
HW 2 - Review Paper

Review Paper on: Digital Forensic Readiness as a Component of Information Security Best Practice (CP Grobler, CP Louwrens)

Wong, Shing Tai Sander - 2010952275

ICOM6027 - E-crimes: digital crime scenes and legal sanctions

Prof: Dr. Michael Kwan


Table of Contents
Introduction
  The Problem
  Purpose of the selected paper
Literature Review
  Winning the battles, losing the war? Rethinking methodology for forensic computing research (Vlasti Broucek, Paul Turner)
  Specifying digital forensics: A forensics policy approach (Taylor Carol, Endicott-Popovsky Barbara, Frincke Deborah A.)
  Digital Forensics - Meeting the Challenges of Scientific Evidence (Meyers & Rogers)
Discussion
Conclusion
Works Cited
Introduction

The Problem

The authors list a number of facts:

1. E-crime is constantly increasing.
2. Digital evidence investigation is an expensive task.
3. Most security incidents do not proceed to legal action.
4. Many information security strategies are carried out without any awareness of digital forensics.

Purpose of the selected paper

The purpose of the selected paper is to show that, once an incident (or attack) has
happened, the existing information security (IS) architectures, strategies and best practices are
not sufficient to prosecute the event or to ensure a successful investigation, because of the
lack of admissible evidence and poor procedures. Hence, there is a definite need for current
IS best practice to include certain aspects of digital forensic (DF) readiness that address this
shortcoming.

The authors first define IS and DF. In terms of information security governance, they
argue that by examining the overlap between DF and IS, the relevance of DF readiness to IS
can be determined.

The authors explain that digital forensic readiness consists of pro-active and re-active
components: the pro-active components assist with incident anticipation, while the re-active
components are concerned with incident response. They recommend that organizations include
pro-active DF management so that evidence can be gathered legally and cost-effectively during
the re-active stage.
Including certain aspects of digital forensic readiness as a component of information
security would then become IS best practice. Adopting this change gives the IS manager and
top management the means to demonstrate that reasonable care has been taken to protect
valuable company information resources.
Literature Review

Winning the battles, losing the war? Rethinking methodology for forensic computing research (Vlasti Broucek, Paul Turner)

Similar to the problem area described by Grobler & Louwrens, Broucek and Turner
emphasize the increased need for awareness of accurate and legally admissible collection of
digital data. To improve forensic computing, Broucek and Turner suggest re-conceptualizing
the term 'solution' and advocate an additional methodological step for forensic computing
research. Forensic computing has many domains. Where Grobler & Louwrens propose digital
forensic readiness to ensure successful investigations, Broucek and Turner also highlight the
importance of training organizational network administrators and end users in digital evidence
handling.
The new methodology proposed by Broucek and Turner targets incident response, while
Grobler & Louwrens concentrate on implementing pro-active DF readiness for IS. On the topic
of anti-forensics, Grobler & Louwrens suggest preventing the use of anti-forensic strategies,
while Broucek and Turner propose that organizations balance security, privacy and legal
admissibility.

Specifying digital forensics: A forensics policy approach (Taylor Carol, Endicott-Popovsky Barbara, Frincke Deborah A.)

Grobler & Louwrens recommend adding DF readiness as a component of information
security as the best practice for enabling a system to capture and use digital evidence. Taylor,
Endicott-Popovsky and Frincke, however, identify problems with DF readiness. Firstly, properties
such as specification and implementation are not consistent within the digital forensics
community (Endicott & Frincke). Secondly, DF readiness is one of only a few proposed forensic
characteristics discussed in the forensics literature. Thirdly, there is no single methodology or
approach to enabling forensic readiness. Hence, there is no easy way to find out how to
implement DF readiness.

At this point, Taylor, Endicott-Popovsky and Frincke do not suggest ignoring DF readiness.
They suggest enforcing a forensics policy for a corporate IT system by determining DF readiness
requirements, and they determine those requirements by stating a forensics policy for IS.

In terms of approaching IS for DF readiness, Grobler & Louwrens suggest that IS leverage
techniques from DF, while Taylor, Endicott-Popovsky and Frincke's DF policy enforcement
mechanism is borrowed from the computer security domain. The DF policy concept is borrowed
from the security community, which traditionally relies on security policies for specifying the
security of a system and then enforces them (Taylor, Endicott-Popovsky & Frincke, 2007).

Digital Forensics - Meeting the Challenges of Scientific Evidence (Meyers & Rogers)

Grobler & Louwrens mention that computer forensic tools are needed for re-active DF
readiness. However, which computer forensic tools to use, and how to select them, is never
discussed. While Grobler & Louwrens focus mainly on DF readiness, the big picture, Meyers &
Rogers focus specifically on the tools used for digital evidence preparation and handling. At the
court end, somebody has to validate whether the computer forensic tools should be accepted or
not.

Meyers & Rogers explore three admissibility considerations for scientific evidence applied
in US courts: reliability, peer review, and acceptance within the relevant community (Meyers &
Rogers, 2006). The relevant community here means the computer forensic community; for
instance, this community would examine the tools used to prepare digital evidence.

Where no such relevant community exists, the authors propose a trusted third party
certification model to address the issue. The computer forensics field could employ a trusted
third party for certification purposes. This trusted third party would report its test results on
computer forensic tools for scrutiny, and the court would then turn to it for guidance on general
acceptance and reliability.
Discussion

Most organizations' information security would rather focus planning on disaster recovery
and business contingency. Digital forensic readiness is often overlooked. I had prepared a few
disaster recovery documents and business contingency plans for the company that I worked for.
I have never had any forensic background, and I believe none of our IT staff does.

I do agree that the existing IS was not designed for attack incident response. Since my
old company's business is OEM, serving customers like HP, Apple, Cisco, etc., we have a B2B
gateway to gather their end customers' billing information. This information has to be secured,
and we had signed contracts accepting liability for securing such data. Let's say there is a
successful attack on our company network and end customers' data is hacked; our company
would be responsible for the investigation. Since we don't have any forensic training, we would
have to hire experts to handle the investigation, which would be ridiculously costly. If I were
appointed to implement DF readiness, I would consider the authors' suggestion: 'Maximizing the
ability of an environment to collect credible digital evidence while minimizing the cost of an
incident response.'

In terms of implementing DF readiness, here comes the problem. In order to implement DF
readiness, we have to compare our existing IS and DF. However, the DF readiness framework and
methodologies are difficult to follow. They originally come from forensic science, which is hard for
a network administrator or IT manager to understand. It is too costly to educate them in forensic
science, and after they have learned it, it would still take a while for them to find out what needs
to be changed accordingly.

To ease the implementation effort, the forensic policy approach is much more appropriate here.
For instance, a forensics policy can be "all access to the DB must be monitored and DB access logs will
be preserved for no less than one year". This is easy for our IT staff: we are trained in enforcing policy,
and policy is easy to audit, especially when it is written in IS policy language.
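As an added illustration (not part of this review or of the reviewed papers), the following Python script audits a constructed inventory of database configurations against the forensic policy quoted above; the configuration fields, the retention-string format and the sample systems are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Forensic policy from the discussion: all DB access must be monitored and
# DB access logs preserved for no less than one year.
POLICY_MIN_RETENTION_DAYS = 365

@dataclass
class DbConfig:
    name: str
    access_logging: bool   # is DB access monitored at all?
    log_retention: str     # human-written retention value, e.g. "18 months"

# Approximate unit sizes in days; months/years are rounded down so a borderline
# value can never pass the audit by accident.
_UNIT_DAYS = {"d": 1, "day": 1, "days": 1, "w": 7, "week": 7, "weeks": 7,
              "m": 30, "month": 30, "months": 30, "y": 365, "year": 365, "years": 365}

def retention_days(value: str) -> int:
    """Parse a retention string such as '90d', '1 year' or '18 months' into days.
    Unknown, empty or unparsable values count as zero retention (fail closed)."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]+)\s*", value or "")
    if not m:
        return 0
    qty, unit = int(m.group(1)), m.group(2).lower()
    return qty * _UNIT_DAYS.get(unit, 0)

def audit(configs: list[DbConfig]) -> dict[str, list[str]]:
    """Return {db_name: [findings]}; an empty list means the DB meets the policy."""
    report = {}
    for cfg in configs:
        findings = []
        if not cfg.access_logging:
            findings.append("access logging disabled: DB access is not monitored")
        days = retention_days(cfg.log_retention)
        if days < POLICY_MIN_RETENTION_DAYS:
            findings.append(f"log retention {cfg.log_retention!r} = {days} days, "
                            f"policy requires >= {POLICY_MIN_RETENTION_DAYS}")
        report[cfg.name] = findings
    return report

# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE = [
    DbConfig("billing-db", True, "18 months"),   # compliant
    DbConfig("b2b-gateway-db", True, "90d"),     # retention too short
    DbConfig("legacy-crm", False, ""),           # no monitoring, no retention
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```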
Since we all hope that a successful attack will never happen, it is difficult to convince an
organization to spend extra effort on adding the 4th R: Redress (DF techniques, computer forensic
tools, legal remedies, etc.). For post-incident, or rather re-active, DF readiness, unless the company
is large enough, I think it is more practical to have a 3rd party handle it. Since DF technique is a
complicated skill that requires frequently updated knowledge, outsourcing this area would make
more sense than adopting it.

DF readiness to prevent anti-forensics (as suggested by the authors) is a pretty difficult mission.
Since IS has been commercialized and anti-forensic capabilities are provided by large corporations
such as Google and VeriSign, it would indeed be difficult to prevent them and ensure evidence
collection. For instance, users may leak information not through company email but through Gmail,
with the email exchange SSL-encrypted under a session key unknown to the corporation. There
must be a balance of security, privacy and admissibility control.
Conclusion

There is no doubt that cybercrime is getting more serious. Information security management
can no longer ignore the importance of DF. To avoid a costly investigation when an attack
incident occurs, preparation is needed. Information security governance that requires DF
readiness needs attention in every organization. After we are convinced to spend reasonable
effort on it, we are at the next stage: HOW TO IMPLEMENT.

For implementation, unfortunately, there are no simple ways. The DF framework and
methodologies for readiness are too conceptual or theoretical for implementation. Computer
forensic communities should standardize and come out with a digital forensic policy for DF
readiness implementation. Computer forensic communities should also tackle the issues raised
by anti-forensics.
Works Cited
1. Taylor, Carol, Endicott-Popovsky, Barbara and Frincke, Deborah A. Specifying digital forensics: A
forensics policy approach. Richland, WA, US: Elsevier Ltd, 2007.

2. Meyers, Matthew and Rogers, Marcus. Digital Forensics - Meeting the Challenges of Scientific
Evidence. Advances in Digital Forensics, 2006.

3. Broucek, Vlasti and Turner, Paul. Winning the battles, losing the war? Rethinking methodology for
forensic computing research. Springer-Verlag, 2006.
