Digital Forensics Readiness Flashcards
Why is Digital Forensics readiness important?
An unprepared organization runs considerable risks of ruining evidence before the investigation begins. An example would be an organization where there are no standard practices in place to ensure that evidence is gathered during incident response. Once the incident is handled, the users go back to using the system as normal, leading to loss of evidence integrity.
What are the two main goals of Digital Forensic readiness?
The main objectives for forensic readiness are:
- Maximizing the usefulness of the incident evidence data
- Minimizing the cost of forensics during an investigation
How may incident response and digital forensics have conflicting interests? How can this be addressed using forensic readiness?
The main purpose of incident response is to resolve unwanted situations inhibiting normal operations. The longer it takes to resolve an incident, the more severe the consequences (financial loss due to downtime, angry customers, etc.). Resolving incidents as rapidly as possible will, however, leave no time for essential forensic procedures, e.g., disk and main memory imaging. The identification and collection of evidence must be conducted before the systems are tampered with (i.e., before the incident is resolved).
The time required to collect the necessary evidence can be significantly reduced if the organization has clearly defined procedures detailing how it might be done in an efficient manner.
What are some important standards for forensic readiness?
ISO/IEC 27037 and ISO/IEC 17025
NIST SP 800-86
What are the primary objectives of LEA DF Readiness?
Law Enforcement Agency (LEA) digital forensics readiness is primarily concerned with:
- Finding the evidence in a forensically sound manner.
- Prioritizing the evidence that is the most time critical (evidence that will vanish within a short period of time).
What are the primary objectives for Enterprise DF Readiness?
This is primarily designed for businesses. The main objectives are:
- Restoring business operations as quickly as possible while complying with the law.
- Preserving evidence, which is important, but less so than restoring operations.