A Ten Step Process for Forensic Readiness

A forensic investigation of digital evidence is commonly employed as a post-event response to a serious information security incident. There are, however, many circumstances in which an organisation may benefit from an ability to gather and preserve digital evidence before an incident occurs. Forensic readiness is defined as the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation. The costs and benefits of such an approach are outlined. Preparation to use digital evidence may involve enhanced system and staff monitoring; technical, physical and procedural means to secure data to evidential standards of admissibility; processes and procedures to ensure that staff recognise the importance and legal sensitivities of evidence; and appropriate legal advice and interfacing with law enforcement. This paper proposes a ten step process for an organisation to implement forensic readiness.
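The abstract names "technical, physical and procedural means to secure data to evidential standards of admissibility" as one element of readiness. The following is an added example, not code from the paper or its authors, of the technical side of that: a collection manifest that records a SHA-256 per collected item, an HMAC seal over the manifest, and an append-only chain-of-custody log whose entries are hash-linked so that any later edit or deletion is detectable. The artifact contents, host and analyst names and the HMAC key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for log files gathered from a host.
SAMPLE_ARTIFACTS = {
    "auth.log": b"Jan 10 03:12:44 host sshd[812]: Failed password for root from 203.0.113.5\n",
    "proxy.log": b"2024-01-10T03:13:01Z 10.0.0.7 GET http://example.test/ 200\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collector: str, source_host: str, collected_at: str) -> dict:
    """Record what was collected, by whom, from where and when, with a hash per item."""
    return {
        "collected_at": collected_at,
        "collector": collector,
        "source_host": source_host,
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in artifacts.items()
        },
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON so later edits to the manifest itself are detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_artifacts(manifest: dict, artifacts: dict) -> list:
    """Return the names of items that are missing or no longer match the recorded hash."""
    tampered = []
    for name, record in manifest["items"].items():
        data = artifacts.get(name)
        if data is None or sha256_hex(data) != record["sha256"]:
            tampered.append(name)
    return tampered


def append_custody(chain: list, manifest_seal: str, actor: str, action: str) -> list:
    """Append one custody entry; each entry commits to the hash of the previous one."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    entry = {"seal": manifest_seal, "actor": actor, "action": action, "prev": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    chain.append(entry)
    return chain


def verify_custody(chain: list) -> bool:
    """Recompute every entry hash and check the links; False on any edit or removed entry."""
    prev = "0" * 64
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "analyst-1", "host-a", "2024-01-10T03:20:00Z")
    seal = seal_manifest(manifest, b"constructed-seal-key")
    chain = append_custody([], seal, "analyst-1", "collected")
    chain = append_custody(chain, seal, "analyst-2", "received for analysis")
    print("intact items:", verify_artifacts(manifest, SAMPLE_ARTIFACTS) == [])
    print("custody log valid:", verify_custody(chain))
```

The HMAC key would in practice be held by the custodian rather than the collector, and the manifest and custody log stored separately from the artifacts, so that whoever can alter the evidence cannot also rewrite the record of it.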
