Incident Response Plan


Managing Investigations in the Organization

When—not if—an organization finds itself having to deal with a suspected policy or law violation, it must appoint an individual to investigate it. How the internal investigation proceeds will dictate whether the organization is able to take action against the perpetrator if evidence is found that substantiates the charge. To protect the organization, and possibly to assist law enforcement in conducting an investigation, the investigator (whether the CISO, InfoSec manager, or another appointed individual) must document what happened and how. The investigation of what happened and how is called digital forensics.

Digital forensics is based on the field of traditional forensics, the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental. It also allows them to determine how the event happened by examining activities, individual actions, physical evidence, and testimony related to the event. What it may never do is figure out the why.

Digital forensics, the investigation involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis, applies traditional forensics methodologies to the digital arena. It focuses on information stored in an electronic format on any one of a number of electronic devices, ranging from computers to mobile phones to portable media. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science. This means the natural curiosity and personal skill of the investigator play a key role in discovering potential evidentiary material (EM), also known as items of potential evidentiary value: any information that could potentially support the organization’s legal or policy-based case against a suspect. An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.
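The preservation and documentation steps named above are the ones most often challenged later, because an item that cannot be shown to be unchanged since collection is unlikely to be admitted. The following script is an added example, not code from the textbook: it hashes each collected item at acquisition, writes the hash and handling details to a chain-of-custody log, and re-hashes the item on demand so any alteration after collection is detected and recorded. The case identifier, examiner name and evidence file are constructed for the demonstration.

```python
"""Evidence preservation and documentation helper (added example, not from the
textbook). Every collected item is hashed when acquired, the hash and handling
details go into a chain-of-custody log, and the hash is re-checked later so any
alteration of the item is detectable. Case id, examiner and file are constructed."""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which item, when, and its hash."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def acquire(self, path, examiner, description):
        """Record an item at the moment of collection and return the entry."""
        entry = {
            "case_id": self.case_id,
            "item": os.path.basename(path),
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_of_file(path),
            "action": "acquired",
            "examiner": examiner,
            "description": description,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def verify(self, path, examiner):
        """Re-hash the item and compare with the hash recorded at acquisition.
        Returns True if unchanged; the outcome is logged either way."""
        name = os.path.basename(path)
        original = next(e for e in self.entries
                        if e["item"] == name and e["action"] == "acquired")
        current = sha256_of_file(path)
        intact = current == original["sha256"]
        self.entries.append({
            "case_id": self.case_id,
            "item": name,
            "sha256": current,
            "action": "verified" if intact else "INTEGRITY_FAILURE",
            "examiner": examiner,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        })
        return intact

    def to_json(self):
        """Serialize the log for inclusion in the investigation record."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire a constructed evidence file, verify it, alter it, verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "mailbox_export.pst")  # constructed item
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence content\n" * 1000)

    log = CustodyLog(case_id="CASE-EXAMPLE-001")  # constructed case id
    log.acquire(evidence, examiner="J. Examiner",
                description="Mailbox export collected from workstation")
    first = log.verify(evidence, examiner="J. Examiner")  # unchanged: True

    # Simulate alteration after acquisition (e.g. file opened and re-saved)
    with open(evidence, "ab") as f:
        f.write(b"x")
    second = log.verify(evidence, examiner="J. Examiner")  # altered: False

    return first, second, log


if __name__ == "__main__":
    _, _, custody = demo()
    print(custody.to_json())
```

In practice the acquisition entry is written before the item is examined, and the log itself is stored separately from the evidence (and ideally signed) so that a change to either one is visible. The same `verify` call is repeated whenever the item changes hands, giving each transfer its own logged entry.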

Related to the field of digital forensics is e-discovery, the identification and preservation of evidentiary material related to a specific legal action. Digital forensics and e-discovery are related in that digital forensics tools and methods may be deployed to conduct e-discovery or to extract information identified during e-discovery; however, e-discovery may simply focus on extensive e-mail and database searches to identify information related to specific key terms. Digital forensics used after litigation has begun falls under the umbrella of e-discovery. Digital forensics used prior to the initiation of legal proceedings falls under the umbrella of incident response (IR).

Based on this premise, digital forensics can be used for two key purposes:

  • To Investigate Allegations of Digital Malfeasance—Digital malfeasance is a crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime. Investigating it is similar to e-discovery, as both are conducted after legal proceedings have begun.

  • To Perform Root Cause Analysis—If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was. Performing root cause analysis is directly related to IR. The IR team will use root cause analysis when examining its equipment after an incident.

Some investigations can be undertaken by organizational personnel, while others require immediate involvement of law enforcement. In general, whenever investigators discover evidence of the commission of a crime, they should immediately notify management and recommend contacting law enforcement. Failure to do so could result in unfavorable action against the investigator or organization.
