Are you ready? Forensically speaking… On digital forensic readiness

Organizations, governments and individuals should be ready for cyber-attacks: ready not only in the sense of prevention through increased security, but also ready in case an attack is successful.

The recent hack of Sony Pictures shows that cyberspace is a dangerous place. It is therefore wise for organizations, governments and individuals to be ready for cyber-attacks: ready not only in the sense of prevention through increased security, but also ready in case an attack succeeds.

When a possible incident or crime has been detected, the subsequent forensic investigation is, as in physical space, costly. Investigations are time-consuming, require specialist investigators and tools, and sometimes even international travel and cooperation. Furthermore, the likelihood of catching the criminals or of a successful prosecution depends very much on the information - read: evidence - available on the attacked system or network.

Since the early 2000s, security specialists and researchers have therefore advised that digital forensic readiness should be an important part of the security processes within organizations. Digital forensic readiness is an organization's capability to maximize its environment's ability to collect credible digital evidence and to minimize the cost of forensic investigation during incident response. Much work has already been done to formulate frameworks and standards, but new challenges arise from the expanding use of cloud services and virtualization.

Being digitally forensic ready means quicker recovery, improved business continuity and compliance, and an improved success rate in legal actions, because the collected evidence is readily available. As a side effect it provides a tool to fight insider threats, deters employees from non-compliance with company rules, and supplies evidence for employee disciplinary hearings.

These positive effects come at a price: policies have to be updated, awareness training given to all employees, and investments made in hardware and software, sometimes in re-developing the organization's infrastructure, in secure storage for potential evidence, in in-house digital forensic capabilities, and in enhanced capabilities for systematic evidence gathering and retrieval. Numerous organizations have implemented digital forensic readiness in their security and risk management procedures, so for them the business case was apparently positive. In practice, many organizations and individuals have not done so yet. Has your organization, or have you personally, already made the business case? Are you ready?

1 Comment

Antonis M.

Hi Andre,

Excellent and very informative blog, indeed :) I assume that the rhetorical question can only be assessed by applying quantitative frameworks to each organisation to see whether they are forensically ready or not. In both the information security and digital forensics fields certain metrics (such as a cost-benefit analysis) could be applied; however, in real life, (tangible) data are highly sought after and rather expensive. Are multinational corporations ready to invest in forensic plans since they cannot foresee the benefits they'll get?

With best wishes!