Enterprise Forensics

Companies do not often consider the eventuality that they will need to conduct a digital investigation until they are victims of a significant incident; intervening only at this point may not, however, be compatible with the need to act rapidly and also lead to the risk of much useful information no longer being available.

For this reason, they should develop the ability to quickly gather and monitor forensic information on all company systems, validating the information gathered in advance in order to use it both during the Incident Response phase and during any legal proceedings.

This can be done through Digital Forensics, the branch of forensic science which is responsible for preserving, identifying and investigating information found on digital devices.

What is Digital Forensics? And how useful is it in defending against and responding to incidents in the corporate context?

1. Identification. The purpose of this phase is to identify the available information or sources of information to understand their nature and relevance, and identify the most appropriate acquisition plan and method. The plan must take into account the fact that, while it is better to acquire too much rather than not enough, on the other it is not possible to acquire everything. Another decision to be taken in this phase is how to intervene on the systems, taking into consideration that systems which are off must never be turned on, and that for systems which are on it is better to acquire any volatile information before turning them off. It is then established whether it is also necessary to take into consideration any sources external to the system, such as logs for firewalls, IDS, authentication systems, physical access systems, and data held by third parties. All the evaluations made in this phase, as well as the evidence identified, are appropriately documented.
2. Acquisition. The purpose of this phase is the acquisition of evidence in accordance with the established plan. Where possible, physical acquisition is used (systems, hard disks and other storage media etc.), maintaining the chain of custody. When performing physical acquisition a copy is also made, which is what will be worked on during the analysis phase. The copies must be identical to the original (integrity, not repudiable), and are made using forensic Linux distributions or write blocker hardware in order not to modify the original. All procedures are documented and implemented in accordance with known methods and technologies in order to be verifiable and usable in a process.
3. Analysis / Evaluation. The purpose of this phase is to extract useful information from the acquired evidence. The data are therefore extracted and processed in order to reconstruct information, interpret it to identify useful components, understand and correlate, refine the research and draw conclusions. This is the most demanding phase of the entire process, and requires a range of different expertise which is constantly evolving. The analysis is performed in an objective manner, avoiding prejudice or rushed conclusions.
4. Presentation. In this phase, the results are presented in a form which is clearly understandable even to those who do not have in-depth IT expertise, but also to any external or internal technical consultants.