Ten practices to promote forensic readiness

24th July 2018

Forensic readiness (FR) is a useful concept that is encountered a great deal in public sector information security, but not so much in the private sector. I’ve enjoyed working with FR policies, and you can too, with the right preparation and direction of travel.

FR is defined by NCSC as follows:

“Forensic readiness is the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse Digital Evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or in a court of law” (NCSC)

In today’s environment of high-profile cyber-attacks and data breaches, good FR can make a significant difference to an organisation’s ability to respond effectively. Implementing good FR can lower costs, reduce reputational damage and strengthen any resulting prosecutions.

Without further ado, here are ten practices that can help embed good FR:

  1. Get board level backing for an FR policy. This can go hand-in-hand with board ownership of INFOSEC.
  2. Have a good process in place to access the required forensic expertise when needed. Even large organisations struggle to maintain an expensive and infrequently-used forensics lab, so you’ll almost certainly want to use a third party supplier.
  3. Put in place measures, processes and mandates (including QA) to embed FR throughout the organisation. Have a range of forensic tools available, such as EnCase and/or FTK. Measure their effectiveness. Use continuous improvement. FR is not exclusively the remit of IT; its practices cut right across the organisation’s functional structure.
  4. Adopt NPCC guidance on how to capture forensic evidence: captured data must not be changed, investigators must be competent, audit trails must be maintained, a case officer must be in charge of activities, and so on.
  5. Implement a chain of custody to document who has handled each item of evidence and when. If you don’t follow this simple and obvious practice, you could undermine your claim for damages or a criminal prosecution.
  6. Put all FR assets under access control. This includes, for example, door access control systems for forensic facilities, secure storage containers, CCTV, and so on.
  7. Use your risk assessment process to inform the design of your FR policies and framework. If you’re up against organised crime syndicates, your FR policies need to be much more rigorous than if your largest threat is a cleaner catching cables in your data centre!
  8. Conduct exercises, report regularly, audit, and have a network of FR “first responders”.
  9. Handle incidents carefully: have a defined process for them and a function that owns incident management, and ensure that it links into FR.
  10. Get external consultants to review your FR policies and practices and adopt their recommendations. Very few organisations have enough in-house expertise to address all of the pitfalls, so get some outside expertise in to achieve perfection.
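Practices 4 and 5 above (do not change captured data; record who handles evidence) come together in a chain-of-custody record, illustrated here with an added Python example that is not part of the original post. Each handover records who took custody and the hash observed at that point, so any change to an item is pinned to a specific handler; the case reference, handler names and the bytes standing in for a disk image are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Integrity hash taken at acquisition and at every subsequent handover."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str      # UTC, ISO 8601
    handler: str        # who took custody of the item
    action: str         # acquired / transferred / examined / returned
    observed_hash: str  # hash of the item as received by this handler


@dataclass
class EvidenceItem:
    case_ref: str
    description: str
    acquisition_hash: str               # reference hash fixed at acquisition
    custody_log: list = field(default_factory=list)

    @classmethod
    def acquire(cls, case_ref, description, data, handler):
        item = cls(case_ref, description, sha256_hex(data))
        item.transfer(handler, "acquired", data)
        return item

    def transfer(self, handler, action, data):
        """Append a custody entry; returns True if the item is unchanged."""
        observed = sha256_hex(data)
        self.custody_log.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(), handler, action, observed))
        return observed == self.acquisition_hash

    def integrity_breaks(self):
        """Entries whose observed hash differs from the acquisition hash."""
        return [e for e in self.custody_log
                if e.observed_hash != self.acquisition_hash]


# Constructed sample: a few bytes standing in for a captured disk image,
# plus a copy with a single altered byte to show the check firing.
IMAGE = b"constructed disk image contents for demonstration\n"
TAMPERED = IMAGE.replace(b"demonstration", b"demonstratiom")


def demo():
    item = EvidenceItem.acquire("CASE-0001", "laptop image", IMAGE, "case officer")
    ok_a = item.transfer("examiner A", "transferred", IMAGE)     # unchanged
    ok_b = item.transfer("examiner B", "transferred", TAMPERED)  # altered
    return item, ok_a, ok_b
```

The `integrity_breaks()` list is what an auditor would read to see at which handover the item stopped matching its acquisition hash.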

This is the tip of the iceberg in FR, and a good FR policy will require a lot more work than the above. Implementing good FR can also support broader INFOSEC capabilities: an effective log server, for example, can improve your ability to detect performance issues as well as provide a forensically “better” source of event indicators.