Digital Forensics is not usually considered an important part of the Information Assurance process and of Information Security management, but it should be, once we consider the big picture of Information Security and Cybersecurity.
Nowadays all organizations, be they private corporations, public bodies, NGOs etc., need to approach Information Security knowing that, when it comes to security breaches, it is not a matter of “if” but of “when”. The inevitability of an attack should be built into the security processes, and that means planning, developing and deploying procedures and protocols for detecting, resisting and reacting to internal or external attacks (attacks or breaches originating from internal threats make up the major part of all incidents).
Digital forensics planning should be conducted alongside, and integrated with, the other areas of IA that deal with responding to an attack or, more generally, to a security incident, namely:
- Business continuity planning
- Disaster recovery
- Incident response
Among other guidelines, the ISO requirements for Information Security management systems specify a list of controls to be deployed in order to mitigate risks, and in that list a specific control is devoted to the collection of evidence in case of legal action (A.13.2.3 in ISO/IEC 27001, Annex A, and, in more detail, in ISO/IEC 27002).
Often, after a security incident, the priority is on restoring the functionality of the systems in order to assure the continuation of essential business activities, at the cost of acquiring evidence. But without sound digital evidence it is going to be very hard to build a sound case and win. Having sound protocols in place before the fact allows the organization to collect the evidence rapidly without burdening the business continuity process, and is also an important buttress in strengthening the evidence in court or in a negotiation with opposing counsel.
The place for digital forensics protocols and procedures is as part of the incident response planning (ISO 27001 agrees with that). They should cover protocols for:
- Evidence collection
- Evidence acquisition
- Evidence analysis
- Evidence interpretation
- Handling and preservation
Collection and acquisition inside an organization are somewhat easier than in the wild, because the information systems and technologies are known in advance, so proper configuration and acquisition activities can be planned in detail. Current trends that blur the perimeter of an organization's IT systems should however be taken into consideration, among others the widespread use of employees' own devices on the job (i.e. BYOD, “bring your own device”) and the spread of cloud computing services. These solutions can complicate digital forensics planning, not only technically but also legally.
Analysis and interpretation should ideally be conducted together with a legal team, examining the possible legal scenarios.
A note should be made on eDiscovery, a term used mainly in the US, which is a concept often confused with digital forensics: eDiscovery mainly refers to civil litigation in the United States and applies to evidence (called “Electronically Stored Information” in this context) that is ultimately to be turned over to the opposing counsel according to US law. Americans tend to avoid the word “evidence” because it is a “loaded” term in legal proceedings, especially criminal ones. A new set of international ISO standards is in the works (aside from ISO 27037 on acquisition) detailing the remaining phases and the principles of digital investigations and eDiscovery.

Integrating digital forensics procedures in an Information Assurance program requires a wide set of skills: if your organization does not possess those skills, an Infosec consultant with DF experience can be useful (note: English translations of the site are in the works; for a prompt response in English send mail to StudioAG at studio [at] studioag [dot] eu).