Saturday, September 11, 2010

Digital Forensic Readiness


Digital forensic readiness is about developing a forensic capability in an organisation that assists it in the event of a forensic investigation. For an organisation to be forensic ready, it should have an in-house forensic programme, which should aim to train and equip some of its employees (especially the SPOC group - Single Point of Contact group) in forensic (computer and network) processes and techniques to obtain, share and handle digital evidence (crime scene evidence).

Here are some of what may be contained in a forensic readiness programme:

1) Forensic readiness policy - this policy must exist in the organisation, and should state precisely what should trigger a forensic investigation, and the capability target of the organisation within a timeline. For example, an organisation's present capability may be 'elementary', meaning it is still in the embryonic stage; 'standard', meaning the organisation has made some progress with training staff and equipping them with tools to do the work; or 'enhanced', meaning the organisation has made some advancements in the forensic process, trained its staff and can support complex forensic investigations, such as those affecting business partners or involving various personnel.

2) Forensic readiness procedure - this procedure should outline who deals with forensic investigations in an organisation, such as the SPOC, the reporting of incidents, and how escalations should be reported to senior management, the police or other law enforcement. The procedure should also outline how personnel monitoring and investigation should be carried out.

3) Rules of evidence - this explains how evidence should be handled, including storage, distribution and destruction of digital forensic evidence. It should also include how to present (admissible) evidence in a court of law.

4) Forensic investigation process - this outlines the 5 steps of a forensic investigation, namely evidence gathering, preservation, analysis, review and presentation. It is pertinent to note that digital evidence must be preserved and must not be tampered with, otherwise it won't be admissible in a court of law. To analyse forensic evidence, it's a rule of thumb to make a bitstream copy of the evidence and work on the duplicate copy, while still retaining the original copy untampered (without manipulation).

5) Chain of custody - this is a document accompanying all digital evidence that provides assurance, in the form of witnesses, of the crime scene evidence gathered. A chain of custody should show the date the evidence was collected, the names of the people who witnessed the evidence gathering/collection, who the evidence was collected from, photos of what was seized and collected, etc.
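As an added illustration of points 4 and 5 (example code, not part of the original post): a small Python script that makes a working copy of an evidence file, confirms by hash that the copy matches the untouched original, and keeps a tamper-evident chain-of-custody log carrying the fields listed above. The file names, analyst and witness names and the 'WS-17' workstation are constructed for the demo.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    # Hash in 1 MiB chunks so a large disk image need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_working_copy(original, working):
    # Bit-for-bit copy: analysis happens on `working`, `original` stays untouched
    shutil.copyfile(original, working)
    return sha256_of(original), sha256_of(working)

def add_custody_entry(log, evidence, collected_from, collected_by, witnesses):
    # Each record carries the previous record's hash, so editing or removing an earlier entry breaks the chain
    entries = json.loads(log.read_text()) if log.exists() else []
    prev = entries[-1]["entry_hash"] if entries else "0" * 64
    rec = {"timestamp": datetime.now(timezone.utc).isoformat(), "evidence": evidence.name,
           "sha256": sha256_of(evidence), "collected_from": collected_from,
           "collected_by": collected_by, "witnesses": witnesses, "previous_entry_hash": prev}
    rec["entry_hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    entries.append(rec)
    log.write_text(json.dumps(entries, indent=2))
    return rec

def verify_custody_log(log):
    # Recompute every entry hash and re-check the links; True only if nothing changed
    prev = "0" * 64
    for e in json.loads(log.read_text()):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["previous_entry_hash"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        orig, copy, log = Path(d, "evidence.img"), Path(d, "working.img"), Path(d, "custody.json")
        orig.write_bytes(b"constructed sample evidence " * 1000)  # stands in for a seized image
        h_orig, h_copy = make_working_copy(orig, copy)
        add_custody_entry(log, orig, "workstation WS-17 (constructed)", "analyst A", ["witness B"])
        add_custody_entry(log, copy, "imaging station", "analyst A", ["witness C"])
        intact = verify_custody_log(log)
        log.write_text(json.dumps(json.loads(log.read_text())[1:]))  # drop the first record
        return {"copy_matches": h_orig == h_copy, "log_intact": intact, "tampered_detected": not verify_custody_log(log)}
```

Running `demo()` shows the copy hash matching the original, the two-entry log verifying cleanly, and the verification failing once the first record is removed.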

6) Training - Staff must be trained, especially on the forensic policy, procedure and the process of handling their in-house investigations. Evidence handling, sharing and destruction must be taught, especially the rules of evidence, how evidence can be presented to a court of law (admissible), and the tools to be used to analyse the evidence collected.

7) SPOC - A Single Point of Contact must be appointed to deal with forensic investigations. This group is the 'need to know' group that shall carry out investigations, report or escalate investigations to law enforcement, manage incidents and preserve evidence.

There are many things to be included in a forensic readiness programme, and in the next couple of weeks, I'll be sharing them as I have the time to blog. Enjoy it :-)
