Digital Forensics
What is Digital Forensics?
The term Digital Forensics covers both Informal and Formal digital forensic investigations of a computing environment and of the data stored in it or in transit.
Informal digital forensic investigations in the Cyber Security environment are those carried out in response to an alert or an incident. These operational investigations may cover both Intrusion (data entering the environment) and Extrusion (data leaving it). Activities may include Pen Testing, Malware Analysis, Code Reversing and Data Recovery. An informal investigation may also lead to a formal investigation.
Formal digital forensic investigations are those investigations that are carried out either internally or externally in support of a criminal or fraud investigation. Investigations can cover Law Enforcement (LE) investigations, eDiscovery/eAudit and Data Recovery.
The Challenge
The requirement for digital forensic investigations is increasing and will continue to rise the more integrated our computing becomes with our business and the more we connect to the online environment.
Most organisations do not have internal staff with the skills or knowledge to carry out digital forensic investigations.
A digital forensic investigation may be instigated at very short notice, diverting staff away from current operations, and external services are brought in at short notice at considerable cost.
The Solution
The solution is to implement a strategy based on Readiness and Flexibility:
- Forensic Readiness (FR) – the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation.
- Flexibility – establishing a flexible skills and facilities strategy that maximises internal resources and gives access to additional skills, capability and technical resources, providing speed of response whilst maintaining cost control.
At IAS we believe that establishing Forensic Readiness is an integral part of the overall Cyber Security strategy, and we use the following process to establish your FR capability.
- Define the business scenarios that require digital evidence.
- Identify available sources and different types of potential evidence.
- Determine the evidence collection requirement.
- Establish a capability for securely gathering legally admissible evidence.
- Establish a policy for secure storage and handling of potential evidence.
- Identify monitoring requirements to detect and deter major incidents.
- Identify when escalation to a full formal investigation is required.
- Identify staffing skills and training needs.
- Identify the evidence-based case requirements for reporting an incident and its potential impact.
- Identify the legal review process for an investigation.
By working with the “Cyber Security Centre” (CSC) of De Montfort University (DMU), we have established a flexible skills and facilities capability. IAS, along with the Cyber Security Centre, also provides “Expert Witness” trained staff to support any digital investigation.