Understanding Digital Forensic Readiness

6

Introduction

Digital forensics investigations are commonly performed in reaction to an event or incident. During the post-event response activities, investigators must work quickly to gather, process, and present digital evidence. Depending on the environment where an investigation is conducted, the evidence necessary to support the investigation may or may not exist, leading to complications in arriving at a solid conclusion about what happened.

In the business context, the opportunity to gather digital evidence in advance is more prevalent than the ability to gather evidence in a law enforcement setting. If digital evidence has not been gathered to start with, there is a greater chance that it may not be available when needed. Any organization that depends on, or utilizes, technology should have a balanced concern for information security and forensics capabilities.

Digital evidence is fundamental in helping organizations to manage the impact of business risk, such as validating or reducing the impact of an event or incident, supporting litigation matters, or demonstrating compliance. Regardless of the business risk, there are situations where a simple event or incident can escalate into something much more serious. Digital forensics readiness is the ability of an organization to proactively maximize the prospective use of electronic information to reduce the cost of the digital forensics investigative workflow.

What Is Digital Forensics Readiness?

The concept of a forensics readiness program was first published in 2001 by John Tan. Through a forensics readiness program, an organization can make appropriate and informed decisions about business risks to make the most of its ability to proactively gather digital evidence. Under a forensics readiness program, Tan outlines that the primary objectives for an organization are to:

•  Maximize the ability to collect credible digital evidence; and

•  Minimize the cost of forensics during an event or incident.

In the 2001 Honeynet Project, John Tan participated as a judge, and he found that the most remarkable finding of this exercise was the cost of the incident.

During email communications with Dave Dittrich, head of the Honeynet Project, John and Dave identified that the time spent by intruders (approximately 2 hours) significantly differed from the time spent to clean up after them (between 3 and 80 hours).

This led to the conclusion that every 2 hours of intruder time resulted in 40 billable hours of forensics investigative time. However, this estimation did not include intrusion detection (human element), disk image acquisition, restoration and hardening of compromised system(s), network scanning for other vulnerable systems, and communications to stakeholders.

Forensics readiness emphasizes anticipating that an event or incident will occur by enabling an organization to make the most efficient use of digital evidence, instead of concerning itself with the traditional responsive nature of an event or incident. It is a business requirement of any organization that requires key stakeholders to serve a broad role in the overall investigative workflow, including:

•  The investigative team

•  Senior/executive management

•  Human resources and employee relations

•  Privacy and compliance

•  Corporate security

•  IT support staff

•  Legal

By having key stakeholders involved in the overall investigative workflow, forensics readiness enables an overall organizational approach to digital evidence. As an overall strategy, the objectives of forensics readiness can be summarized as “the ability to maximize potential use of digital evidence while minimizing investigative costs,” with the purpose of achieving the following goals:

•  Legally gather admissible evidence without interrupting business functions

•  Gather evidence required to validate the impact incidents have on business risks

•  Permit investigations to proceed at a cost that is lower than the cost of an event or incident

•  Minimize the disruption and impact to business functions

•  Ensure evidence maintains positive outcomes for legal proceedings

Costs and Benefits of Digital Forensics Readiness

Management will be cautious of the costs related to implementing a forensics readiness program. While cost implications will be higher where organizations have immature information security programs and strategies, the cost is lessened for organizations that already have a good handle on their information security posture. In either case, the issues raised by the need for a forensics readiness program must be presented to senior management, where a decision can be made.

Cost analysis of a forensics readiness program should be weighed against the value-added benefits the organization will realize once implemented. To make an educated and informed decision about whether implementing a forensics readiness program is practical, organizations must be able to perform an apples-to-apples comparison of the tangible and intangible contributors to the program. The starting point of this task is to document the individual security controls that will be aligned to the forensics readiness program through a service catalog.

Addendum B, “Service Catalog,” as found in the Addendum section of this book, further discusses the service catalog to better understand how to hierarchically align individual security controls into the forensics readiness program.

Cost Assessment

Forensics readiness consists of costs involving administrative, technical, and physical information security controls implemented throughout the organization. Through the service catalog, each of these controls is aligned to a service where all cost elements can be identified and allocated appropriately. While not all controls and services will contribute to forensics readiness, the following will directly influence the overall cost of the forensics readiness program:

•  Governance document maintenance is the ongoing review and updating of the information security and evidence management frameworks (e.g., policies, standards, guidance, procedures).

•  Education and awareness training provides for continued improvements to:

    •  Information security awareness of staff indirectly involved with the information security discipline

    •  Information security training of staff directly involved with the information security discipline

    •  Digital forensics training of staff directly involved with the digital forensics discipline

•  Incident management involves the activities of identifying, analyzing, and mitigating risks to reduce the likelihood of re-occurrence.

•  Data security includes the enhanced capability to systematically gather potential evidence and securely preserve it.

•  Legal counsel provides advice and assurance that methodologies, operating procedures, tools, and equipment used during an investigation will not impede legal proceedings.

The inclusion of a service as a cost contributor to the forensics readiness program is subject to the interpretation and/or appetite of each organization. Knowing which services, where controls are aligned, contribute to the forensics readiness program is the starting point for performing the cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as part of the cost-benefit analysis for demonstrating to management the value of implementing the program.

Benefits Analysis

With forensics readiness, it is necessary to assume that an incident will occur, even if a thorough assessment has determined that residual risk from defensive information security controls is minor. Depending on the impact from this residual risk, organizations need to implement additional layers of controls to proactively collect evidence to determine the root cause of an event.

With the realization that some type of investigative capability is required, the next step an organization must take is to address this need through efficient and competent capabilities. Forensics readiness that is designed to address the residual risk and enhance proactive investigative capabilities offers organizations the following benefits:

•  Minimizing costs: Operating with an anticipation that an event or incident will occur, the organization will minimize disruption to business functions and support investigative capabilities that are much more efficient, quicker, and more cost effective. With digital evidence already having been collected, the investigative workflow becomes much simpler to navigate, as more focus can be placed on the processing and presentation phases.

•  Control expansion: In response mode, the capabilities and effectiveness of information security controls provide functionality limited to notification, containment, and remediation. Where proactive monitoring is utilized, organizations are able to expand their implementation of these information security controls to identify and mitigate a much wider range of cyber threats before they become more serious incidents or events.

•  Crime deterrent: Proactive evidence gathering, combined with continuous monitoring of this information, increases the opportunity to quickly detect malicious activity. As word of proactive evidence collection becomes more widely known, individuals will be less likely to commit malicious activities because the probability of being caught is much greater.

•  Governance and compliance: With an information management framework in place, organizations can better demonstrate their ability to conduct incident prevention and response. Showing this maturity not only provides customers with a sense of security and protection when it comes to safeguarding their assets, but investors will also have more confidence in the organization’s ability to minimize threats against their investments.

•  Law enforcement: Ensuring compliance with laws and regulations encourages good working relationships with both law enforcement and regulators. When an incident or event occurs, the job of investigators is much easier because the organization has taken steps to gather digital evidence before, during, and after an incident or event.

•  Legal preparations: International laws relating to electronic discovery (e-discovery), such as the Federal Rules of Civil Procedure (FRCP) in the United States and Canada, and Practice Direction 31B in the United Kingdom, require that digital evidence be provided quickly and in a forensically sound manner. Information management in support of e-discovery involves activities such as incident response, data retention, disaster recovery, and business continuity policies, all of which are enhanced through a forensics readiness program. When an organization enters into legal proceedings, the need for e-discovery is significantly reduced because digital evidence will already be preserved, increasing the probability of success when it is used to contribute to legal defense.

•  Disclosure costs: Regulatory authorities and/or law enforcement agencies may require immediate release or disclosure of electronically stored information (ESI) at any time. An organization’s failure to produce the requested ESI in an appropriate and timely manner can result in considerable financial penalties for being non-compliant with mandated information management regulations. A forensics readiness program strengthens an organization’s information management strategies—including data retention, disaster recovery, and business continuity. Having digital evidence proactively gathered in a sound manner makes it possible for organizations to easily process and present ESI when required.

In June 2005, AMD launched a lawsuit against its rival Intel, claiming that Intel engaged in unfair competition by offering rebates to PC manufacturers who agreed to eliminate or limit the purchase of AMD microprocessors.

As part of e-discovery, AMD requested the production of email evidence from Intel to demonstrate this claim. Intel failed to produce the email evidence due to (1) a fault in email retention policy and (2) failing to properly inform employees that their ESI was required as evidence through legal hold.

Due to this failure to produce evidence, in November 2009 Intel agreed to pay AMD $1.25 billion as part of a deal to settle all outstanding legal disputes between the two companies.

Addendum C, “Cost-Benefit Analysis,” as found in the Addendum section of this book, further discusses how to perform a cost-benefit analysis to determine if implementing a forensics readiness program is valuable to an organization.

Implementing Forensics Readiness

Forensics readiness provides a “win-win” situation for organizations because it is complementary to, and an enhancement of, the information security program and strategies. Even if not formally acknowledged, many organizations already perform some information security activities that are relevant to forensics readiness, such as proactively gathering and preserving digital information.

Making progress with a forensics readiness program requires a risk-based approach that facilitates a practical implementation to manage business risk. The chapters found throughout this section of the book will examine the key activities within information security that are relevant to implementing an effective forensics readiness program. Specifically, the inclusion of certain aspects of forensics readiness as a component of information security best practices will be discussed in the following steps:

1.  Define the business risks and scenarios that require digital evidence.

2.  Identify available data sources and types of digital evidence.

3.  Determine the requirements for gathering digital evidence.

4.  Establish capabilities for gathering digital evidence in support of evidence rules.

5.  Develop an information security framework to govern digital evidence management.

6.  Design security monitoring controls to deter and detect events and incidents.

7.  Specify the criteria for escalating events or incidents into formal digital investigations.

8.  Conduct security awareness training to educate stakeholders on their organizational role.

9.  Document and present evidence-based findings and conclusions.

10.  Ensure legal review to facilitate event or incident response actions.

Summary

Digital forensics readiness enables organizations to maximize their proactive investigative capabilities. By completing a proper cost-benefit analysis, the value-add of an enhanced level of readiness can be demonstrated through investigative cost reductions and operational efficiency gains.
