital forensics training of staff directly involved with the digital forensics discipline
• Incident management involves the activities of identifying, analyzing, and mitigating risks to reduce the likelihood of re-occurrence.
• Data security includes the enhanced capability to systematically gather potential evidence and securely preserve it.
• Legal counsel provides advice and assurance that methodologies, operating procedures, tools, and equipment used during an investigation will not impede legal proceedings.
The inclusion of a service as a cost contributor to the forensics readiness program is subject to the interpretation and/or appetite of each organization. Knowing which services, where controls are aligned, contribute to the forensics readiness program is the starting point for performing the cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as part of the cost-benefit analysis for demonstrating to management the value of implementing the program.
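The "data security" control listed above is the one that turns readiness from policy into an operational capability: evidence gathered in advance is only worth its cost if, months later, it can be shown to be the same bytes that were collected, by whom, and from where. The following is an added example (not code from the book or its author) of the minimum a proactive evidence store should do: write each artifact once and refuse to overwrite it, record a custody entry carrying the artifact's SHA-256, and hash-chain the custody entries so that editing or deleting an earlier record is detectable. The directory layout, manifest field names, and the sample log line are assumptions made for the illustration.

```python
"""Proactive evidence preservation: write-once artifacts, SHA-256 per item,
hash-chained custody manifest.  Added example; layout and fields are assumed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-entry hash recorded by the first manifest entry


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class EvidenceStore:
    """Evidence directory plus an append-only manifest (one JSON object per line).
    Each entry stores the artifact's SHA-256 and the SHA-256 of the previous
    manifest line, so altering an earlier record breaks every later link."""

    def __init__(self, root):
        self.root = root
        self.manifest = os.path.join(root, "manifest.jsonl")
        os.makedirs(os.path.join(root, "items"), exist_ok=True)

    def _raw_lines(self):
        if not os.path.exists(self.manifest):
            return []
        with open(self.manifest, "rb") as f:
            return f.read().splitlines()

    def preserve(self, item_id, data, source, collector):
        """Store data under item_id, refusing to overwrite, and log custody."""
        path = os.path.join(self.root, "items", item_id)
        # O_EXCL makes the open fail if the artifact already exists: preserved
        # evidence is never silently replaced by a later collection.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        lines = self._raw_lines()
        entry = {
            "item_id": item_id,
            "source": source,
            "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "size": len(data),
            "sha256": sha256_file(path),
            "prev_entry_sha256": hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS,
        }
        with open(self.manifest, "ab") as f:
            f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
        return entry

    def verify(self):
        """Return (ok, problems): check the custody chain and every artifact hash."""
        problems, prev = [], GENESIS
        for raw in self._raw_lines():
            entry = json.loads(raw)
            if entry["prev_entry_sha256"] != prev:
                problems.append(f"custody chain broken at {entry['item_id']}")
            path = os.path.join(self.root, "items", entry["item_id"])
            if not os.path.exists(path):
                problems.append(f"artifact missing: {entry['item_id']}")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"artifact altered: {entry['item_id']}")
            prev = hashlib.sha256(raw).hexdigest()
        return (not problems, problems)


def demo():
    """Constructed scenario: preserve two artifacts, then tamper with each layer."""
    store = EvidenceStore(tempfile.mkdtemp(prefix="evidence-"))
    auth_log = (b"Mar 03 02:14:07 web01 sshd[4121]: Failed password for root "
                b"from 203.0.113.9 port 51022 ssh2\n")  # constructed sample line
    store.preserve("web01-auth.log", auth_log, "web01:/var/log/auth.log", "analyst-1")
    store.preserve("fw-export.csv", b"ts,src,dst,action\n", "fw01", "analyst-1")
    ok_before, _ = store.verify()
    # 1) Someone appends to a preserved artifact after collection.
    path = os.path.join(store.root, "items", "web01-auth.log")
    os.chmod(path, 0o640)
    with open(path, "ab") as f:
        f.write(b"tampered\n")
    _, after_artifact_edit = store.verify()
    # 2) Someone rewrites the first custody record (here: changes the collector).
    lines = store._raw_lines()
    first = json.loads(lines[0])
    first["collector"] = "someone-else"
    lines[0] = json.dumps(first, sort_keys=True).encode()
    with open(store.manifest, "wb") as f:
        f.write(b"\n".join(lines) + b"\n")
    _, after_manifest_edit = store.verify()
    return {"ok_before": ok_before, "after_artifact_edit": after_artifact_edit,
            "after_manifest_edit": after_manifest_edit}
```

Running `demo()` shows the two failure modes the paragraph is concerned with: an altered artifact is flagged by its hash, and an edited custody record is flagged by the next entry's broken link. The chain only proves internal consistency, so in practice the manifest (or at least each new entry's hash) should also be copied to a location the collectors cannot write, or signed, so that a wholesale rewrite of store and manifest together is still detectable.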
Benefits Analysis
With forensics readiness, it is necessary to assume that an incident will occur, even if a thorough assessment has determined that residual risk from defensive information security controls is minor. Depending on the impact from this residual risk, organizations need to implement additional layers of controls to proactively collect evidence to determine the root cause of an event.
With the realization that some type of investigative capability is required, the next step an organization must take is to address this need through efficient and competent capabilities. Forensics readiness that is designed to address the residual risk and enhance proactive investigative capabilities offers organizations the following benefits:
• Minimizing costs: Operating with an anticipation that an event or incident will occur, the organization will minimize disruption to business functions and support investigative capabilities that are much more efficient, quicker, and more cost effective. With digital evidence already having been collected, the investigative workflow becomes much simpler to navigate, as more focus can be placed on the processing and presentation phases.
• Control expansion: In response mode, the capabilities and effectiveness of information security controls provide functionality limited to notification, containment, and remediation. Where proactive monitoring is utilized, organizations are able to expand their implementation of these information security controls to identify and mitigate a much wider range of cyber threats before they become more serious incidents or events.
• Crime deterrent: Proactive evidence gathering, combined with continuous monitoring of this information, increases the opportunity to quickly detect malicious activity. As word of proactive evidence collection becomes more widely known, individuals will be less likely to commit malicious activities because the probability of being caught is much greater.
• Governance and compliance: With an information management framework in place, organizations can better demonstrate their ability to conduct incident prevention and response. Showing this maturity not only provides customers with a sense of security and protection when it comes to safeguarding their assets, but investors will also have more confidence in the organization’s ability to minimize threats against their investments.
• Law enforcement: Ensuring compliance with laws and regulations encourages good working relationships with both law enforcement and regulators. When an incident or event occurs, the job of investigators is much easier because the organization has taken steps to gather digital evidence before, during, and after an incident or event.
• Legal preparations: Laws and court rules relating to electronic discovery (e-discovery), such as the Federal Rules of Civil Procedure (FRCP) in the United States and Practice Direction 31B of the Civil Procedure Rules in England and Wales, require that electronically stored evidence be produced quickly and in a forensically sound manner. Information management in support of e-discovery involves activities such as incident response, data retention, disaster recovery, and business continuity policies, all of which are enhanced through a forensics readiness program. When an organization enters into legal proceedings, the cost and effort of e-discovery are significantly reduced because digital evidence has already been preserved, increasing the probability of success when it is used to contribute to a legal defense.
• Disclosure costs: Regulatory authorities and/or law enforcement agencies may require immediate release or disclosure of electronically stored information (ESI) at any time. An organization’s failure to produce the requested ESI in an appropriate and timely manner can ...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Preface
  7. Acknowledgments
  8. Introduction
  9. Author
  10. Section I ENABLING DIGITAL FORENSICS
  11. Section II ENHANCING DIGITAL FORENSICS
  12. Section III INTEGRATING DIGITAL FORENSICS
  13. Section IV ADDENDUMS
  14. Section V APPENDIXES
  15. Section VI TEMPLATES
  16. Bibliography
  17. Resources
  18. Glossary
  19. Index