Accomplishing Digital Forensic Readiness

17

Introduction

For the most part, digital forensics investigations are still being performed in reaction to an event or incident where organizations must work quickly to gather and process digital evidence. Ultimately, the availability of relevant and meaningful digital evidence is a critical requirement to effectively manage business risk.

When conducting investigations in reactive mode, there is increased risk that the evidence necessary to establish credible facts and conclusions may not exist. Where organizations have identified opportunities to proactively gather digital evidence in anticipation of an event or incident, they will be better equipped to manage the impact of an event or incident, support litigation matters, or demonstrate regulatory compliance.

Digital forensics readiness is the ability of an organization to proactively maximize their prospective use of electronically stored information (ESI). By following a systematic and proactive approach to gather and preserve potential digital evidence, the added value of a digital forensics readiness program will be realized through reduced investigative cost and gains in operational efficiencies.

Maintain a Business-Centric Focus

One of the most significant barriers to implementing digital forensics readiness is that organizations don’t effectively communicate their business risks to those who work with their IT systems. Essentially, making progress towards a successful implementation means following an approach established from a risk-based methodology.

As discussed in Chapter 1, cybercrime continues to evolve as technology becomes more deeply entrenched in both our business and personal lives. In response to this evolution, the traditional “wall-and-fortress” approach continues to focus on technology aspects where each specific threat is addressed as it emerges. A successful digital forensics readiness implementation requires organizations to ensure their approach is adequately balanced: they must understand the business reasons for executing this program (who should be involved under what circumstances) in order to properly and sufficiently support its technical elements (how to go about performing forensics).

Don’t Reinvent the Wheel

Even if not formally acknowledged, many organizations already perform some activities, such as proactively gathering and preserving ESI, relative to a digital forensics readiness program. The systematic and proactive approach achieved from digital forensic readiness is complementary to many business operations and functions within an organization, such as:

•  Enhancing the overall effectiveness of managing business risk;

•  Demonstrating the organization’s due diligence in meeting legal and/or regulatory requirements;

•  Determining the need for preserving digital evidence in support of business functions such as incident response and business continuity; and

•  Improving identification and detection of security events to mitigate potential impact.

Integrating the elements of digital forensic readiness should not have to be a process that is started from the ground up. Included throughout this book is a collection of industry best practices, references, methodologies, and techniques that can be used to achieve digital forensic readiness. The investment in time, effort, and resources to accomplish digital forensic readiness must be focused on what is required for its successful implementation, and not on re-creating materials that are available for use.

Understand Costs and Benefits

Implementing a digital forensics readiness program requires organizations to follow the systematic methodology outlined throughout this book. Decisions to skip, substitute, or not invest the required amount of time, effort, and resources into the digital forensics readiness methodology will most certainly result in a failed, incomplete, or misaligned digital forensics readiness program.

For these reasons, it is extremely important that organizations take their time to fully understand how digital forensics readiness creates value in mitigating business risks and what bearing it will have on their budgetary needs. As found throughout this book, the assessment of costs versus benefits is not limited to just one aspect of digital forensics readiness and should be a recurring process to ensure that the goals of the program are achieved at a reasonable cost.

Summary

Just as organizations understand the importance of, and need for, having proper disaster recovery and business continuity plans in place, it is equally important that they understand the need for proper digital forensic readiness planning. The continuing trend to take a reactive approach to dealing with security events or incidents is both disruptive and riskier to business operations in terms of digital evidence being altered, lost, or incorrectly handled.

Digital forensic readiness is an organization’s capability to proactively maximize use of digital evidence while minimizing investigative costs. Organizations that understand the importance of establishing proactive controls to maintain the forensic viability and admissibility of digital evidence have a better chance of ultimately surviving and prospering in the evolving threat landscape.

As stated previously, the intention of this book is to provide readers with a business perspective of the digital forensics discipline. This book was written from a non-technical business perspective and is intended as an implementation guide for preparing your organization to enhance its digital forensic readiness by becoming more proactive with investigations and moving away from the traditional reactive approach to events and/or incidents. The methodology discussed throughout this book is also an effective way for organizations to demonstrate their due diligence and good corporate governance over their assets and business operations.
