Saturday, March 9, 2013

5 Key Processes in Enterprise IT Forensic

As Information Security Professionals, I'm sure many of us have been approached by management to perform IT/digital forensics.

Cases such as these are not uncommon to us: a manager suspects his employee is feeding secret company info to a competitor, a dude claims that a colleague has child pornography material on his laptop, or HR wants to pursue a case against an employee for breaching company policy. Most of the time, the suspect's laptop will just be thrown on our lap and we are expected to perform forensics and search for evidence asap.

I mentioned in my previous piece that IT forensics must not only be carried out in a forensically sound manner, it must also be done legally. What's at stake is not only winning the legal case but also our ass. In some countries such as Germany, and other EU countries in general, one cannot simply access another person's data without the owner's consent or proper approval. Performing forensics without proper clearance is a criminal offense that could invite hefty jail time.

Enough talking. So, what are the key processes for IT or digital forensics in an enterprise? If you google it, you will find a lot of useful information here and there, but the principles are roughly the same. For me, I'll just stick to these 5 key processes:

1) Approval - Before you start touching that machine, make sure that you have got all the right approvals. You may need approval from HR, Legal, Data Protection, the works council, etc. Think "Cover your ass" first.

2) Acquisition - Now you can start the acquisition of the evidence. All of it must be done in a forensically sound manner, e.g. use a write blocker. A chain of custody record must be clearly maintained.

3) Analysis - This goes without saying. Time to analyze whatever you just acquired.

4) Reporting - The final product of your forensic activities, and the one thing that management really wants from you. Prepare not only one report but two: a management report and a technical report. Remember that bosses love presentation slides.

5) Disposal - Once the report has been finalized and everyone is happy (except the suspect, maybe), you'll need to decide what to do with the evidence. Basically, you need to "dispose" of it. You can't just keep it forever under your desk, right? (Don't do this; evidence must be stored in a secure place!) Here are the options you can discuss with the Requestor:
a) Return the evidence to the Requestor
b) Securely destroy the evidence
c) Forward the evidence to another party (as requested by the Requestor)
d) Keep it in secure storage (until further notice).
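As an added example (not from the original post), here is a small Python chain of custody helper for the acquisition step: it hashes the acquired image once, at acquisition time, and every later hand-over re-hashes the image and is refused, but still logged, if the image no longer matches. The function names, the case id and the sample image are constructed for this illustration.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash an evidence image in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def custody_entry(who: str, action: str, note: str = "") -> dict:
    """One line of the chain of custody log: who did what, when (UTC)."""
    return {"who": who, "action": action, "note": note,
            "when": datetime.now(timezone.utc).isoformat()}


def start_custody(image: Path, case_id: str, examiner: str) -> dict:
    """Open the record at acquisition time. The acquisition hash is the
    reference value every later handler is checked against."""
    return {"case_id": case_id, "image": image.name,
            "acquisition_sha256": sha256_file(image),
            "entries": [custody_entry(examiner, "acquired", "write blocker in place")]}


def hand_over(record: dict, image: Path, from_who: str, to_who: str, note: str = "") -> bool:
    """Log a transfer only after re-hashing the image. A mismatch is still
    logged, so a break in the chain is visible in the record itself."""
    intact = sha256_file(image) == record["acquisition_sha256"]
    action = f"transferred {from_who} -> {to_who}" if intact else "INTEGRITY FAILURE"
    record["entries"].append(custody_entry(from_who, action, note))
    return intact


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "laptop-01.dd"
        img.write_bytes(b"CONSTRUCTED SAMPLE IMAGE\x00" * 1024)  # constructed stand-in for a disk image
        rec = start_custody(img, "CASE-EXAMPLE-001", "examiner A")
        print(hand_over(rec, img, "examiner A", "legal", "sealed bag #1"))  # True: image untouched
        img.write_bytes(b"tampered")  # simulate alteration after acquisition
        print(hand_over(rec, img, "legal", "HR"))  # False: chain broken, and logged as such
```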
