
Understanding Forensic Readiness

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

Cost Assessment

Forensic readiness consists of costs involving administrative, technical, and physical information security controls implemented throughout the organization. Through the service catalog, each of these controls will be aligned to a service where all cost elements can be identified and allocated appropriately. While not all controls and services will contribute to digital forensic readiness, the following will directly influence the overall cost of the digital forensic readiness program:

Governance document maintenance is the ongoing review and updating of the information security and evidence management frameworks [eg, policies, standards, guidance, procedures];

Education and awareness training provides continued improvements to:

information security awareness of staff indirectly involved with the information security discipline;

information security training of staff directly involved with the information security discipline;

digital forensic training of staff directly involved with the digital forensic discipline.

Incident management involves the activities of identifying, analyzing, and mitigating risks to reduce the likelihood of reoccurrence;

Data security includes the enhanced capability to systematically gather potential evidence and securely preserve it;

Legal counsel provides advice and assurance that methodologies, operating procedures, tools, and equipment used during an investigation will not impede legal proceedings.

The inclusion of a service as a cost contributor to the digital forensic readiness program is subject to the interpretation and appetite of each organization. Knowing which services, where controls are aligned, contribute to the digital forensic readiness program is the starting point for performing the cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as part of the cost-benefit analysis for demonstrating to management the value of implementing the program.


URL: //www.sciencedirect.com/science/article/pii/B9780128044544000046

Cloud security and forensic readiness

Chaz Vidal, Kim-Kwang Raymond Choo, in The Cloud Security Ecosystem, 2015

2.4 Digital forensic readiness assessment

Digital forensics readiness is the ability of organizations to respond quickly and collect digital evidence related to a security incident with minimal cost or interruption to the ongoing business. This involves being able to define digital evidence required so that security aspects in an organization such as programs or teams and infrastructure can be adapted and modified to provide this evidence in a timely manner [Trenwith and Venter, 2013].

There are several global standards to aid organizations in the processing of digital evidence. The International Standards Organization proposes a standard for the processing of digital evidence in a consistent manner [Standardization and Technical Committee ISO/IEC JTC1, 2012]. NIST also describes a process for the integration of digital forensics during the management of IT incidents [Kent et al., 2006]. Both standards provide a good starting point for organizations to understand the processes involved with collecting digital evidence. For example, the ISO standard goes through defined phases in digital evidence collection: identification, collection, and preservation. The NIST standard includes recommendations that involve the establishment of a forensic capability within the organization to better respond to security incidents requiring digital evidence.

In 2004, Rowlingson proposed a 10-step process that could be used by organizations as a means to improving their forensic readiness [Rowlingson, 2004]. The intent of this forensic readiness process is to increase an organization’s use of digital evidence while, at the same time, minimizing the cost of utilizing the data during a digital forensics investigation. This process generally includes improvements to system monitoring; technical, procedural, and policy improvements to securing possible digital evidence; staff training; and improvements to the interfaces with law enforcement.

Implementing digital forensics readiness should be incorporated as part of overall information security within an organization, and provides many benefits [Pangalos et al., 2010] [Rahman and Choo, 2015a]. IaaS providers should have the capability to conduct forensic investigations with minimal impact to the running of the service and to be able to respond quickly to requests for digital forensic evidence from law enforcement agencies or internal security teams.

Implementing forensic readiness may come at a cost, but for an existing organization which has already implemented a basic information security mechanism, the cost of extending the existing information security mechanism to include forensic readiness activities is lower [Rowlingson, 2004].

The methodology used for judging forensic readiness is as follows:

1. Define the business scenarios that require digital evidence.

2. Identify available sources and different types of potential evidence.

3. Determine the evidence collection requirements.

4. Establish a capability for securely gathering legally admissible evidence to meet the requirement.

5. Establish a policy for secure storage and handling of potential evidence.

6. Ensure that monitoring is targeted to detect and deter major incidents.

7. Specify circumstances when escalation to a full formal investigation should be launched.

8. Train staff in incident awareness.

9. Document an evidence-based case describing the incident and its impact.

10. Ensure legal review to facilitate action in response to the incident [Rowlingson, 2004].

Utilizing the above process, Company A was assessed and observations were made against each of these steps to determine the state of the organization’s forensics readiness.

2.4.1 Define business scenarios that require digital evidence

This step focuses on the purpose of digital evidence collection in the organization. The organization should know under what circumstances in the running of its business such data should be collected. In other words, this is a risk assessment activity to understand whether or not collecting digital evidence should be done and what costs and benefits it could bring.

Within Company A, there is already a mechanism in place for digital evidence collection in the IaaS service. Default logging configurations have been implemented on hypervisor systems and individual VMs. However, it is not clear how logging data are chosen and whether the data currently collected are useful for digital investigations.

2.4.2 Identify available sources and different types of potential evidence

This step is to enable organizations to recognize the sources of potential evidence within the organization. Primary sources of evidence in an IaaS infrastructure include:

1. Hypervisor access and audit logs

2. VM logs within the hypervisor

3. VM OS logs or logs generated by the virtualized operating systems

4. Firewall logs

5. Application and server monitoring logs

6. Storage area network logs

7. Virtualized disks and memory snapshots

8. VM backups

The above is not an exhaustive list of all the available data sources in Company A as there are other systems that contribute to the IaaS infrastructure such as e-mail systems, third-party vendor connections, and internal system administrator desktops.

2.4.3 Determining the evidence collection requirement

This step focuses on identifying the evidence the organization needs to collect in order to support the digital investigations set out in Step 1.

In Company A, there is no observed documented security requirement for evidence collection from the IaaS infrastructure. IaaS systems administrators have configured data and log file storage utilizing default vendor parameters or previous institutional knowledge.

2.4.4 Establish a capability for securely gathering legally admissible evidence to meet the requirement

After the establishment of the data collection requirement, this step is to understand how the required data can be collected without interfering with ongoing business processes and to ensure that collection of the required data is compliant with existing laws and regulations. Methods of securely gathering data include remote logging wherein systems that generate log data send this data to servers for storage rather than keeping logs local to the system [Ghorbani et al., 2010].

Within Company A, the IaaS infrastructure sends certain log data remotely to established servers within the organization’s network. System events for hypervisors are remotely logged, but only for administration purposes in case of technical troubleshooting, with no observed consideration for forensic uses. It is observed that the majority, if not all, of these log files are not encrypted and no increased security is applied to them, with access controlled only by standard organizational means. There is also no observed log archiving to secure and encrypted media.

2.4.5 Establish a policy for secure storage and handling of potential evidence

This step takes into account that once data has been collected, it should be protected to ensure that it could be retrieved in a safe and secure manner which ensures the integrity of the data. This step is also concerned with ensuring the longer term availability of this information should it be needed for investigations at a later time.

Within Company A, there are facilities available for long-term data storage. Company A utilizes storage area networks that can be used for online data storage but also have the ability to send data to tapes for offline and longer term storage. There is, however, no observed policy on evidence handling for IaaS data.
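The integrity control that Steps 4 and 5 describe (logs collected remotely, then stored so that their integrity can be demonstrated later) can be made concrete with a hash chain over the collected lines. This is an added example, not code from the chapter or from Company A's tooling; the log line format, timestamps and addresses are constructed, and the manifest layout is an assumption.

```python
"""Tamper-evident preservation of remotely collected log data.

Added example, not code from the chapter or from Company A's tooling.
It assumes log lines arrive from a remote-logging server as plain text
(the line format below is constructed). Every line is bound into a
SHA-256 hash chain and a manifest records the chain, so later
modification, deletion, truncation or appending in the archive can be
detected and localised to the first divergent line.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample: hypervisor events as a remote syslog server might store them.
SAMPLE_LOG_LINES = [
    "2015-03-02T09:14:05Z hv01 vpxd: user=admin src=10.0.5.21 action=login result=success",
    "2015-03-02T09:16:40Z hv01 vpxd: user=admin src=10.0.5.21 action=vm.snapshot vm=web-07",
    "2015-03-02T09:17:02Z hv01 vpxd: user=svc_backup src=10.0.9.3 action=login result=failure",
]

GENESIS = "0" * 64  # chain value before the first line


def _entry_hash(prev_hash: str, line: str) -> str:
    """Chain value for one line: SHA-256 over the previous value and the line."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("utf-8"))
    h.update(b"\n")
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def build_manifest(lines: List[str], source: str, collector: str) -> Dict:
    """Chain every line to its predecessor and return a manifest for the archive.

    The manifest (not the log file) is what gets written to separate,
    access-controlled media; the per-line chain lets a verifier name the
    first line at which the archive diverges from what was collected.
    """
    prev = GENESIS
    chain = []
    for line in lines:
        prev = _entry_hash(prev, line)
        chain.append(prev)
    return {
        "source": source,          # where the lines came from (e.g. a hypervisor)
        "collector": collector,    # who or what performed the collection
        "entries": len(lines),
        "chain": chain,
        "chain_head": prev,        # one value that commits to the whole archive
    }


def verify_archive(lines: List[str], manifest: Dict) -> Dict:
    """Recompute the chain over an archive and compare it with the manifest.

    Returns {"ok": bool, "reason": str, "index": int}; index is the first
    line that fails (or the length at which the archive was cut short).
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        if i >= manifest["entries"]:
            return {"ok": False, "reason": "extra lines appended", "index": i}
        prev = _entry_hash(prev, line)
        if prev != manifest["chain"][i]:
            # Covers an edited line and a deleted or reordered line alike:
            # everything after the first divergence also fails to match.
            return {"ok": False, "reason": "chain mismatch", "index": i}
    if len(lines) < manifest["entries"]:
        return {"ok": False, "reason": "archive truncated", "index": len(lines)}
    return {"ok": True, "reason": "", "index": -1}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_LOG_LINES, source="hv01 via remote syslog",
                              collector="constructed example")
    print(json.dumps({k: v for k, v in manifest.items() if k != "chain"}, indent=2))
    print("intact archive :", verify_archive(SAMPLE_LOG_LINES, manifest))
    altered = list(SAMPLE_LOG_LINES)
    altered[2] = altered[2].replace("result=failure", "result=success")
    print("altered line 3 :", verify_archive(altered, manifest))
    print("rotated away   :", verify_archive(SAMPLE_LOG_LINES[:2], manifest))
```

The last call models the rotating logging facility described later in the chapter: once the manifest exists, a rotation that discards lines shows up as a truncated archive rather than silently passing.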

2.4.6 Ensure monitoring and auditing is targeted to detect and deter major incidents

Aside from collecting data to support postincident investigations, it should be noted that monitoring plays a vital role in preventing or detecting security incidents that may be in progress. Establishing a monitoring and auditing facility such as an intrusion detection system would allow organizations to respond to and minimize the consequences of security threats and incidents [Bolt and Ficher, 2012].

Company A utilizes various monitoring tools that target parts of the IaaS infrastructure. There is hardware infrastructure monitoring that looks for errors and failures within the hardware housing the IaaS systems. There is operating system monitoring to alert on errors of the VM guest OS or threshold conditions such as disk space and CPU usage. There is also application-level monitoring for critical business applications performance. However, there is neither a monitoring and auditing mechanism to log and alert on suspicious access events nor an intrusion detection policy within the organization.

2.4.7 Specify circumstances when escalation to a full formal investigation is required

If a suspicious event is triggered or manually detected, such as a detected intrusion or failed access events, the event needs to be reviewed and a process has to be established to decide which of the detected events need to be followed up with formal investigations and escalated to management for further action. This will involve an impact assessment of the event and the cost of investigation. If it is determined that further action is required, formal investigations involving the organization’s security teams and even law enforcement agencies should be considered [Grobler et al., 2010].

Within Company A, there does not appear to be a set policy dictating the escalation of security incidents that involve IaaS data, although there are existing policies for reporting all information security-related incidents. There is no observed policy or process for escalation of security incidents, and this appears to be within the discretion of the case study organization’s security team and management on a case-by-case basis.

2.4.8 Train staff, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence

For organization personnel who may subsequently be involved with digital investigations, it is important that they are adequately trained in digital forensics and digital investigation best practices [Grobler and Louwrens, 2006; Hooper et al., 2013]. This is important in order to preserve the integrity of the evidence being used as well as to ensure compliance with the applicable laws and regulations.

Company A does not have an observed training plan for the handling of digital evidence and digital investigations. It is observed that systems administrators within the case study organization are expected to have prior knowledge to ensure the integrity of evidence during the collection process.

2.4.9 Present an evidence-based case describing the incident and its impact

This step establishes the output of digital investigations in a readily available report or case file. This case file may be referenced by law enforcement agencies for further investigations or prosecutions of individuals responsible or to ensure that similar security incidents are avoided in the future [Casey, 2011, p. 508]. Such a case file could include the facts of the incident and findings from the analysis of the digital evidence.

Within Company A, there is no observed policy on the production of case files or security incident information. There are observed incident report mechanisms that provide details on specific IT issues or incidents. However, there is no established reporting mechanism for digital investigations within the case study organization.

2.4.10 Ensure legal review to facilitate action in response to the incident

During a digital investigation, it is important to obtain legal advice to ensure that the evidence collection process is forensically and legally sound and whether sufficient evidence has been collected to identify and prosecute the offenders. The legal team may also assist with assessing whether the cost of the investigation and prosecution is too high.

Within Company A, incidents involving other parts of the IT infrastructure [including IaaS service] require management review that may include legal advice. However, there is no formal process to seek legal review of security incidents and legal advice is sought on an as-needed basis.

2.4.11 Summary of observations

Our observations of Company A’s forensic readiness are summarized in Table 3.

Table 3. Forensic Readiness Summary

| Forensic Readiness Step | IaaS Implemented |
|---|---|
| Define business scenarios for evidence gathering | Partial. Logging is performed largely to support operational activities with no specific business scenarios in mind |
| Identify available sources | Partial. There are well-established sources for digital evidence, but these are utilized primarily for support operations and not digital investigations |
| Determine evidence collection requirement | Partial. Although audit logs and similar information are used and collected, there is no evidence requirement |
| Establish evidence handling capability | Partial. Some log data is collected remotely, but there is no observed capability and training to ensure forensically sound evidence collection |
| Storage of potential evidence | Yes. System logging is available to be stored on secure media |
| Monitoring policies | Partial. No monitoring for intrusions or anomalous network behavior |
| Escalation processes | Partial. There is no observed escalation process and escalation is undertaken on a case-by-case basis |
| Training for staff | No. There is no digital forensic or digital investigation training for staff |
| Evidence-based case | No |
| Legal review | Partial. Although not documented in policies, legal assistance and advice are sought on a case-by-case basis |

In the first instance, there is no documented scenario for incidents that would require a digital forensic investigation. In some cases where digital evidence is required from the IaaS infrastructure, it is to support technical troubleshooting or application issues rather than supporting investigations of criminal or malicious activity. Possible criminal or illegal scenarios have not been documented and made available to the IaaS support staff such that there is minimal comprehension of what risks to the IaaS infrastructure should be considered critical enough to warrant active management of possible evidentiary data.

Although the IaaS systems administrators are knowledgeable and maintain an understanding of all the possible sources of evidence within the IaaS infrastructure, there is no prioritization of which sources should be considered critical for evidence gathering purposes. This is a function of not understanding the scenarios required for possible investigation; therefore, only default configurations for logging have been enabled within the IaaS infrastructure which includes the hypervisor systems [VMware], the hardware elements [Blade servers and Blade enclosures], and SAN systems.

Because of the lack of requirements for gathering data from these sources of evidence, there is no established policy for gathering this data. Despite Company A’s capability for secure evidence collection and storage, without any guiding policies there is no proactive storage and collection of possible evidentiary data. Within the case study organization, backup and restore policies are in effect to store certain aspects of this data, but not all logs emanating from the hypervisors and IaaS infrastructure are saved for long-term retention, and a rotating logging facility is in effect for many of these IaaS infrastructure logs.

Despite availability of monitoring for the IaaS infrastructure and associated services, there is no targeted monitoring for potential suspicious activity. Company A does not have production intrusion detection systems that could assist with identifying possible security breaches or provide automated monitoring of suspect activity. Most security incidents are reported manually through a security incident reporting process. Company A has extensive monitoring tools and capabilities from built-in IaaS-based monitoring and alerting to third-party element monitoring applications. If scenarios that require digital evidence can be established, then these monitoring tools can be configured appropriately to monitor these scenarios.

There is no specific training for IaaS personnel to prepare them for working with digital evidence and forensic investigations. This stems from the nonavailability of digital forensic requirements and, therefore, there is a lack of clarification of the roles and responsibilities of Company A’s employees during a digital forensic investigation. If evidence collection requirements are defined as part of the forensic readiness process, then it is expected that IaaS personnel should be trained for their roles within this process.


URL: //www.sciencedirect.com/science/article/pii/B9780128015957000185

Integrating digital forensic practices in cloud incident handling

Nurul Hidayah Ab Rahman, Kim-Kwang Raymond Choo, in The Cloud Security Ecosystem, 2015

3 Cloud incident handling model: a snapshot

In our design of the proposed model [see Figure 2], we draw upon principles and practices from incident handling and digital forensics. The proposed model consists of six phases, namely, Preparation [integrated with forensic readiness principles], Identification, Assessment [integrated with forensic collection and analysis practices], Action and Monitoring, Recovery, and Evaluation [integrated with forensic presentation practices]. This model is an extension of our recently published conceptual Cloud Incident Handling Model in Rahman and Choo [2015]. The earlier work discussed the model in four major phases, namely, preparation, detection and analysis, incident response, and postincident, as well as the involved costs at each phase. In this study, the Detection and Analysis and the Incident Response phases are expanded to include Identification and Assessment, and Action and Monitoring, and Recovery, respectively.

Figure 2. Our proposed cloud incident handling model.

Preparation phase integrates forensic readiness requirements. The phase has a proactive element such as understanding and preparing the necessary tools or resources required to protect and secure a cloud’s systems or networks. Activities associated with forensic readiness include the identification of potential sources of evidential data [e.g., log files, network traffic records, CSU devices, off-site data centers, continually tracking authentication] in a cloud environment [e.g., CSPs, internet service providers, and third parties] and deciding where identified potential evidence sources should be stored.

Identification phase begins immediately after an incident or vulnerability is detected and reported, either by human [cloud users or CSP’s personnel] or automated tool. Unlike Preparation, this phase consists of reactive incident handling strategies.

In the Assessment phase, information from the received reports will be assessed to determine if the incident is a false alarm, and the potential impact[s] to the cloud’s core services and assets. If it is determined to be a false alarm, the process will be terminated. The integrated conceptual cloud forensic framework from Martini and Choo [2013] is implemented to enable forensic investigations. Forensic examiners will undertake the evidence collection process from the potential sources identified in the Preparation phase. Once the evidence has been preserved and collected, the forensic analysis process will then commence.

Action and monitoring phase involves the execution and monitoring of the appropriate response strategy in an effective and timely manner as determined in the incident escalation strategy. It is important to note that the response strategy [i.e., action] may vary between incidents and incidents assigned to different priority levels.

Recovery phase involves the restoration of system operation back to normal at both logical and physical levels. Evaluation phase involves a formal evaluation [e.g., postmortem meeting] where issues such as the nature of the incidents, a review of what had occurred, the intervention techniques, and the [in]effectiveness and lessons learnt are examined.


URL: //www.sciencedirect.com/science/article/pii/B9780128015957000173

Domain 7: Security Operations [e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery]

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide [Third Edition], 2016

Embedded Device Forensics

One of the greatest challenges facing the field of digital forensics is the proliferation of consumer-grade electronic hardware and embedded devices. While forensic investigators have had decades to understand and develop tools and techniques to analyze magnetic disks, newer technologies such as Solid State Drives [SSDs] lack both forensic understanding and forensic tools capable of analysis.

Vassilakopoulos Xenofon discussed this challenge in his paper GPS Forensics, A systemic approach for GPS evidence acquisition through forensics readiness: “The field of digital forensics has long been centered on traditional media like hard drive. Being the most common digital storage device in distribution it is easy to see how they have become a primary point of evidence. However, as technology brings digital storage to be more and more of larger storage capacity, forensic examiners have needed to prepare for a change in what types of devices hold a digital fingerprint. Cell phones, GPS receiver and PDA [Personal Digital Assistant] devices are so common that they have become standard in today’s digital examinations. These small devices carry a large burden for the forensic examiner, with different handling rules from scene to lab and with the type of data being as diverse as the suspects they come from. Handheld devices are rooted in their own operating systems, file systems, file formats, and methods of communication. Dealing with this creates unique problems for examiners.” [3]


URL: //www.sciencedirect.com/science/article/pii/B9780128024379000084

Determine Collection Requirements

Jason Sachowski, in Implementing Digital Forensic Readiness, 2016

Precollection Questions

Deciding on what the organization’s requirements are for proactively gathering digital evidence requires some preliminary activities to be completed before work can begin on creating an overall statement describing exactly what these requirements are. The moderating factor in producing a requirements statement is the need to complete a cost–benefit analysis [CBA].

Similar to how a CBA is used to determine if implementing a digital forensic readiness program is valuable to an organization, as discussed in chapter “Understanding Forensic Readiness,” this time around it is used to help organizations determine factors such as how much it will cost to gather the digital evidence and what benefit there is in collecting it. To determine if creating a requirements statement is beneficial, organizations have to answer several questions that focus on whether it can be done in a cost-effective manner.

Question #1: Can a forensic investigation proceed at a cost in comparison to the cost of an incident?

To get an accurate comparison, organizations have to factor in all monetary aspects associated with conducting an investigation in reaction to an incident against the resulting impact of an incident. As a starting point, organizations can pull cost elements from their service catalog, discussed further in Appendix D: Service Catalog, to understand how administrative, technical, and physical security controls contribute to conducting a forensic investigation. Examples of cost elements that organizations must consider including as part of this comparison are ongoing maintenance of governance documentation [ie, standard operating procedures [SOP]]; resource allocation to facilitate both the incident management and continuous improvement activities; and the operational cost for all tools and technologies used to manage the business risk. With this initial analysis complete, a secondary comparison must be completed including all monetary aspects, tangible and intangible, associated with conducting an investigation having proactively gathered digital evidence against the resulting impact of an incident. Using results from the two comparative analyses, organizations can determine the quantitative benefits of creating a requirements statement.

Question #2: Can the digital evidence be gathered without interfering with business functions and operations?

When conducted in reaction to an event, forensic investigations can require that organizations temporarily assign several support resources to assist in the gathering of digital evidence. In some instances, the organization might realize that their ability to effectively and efficiently gather digital evidence in reaction to an incident is challenged by some type of roadblock [ie, restoration time delay]. Where potential digital evidence can be proactively gathered, organizations can benefit from having digital evidence readily available when needed and not having to re-allocate resources away from their day-to-day business operations to assist. This improvement in operational efficiencies can reduce the need for resources to be temporarily removed from their normal duties and avoid any lost productivity or degradation in service availability.

Question #3: Can a forensic investigation minimize the impact or interruption to business functions and operations?

The potential for an incident to result in the loss or degradation of day-to-day business operations is a realistic scenario that most organizations face. In reaction to these events, the organization’s ability to manage the incident has a direct dependency on their capability to quickly gather and process digital evidence to understand the content and context of the incident. With digital evidence already gathered and readily available, the organization can not only reduce the time needed to investigate but also conduct proactive investigations. In addition to supporting forensic investigations, the capability to perform proactive investigations in support of security control assessments or user behavior analytics can reduce the likelihood of an event resulting in impact or interruption to the business.

Question #4: Can the digital evidence make a positive impact on the likely success of any formal legal actions?

Producing digital evidence in support of legal matters requires that organizations ensure their electronically stored information [ESI] is admissible in a court of law. As discussed in chapter “Evidence Management,” the US Federal Rules of Evidence 803[6] describes that ESI is admissible as digital evidence in a court of law if it demonstrates business “records of regularly conducted activity”, such as an act, event, condition, opinion, or diagnosis. Determining the relevance and usefulness of ESI as digital evidence before creating a collection requirements statement ensures that organizations will not give way to overcollecting, resulting in unnecessary downstream processing and review expenses.

Question #5: Can the digital evidence be gathered in a manner that does not breach the compliance with legal or regulatory requirements?

Laws and regulations can be imposed on organizations depending on several factors such as the industry they operate within [ie, financial] or the countries in which they conduct business [ie, the United States, India, Great Britain]. Organizations must have a good understanding of how these governing laws and regulations influence the way they conduct their business operations. To provide reasonable assurance there is adherence to these requirements, organizations may need to produce digital evidence of controls that demonstrate they are practicing a reasonable level of due care. Consideration must be given to how background and foreground digital evidence, as discussed in chapter “Identify Potential Data Sources,” will be proactively gathered and preserved in accordance with the compliance requirements.

Assessing the quantitative and qualitative implications of creating a collection requirements statement in advance helps organizations to determine if proactively gathering digital evidence will reduce investigative costs, such as selecting storage options, purchasing technologies, and developing SOPs. Appendix E: Cost-Benefit Analysis, further discusses how to perform a CBA in support of producing the digital evidence collection requirements statement.


URL: //www.sciencedirect.com/science/article/pii/B9780128044544000071

Management of Forensics Evidence Handling

Leighton R. Johnson III, in Computer Incident Response and Forensics Team Management, 2014

eDiscovery

eDiscovery is a term that is sometimes used interchangeably with the terms computer forensics or digital forensics; however, to use them interchangeably is inaccurate. eDiscovery, short for electronic discovery, is the term used to refer to any type of electronic evidence produced during the course of civil litigation. In essence, the difference between eDiscovery and computer forensics is a question of order, and in its most fundamental sense, the distinguishing characteristic is volume. Typically, large eDiscovery projects involve the reconstruction of massive quantities of documents, e-mails, and other information from systems, servers, and backup media into large databases and searchable formats. These items are then reviewed by legal document review experts who will decide whether or not the information is relevant to the case. Software developers continue to produce programs that are capable of organizing and managing these massive discovery projects to make review more efficient and simple. These programs can cost thousands of dollars to purchase.

The term is used particularly in this manner because it is more a legal term of art than a scientific term. Further, there is a plethora of case law surrounding the large-scale and typically expensive litigation costs of producing eDiscovery projects. Forensic examiners assist in the process of eDiscovery by determining locations where evidence relevant to the civil litigation may exist, copying it, and producing it to litigators in some type of understandable form. Oftentimes there is contentious debate about the scope of what a party in litigation is or is not entitled to from the other party. Rules 26 and 34 of the FRCP now deal with ESI. Private computer forensic practitioners, boutique firms, and the big five forensic consulting agencies all deal extensively with eDiscovery in civil litigation.

In US law, discovery is the pretrial phase in a lawsuit in which each party, through the rules of civil procedure, can obtain evidence from the opposing party by means of discovery devices including requests for answers to interrogatories, requests for production of documents, requests for admissions, and depositions. Discovery can be obtained from nonparties using subpoenas. eDiscovery is concerned with the identification, preservation, collection, processing, review, and production of electronic documents that exist across a system or corporate network. The term eDiscovery was initially a US term; in the United Kingdom this process is known as Disclosure.

In the discovery process, data are identified as potentially relevant by attorneys and placed on legal hold. A legal hold refers to a process that an organization uses to preserve all forms of relevant information when it reasonably anticipates some type of litigation against it. It is a restriction on a record that exists as a result of current or anticipated litigation, audit, government investigation, or other such matter, and that suspends the normal disposition or processing of records. Evidence is then extracted and analyzed using digital forensic procedures, and is reviewed using a document review platform. A document review platform is useful for its ability to aggregate and search large quantities of similarly typed or formatted ESI. ESI is considered different from paper-based information because of its intangible form, volume, transience, and persistence. ESI is usually accompanied by metadata that is not found in paper documents and that can play an important part as evidence [e.g., the date and time a document was written could be useful in a copyright case]. Preserving the metadata of electronic documents creates special challenges in preventing spoliation.

The Electronic Discovery Reference Model [EDRM] diagram shown here represents a conceptual view of the eDiscovery process.

The EDRM was developed in 2005 to help create best practices and guidelines for those working in the field of eDiscovery [lawyers, eDiscovery vendors, organizations preparing for litigation, and so on], and it has become a standard way of going through the eDiscovery process and of aiding adherence to the US FRCP. The model as depicted in the figure above has nine phases, as follows:

1. Information Management

2. Identification

3. Preservation

4. Collection

5. Processing

6. Review

7. Analysis

8. Production

9. Presentation.

Information Management

The way an organization manages its data and information is crucial when the need for eDiscovery arises. A good information management policy ensures that whenever discovery becomes necessary, data and information can be readily and easily made available in a forensically sound manner without unnecessary delay. Laws pertaining to eDiscovery [like the US FRCP] require digital evidence [ESI] to be prepared and presented quickly when requested and in an acceptable manner. Good information management policies, like document retention policies and forensic readiness policies, go a long way in ensuring ESI is available in a timely and forensically sound manner.

Identification

In this phase, ESI that will be relevant to a case and its location are determined. The location could be e-mail, hard drives, backup tapes, and so on. Identification of relevant ESI begins once litigation is reasonably anticipated. Prior to discovery, the lawyers of the two parties in a case usually have a meet and confer session or scheduling conference, where they agree on what ESI would be relevant, and the methods of identifying such ESI. The location of identified ESI is assessed to determine what needs to be preserved.

Preservation

Preservation begins immediately once relevant ESI is identified. Once there is a reasonable anticipation of litigation, identified ESI has to be preserved by the organization. The duty to preserve evidence is a responsibility for which the organization may be held accountable. Employees who have relevant information in their custody [custodians] and IT departments need to be informed that their ESI has become subject to discovery; hence they have to be issued a litigation hold. The litigation hold is to ensure that custodians do not tamper with the ESI that has become relevant evidence from then on, avoiding the risk of modification or loss; the IT department is to ensure that such ESI is isolated from access by the custodians and properly safeguarded. Maintaining a proper chain of custody ensures proper documentation of how the digital evidence was collected, stored, handled, and analyzed; this can prove that ESI was properly preserved. In the AMD v. Intel case, part of Intel’s errors was a failure to properly communicate the litigation hold to employees [relevant custodians of ESI].

Collection

This phase involves acquiring ESI that has been identified and preserved. Oftentimes, preservation and collection may take place simultaneously. The ESI must be collected in a forensically sound manner, and the collection should be proportionate, efficient, and targeted. The ESI could be collected by self-collection or forensic imaging.

Self-collection of ESI involves manual copying of files and/or forwarding e-mails by information custodians, the ESI having been identified as relevant to the case at hand and notice of litigation hold having been sent to the custodians and IT department. This method is risky in that employees may intentionally or unintentionally modify ESI during the collection process.

Forensic imaging involves making bit-by-bit copies of information storage media in a bid to preserve the ESI from alteration or contamination. This can also capture deleted items; hence there might be a need to review such images to ensure privileged information is not included [in the review process].

Processing

Collected ESI needs to be processed before moving it to the review stage. Processing involves indexing, searching, and de-duplicating the collected ESI to reduce nonrelevant material, while fulfilling the requirements of the requesting party as well as the court. Some ESI may have to be extracted from container files like compressed folders [e.g., zip files]; there may also be a need to convert some files from their native format where that format is outdated and no longer in use, or where the software required to view it is not available to the requesting party and the court. The files in such cases may be converted to formats that can be easily accessed by the other party.
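The preservation and processing phases above both turn on the same mechanics: a hash manifest taken at preservation time that can later be re-verified to support the chain of custody, and content hashing of the collected items (including members extracted from zip containers) to de-duplicate them before review. The following is an added example written for this page, not code from Johnson's book or from any eDiscovery product. The sample collection it builds (two custodian folders, an e-mail present in three byte-identical copies, a zip of attachments) is constructed for illustration; SHA-256 is assumed as the hash, and only one level of archive nesting is expanded.

```python
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict

CHUNK_SIZE = 1 << 16  # hash in 64 KiB chunks so large evidence files need not fit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Preservation: record relative path, size and SHA-256 for every item under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return manifest


def verify_manifest(root, manifest):
    """Re-hash every recorded item; return the paths that are missing or no longer match."""
    failed = []
    for rel, record in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != record["sha256"]:
            failed.append(rel)
    return sorted(failed)


def expand_archives(root):
    """Processing: extract each zip next to the original (which is kept intact) so its
    members get indexed too. Member paths are checked before anything is written."""
    archives = [os.path.join(d, n) for d, _, names in os.walk(root)
                for n in names if n.lower().endswith(".zip")]
    extracted = []
    for archive in archives:
        dest = archive + ".extracted"
        with zipfile.ZipFile(archive) as zf:
            for member in zf.namelist():
                target = os.path.realpath(os.path.join(dest, member))
                if not target.startswith(os.path.realpath(dest) + os.sep):
                    raise ValueError("refusing archive member outside destination: " + member)
            zf.extractall(dest)
            extracted.extend(zf.namelist())
    return extracted


def deduplicate(manifest):
    """Group items by content hash. The first path in sorted order represents each group;
    the rest are byte-identical duplicates that need not be reviewed again."""
    groups = defaultdict(list)
    for rel in sorted(manifest):
        groups[manifest[rel]["sha256"]].append(rel)
    representatives = {h: paths[0] for h, paths in groups.items()}
    duplicates = {h: paths[1:] for h, paths in groups.items() if len(paths) > 1}
    return representatives, duplicates


def make_sample_collection():
    """Constructed sample collection (not real evidence): two custodian folders, one e-mail
    that exists in three byte-identical copies (one inside a zip), one note, one attachment."""
    root = tempfile.mkdtemp(prefix="esi_sample_")
    os.makedirs(os.path.join(root, "custodian_a"))
    os.makedirs(os.path.join(root, "custodian_b"))
    memo = b"Subject: Q3 forecast\r\n\r\nPlease review the attached numbers.\r\n"
    with open(os.path.join(root, "custodian_a", "memo.eml"), "wb") as fh:
        fh.write(memo)
    with open(os.path.join(root, "custodian_b", "memo_fwd.eml"), "wb") as fh:
        fh.write(memo)  # forwarded copy, identical bytes
    with open(os.path.join(root, "custodian_b", "notes.txt"), "wb") as fh:
        fh.write(b"call counsel about the hold notice\n")
    with zipfile.ZipFile(os.path.join(root, "custodian_a", "attachments.zip"), "w") as zf:
        zf.writestr("forecast.csv", "region,amount\nemea,120\n")
        zf.writestr("memo_copy.eml", memo)
    return root


def process_collection(root):
    """Preserve first (baseline hashes), then expand archives, index, de-duplicate, re-verify."""
    baseline = build_manifest(root)
    expand_archives(root)
    indexed = build_manifest(root)
    representatives, duplicates = deduplicate(indexed)
    return {
        "baseline": baseline,
        "indexed_items": len(indexed),
        "unique_items": len(representatives),
        "duplicates": duplicates,
        "tampered": verify_manifest(root, baseline),  # originals must still match
    }
```

Running process_collection(make_sample_collection()) on the constructed set yields 4 collected items, 6 indexed once the zip is expanded, 4 unique by content, 2 duplicates of the memo, and an empty tampered list; appending a byte to any original afterwards makes verify_manifest name that path, which is the check a custodian of the evidence would run before production.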

Review

ESI is reviewed after having been processed. The review tries to determine if there is any privileged information contained in the ESI, and to ensure the ESI is relevant and meets the necessary requirements of the case. The review can be done using a native file review or using a TIFF-/PDF-based review.

In native file review, the files are reviewed in their native [original] format, usually in read-only mode so as to prevent contamination of the ESI arising from unintentional modification. That notwithstanding, the risk of modification is not eliminated. E-mails are, however, normally converted to HTML format for native file review.

In a TIFF/PDF review, files are reviewed in an image format [like PDF or TIFF]. Here, the files are converted to or saved in such an image format to prevent alteration or contamination. The downside is that some data cannot be viewed; for example, if the native format was Excel, formulas would not be available for review; only the output would be available in the image format.

Analysis

Analysis is the next phase in the eDiscovery process, although in reality it normally takes place alongside review. The ESI is further examined to ensure it is in line with the requirements of the requesting party and the litigation as a whole. The content of the ESI is analyzed, and the review can be enhanced using tools like concept searching tools. Concept searching tools extract content from ESI by using key concepts and subject matter to examine the ESI based on the meaning of phrases and subject matter, as opposed to using keywords.

Production

This phase covers how, what, where, and when ESI is produced to an opposing party. US FRCP Rule 34[b] gives the party requesting ESI the right to determine what ESI should be produced, in what form, and when. ESI could be produced on paper, in native form, or in image form. Paper production requires printing out the ESI, which could be cumbersome and expensive [printouts could end up being stacked several meters high]. Native form production requires that the ESI be produced in its original state, while image form production requires the ESI in a duplicated form, which could be TIFF/PDF or forensic images. Image form production is easier to handle without altering the ESI and is more commonly requested.

The produced data could be delivered to the requesting party either as a final production or a rolling production. The final production involves delivery of data at once after all previous phases have been carried out. A rolling production involves delivery of the data to the requesting party in phases.

Presentation

The final stage in the eDiscovery process from the EDRM model is the presentation of ESI at a trial or in settlement negotiations. ESI has to be presented in a way that nontechnical people [lawyers, judges, and jury members usually tend not to be tech savvy] can easily comprehend and appreciate the e-evidence. The e-evidence also has to be presented in a way that is professional and convincing in a bid to prove or disprove a claim. The chain of custody may also need to be confirmed during the presentation to support the fact that the ESI is authentic and forensically sound. A presentation should look appealing, not too flashy, and should not be so technical as to lose the judge or jury.

URL: //www.sciencedirect.com/science/article/pii/B9781597499965000133

Internet of Things Forensics: A Review

Hany F. Atlam, ... Gary B. Wills, in Internet of Things, 2020

7.7 Forensic Readiness

Forensic readiness is defined by Mohay [85] as “the extent to which computer systems or computer networks record activities and data in such a manner that the records are sufficient in their extent for subsequent forensic purposes, and the records are acceptable in terms of their perceived authenticity as evidence in subsequent forensic investigations”. Forensic readiness aims to allow an organization to have the administrative, technical, and physical controls required to produce an efficient investigation. It is used to measure the ability of an organization to conduct a digital investigation in a forensically sound way. The integration of forensic readiness in IoT systems remains a challenging topic and needs more research to make IoT networks forensically ready [86].

URL: //www.sciencedirect.com/science/article/pii/S2542660520300536

A survey of information security incident handling in the cloud

Nurul Hidayah Ab Rahman, Kim-Kwang Raymond Choo, in Computers & Security, 2015

3.3.1 Preparation + forensic readiness

Activities for forensic readiness involve the identification of potential sources of evidential data [e.g. log files, network traffic records, CSU devices, off-site datacentres, continually tracking authentication] in a cloud environment [e.g. CSPs, internet service providers and third parties]. Forensic readiness measures such as having dedicated digital forensic workstations and software will improve the chances of evidence collection and minimise the cost of a forensic investigation. Potential work products in this phase include an incident handling strategy manual/handbook, a security and risk management policy, and an awareness and training programmes report.

Investment cost [IC] refers to the cost of implementing Information Security [IS] infrastructure in an organisation. It comprises three main categories, namely: people, process, and technologies. People cost includes the cost of setting up a dedicated department and employing IS personnel, process cost includes the cost of establishing IS objectives, and technology cost includes procurement cost for IS protection technology. The Return on Investment [ROI] is typically used to evaluate investment strategies by comparing investment alternatives. In a security context, Return On Security Investment [ROSI] has been studied by various researchers such as Cavusoglu et al. [2004], Kheir and Cuppens-Boulahia [2010], Chai et al. [2011], Tsalis et al. [2013], and Bojanc et al. [2012] to understand the value of IS investment. An example ROSI formula is defined in Eq. [1] [Sonnenreich et al., 2006].

[1] $\mathrm{ROSI} = \dfrac{(\text{Risk Exposure} \times \%\text{Risk mitigated}) - \mathrm{IC}}{\mathrm{IC}}$

Higher values of ROSI indicate a more efficient security investment [Böhme, 2010].
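As a worked illustration of Eq. [1] and of the comparison of investment alternatives the paragraph describes, here is an added example written for this page; it is not code from the survey or from any of the cited papers. Risk Exposure is left as an input, and the ALE = SLE × ARO decomposition used to produce the sample figure is a common convention assumed here, not something the page defines. All monetary figures and the three alternatives are constructed.

```python
def rosi(risk_exposure, risk_mitigated, investment_cost):
    """Eq. [1]: ROSI = ((Risk Exposure * %Risk mitigated) - IC) / IC.

    risk_exposure and investment_cost are money amounts in the same currency and period;
    risk_mitigated is the mitigated share as a fraction in [0, 1] (0.45 for 45%).
    The result is a ratio: 0.5 means the control returns 50% over its own cost,
    a negative value means the control costs more than the loss it removes."""
    if not 0.0 <= risk_mitigated <= 1.0:
        raise ValueError("risk_mitigated must be a fraction between 0 and 1")
    if investment_cost <= 0:
        raise ValueError("investment cost must be positive")
    return (risk_exposure * risk_mitigated - investment_cost) / investment_cost


def annual_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """One common way to express risk exposure for a year: ALE = SLE * ARO (assumed here)."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rank_alternatives(risk_exposure, alternatives):
    """Score each (name, mitigated fraction, investment cost) alternative with rosi() and
    return them best first; a higher ROSI is the more efficient investment, ties go to
    the cheaper option."""
    scored = [(name, rosi(risk_exposure, mitigated, cost), cost)
              for name, mitigated, cost in alternatives]
    return sorted(scored, key=lambda item: (-item[1], item[2]))


# Constructed figures for illustration only: a 250,000 loss expected 0.4 times a year,
# giving an annual exposure of 100,000.
SAMPLE_EXPOSURE = annual_loss_expectancy(250_000.0, 0.4)

# Constructed alternatives: (name, fraction of the exposure mitigated, investment cost).
SAMPLE_ALTERNATIVES = [
    ("dedicated forensic workstations and software", 0.30, 20_000.0),
    ("outsourced incident response retainer", 0.45, 60_000.0),
    ("full forensic readiness programme", 0.70, 90_000.0),
]


def best_alternative(risk_exposure=SAMPLE_EXPOSURE, alternatives=SAMPLE_ALTERNATIVES):
    """Name of the alternative with the highest ROSI for the given exposure."""
    return rank_alternatives(risk_exposure, alternatives)[0][0]
```

With the constructed numbers the cheapest option scores 0.5 while the two larger programmes score negative (they remove less annual loss than they cost), so the ranking is driven by the ratio of mitigated loss to cost rather than by how much risk each option mitigates in absolute terms; that is the behaviour of Eq. [1] worth keeping in mind when the %Risk mitigated estimate is itself uncertain.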

URL: //www.sciencedirect.com/science/article/pii/S0167404814001680

The complexity of internet of things forensics: A state-of-the-art review

Pantaleon Lutta, ... Benhur Bakhtiari Bastaki, in Forensic Science International: Digital Investigation, 2021

5.3 Digital forensic investigation framework for IoT [DFIF-IoT]

Proposed by [Kebande and Ray, 2016], this process model is based on a generic approach that analyses digital forensic data in the IoT setup through process concurrency. The model is presented to capture data at all three levels of IoT forensics.

Through process concurrency, the model aims to establish IoT forensic readiness and increase the rate at which the digital evidence extracted is admissible in a court of law. From the readiness point of view, this model requires considerable attention to proactive, scenario-driven activities to ensure that potential evidence is captured within the IoT setup and that extraction and preservation of the evidence are implemented in a procedure that is well defined and documented. It is through this that the evidence will be forensically sound.

The drawback of this model, however, is that it is based on a purely theoretical approach to the collection of forensic data. There is no physical experiment in its implementation and evaluation, which casts doubt on its practicality.

As an extension of DFIF-IoT, [Kebande et al., 2018] proposed an Integrated Digital Forensic Investigation Framework [IDFIF-IoT], claiming that DFIF-IoT was generic, with processes that relied on the ISO/IEC 27043 international standard, while IDFIF-IoT includes organisational policy, making it more policy oriented.

This framework is still more theoretical than practical and, as also pointed out by the authors themselves, needs more development so as to identify more critical aspects of forensics.

URL: //www.sciencedirect.com/science/article/pii/S2666281721001189

Can Type 2 hypervisors be used on laptops?

Type 2 hypervisors cannot be used on laptops.

Which type of strategy hides the most valuable data at the innermost part of the network?

Layered network defense strategy, which sets up layers of protection to hide the most valuable data at the innermost part of the network.

What are the three modes of protection in the DID strategy?

strategy. It focuses on three modes of protection: people, technology, and operations.

What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password?

Brute force. Brute force password attacks utilize a programmatic method to try all possible combinations for a password. This method is efficient for passwords that are short in string [character] length and complexity.
