Our Views:
Forensic Readiness
“The art of warfare teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable” – Sun Tzu (The Art of War)
This somewhat overused but salient quote highlights the reason for spending time and effort assessing and improving your forensic readiness. Becoming forensically ready or “ready to receive the enemy” allows a business to move incident response and forensics from a purely reactive to a proactive activity.
The primary goals of forensic readiness are to:
- Maximise the ability to collect evidence, and
- Minimise the cost of incident response and forensic investigation
Forensic Readiness involves the establishment of administrative, technical and physical foundations to effectively support activities in the forensic process and resolve questions such as:
- Do we have the right information, systems, process, and skills to thoroughly and efficiently investigate a cyber incident?
- Do we know where all potential evidence is?
- Do we have the systems/logs/credentials/skills to obtain the evidence?
- Do we fully understand the backup procedures and how to retrieve backup data?
- Is the information in a usable format?
- Can we trust the information? (Is it authentic/reliable/has integrity been maintained?)
- How long will evidence retrieval take?
- How much is this going to cost?
How do I start?
Conduct a thorough forensic readiness review and then embed it into your organisation’s information security policies. This document should outline:
- Applicable laws and regulatory requirements that apply to the business where the collection of digital evidence may be required.
- The available resources your organisation will use in the digital forensic process, such as roles, evidence storage facilities, and suitable workspaces.
- All assets and possible sources of digital evidence.
- Who can collect each type of evidence (who has the access, authorisation and forensic skills).
- How this evidence can be collected (processes) and what supporting technology is required.
A more advanced readiness plan could also define tailored business risk scenarios (such as business email compromise, BEC) that may require evidence collection.
One example of an advantage gained from completing forensic readiness is identifying whether current security and event log collection is sufficient. For example, enabling detailed logging on an email account can help determine exactly what information an attacker may have viewed during a compromise. This evidence is invaluable when assessing an incident’s scope and potential seriousness, but only if it exists and can be accessed and interpreted in a timely fashion. Completing the readiness process ensures you are fully aware of this capability.
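As an added illustration of the point above (not part of the bulletin), the script below scopes what a mailbox intruder read from an audit export, and shows that the scope cannot be determined at all when only login events were logged. The JSON-lines schema (ts, op, user, client_ip, items), the operation names and the sample records are constructed assumptions for this example, not any vendor's real log format.

```python
import json
from collections import defaultdict

# Constructed sample audit export (JSON lines). Schema and operation names
# are assumptions for this example. 203.0.113.10 is the owner's usual
# address; 198.51.100.7 is the constructed attacker address.
SAMPLE_LOG = """\
{"ts":"2023-03-01T08:02:11Z","op":"MailboxLogin","user":"alice@example.com","client_ip":"203.0.113.10","items":[]}
{"ts":"2023-03-01T08:05:40Z","op":"MailItemsAccessed","user":"alice@example.com","client_ip":"203.0.113.10","items":["msg-1001","msg-1002"]}
{"ts":"2023-03-01T22:14:03Z","op":"MailboxLogin","user":"alice@example.com","client_ip":"198.51.100.7","items":[]}
{"ts":"2023-03-01T22:15:22Z","op":"MailItemsAccessed","user":"alice@example.com","client_ip":"198.51.100.7","items":["msg-2001","msg-2002","msg-2003"]}
{"ts":"2023-03-01T22:19:08Z","op":"MailItemsAccessed","user":"alice@example.com","client_ip":"198.51.100.7","items":["msg-2003","msg-2004"]}
"""


def parse_records(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scope_exposure(records, trusted_ips):
    """Return {client_ip: sorted message ids} viewed from untrusted IPs.

    Returns None when the export holds no item-level access records:
    logins alone prove *that* the account was used, not *what* was read,
    which is exactly the gap a readiness review should surface before
    an incident rather than during one.
    """
    if not any(r["op"] == "MailItemsAccessed" for r in records):
        return None
    viewed = defaultdict(set)
    for r in records:
        if r["client_ip"] in trusted_ips:
            continue
        if r["op"] == "MailboxLogin":
            viewed[r["client_ip"]]  # register the session even if nothing was read
        elif r["op"] == "MailItemsAccessed":
            viewed[r["client_ip"]].update(r["items"])
    return {ip: sorted(items) for ip, items in viewed.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(scope_exposure(recs, {"203.0.113.10"}))
    # The same incident with item-level logging never enabled:
    logins_only = [r for r in recs if r["op"] == "MailboxLogin"]
    print(scope_exposure(logins_only, {"203.0.113.10"}))  # None: scope unknown
```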
In contrast, your response to any incident can be delayed and incur greater costs if you do not understand and document forensic readiness. For example, should a forensic expert require access to a potentially compromised laptop, a delay in obtaining any BitLocker keys necessary to access this laptop will slow down the ability to copy the evidence and start the investigation. Documenting which assets require keys, where the keys are stored, and who can access them can avoid this delay.
A business can take many proactive steps to ensure incident response and investigation run smoothly. Conducting a forensic readiness assessment and implementing forensic readiness is one we highly recommend.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
