For organisations, whether big or small, the priority when an information security incident happens is to resume operations as quickly as possible and minimise disruption. What is very often overlooked is the management of the digital evidence generated by an incident, whatever its nature. The sessions endeavoured to explain how to integrate digital forensics organically into management systems and how to reconcile it with business and operational needs. Special attention was devoted to the particular case of SMEs, which constitute the backbone of many countries’ industrial sector. The definition of “digital evidence” and an overview of the digital forensics workflow, together with a quick review of the available international guidelines on the subject, introduced the topic.
In the model forensics workflow, preparation (pre-acquisition) activities are not at the forefront, but in a corporate environment forensic readiness allows for the collection and management of forensically sound evidence (volatile as it may be) while at the same time not infringing on business processes. On the contrary, it helps to generate value and mitigate cyber risks. The forensic readiness process presented is built upon a thorough security assessment and includes a focused risk analysis. The goal of the whole plan is to have procedures in place that can effectively select, acquire and analyse sound digital evidence in the aftermath of an incident, avoiding spoliation and guaranteeing integrity.
Minimal interference with the quick resumption of regular operations, compliance with applicable regulations and cost minimisation are of course further requirements. After the preliminary assessment, the ideal process entails an inventory of potential evidence sources and a review of possible sources not yet activated, followed by detailed procedures for the identification and acquisition of evidence as part of incident response. In support of the latter, technical means should be prepared and – most importantly – personnel should already be aware of forensic necessities, trained on the basic concepts and given clear escalation triggers for when to ask for the help of specialised teams. These teams should be trained in acquiring evidence in a forensically sound manner and be responsible for maintaining a clear and documented chain of custody. Thorough documentation, as well as post-incident reviews, completes the process and allows the organisation to refine its level of readiness.
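The two requirements the sessions stress for the acquisition phase, integrity of the evidence and a documented chain of custody, can be made concrete in a few dozen lines. The following is an added example, not material from the sessions or from any of the guidelines they reviewed: it records a reference hash at acquisition, logs every hand-over in a hash-chained, append-only ledger, and flags a transfer whose bytes no longer match the acquisition hash so that the escalation trigger described above fires on a concrete condition rather than on suspicion. The evidence bytes, item identifier and actor names are constructed for illustration; the ledger layout is this example's own design, not a standard format.

```python
"""Forensic-readiness helper (added example): acquisition hash plus a
hash-chained chain-of-custody ledger that detects both evidence
spoliation and after-the-fact edits to the custody record."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Reference hash of an evidence item; SHA-256 is a conventional choice."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical serialisation so an identical entry always hashes identically.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


class CustodyLedger:
    """Append-only ledger for one evidence item. Every entry carries the hash
    of the previous entry, so rewriting history breaks the chain."""

    GENESIS = "0" * 64  # 'prev' value of the very first entry

    def __init__(self, item_id: str, description: str, acquired_by: str, data: bytes):
        self.item_id = item_id
        self.description = description
        # Reference value for the item's whole life; never updated.
        self.acquisition_hash = sha256_hex(data)
        self.entries: list[dict] = []
        self._append("acquisition", acquired_by, self.acquisition_hash)

    def _append(self, action: str, actor: str, observed_hash: str, note: str = "") -> dict:
        prev = _entry_hash(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "observed_hash": observed_hash,
            "note": note,
            "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def item_intact(self, data: bytes) -> bool:
        """True if the bytes presented now still match the acquisition hash."""
        return hmac.compare_digest(sha256_hex(data), self.acquisition_hash)

    def transfer(self, from_actor: str, to_actor: str, data: bytes) -> bool:
        """Record a hand-over. Both parties re-hash the item; a mismatch is
        logged as a spoliation indicator and reported to the caller."""
        ok = self.item_intact(data)
        note = "" if ok else "HASH MISMATCH: possible spoliation, escalate to forensics team"
        self._append("transfer", f"{from_actor} -> {to_actor}", sha256_hex(data), note)
        return ok

    def ledger_intact(self) -> bool:
        """Walk the chain: each entry's 'prev' must equal the hash of the
        entry before it. Editing any earlier entry breaks the link after it."""
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != expected_prev:
                return False
            expected_prev = _entry_hash(entry)
        return True

    def head(self) -> str:
        """Hash of the latest entry. Record it out-of-band (printed log,
        ticket, signed note) because chaining alone cannot protect the
        most recent entry from being rewritten."""
        return _entry_hash(self.entries[-1])


if __name__ == "__main__":
    # Constructed sample evidence: a captured web-server log excerpt.
    evidence = b'10.0.0.7 - - [12/May/2024:09:14:02 +0000] "GET /admin HTTP/1.1" 403 512\n'
    ledger = CustodyLedger("EV-2024-0001", "web server access log excerpt", "first responder", evidence)
    print("acquisition hash:", ledger.acquisition_hash)
    print("transfer ok:", ledger.transfer("first responder", "forensics team", evidence))
    # A modified copy shows up immediately at the next hand-over.
    print("tampered transfer ok:", ledger.transfer("forensics team", "external counsel", evidence + b"x"))
    print("ledger intact:", ledger.ledger_intact(), "head:", ledger.head())
```

The ledger verifies itself, but the head hash (and the acquisition hash) should be written somewhere the custodians cannot silently edit, such as the incident ticket, at each hand-over; that is the out-of-band anchor that turns the chain into evidence rather than just a log.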