Digital forensic readiness is an organization’s capability to proactively maximize their use of digital evidence while minimizing investigative costs. The 10 steps toward achieving digital forensic readiness, as proposed throughout this book, involve approaching the subject area from the business content that details the need for administrative, technical, and physical components.
Introduction
For the most part, digital forensic investigations are still being performed in reaction to an incident where organizations must work quickly to gather and process digital evidence. Ultimately, the availability of relevant and meaningful digital evidence is a critical requirement to effectively manage business risk.
When conducting investigations in a reactive mode, there is an increased risk that the evidence necessary to support the investigation may not exist, resulting in difficulties in establishing credible facts about what occurred. Where organizations have identified opportunities to proactively gather digital evidence in anticipation of an incident, they will be better equipped to validate the impact, support litigation matters, and demonstrate regulatory compliance.
Digital forensic readiness is the ability of an organization to proactively maximize their prospective use of electronically stored information.¹ By following a systematic and proactive approach to gathering and preserving potential digital evidence, the added value of a digital forensic readiness program will be realized through reduced investigative cost and gains in operational efficiencies.
Maintain a Business-Centric Focus
One of the most significant barriers to implementing digital forensic readiness is that organizations do not effectively communicate their business risks to those who work with their IT systems. Essentially, making progress towards a successful implementation means following an approach established from a risk-based methodology.
As discussed in chapter “Understanding Digital Forensics,” cybercrime continues to evolve as technology becomes increasingly entrenched in our business and personal lives. In response to this natural evolution, the traditional “wall-and-fortress” approach continues to focus on the technology aspect, where each specific threat is addressed as it emerges. A successful digital forensic readiness implementation requires organizations to ensure that their approach is adequately balanced to (1) understand the business reasons (who should be involved under what circumstances) for executing this program and (2) properly and sufficiently support its technical elements (how to go about performing forensics).
Do Not Reinvent the Wheel
Even if not formally acknowledged, many organizations already perform some information security activities, such as proactively gathering and preserving digital information, relative to a digital forensic readiness program. The systematic and proactive approach achieved from digital forensics readiness is complementary to many business operations and functions within an organization, such as:
• enhancing the overall effectiveness of managing business risk
• demonstrating the organization’s due diligence in meeting legal and/or regulatory requirements
• determining the need for preserving digital evidence in support of business functions, such as incident response and business continuity
• improving identification and detection of security events to mitigate potential impact
Integrating the elements of digital forensics readiness should not have to be a process that is started from the ground up. Included throughout this book is a collection of industry best practices, references, methodologies, and techniques that can be used to achieve digital forensics readiness. The investment in time, effort, and resources to accomplish digital forensics readiness must be focused on what is required for its successful implementation, and not on re-creating materials that are readily available for use.
Understand the Costs and Benefits
Implementing a digital forensic readiness program requires organizations to follow the systematic methodology as outlined throughout this book. Decisions to skip, substitute, or not invest the required amount of time, effort, and resources into the digital forensic readiness methodology will most certainly result in a failed, incomplete, or misaligned digital forensic readiness program.
For these reasons, it is extremely important that organizations take their time to fully understand how digital forensic readiness creates value in mitigating their business risks and what bearing it will have on their budgetary needs. As found throughout this book, the assessment of costs versus benefits is not to be limited to just one aspect of digital forensic readiness and should be a recurring process to ensure that the goals of the program are achieved at a reasonable cost.
Summary
Similar to how organizations understand the importance and need for having proper disaster recovery and business continuity plans in place, it is equally important that there is an understanding of the need to have proper digital forensic readiness planning. The continuing trend to take a reactive approach to dealing with incidents is both disruptive and riskier to business operations in terms of digital evidence being altered, lost, or incorrectly handled.
Digital forensic readiness is an organization’s capability to proactively maximize their use of digital evidence while minimizing investigative costs. Organizations that understand the importance of establishing proactive controls to maintain the forensic viability and admissibility of digital evidence have a better chance of ultimately surviving and prospering in the continuously evolving threat landscape.
As stated previously, the intention of this book is to provide readers with a business perspective of the digital forensic discipline. This book was written from a nontechnical, business perspective and is intended as an implementation guide for preparing your organization to enhance its digital forensic readiness by becoming more proactive with investigations and moving away from the traditional reactive approach to incidents. The methodology discussed throughout this book is also an effective way for organizations to demonstrate their due diligence and good corporate governance over their assets and business operations.