Digital Forensics as a Business

5

Introduction

Organizations exist in many different contexts (i.e., size, geography, industry) and within each there are different and unique requirements when it comes to digital forensics capabilities. Some organizations, given their operating model and corporate profile, leverage external managed services to supply a digital forensics team when required. The remaining organizations have decided that having a digital forensics team in-house is the best strategy given their operating model and corporate profile. After making this decision, the organization needs to kick-start their long-term digital forensics program by implementing a series of administrative, technical, and physical strategies.

The Role of Digital Forensics in an Enterprise

From previous chapters covered in this section of this book, we know that digital forensics is the application of science to law and consists of scientifically proven principles, methodologies, and techniques. While the technical execution of digital forensics within an enterprise environment resembles that seen in other organizations, the purpose and roles it serves can be somewhat different. Consider that, for the most part, when law enforcement agencies are performing digital forensics they are doing so in response to criminal activity. True, enterprises also use digital forensics as a reactionary process, but there are many more opportunities to extend the use and application of digital forensics proactively.

With the opportunity to have both proactive and reactive digital forensics capabilities, first and foremost it is important that organizations follow a systematic approach so that their digital forensics capabilities are properly aligned to business and organizational needs. Throughout this chapter are methodologies organizations can use when exploring in-house digital forensics capabilities.

Starting a Digital Forensics Program

What drives an organization to decide it needs in-house digital forensics capabilities? Largely, this need is determined by both internal and external factors that can include the following:

•  Countries or regions that have specific laws and regulations that require a process for dealing with incidents leveraging forensics analysis or investigation; for example, the Sarbanes–Oxley Act (SOX) in the United States

•  Regulated industries (e.g., financial, healthcare, insurance) that have specific requirements governing the use, transmission, or storage of information; for example, Payment Card Industry Data Security Standards (PCI DSS)

•  Assisting legal and compliance teams with the discovery of electronically stored information (ESI) for production as evidence

•  Facilitating human resources (HR) or employee relations (ER) with evidence supporting employee misconduct or other disciplinary actions (e.g., termination)

•  Analyzing and correlating ESI to determine the root cause or potential for data breaches

In any case, establishing in-house digital forensics capabilities requires following a systematic approach by which implementation is aligned to the organization’s needs, with the technical execution aspects following afterward. Below are the steps organizations should follow to answer “who, where, what, when, why, and how” in-house digital forensics capabilities will be implemented.

Step #1: Understand Business Risks

Before implementing digital forensics in an enterprise environment, it is important to take a step back and understand the need for investing time, money, and resources. Doing so requires that organizations clearly understand what their business is (i.e., financial, health, etc.) and the risks that can (in)directly result in any form of business impact.

The type of risks that can potentially impact an organization depends on each organization (e.g., size, geography, industry) and should not be seen as universally equivalent. Generally, risks can be described as any threat event, whether internal (can be controlled within the boundaries of the organization) or external (can occur outside the organization and cannot be controlled), that occurs in one of five major groupings:

•  Strategic risk is associated with business functions and commonly occurs because of:

•  Business interactions where goods and services are purchased and sold, varying supply and demand, adjustments to competitive structures, and the emergence of new or innovative technologies

•  Transactions resulting in asset relocation from mergers and acquisitions, spin-offs, alliances, or joint ventures

•  Strategies for investment relations management and communicating with stakeholders who have invested in the organization

•  Financial risk is associated with the financial structure, stability, and transactions of the organization.

•  Operational risk is associated with the organization’s business, operational, and administrative procedures.

•  Legal risk is associated with the need to comply with the rules and regulations of the relevant governing bodies.

•  Other risks are associated with indirect, non-business factors such as natural disasters and others as identified based on the relevant circumstances of the organization.

The approach for how to determine business risk is done by completing a risk assessment as an output of the organization’s overall risk management program. Determining the need for investing time, money, and resources in digital forensics capabilities comes from completing both qualitative and quantitative risk assessments to ensure that a thorough understanding of the potential risks is achieved. Following these assessments, a complete picture of all potential risk can be used to perform a cost-benefit analysis that will ultimately determine whether it is feasible to implement in-house digital forensics capabilities.

At the end of this step, organizations will have answered the question of “why” they need in-house digital forensics capabilities.

Step #2: Outline Business Scenarios

Generally, if a business risk exists and there is a positive return on investment (ROI) then implementing appropriate digital forensics capabilities is beneficial. As stated previously, every organization is unique and has a different business profile that presents different requirements for in-house digital forensics capabilities. Enhancing digital forensics capabilities within an enterprise must also take into consideration the (in)direct influences of business operations so that strategies can be developed to adequately manage risk.

Outlined below are multiple business scenarios where digital forensics can be applied to manage business risk. While the applicability of all scenarios outlined below might not fit the profile of every organization, it is important that each is illustrated and understood so that they can be considered for relevancy.

Reducing the impact of cybercrime: With information technology (IT) playing an integral part of practically every business operation, the evolving threat landscape continues to increase risks associated with organizational assets. Using a threat modeling methodology, organizations can create a structured representation of the different ways a threat actor can go about executing attacks and how these tactics, techniques, and procedures can be used to create an impact. The output of this exercise can be put to practical use by implementing appropriate countermeasures that create potential digital evidence.

Validating the impact of cybercrime or disputes: When a security incident occurs, organizations must be prepared to quantify impact. To obtain a complete and accurate view of the entire cost of an incident, both direct and indirect contributors must be included in the impact assessment. This means incorporating logs generated from different types of controls (e.g., preventive, detective, corrective) as well as the overhead cost of managing the incident (e.g., people and technology expenses).

Producing evidence to support organizational disciplinary issues: A business code of conduct document promotes a positive work environment that, when signed, strengthens the confidence of employees and stakeholders by establishing an accepted level of professional and ethical workplace behavior. When the guidelines set out in this document have been violated, employees can be subject to disciplinary actions. Where disciplinary actions escalate into legal problems, organizations must approach the situation fairly and reasonably by gathering and processing credible digital evidence.

Demonstrating compliance with regulatory or legal requirements: Compliance is not a one-size-fits-all process. It is driven by factors such as an organization’s industry (e.g., financial services) or the countries where business is conducted (e.g., Canada). Evidence documenting that compliance standards are met must be specific to the requirements of both the regulation or law, and the jurisdiction.

Effectively managing the release of court ordered data: Regardless of how diligent an organization is, there will always be times when disputes end up before a court of law. With adequate preparation, routine follow-ups, and a thorough understanding of what is considered reasonable in a court of law, organizations can effectively manage this risk by maintaining the admissibility of ESI, such as the requirements described within the U.S. Federal Rules of Evidence. Ensuring compliance with these requirements demands that organizations implement safeguards, precautions, and controls to ensure their ESI is admissible in court and that it is authenticated to its original source.

Supporting contractual and commercial agreements: From time to time, organizations are faced with disagreements that extend beyond disputes that involve employees. With most of today’s business interactions conducted electronically, organizations must ensure they capture and electronically preserve critical metadata about their third-party agreements. This would include details about the terms and conditions or the date the agreement was co-signed. A contract management system can be used to standardize and preserve the metadata needed to provide sufficient grounds for supporting a dispute.

In addition to the above scenarios, there are “non-forensics” scenarios where digital forensics techniques and skills can be used to support other business operations and functions, such as recovering data from old or failed media (e.g., hard drives, floppy disks). Even though these “non-forensics” scenarios do not have the same requirements for maintaining legal admissibility, they can present business risks if there is no other means of performing these functions within the organization.

At the end of this step, organizations will have answered the questions of “where and what” in-house digital forensics capabilities are needed, which is further discussed in Chapter 7, “Defining Business Risk Scenarios.”

Step #3: Establish Governance Framework

Generally, an enterprise governance framework involves the administration, management, enforcement, and control of policies, standards, and procedures specific to the discipline. It is designed to provide strategic direction by ensuring the successful completion of organizational goals and objectives from a top-down approach. The concept of a governance framework includes several layers of governance sub-disciplines, all of which have relationships with digital forensics.

Figure 5.1 Enterprise governance framework. (Figure image not reproduced on this page.)

Illustrated in Figure 5.1 are the relationships between the different governance disciplines implemented throughout the organization, including the following:

•  Enterprise governance, as the top-level governance discipline, is very broad and is an all-inclusive mechanism to ensure the well-being of the entire organization. It is designed to establish relationships between the organization and its shareholders by defining the strategic direction, objectives, and goals.

•  Information technology (IT) governance focuses on the use of IT throughout the enterprise to support business operations and functions. It contains a series of documents that are designed to establish how the organization will direct, manage, and control the use of IT resources to support the strategic direction, objectives, and goals.

•  Information security (IS) governance manages risks relating to information assets that have been entrusted to the organization. It establishes and maintains control of the environments by which information assets are used, transmitted, and stored.

Given the business risks faced by organizations, it is necessary for all stakeholders throughout the organization to understand the importance of digital forensics and the requirements for utilizing key resources to support its integrated business capabilities. Executive management, with involvement from key stakeholders such as legal, privacy, security, and human resources, work to define a series of documents that describe exactly how the organization will go about aligning digital forensics capabilities to address the pre-defined business risk scenarios.

Figure 5.2 Governance documentation hierarchy. (Figure image not reproduced on this page.)

Governance over digital forensics capabilities is essential within corporate environments looking to enable in-house capabilities. Figure 5.2 illustrates the hierarchy of governance documentation and the relationships shared between those specific to direct influence and those that take precedence over others. The implementation of these documents serves as the administrative groundwork for indirectly supporting the subsequent phases where digital evidence is involved. The sections to follow explore these documents individually and provide specifics on the types that contribute to digital forensics.

Enforcing governance over in-house digital forensics capabilities is crucial, considering the legal and regulatory implications involved. Not only will having a governance framework instill trust in the organization’s digital forensics capabilities, it will also help to:

•  Clearly define the roles and responsibilities of stakeholders throughout the organization

•  Reduce the resources (time, effort, cost) required to effectively support service delivery and operating models

•  Maintain the legal admissibility of digital evidence using consistent, repeatable, reproducible, verified, and validated processes, techniques, and methodologies

•  Properly align risk management strategies that deliver business value

At the end of this step, organizations will have answered the questions of “when, where, and how” their in-house digital forensics capabilities will be needed.

Refer to Chapter 16, “Ensuring Legal Review,” for further discussion about laws and regulations.

Refer to Chapter 3, “Digital Evidence Management,” for further discussion about enterprise governance framework.

Step #4: Enable Technical Execution

Far too often, figuring out how to achieve a desired outcome comes first, resulting in misaligned, insufficient, or unrelated deliverables. Like the approach followed as part of project management, it is important to clearly understand scope (why, what, when, where) before proceeding with procurement or implementation. Translating this concept over to digital forensics, before a forensics toolkit can be purchased the team needs to first understand:

•  Why digital forensics is needed;

•  What role it has in digital forensics;

•  When digital forensics is required;

•  Where digital forensics is used; and

•  How digital forensics is administered.

The concept of a “forensics toolkit” is not limited to only those hardware and software technologies that will help to perform and automate digital forensics tasks, but also includes those physical and administrative components that are needed to support technologies. Within an enterprise environment, there is greater opportunity to develop the forensics toolkit to be more controlled and specific to the organization; as opposed to law enforcement that will need to have a broader toolkit.

Through this methodology, having completed the previous steps will have already addressed most administrative components that are required as part of a forensics toolkit. Next, organizations need to assess the physical components of their toolkit before they can identify those technical components that are needed.

At the end of this step, organizations will have answered the question of “how” their in-house digital forensics capabilities will be provided.

Refer to Chapter 3, “Digital Evidence Management,” for further discussion about planning, designing, and building a forensics lab environment and toolkit.

Step #5: Define Service Offerings

Implementing digital forensics principles, methodologies, and techniques according to applicable business risk scenarios requires translating the technical components (i.e., tools) of the discipline into a business language that can be clearly and easily understood. Achieving this is done through the creation of an enterprise service catalog that is designed to align all technical components with the business functions that support the risk scenarios.

A service catalog provides a centralized way to see, find, invoke, and execute digital forensics services from anywhere throughout the organization. Once implemented, organizations will start seeing the benefits of having a service catalog because it:

•  Positions overall digital forensics capabilities to be run like a business

•  Provides a platform for better understanding and communicating the business need for digital forensics

•  Helps to market the enterprise awareness and visibility into digital forensics as a means of building stronger business relationships

Most likely, a service catalog already exists within the organization and can be amended to include digital forensics services. If it has not been created, proper enterprise governance and oversight need to be in place to ensure the efficient use of resources, that is, that time and money are not wasted in creating service catalogs that are not effective. Refer to Template 5, “Service Catalog,” for further discussion about the methodology for building a service catalog.

At the end of this step, organizations will have answered the question of “who” provides their in-house digital forensics capabilities.

Maintaining a Digital Forensics Program

Building an in-house digital forensics program is, to some extent, a linear process whereby many of the steps outlined above are performed once. However, once all steps to build the program are completed, there is the matter of ongoing care and feeding to ensure that what was built is sustained and also goes through varying levels of continuous improvement.

For a digital forensics program to not just operate at its maximum capability, but to also remain at the peak of its capabilities, there must be a systematic approach in place to make intelligent and informed decisions for improving the overall program.

Educational Roadmap

A common question posed to those in the digital forensics discipline is what type of knowledge and training is needed to get into the field, and subsequently what education is needed for career advancement. The reality is that there is no one best way for someone to gain their digital forensics education, acquire new skills, and keep current those skills they already have.

Instead of setting out a professional development plan that digital forensics practitioners should follow, a better strategy is to illustrate the building blocks needed for different types and levels of education a person can gain.

Refer to Chapter 14, “Establish Continuing Education,” to find discussions on the knowledge and experience required in accordance with the scientific principles, methodologies, and techniques of the digital forensics profession.

Forensics Toolkit Maintenance

At this point, the lab environment has been built with all tools and equipment implemented to support the organization’s digital forensics capabilities. Ongoing maintenance and upkeep to the lab and equipment are essential in maintaining the required standards for guaranteeing the integrity, authenticity, and legal admissibility of digital evidence. Doing so requires routine inspections to be performed to provide assurance that the lab environment continues to operate within the established level of security controls and necessary operating standards. These reviews should be performed by objective, independent parties who are not directly involved with the digital forensics team to:

•  Determine if structural issues are present within the walls, doors, floor, and ceiling

•  Inspect all access control mechanisms to ensure they are not damaged and continue to function as expected

•  Review physical access logs for both approved individuals and visitors

•  Analyze tracking logs to identify issues with continuity and integrity of evidence

With advancements in technology, tools and equipment used within the portfolio of the digital forensics toolkit also need to be maintained to ensure it continues to operate at the required level for guaranteeing the integrity, authenticity, and legal admissibility of digital evidence. Within the scope of the ongoing maintenance and support required for forensics toolkit components, the following activities should be performed regularly:

•  Digital forensics workstations must operate at the required security baseline, including:

•  Operating system (OS) patches and updates applied frequently

•  Security applications, such as anti-malware technologies, updated and scheduled scans of the full system enabled

•  File systems defragmented to improve workstation performance

•  Verified data wiping tools used to securely remove temporary and cached files or files located in slack or unallocated space

•  Digital forensics software and hardware upgraded and patched only after the appropriate validation and verification processes have been completed

Aside from the technology aspects of maintaining the digital forensics toolkit, there is the business side that cannot be overlooked or forgotten. With all tools and equipment, whether software or hardware based, there are ongoing maintenance support agreements with vendors and manufacturers to ensure that professional services are available when required. Paying the ongoing maintenance support, as a requirement for maintaining the digital forensics toolkit, ensures that organizations have access to upgrades and support resources (when or if needed).

Key Performance Indicators (KPI)

Once the digital forensics program is implemented and its services are being used throughout the organization, it should not be left to operate in its current state indefinitely. Relevant KPIs are the cornerstone for tracking, measuring, and reporting on how the digital forensics program is being delivered and help personnel make informed decisions about where improvements are needed.

Generally, a relevant KPI is significant and attributable to the metric it measures. However, developing relevant KPIs for the digital forensics program can be somewhat of a challenging task because many of the metrics are focused solely on the execution and operation of the digital forensics program. When developing KPIs, the following can be used as guidelines:

1.  Relate measurable metrics to the purpose and priorities.

2.  Link organizational goals and objectives to the services offered.

3.  Use them to influence the organization’s decision-making process related to digital forensics capabilities.

4.  Use industry best practices and benchmarks for measuring the organization’s digital forensics service offerings.

5.  Ensure they are meaningful and useful to the organization’s digital forensics capabilities.

Every organization operates under different contexts (e.g., industry, size) and has unique requirements for implementing in-house digital forensics capabilities, and selecting the most accurate and appropriate KPIs is unique to each organization, depending on its business profiles. Before measuring any KPI, it is important to first calculate the base formulas that will be used universally to measure multiple KPI parameters, including:

•  Full-time equivalents (FTEs) are calculated as the total number of employees who support the organization’s digital forensics investigations service.

•  Work hours (WH) are the total number of work hours during which FTEs are dedicated to supporting the organization’s digital forensics investigations service. WH is calculated as:

Work hours (WH) = (t * hours)

where hours represents the number of hours in a work day and t represents the number of days in the evaluation period. The evaluation period applied to this ratio should be dynamic to allow for measurement adjustments over different reporting periods (e.g., monthly, quarterly, yearly).

•  Overhead time (OT) is the total number of work hours allocated to non-investigative functions (e.g., meetings, education, support). The OT ratio is calculated as:

Overhead time (OT) = WH – (t * hours)

•  Investigative time (IT) is the total number of work hours allocated to investigative functions. The IT ratio is calculated as:

Investigative time (IT) = WH – OT

Using the above values as input for KPI measurements, the following is an example of a ratio that an organization should consider when measuring the effectiveness of its digital forensics program in relation to the organization’s continuous improvement strategies.

Resource Capacity

The traditional approach to measuring resource capacity is to define and assign tasks, including estimating work effort and availability, on an individual basis. However, modern approaches to resource capacity management, such as with the Agile perspective, are oriented toward the team as a collective rather than individuals. This current approach assumes that different types of work require different skills and, through the combined experiences and skills of the collective team, the work required to support the organization’s digital forensics program can be achieved more effectively than through individual efforts.

Therefore, calculating the resource capacity ratio, represented as RC, will be done for the entire team rather than on an individual basis. Resource capacity should consider the following factors as components of its measurement:

•  The number of workdays in the period, represented as t

•  The number of team members, represented as FTE

•  The total non-investigative work hours, represented as OT

•  Planned time off for each team member

•  The total investigative work hours, represented as IT

The approach to calculating the RC ratio is completed as:

1.  Multiply the number of workdays, or t, in the period by the number of hours per day, represented by hours. Let’s assume a one week period with five working days at eight hours per day:

Work hours (WH) = (t * hours)
WH = (5 * 8)
WH = 40

2.  Subtract the total time allocated for the non-investigative activities and tasks to determine the availability for investigative activities and tasks. Let’s assume that collectively the team spends one day per week in meetings:

Overhead time (OT) = WH – (t * hours)
OT = 40 – (4 * 8)
OT = 40 – 32
OT = 8

Investigative time (IT) = WH – OT
IT = 40 – 8
IT = 32

3.  To calculate the RC ratio, this step involves three sub-routine calculations:

a.  Subtract availability and time off for each team member, then multiply the result by availability to get individual capacity.

Table 5.1 Resource Availability and Time Off (table image not reproduced on this page)

b.  Add the individual team members’ capacities to get the entire team capacity in work hours and divide by 8, the assumed work hours per day value, to get the team’s capacity in workdays.

c.  Divide the team’s work hour capacity by the total work hours to get the team resources value.

Outlined in Table 5.1, the total work hours for team members has been added to sum 124.16 work hours, or 15.5 workdays, for the team collectively.
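The RC calculation above, carried through in code as an added example that is not from the book: the team roster and planned time-off values are constructed, and step 3 is implemented under the assumption that an individual's capacity is IT minus that member's planned time off and that the ratio's denominator is WH multiplied by the number of FTEs.

```python
from dataclasses import dataclass

HOURS_PER_DAY = 8  # the chapter's assumed work hours per day


def work_hours(t: int, hours: int = HOURS_PER_DAY) -> int:
    """WH = t * hours, where t is the number of workdays in the evaluation period."""
    return t * hours


def overhead_time(wh: int, investigative_days: int, hours: int = HOURS_PER_DAY) -> int:
    """OT = WH - (t * hours), applied as in the chapter's worked example, where the
    subtracted term counts the days spent on investigative work (4 of the 5 days)."""
    return wh - investigative_days * hours


def investigative_time(wh: int, ot: int) -> int:
    """IT = WH - OT."""
    return wh - ot


@dataclass(frozen=True)
class TeamMember:
    name: str
    planned_time_off_hours: float  # approved leave falling inside the evaluation period


def member_capacity(it: int, member: TeamMember) -> float:
    """Step 3a (assumed reading): investigative hours left after planned time off."""
    return max(0.0, it - member.planned_time_off_hours)


def resource_capacity(t: int, investigative_days: int, team: list,
                      hours: int = HOURS_PER_DAY) -> dict:
    """Carry the RC calculation through for the whole team (steps 1 to 3)."""
    wh = work_hours(t, hours)                      # step 1
    ot = overhead_time(wh, investigative_days, hours)
    it = investigative_time(wh, ot)                # step 2
    per_member = {m.name: member_capacity(it, m) for m in team}
    team_hours = sum(per_member.values())          # step 3b: team capacity in hours
    team_days = team_hours / hours                 # step 3b: team capacity in workdays
    total_work_hours = wh * len(team)              # assumption: WH available per FTE
    rc = team_hours / total_work_hours             # step 3c: team resources value
    return {"FTE": len(team), "WH": wh, "OT": ot, "IT": it,
            "per_member": per_member, "team_hours": team_hours,
            "team_days": team_days, "RC": round(rc, 4)}


# Constructed roster for a one-week period: five workdays, one day spent in meetings.
EXAMPLE_TEAM = [
    TeamMember("analyst-1", 0.0),
    TeamMember("analyst-2", 8.0),    # one day of planned leave
    TeamMember("analyst-3", 4.0),    # half a day
    TeamMember("analyst-4", 16.0),   # two days
    TeamMember("analyst-5", 0.0),
]


def example() -> dict:
    """The chapter's one-week assumptions applied to the constructed roster."""
    return resource_capacity(t=5, investigative_days=4, team=EXAMPLE_TEAM)


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

With the constructed roster the team has 132 investigative hours (16.5 workdays) available against 200 total work hours, giving RC = 0.66.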

Challenges and Strategies

Naturally, implementing a digital forensics program in an enterprise environment comes with challenges. There is no prescriptive way that outlines exactly how enterprise digital forensics programs must be implemented because the reality is, as stated previously, that every organization is unique and has its own requirements for digital forensics capabilities. Below are areas where organizations need to answer questions before they can successfully implement their digital forensics program.

Team Placement

There is no right answer as to whom within any (or every) enterprise an in-house digital forensics service should hierarchically report. In some instances, for example, digital forensics could report to the information technology (IT) division, information security (IS), risk management, legal, or even compliance. Going a step further, there is a question of whether digital forensics capabilities should be centralized in a single department or distributed amongst different regions and business lines.

Generally, the placement of digital forensics in the enterprise goes back to the size of the organization and the business risk scenarios outlined previously. Small and medium-sized business (SMB) environments might decide to centralize their digital forensics capabilities given that their operations are limited in size and geographic diversity. However, large organizations may decide that it is more effective to have multiple teams in their respective departments to address a specific business risk, such as supporting the legal team with electronic discovery (e-discovery) collections or supporting the incident response (IR) team with incident recovery tasks.

With a distributed approach, there will be varying degrees of responsibilities and involvement of digital forensics practitioners depending on the scope of their role, such as leadership, consultant, or advisor. While the team and functions have been decentralized, it is important that the organization establish a direct reporting relationship for the team to a common department where digital forensics governance, management, and strategies are defined and communicated outwards. This approach will ensure that even though the organization has distributed its capabilities, all teams will follow consistent principles, methodologies, and techniques when supporting digital forensics capabilities throughout the enterprise.

Industry Regulation

Different laws, standards, and regulations govern the operations of organizations conducting business in different industries. Depending on the regulations applicable to an organization’s business, there might be a requirement to have specific digital forensics capabilities support throughout the enterprise. Refer to Chapter 16, “Ensuring Legal Review,” for further discussion on laws, standards, and regulations.

For example, regulatory developments such as the Sarbanes–Oxley (SOX) Act of 2002 require organizations to develop and implement a series of plans and processes that specifically address how the organization handles fraud incidents using digital forensics. Additionally, the Payment Card Industry Data Security Standard (PCI DSS) has established the PCI Forensics Investigator (PFI) certification, which identifies organizations and other entities that are in compliance with all regulatory requirements for conducting investigations relating to the compromise of cardholder data.

The regulations applicable to any specific organization depend on its industry and must be known to ensure that digital forensics capabilities can be adapted accordingly. As outlined at the beginning of this chapter, regulatory compliance is not one-size-fits-all. As a business risk scenario supported by digital forensics, demonstrating compliance with regulatory requirements requires the production of factual evidence documenting that standards have been met.

Political Influences

Political jurisdictions vary between countries and regions around the world. Generally, the laws established in these countries and regions were created to bridge the gap between risk (i.e., criminal activity) and technology (i.e., as the fruit or the tool of a crime) within the scope of the jurisdiction’s perspective on digital crime and the subsequent access, transmission, and storage of ESI as digital evidence.

Where organizations have a presence in multiple countries and regions, their investigations are increasingly becoming international in nature. Where digital evidence needs to be gathered and processed from many countries and regions, a decision must be made as to how respective data protection laws allow for these activities to occur. For example, the European Union Data Protection Directive 95/46/EC outlines the requirement to protect individuals with regards to the processing of personal data specific to data flow transmission across borders.

Most often, organizations that don’t consider these political influences find themselves in situations where quick decisions are made, which can result in laws being circumvented or disregarded. However, political influences do not have to impede an organization’s ability to conduct international investigations if the right approach is taken and many of the political considerations are addressed early on when establishing the governance framework.

Summary

Enabling digital forensics in an enterprise environment requires a systematic approach that is designed to answer “who, where, what, when, why, and how” in-house digital forensics capabilities will be successfully implemented and continuously improved. While the technical execution of digital forensics within an enterprise environment resembles that seen in other organizations and agencies, the purpose and roles it serves are somewhat unique. Before digital forensics can be readily enabled in an enterprise environment, it is important to understand the role and function it serves to the organization’s business.
