What issues are enterprises facing that require digital forensics?
• In-depth technical issues within the IT environment
  • Complex attack / virus analysis
  • Packet analysis
  • Complex environment investigation coordination (VMware)
• Separation of duties / transparency issues with IT staff
  • Integrity and auditability issues from regulators and common due diligence requirements
• System Audit Functionality verification
  • Audit System Investigation / Recovery
• Ensure systems are preserved for forensic investigation*
  • Banking Standards
  • NIST Standards
  • PCI
  • US State Laws
• Legal issues such as eDiscovery
  • Prepare, Preserve & Produce electronically stored information
• Privacy issues from legislation, regulation and clients
  • “DNA Forensics” – Identification for good & evil
• Records Management issues
  • Historical Data Retrieval
  • Data reconstruction
• Human Resources issues / employee investigations
  • Inappropriate Use
  • Harassment / Workplace Safety
  • Loss management issues / evidence verification
  • Theft / Fraud investigation support
  • Sabotage
What is an Enterprise Forensics Response Service?
• Enables business owners to actively enforce corporate policy and protect and preserve digital assets through the use of forensic methods.
• Handles investigation requests from many different parts of the organization
  • IT (Network / Applications)
  • Internal Audit / Compliance
  • Legal
  • Privacy
  • Records Management
  • Human Resources / Employee Managers
  • Loss Management / Physical Security
• An Enterprise Architectural Perspective of an EDF Service (Overview)
  • Conceptual linkages to the business & information security strategy
  • Logical service definition, examples of peer services
  • Physical mechanisms that make up the EDF service
  • Examples of components that the EDF service utilizes
What does the presentation cover?
• Identification & definition of required forensic services
• Review of common service mechanisms and components
• Considerations for implementation & service management in the enterprise
2. Building an Enterprise Forensic Response Service
What issues are enterprises facing that require digital forensics?
• In-depth technical issues within the IT environment
  • Complex attack/virus analysis
  • Packet analysis
  • Complex environment investigation coordination (VMware)
• Separation of duties/transparency issues with IT staff
  • Integrity and auditability issues from regulators and common due diligence requirements
• System Audit Functionality verification
  • Audit System Investigation/Recovery
3. Building an Enterprise Forensic Response Service
What issues are enterprises facing that require digital forensics?
• Ensure systems are preserved for forensic investigation*
  • Banking Standards
  • Enterprise Regulations (PCI, DPA, SOX)
  • NIST Standards
  • US State Laws
• Legal issues such as eDiscovery
  • Prepare, Preserve & Produce electronically stored information
• Privacy issues from legislation, regulation and clients
  • DNA Forensics: Identification for good & evil
4. Building an Enterprise Forensic Response Service
What issues are enterprises facing that require digital forensics?
• Records Management issues
  • Historical Data Retrieval
  • Data reconstruction
• Human Resources issues/employee investigations
  • Inappropriate Use
  • Harassment/Workplace Safety
  • Loss management issues/evidence verification
  • Theft/Fraud investigation support
  • Sabotage
5. Building an Enterprise Forensic Response Service
What is an Enterprise Forensics Response Service?
• Handles investigation requests from many different parts of the organization
  • IT (Network / Applications)
  • Internal Audit / Compliance
  • Legal
  • Privacy
  • Records Management
  • Human Resources / Employee Managers
  • Loss Management / Physical Security
6. Building an Enterprise Forensic Response Service
What is an Enterprise Forensics Response Service?
• Supports various investigation types and activities
  • Civil Litigation
  • Criminal Investigation
  • Internal / Corporate / HR Investigations
  • Incident Handling Support
  • Data discovery, preservation, recovery, destruction
  • Live analysis activities
7. Building an Enterprise Forensic Response Service
What is an Enterprise Forensics Response Service?
• Based on the scope of the environment, an EDF may:
  • Handle activities complementary to IT, CSIRTs and external providers
  • Support varied business units with internal / external issues
  • Support internal / external Legal entities
  • Support law enforcement / intelligence agencies
• Service goals often include:
  • Enablement of transparency & due diligence requirements
  • Facilitation & support for investigations from different internal / external entities
  • Preserving and protecting digital assets relevant to the business and business owner requirements
8. Building an Enterprise Forensic Response Service
Enterprise Forensics Response Service Overview
9. Building an Enterprise Forensic Response Service
An Enterprise Forensics Response Service Definition
• An Enterprise Forensics Service (EDF) enables business owners to actively enforce corporate policy and maintain transparency of complex processes while protecting and preserving digital assets through the use of forensic methods.
10. Building an Enterprise Forensic Response Service
What will we cover today?
• Identification of required forensic services
• Definition of service mechanisms and components
• Considerations for implementation & service management in the enterprise
12. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
1. Identify business scenarios / incidents that require digital evidence
2. Inventory potential sources and evidence types
3. Determine minimum evidence collection requirements
13. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
How do I identify business scenarios that require forensic support?
• Conduct interviews and workshops with relevant business owners and staff to determine requirements
  • Business Units
  • Constituents
  • Communications Department
  • Legal Department
  • Privacy Officer
  • Records Management
  • Marketing Department
  • Outsourced Relations
  • Physical Security / Loss Management
  • IT / Technology Departments
14. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
How do I identify business scenarios that require forensic support?
• Review common compliance risk area domains for known scenarios (OCEG GRC Capability Model)
  • Financial Assurance / Anti-Fraud
  • Employment / Labor
  • Anti-corruption
  • Information Management
  • International Dealings
  • Etc.
15. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
How do I identify business scenarios that require forensic support?
• Review previous enterprise Threat Risk Assessments
  • Security Threat & Countermeasure matrices relevant to the environment
16. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
How do I inventory potential evidence and types?
• Review identified and prioritized scenarios for transactions and the supporting processes, applications, systems and technologies
• Determine what data types are involved with relevant scenarios
17. Building an Enterprise Forensic Response Service
Identifying the business need for forensic investigations
How do I determine minimum evidence collection requirements?
• Ask legal counsel
• Review relevant regulations and legislation
• Identify business owner requirements
• Review internal investigative processes
• Discuss capabilities / capacities of the technical environment with IT
18. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
Do you have the following?
• Business needs identified and confirmed
• Basic requirements scoped by example incidents / scenarios determined by business owners
• Types of evidence and collection requirements are outlined
Now you can define the lower-level design requirements of the EDF service…
19. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
1. Determine capability & capacity requirements for an EDF service based on identified needs
  • How are incidents / scenarios escalated to the EDF service?
  • How will evidence be identified or scoped?
  • What preservation and collection requirements exist?
  • Is anything other than a court-admissible process an option?
20. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
2. Identify impacted enterprise domains and determine control requirements for the secure storage and handling of potential evidence
  • What requirements do impacted business areas have regarding information protection, disclosure and management?
  • What approvals are required before handling an incident in a particular business unit? (Legal notice, Union acknowledgements…)
21. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
3. Inspect audit record creation, logging and monitoring of applications, systems and networks for in-scope environments
  • Are applications, systems and networks monitored in such a manner that incidents / scenarios can be detected, mitigated or prevented?
  • Do enterprise security services such as a centralized SIM or Incident Handling capacity already detect or respond to any known incidents?
22. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
4. Specify the criteria for when an incident / scenario should be escalated to a forensic investigation
  • Articulate the differences between an incident and a scenario
  • Clearly identify the governance structure & authority to act
  • Determine communication and review processes for escalated incidents / scenarios
23. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
5. Specify training & awareness requirements for relevant staff
  • Make business owners aware of their accountability
  • Educate managers & custodians on their responsibilities
  • Train & certify incident handlers and forensic investigators
24. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
6. Document the investigation response to scenarios / incidents and the outcomes for the business
  • Highlight the evidence management lifecycle, mapping the actions required of accountable and responsible parties throughout the investigation
  • Detail the evidence that exists in each scenario and the required identification, preservation, collection and storage actions by role
  • Discuss potential communication and presentation outcomes and the associated decisions to be made
25. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
7. Ensure an appropriate legal review of developed procedures is conducted
  • Ensure requirements & liabilities are understood
  • Validate that accountable parties are aware of and understand their responsibilities
  • Show due diligence
26. Building an Enterprise Forensic Response Service
Define the requirements to create an EDF service
8. Determine governance changes and approvals required to finalize design, implement, maintain and improve
  • Several scenarios may never have occurred in the past and require new or unknown decisions or actions
  • Document and prioritize governance issues
  • Get buy-in from business owners; remove liability from yourself and your team when possible
27. Building an Enterprise Forensic Response Service
EDF and other security services alignment
• How does an EDF, as defined in this presentation, align to common enterprise security services like SIM/SIEM and Incident Handling/Response?
28. Building an Enterprise Forensic Response Service
EDF and other security services alignment
29. Building an Enterprise Forensic Response Service
EDF and other security services alignment
• The EDF Service should align with and support the strategic goals of the company & the IT/Security strategies
  • Use Enterprise Architecture frameworks such as SABSA to define and align the service to defined strategies
  • Document the supporting linkages the service has to corporate policy enablement and/or defined compliance documentation
31. Building an Enterprise Forensic Response Service
Digital Forensic Methodologies
• Where should I start when trying to define EDF service components?
  • Several models & best practices for digital investigations exist
  • None is accepted consistently across the world
  • The FORZA framework aligns with accepted business and IT architectures, making it easy to justify & explain
32. Building an Enterprise Forensic Response Service
Digital Forensics – FORZA Core Principles
• Reconnaissance
  • Collect, recover, decode, discover, extract, analyze and convert data kept on different media to usable evidence
• Reliability
  • Preservation of the chain of custody during the investigation
  • The chain of custody, time, integrity and the relationships with the evidence enable non-repudiation of the evidence
• Relevancy
  • Even though evidence could be admissible, the relevancy of the evidence to the investigation affects its weight and usefulness
35. Building an Enterprise Forensic Response Service
Digital Forensics – FORZA Matrix Example
Contextual Layer: Case Leader
Why (Motivation): Investigation Objectives
• What is the purpose of the investigation?
• What is the potential incident?
• What are the needs of the requester?
What (Data): Event Nature
• What is the nature of the reported event?
• IT systems are:
  • Objects of crime?
  • Subjects of crime?
  • Tools for conducting or planning a crime?
  • Symbol of computer used to intimidate or deceive?
  • IT system as major source/minor source of evidence?
• What functions have been disrupted?
How (Function): Requested Investigation
• What needs to be performed in this investigation event?
• What preliminary investigation should be performed?
• What information should be collected?
Where (Network): Initial Investigation Geography
• The geographical location of the reported event
Who (People): Initial Participants
• Who reported the case?
• Who are the suspects and victims?
• Who is the owner of the system?
• Who should be in the operation team for this case?
• What other resources are required?
When (Time): Investigation Timeline
• When event is reported
• Any other similar event reported?
• When to call for action?
36. Building an Enterprise Forensic Response Service
Digital Forensics – Using FORZA in your service
• The FORZA framework & role definitions provide an effective starting point for defining the physical mechanisms and required components of your EDF service
• Use the FORZA role matrices to validate governance and policies and to determine processes and workflows
37. Building an Enterprise Forensic Response Service
Case Management & Investigation Workflows
• Key steps in any forensic investigation workflow
  1. Evidence Collection
  2. Evidence Preservation
  3. Evidence Analysis
  4. Evidence Presentation
• What steps need to be added to make a service?
  • Request Handling / Approval Management
  • Case Management / Prioritization
  • Evidence Management over long durations / Destruction
38. Building an Enterprise Forensic Response Service
Case Management & Investigation Workflows
• Key steps in an EDF Service investigation workflow
1. Engagement Planning
2. Evidence Identification
3. Evidence Preservation
4. Evidence Collection
5. Evidence Examination
6. Evidence Analysis
7. Evidence Presentation
8. Evidence Storage
9. Evidence Destruction
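The FORZA reliability principle (chain of custody, time and integrity) applied to the workflow above, as an added Python sketch that is not from the presentation: each custody entry is hash-chained to the one before it, the item's content hash is fixed when it is identified and re-checked whenever the data is handled, and stages cannot be skipped. Case ids, actors, timestamps and the sample message are constructed.

```python
import hashlib
import json
from typing import Optional

# Lifecycle stages in the order the EDF workflow prescribes (planning, which
# precedes any individual item, is not modelled as a stage of the item).
STAGES = ["identified", "preserved", "collected", "examined", "analyzed",
          "presented", "stored", "destroyed"]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceItem:
    def __init__(self, case_id: str, label: str, data: bytes, actor: str, when: str):
        self.case_id = case_id
        self.label = label
        self.content_hash = sha256(data)  # fixed for the item's whole life
        self.stage = STAGES[0]
        self.custody: list = []  # hash-chained chain-of-custody log
        self._record(actor, self.stage, when, "sha256=" + self.content_hash)

    def _record(self, actor: str, action: str, when: str, detail: str = "") -> None:
        # Every entry commits to the previous entry's hash, so altering or
        # dropping an earlier entry breaks verification of all later ones.
        prev = self.custody[-1]["entry_hash"] if self.custody else "0" * 64
        entry = {"actor": actor, "action": action, "when": when,
                 "detail": detail, "prev": prev}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.custody.append(entry)

    def advance(self, actor: str, when: str, data: Optional[bytes] = None) -> str:
        """Move to the next stage; no skipping, and any bytes handled must match."""
        nxt = STAGES.index(self.stage) + 1
        if nxt >= len(STAGES):
            raise ValueError("lifecycle already complete")
        if data is not None and sha256(data) != self.content_hash:
            self._record(actor, "integrity_failure", when, "hash mismatch")
            raise ValueError("evidence no longer matches the preserved hash")
        self.stage = STAGES[nxt]
        self._record(actor, self.stage, when)
        return self.stage

def verify_custody(item: EvidenceItem) -> bool:
    """Recompute the chain; False means an entry was altered or removed."""
    prev = "0" * 64
    for entry in item.custody:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = sha256(json.dumps(body, sort_keys=True).encode())
        if body["prev"] != prev or expected != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def demo() -> EvidenceItem:
    # Constructed sample: a hypothetical mailbox export in a hypothetical HR case.
    sample = b"From: alice@example.test\nSubject: constructed sample message\n"
    item = EvidenceItem("HR-0001", "mailbox export", sample, "custodian", "2024-01-05T09:00Z")
    item.advance("custodian", "2024-01-05T09:30Z")            # preserved
    item.advance("investigator", "2024-01-05T10:00Z", sample)  # collected
    return item
```

A real service would also sign or externally anchor each entry's hash, since a log kept only on the investigator's workstation can be rewritten wholesale.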
40. Building an Enterprise Forensic Response Service
Key elements to define & consider
• Service Request Management
  • Ensure there is a clear understanding of service throughput, bottlenecks and dependencies in order to manage the expectations of multiple audiences
• Forensic Triage Processes
  • Ensure prioritization policies are defined early on to prevent issues or tension
• Ensure flexibility in the process
  • Workflows should be able to handle new and unknown situations or technologies in an approved and managed manner
• Complete a process optimization review
  • Minimize costs while meeting contractual requirements
42. Building an Enterprise Forensic Response Service
Forensic Laboratory Policies
Policies should ensure alignment, achievement and compliance with:
• Organizational Policies
• Regulations & Standards
• Industry Best Practices
Standards directly applicable to forensic laboratories:
• ILAC G19:2002
• ISO 17025:2005
43. Building an Enterprise Forensic Response Service
Forensic Laboratory Processes
Processes should be:
• Specific to the enterprise
• Simple to read & use
• Regularly reviewed
• Approved by accountable business (Impact) owners
45. Building an Enterprise Forensic Response Service
How do I implement these concepts to build a service?
• Identify the business need for forensic investigations
• Define the requirements to create an EDF service
• Ensure the EDF Service aligns with the strategy and goals of the business and key related services
• Define key components of the service by using example frameworks such as FORZA and Enterprise Architecture methodologies such as SABSA
• Ensure an appropriate legal review is conducted
• Confirm and maintain buy-in of business owners through good governance
• Get a budget, reset expectations and get going…
46. Building an Enterprise Forensic Response Service
How should I sell this service to the organization?
• Gain confirmation from key business owners justifying the value of the service in supporting their requirements (Audit, HR, IT, Legal…)
• Show incidents / scenarios that can be detected and responded to with an EDF capability; link to business value
• Show impact reductions that can be achieved when responding to common incidents / scenarios
• Show linkages to compliance & regulatory requirements
47. Building an Enterprise Forensic Response Service
Recommended / Referenced Resources
OCEG Capability Model “Red Book” 2.0
By: Open Compliance & Ethics Group
Pub. Date: 2009
URL: http://www.dfrws.org/2006/proceedings/4-Ieong.pdf
Enterprise Security Architecture: A Business-Driven Approach
By: John Sherwood, Andrew Clark, David Lynas
Publisher: CMP
Pub. Date: 2005
ISBN-13: 978-1578203185
FORZA – Digital forensics investigation framework that incorporate legal issues
By: Ricci S.C. Ieong*
Publisher: Science Direct
Pub. Date: 2006
URL: http://www.dfrws.org/2006/proceedings/4-Ieong.pdf
Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
By: Andrew Jones; Craig Valli
Publisher: Butterworth-Heinemann
Pub. Date: October 02, 2008
eISBN-13: 978-0-08-094953-6
48. Building an Enterprise Forensic Response Service
Questions?
Michael Legary, CSA-SCM, CISSP, CISM, CISA, CGEIT, CRISC, CSSLP, CRMP, CPP, GCIH, PCI-QSA, CEH, CCSA
Chief Innovation Officer
mlegary@seccuris.com
204-255-4490
This presentation contains reference material and direct content from multiple copyright holders. References available on request / within presentation slide notes.
Recommendations offered should not be considered complete or accurate for your specific organization's requirements. No warranty offered or implied ☺