Forensic Readiness

The Communications-Electronics Security Group (CESG) in the UK defined forensic readiness as “The achievement of an appropriate level of capability by an organization in order for it to be able to collect, preserve, protect and analyze digital evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or court of law” (Digital Continuity Project, 2011).

In practice, an investigator's ability to find and process digital evidence depends heavily on what the organization did, or failed to do, before an attack or data breach. For example, what if the organization has not ensured that logs are captured from every relevant part of the network, its servers, and its applications, and kept long enough to still exist when an incident is finally noticed? What if a computer is shared without separate log-in credentials for each user, so that every action on it is recorded against the same account? Gaps like these can leave an investigator unable to establish what activities took place or who was responsible.

An organization should have response plans in place and rehearse forensic investigations before a breach occurs. Without rehearsal, how will its staff know how long it takes to respond to an incident, or how effective their procedures and tools really are? Is it sufficient to back up activity logs but never actually practice recovering and analyzing them? Probably not: a backup that has never been restored, and a log that has never been parsed, are untested assumptions rather than evidence.
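As an added worked example (not code from the original article or from the sources it cites), the following Python script is the kind of drill the preceding paragraphs argue for. It takes a log archive as it came back from backup, checks each file against the hashes recorded at backup time, checks whether each source's retention still reaches back to the incident date, flags accounts that cannot be tied to one person because they were used from several machines, and builds a single timeline for one account across all recovered files. Every file name, log line, hash manifest, retention figure and date is constructed sample data, chosen so that each check finds something.

```python
"""Forensic-readiness drill over a recovered log archive.

Added example; not code from the original article or its cited sources.
Every file name, log line, hash, retention figure and date below is
constructed sample data chosen so that each check finds something.
"""
import hashlib
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed archive as it came back from backup: file name -> contents.
ARCHIVE = {
    "auth.log": (
        "2024-03-04T09:12:01 host=web01 user=alice src=10.0.0.5 result=success\n"
        "2024-03-04T09:12:09 host=web01 user=alice src=10.0.0.5 result=success\n"
        "2024-03-04T09:15:44 host=web01 user=shared-lab src=10.0.0.7 result=success\n"
        "2024-03-04T09:16:02 host=web01 user=shared-lab src=10.0.0.9 result=success\n"
        "2024-03-04T09:30:15 host=db01 user=bob src=10.0.0.11 result=failure\n"
    ),
    "app.log": "2024-03-04T09:16:30 host=web01 event=export user=shared-lab rows=50000\n",
}

# Constructed manifest written at backup time (SHA-256 per file).  app.log's
# digest is deliberately wrong and fw.log never came back from backup, so the
# integrity check has something to report.
MANIFEST = {
    "auth.log": hashlib.sha256(ARCHIVE["auth.log"].encode()).hexdigest(),
    "app.log": "0" * 64,
    "fw.log": hashlib.sha256(b"").hexdigest(),
}

# Constructed retention policy: log source -> days kept before rotation.
RETENTION_DAYS = {"auth.log": 365, "app.log": 30, "fw.log": 7}

# Key=value line format used by the constructed logs above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) (?:event=\S+ )?user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?"
)


def verify_archive(archive, manifest):
    """Names of files the manifest lists that are missing or whose SHA-256 differs."""
    bad = []
    for name, expected in manifest.items():
        data = archive.get(name)
        if data is None or hashlib.sha256(data.encode()).hexdigest() != expected:
            bad.append(name)
    return sorted(bad)


def retention_gaps(retention_days, incident_start, checked_on):
    """Sources whose retention is shorter than the time elapsed since the incident,
    i.e. whose logs for the incident window have already rotated away."""
    age = (checked_on - incident_start).days
    return sorted(src for src, days in retention_days.items() if days < age)


def unattributable_accounts(archive):
    """Accounts with successful logins from more than one source address.
    One credential used from several machines cannot be tied to one person."""
    sources = defaultdict(set)
    for line in archive.get("auth.log", "").splitlines():
        m = LINE_RE.match(line)
        if m and m.group("src") and line.endswith("result=success"):
            sources[m.group("user")].add(m.group("src"))
    return sorted(user for user, srcs in sources.items() if len(srcs) > 1)


def timeline(archive, user):
    """Every recovered line about `user`, across all files, in time order."""
    events = []
    for name, contents in archive.items():
        for line in contents.splitlines():
            m = LINE_RE.match(line)
            if m and m.group("user") == user:
                events.append((datetime.fromisoformat(m.group("ts")), name, line))
    return [f"[{name}] {line}" for _, name, line in sorted(events)]


def run_drill(archive=ARCHIVE, manifest=MANIFEST, retention=RETENTION_DAYS,
              incident_start=date(2024, 3, 4), checked_on=date(2024, 4, 15),
              suspect="shared-lab"):
    """Run the whole drill and return its findings."""
    return {
        "corrupt_or_missing": verify_archive(archive, manifest),
        "retention_gaps": retention_gaps(retention, incident_start, checked_on),
        "unattributable": unattributable_accounts(archive),
        "timeline": timeline(archive, suspect),
    }


if __name__ == "__main__":
    for finding, value in run_drill().items():
        print(finding)
        for item in value:
            print("   ", item)
```

Run as a script, the drill reports app.log as corrupt and fw.log as missing, reports that app.log and fw.log retention (30 and 7 days) no longer covers an incident 42 days old, names shared-lab as an account that cannot be attributed to one person, and prints the three recovered events for that account in order. Each of those findings corresponds to a readiness gap that is cheap to fix before an incident and impossible to fix after one.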

References

Tan, J. (2001). Forensic readiness. Retrieved from https://isis.poly.edu/kulesh/forensics/docs/forensic_readiness.pdf

Digital Continuity Project. (2011). Digital continuity to support forensic readiness. Retrieved from http://www.nationalarchives.gov.uk/documents/information-management/forensic-readiness.pdf

Resources