Chapter 4

Understanding Forensic Readiness

Abstract

The importance of proper collection, preservation, and presentation of digital evidence has been recognized as important in reducing potential business impact as a result of digital crimes, disputes, incidents, and/or events. With a digital forensic readiness approach, the preparedness becomes established as a business goal and consists of administrative, technical, and physical actions that enhance the ability to use digital evidence.

Keywords

Benefit; Cost; Information security; Overview; Proactive; Reactive

 

This chapter provides an introduction to digital forensic readiness by exploring the purpose and scope behind the program, the high-level goals of the program, the business benefits realized from implementing the program, and codependence on an information security program.

Introduction

Digital forensic investigations are commonly performed in reaction to an event or incident. During postevent response activities, investigators must work quickly to gather, process, and present digital evidence. Depending on the environment where an investigation is conducted, the evidence necessary to support the investigation may or may not exist leading to complications with arriving at factual and credible conclusions.

Within a business environment the opportunity to proactively gather digital evidence is more prevalent than the ability to gather evidence in a law enforcement setting. If digital evidence has not been gathered to start with, there is a greater chance that it may not be available when needed. Any organization that depends on, or utilizes, technology should have a balanced concern for information security and digital forensic capabilities.

Digital evidence is fundamental in helping organizations to manage the impact of many different business risks; such as validating the impact of an event or incident, supporting litigation matters, or demonstrating compliance. Regardless of the business risk, there are situations where an event or incident can escalate into something much more serious. Digital forensic readiness is the ability of an organization to proactively maximize the prospective use of electronically stored information (ESI) to reduce the cost of the digital forensic investigative workflow.

Digital Forensics and Information Security

As technology advances to become more and more pervasive within both personal and business uses, so do the opportunities for committing cybercrime. Through evolved, advanced, and perfected techniques, cybercriminals are focused on harvesting the volumes of digital information that is generated from our every interaction, making an effective and efficient information security program essential.

Many organizations have established an information security program, architectures, and strategies in place to mitigate the risk of losing information and information assets. However, an information security program is only as strong as its weakest link and incidents will happen. When they do occur, it is essential that organizations work quickly to contain the business impact recover business functions, and investigate the root cause of the incident.

By default, gaining access to relevant digital evidence during this time is more challenging because there is greater potential it has been damaged, dismissed, or simply overlooked. Organizations commonly develop their information security program and strategies based on industry best practices¹ that, for the most part, do not consider the importance of putting appropriate controls or procedures in place to ensure the investigation is successful. Even though digital forensics and information security are separate and uniquely distinct disciplines, commonalities do exist where specific activities overlap across both.

Proactive Activities

Within information security, the primary focus is to reduce the potential for damage or loss to information and information assets. To support this, security controls can be implemented to include, but are not limited to, the following:

• Information security management framework (ie, policies, standards, guidance);

• Administrative, technical, physical control mechanisms (eg, operating procedures, programmatic solutions, specialized technical skills);

• Security awareness training (ie, stakeholder, general user);

• Organizational, regulatory, and legal compliance requirements.

Within digital forensics, the primary focus is to minimize disruption to business functions while maintaining the meaningfulness, relevancy, and admissibility of evidence. To support this, controls that can be implemented include, but are not limited to, the following:

• Evidence management framework (ie, policies, standards, guidance);

• Administrative, technical, physical control mechanisms (eg, operating procedures, tools and equipment, specialized technical skills);

• Digital forensic training (ie, knowledge, skills);

• Organizational, regulatory, and legal compliance requirements.

Reactive Activities

Within information security, the primary focus is to achieve a level of assurance that the damage or loss to information and/or information assets is minimized and ongoing risk is mitigated. To support this, controls that can be implemented include, but are not limited to, the following:

• Incident response capabilities;

• Security incident response team (SIRT);

• Computer (security) incident response team (CIRT/CSIRT).

• Disaster recovery planning (DRP);

• Business continuity planning (BCP);

• Information security gap analysis and recommendations.

Within digital forensics, the primary focus is to perform an investigative root-cause analysis of an incident by gathering and processing digital evidence. To support this, controls that can be implemented include, but are not limited to, the following:

• Incident response capabilities;

• Security incident response team (SIRT);

• Computer (security) incident response team (CIRT/CSIRT).

• Disaster recovery planning;

• Business continuity planning;

• Supplemental digital forensic operating procedures.

A proper balance must be made to adapt information security best practices to include all aspects of digital forensics so containment and recovery activities are properly balanced with the gathering and processing of digital evidence. Digital evidence is required wherever it can be used to manage business risk; and organizations require access to digital evidence to demonstrate and support their acceptable risk posture. However, digital information does not become digital evidence until a crime has been committed and the data is needed in an investigation.

What Is Forensic Readiness?

The concept of a digital forensic readiness program was first published in 2001 by John Tan. Through a digital forensic readiness program, organizations can make appropriate and informed decisions about business risks to make the most of its ability to proactively gather digital evidence. Tan outlines that the primary objectives for an organization to implement a digital forensic readiness program are to:

1. maximize the ability to collect credible digital evidence and

2. minimize the cost of forensics during an event or incident.

In the 2001 Honeynet Project, John Tan participated as a judge where he discovered the most remarkable finding in this exercise was the cost of the incident.

During e-mail communications with Dave Dittrich, head of the Honeynet Project, John and Dave identified that the time spent by intruders (approximately 2 hours) significantly differed from the time spent to clean up after them (between 3 and 80 hours).

This led to the conclusion that every 2 hours of intruder time resulted in 40 billable hours of forensic investigative time. However, this estimation did not include intrusion detection (human element), disk image acquisition, restoration and hardening of compromised system(s), network scanning for other vulnerable systems, and communications to stakeholders.

Digital forensic readiness places emphasis on the anticipation that an incident will occur by enabling organizations to make the most efficient use of digital evidence; instead of concerning itself with the traditional responsive nature of an incident. It is a business requirement of any organization that requires key stakeholders to serve a broad role in the overall investigative workflow, including, but not limited to:

• The investigative team;

• Senior/executive management;

• Human resources and employee relations;

• Privacy and compliance;

• Corporate Security;

• IT support staff;

• Legal.

By having key stakeholders involved in the overall investigative workflow, digital forensic readiness enables an overall organizational approach to proactively gathering digital evidence. As an overall strategy, the objectives of forensic readiness can be summarized as “the ability to maximize potential use of digital evidence while minimizing investigative costs”; with the purpose of achieving the following goals:

• Legally gather admissible evidence without interrupting business functions;

• Gather evidence required to validate the impact events of incident have on business risks;

• Permit investigations to proceed at a cost that is lower than the cost of an event or incident;

• Minimize the disruption and impact to business functions;

• Ensure evidence maintains positive outcomes for legal proceedings.

Cost and Benefit of Forensic Readiness

Management will be cautious of the cost for implementing a digital forensic readiness program. While cost implications will be higher where organizations have immature information security programs and strategies, the cost is lessened for organizations that already have a good handle on their information security posture. In either case, the issues raised by the need for a digital forensic readiness program have to be presented to senior management where a decision can be made.

Cost analysis of a digital forensic readiness program has to be weighed against the value-added benefits that the organization will realize once implemented. To make an educated and informed decision about whether implementing a digital forensic readiness program is practical, organizations must be able to perform an “apples-to-apples” comparison of the tangible and intangible contributors to the program. The starting point of this task is to document the individual security controls that will be aligned to the digital forensic readiness program through a service catalog. Appendix D: Service Catalog further discusses the service catalog to better understand how to hierarchically align individual security controls into the forensic readiness program.

Cost Assessment

Forensic readiness consists of costs involving administrative, technical, and physical information security controls implemented throughout the organization. Through the service catalog, each of these controls will be aligned to a service where all cost elements can be identified and allocated appropriately. While not all controls and services will contribute to digital forensic readiness, the following will have direct influences to the overall cost of the digital forensic readiness program:

• Governance document maintenance is the ongoing review and updating to the information security and evidence management frameworks (eg, policies, standards, guidance, procedures);

• Education and awareness training provides continued improvements to:

• information security awareness of staff indirectly involved with the information security discipline;

• information security training of staff directly involved with the information security discipline;

• digital forensic training of staff directly involved with the digital forensic discipline.

• Incident management involves the activities of identifying, analyzing, and mitigating risks to reduce the likelihood of reoccurrence;

• Data security includes the enhanced capability to systematically gather potential evidence and securely preserve it;

• Legal counsel provides advice and assurance that methodologies, operating procedures, tools, and equipment used during an investigation will not impede legal proceedings.

The inclusion of a service as a cost contributors to the digital forensic readiness program is subject to the interpretation and appetite of each organization. Knowing which services, where controls are aligned, contribute to the digital forensic readiness program is the starting point for performing the cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as part of the cost-benefit analysis for demonstrating to manage the value of implementing the program.

Benefits

With digital forensic readiness, it is necessary to assume that an incident will occur, even if a thorough assessment has determined that residual risk from defensive information security controls is minor. Depending on the impact from this residual risk, organizations need to implement additional layers of controls to proactively collect evidence to determine the root cause.

When organizations come to the realization that some type of investigative capability is required, the next step is to address this need through efficient and competent capabilities. Digital forensic readiness that is designed to address the residual risk and enhance proactive investigative capabilities offers organization with the following benefits:

• Minimizing costs: Operating on the anticipation that an event or incident will occur, organization will minimize the disruption to business functions and support investigative capabilities that are much more efficient, quick, and cost effective. Having precollected digital evidence, the investigative workflow becomes much simpler to navigate through as more focus can be placed on the processing and presentation phases.

• Control expansion: In response mode, the capabilities and effectiveness of information security controls provide functionality limited to notification, containment, and remediation. Where proactive monitoring is utilized, organizations are able to expand their implementation of these information security controls to identify and mitigate a much wider range of cyberthreats before they become more serious incidents or events.

• Crime deterrent: Proactive evidence gathering, combined with continuous monitoring, of this information increases the opportunity to quickly detect malicious activity. As word of proactive evidence collection become more widely known, individuals will be less likely to commit malicious activities because the probability of being caught is much greater.

• Governance and Compliance: With a good information management framework in place, organizations can better demonstrate their ability to conduct incident prevention and response. Showing this maturity not only provides customers with a sense of security and protection when it comes to safeguarding their assets, but investors will also have more confidence in the organizations ability to minimize threats against their investments.

• Law enforcement: Ensuring compliance with laws and regulations encourages good working relationships with both law enforcement and regulators. When an incident or event occurs, the job of investigators is much easier because the organization has taken steps to gathering digital evidence before, during, and after an incident or event.

• Legal preparations: International laws relating to electronic discovery (e-discovery), such as the Federal Rules of Civil Procedure in the United States, Rules of Civil Procedure in Canada, or the Practice Direction 31B in the United Kingdom, require that digital evidence is provided quickly and in a forensically sound manner. Information management in support of Electronic Discovery (e-discovery) involves activities such as incident response, data retention, disaster recovery, and business continuity policies; all of which are enhanced through a digital forensic readiness program. When an organizations enters into legal proceedings, the need for e-discovery is significantly reduced because digital evidence will already be preserved, increasing the probability of success when used as part of legal defense.

• Disclosure costs: Regulatory authorities and law enforcement agencies may require immediate release or disclosure of electronically stored information (ESI)² at any time. An organization’s failure to produce the requested ESI in an appropriate and timely manner can result in considerable financial penalties for being noncompliant with mandated information management regulations. A digital forensic readiness program also helps to strengthen information management strategies, including data retention, disaster recovery, and business continuity, by having digital evidence proactively gathered in a forensically sound manner makes it possible for organizations to easily process and present ESI when required.

In June 2005, AMD launched a lawsuit against its rival Intel, claiming that Intel engaged in unfair competition by offering rebates to PC manufacturers who agreed to eliminate or limit the purchase of AMD microprocessors.

As part of e-discovery, AMD requested the production of e-mail evidence from Intel to demonstrate this claim. Intel failed to produce the e-mail evidence due to (1) a fault in e-mail retention policy and (2) failing to properly inform employees that their ESI was required as evidence through legal hold.

Due to this failure to produce evidence, in November 2009, Intel agreed to pay AMD $1.25 billion as part of a deal to settle all outstanding legal disputes between the two companies.

Appendix E: Cost-Benefit Analysis further discusses how to perform a cost-benefit analysis to determine if implementing a forensic readiness program is valuable to an organization.

Implementing Forensic Readiness

Digital forensic readiness provides a “win–win” situation for organizations because it is complementary to, and an enhancement of, the information security program and strategies. Even if not formally acknowledged, many organizations already perform some information security activities, such as proactively gathering and preserving digital information, relative to digital forensic readiness.

Making progress with a digital forensic readiness program requires a risk-based approach that facilitates a practical implementation to manage business risk. The chapters to follow will examine the key activities within information security that are relevant to implementing an effective digital forensic readiness program. Specifically, the inclusion of certain aspects of digital forensic readiness as a component of information security best practices will be discussed in the following steps:

1. Define the business risk scenarios that require digital evidence;

2. Identify available data sources and different types of digital evidence;

3. Determine the requirements for gathering digital evidence;

4. Establishing capabilities for gathering digital evidence in support of evidence rules;

5. Develop a framework to govern digital evidence management;

6. Design targeted security monitoring controls to detect events;

7. Specify the criteria for escalating incidents into formal digital investigations;

8. Conduct ongoing training to educate stakeholder on their organizational role;

9. Document and present evidence-based findings and conclusions;

10. Ensure legal review to facilitate event or incident response actions.

Summary

Digital forensic readiness enables organizations to maximize their proactive investigative capabilities. By completing a proper cost-benefit analysis, the value add of an enhanced level of readiness can be demonstrated through investigative cost reduction and operational efficiencies gains.

Taxonomy

1 Best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark.

2 Electronically stored information (ESI), for the purpose of the Federal Rules of Civil Procedure, is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.