Once you have completed a risk assessment of all your business operations, you can proceed to the second step of the forensic readiness plan: identifying all types and sources of digital evidence in your organization.
The first thing to do is to analyze all your organizational processes, identify the sources of potential evidence, and note how the generated evidence is stored and handled. Brief notes on storage and handling are sufficient at this stage, because the following steps dive deeper into that matter.
Like every organization, yours probably has many possible sources of digital evidence across its business operations. The aim of this step is therefore to identify them all across the organization (all systems and applications) and start defining the scope.
While this may sound overwhelming, here are some essential questions defined by IJDE that can kick off your process:
- Where is data generated?
- What format is it in?
- For how long is it stored?
- How is it currently controlled, secured, and managed?
- Who has access to the data?
- How much is produced?
- Is it archived? If so, where and for how long?
- How much is reviewed?
- What additional evidence sources could be enabled?
- Who is responsible for this data?
- Who is the formal owner of the data?
- How could it be made available for an investigation?
- To what business processes does it relate?
Digital evidence can be any sort of digital file from an electronic source. This includes email, text messages, instant messages, files and documents extracted from hard drives, electronic financial transactions, audio files, and video files.
Below you can find possible sources of digital evidence identified by IJDE:
- Equipment such as routers, firewalls, servers, client devices, portable devices, and embedded devices;
- Application software, such as accounting packages for evidence of fraud, ERP packages for employee records and activities (e.g. in case of identity theft), system and management files;
- Monitoring software such as Intrusion Detection Software, packet sniffers, keyboard loggers, and content checkers;
- General logs, such as access logs, printer logs, web traffic, internal network logs, Internet traffic, database transactions, and commercial transactions;
- Other sources, such as CCTV, door access records, phone logs, PABX data, telco records, and network records, call center logs or monitored phone calls, and recorded messages;
- Back-ups and archives, for example of laptops and desktops.
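The IJDE questions above and the source categories just listed are, in practice, the columns of an evidence-source register. The following Python example (added here, not part of the original post or of IJDE's material) shows one way to keep that register machine-readable and to flag entries where an inventory question is still unanswered or the answer is weak, for example a source with no formal owner or a retention period too short to be useful in an investigation. The record layout, the gap rules and the `MIN_RETENTION_DAYS` threshold are assumptions for illustration; the real minimum retention comes from your own risk assessment in step one, and the sample register entries are constructed, not real systems.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical register record (added example): one entry per evidence
# source, with a field for each of the IJDE inventory questions.
@dataclass
class EvidenceSource:
    name: str
    category: str                      # equipment, application, monitoring, logs, other, backup
    generated_at: str                  # where the data is generated
    data_format: str                   # what format it is in
    retention_days: Optional[int]      # how long it is stored (None = not defined / unknown)
    archived: bool                     # is it archived?
    archive_retention_days: Optional[int]
    controls: str                      # how it is controlled, secured and managed
    access: list[str]                  # who has access
    owner: Optional[str]               # formal owner of the data
    responsible: Optional[str]         # who is responsible for it day to day
    reviewed: bool                     # is any of it actually reviewed?
    business_processes: list[str]      # which business processes it relates to
    collection_path: Optional[str]     # how it could be made available for an investigation

# Assumed minimum for this example; the real figure is set by the risk assessment.
MIN_RETENTION_DAYS = 90


def readiness_gaps(src: EvidenceSource) -> list[str]:
    """Return the unanswered or weak points in one register entry."""
    gaps: list[str] = []
    if src.owner is None:
        gaps.append("no formal owner")
    if src.responsible is None:
        gaps.append("nobody responsible for the data")
    # Effective retention is the longer of live storage and archive, if archived.
    effective = src.retention_days or 0
    if src.archived and src.archive_retention_days:
        effective = max(effective, src.archive_retention_days)
    if src.retention_days is None:
        gaps.append("retention period unknown")
    elif effective < MIN_RETENTION_DAYS:
        gaps.append(f"retention {effective}d below minimum {MIN_RETENTION_DAYS}d")
    if not src.access:
        gaps.append("access to the data not documented")
    if src.collection_path is None:
        gaps.append("no defined way to make it available for an investigation")
    if not src.business_processes:
        gaps.append("not mapped to any business process")
    return gaps


def inventory_report(sources: list[EvidenceSource]) -> dict[str, list[str]]:
    """Map each source name to its list of gaps (empty list = ready)."""
    return {s.name: readiness_gaps(s) for s in sources}


def ready_sources(sources: list[EvidenceSource]) -> list[str]:
    """Names of sources with every inventory question answered acceptably."""
    return [name for name, gaps in inventory_report(sources).items() if not gaps]


# Constructed sample register, one entry from three of the IJDE source categories.
SAMPLE_REGISTER = [
    EvidenceSource("Perimeter firewall logs", "equipment", "firewall cluster syslog",
                   "syslog", 30, True, 365, "forwarded to SIEM, read-only",
                   ["SOC"], "Head of IT", "SOC lead", True, ["internet access"],
                   "SIEM export"),
    EvidenceSource("ERP audit trail", "application", "ERP database audit tables",
                   "database rows", None, False, None, "vendor RBAC",
                   ["ERP admins"], "CFO", None, False,
                   ["payroll", "accounts payable"], "vendor export tool"),
    EvidenceSource("CCTV recordings", "other", "recorder in server room",
                   "proprietary video", 14, False, None, "physical access only",
                   [], None, "Facilities", False, [], None),
]

if __name__ == "__main__":
    for name, gaps in inventory_report(SAMPLE_REGISTER).items():
        print(f"{name}: {'ready' if not gaps else '; '.join(gaps)}")
```

Running the block prints one line per source; the firewall logs come out as ready, while the ERP audit trail and the CCTV recordings list the questions still to be answered before they can be relied on as evidence.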
So far, you have defined the potential risks and vulnerabilities in your business processes, so you understand where digital evidence may be required and may benefit the organization. With this step, you have identified all types and sources of digital evidence across your organization, and you are now ready to define the requirements for collecting that evidence, which is the third step of the forensic readiness plan and the subject of the next post in this series.
If you didn’t read about the first step, here is the link.