The Problem
The purpose of the selected paper was to show that, once an incident (or attack) has happened, the existing information security (IS) architectures, strategies and best practices are not sufficient to prosecute the event or to ensure a successful investigation, because of a lack of admissible evidence and poor procedures. Hence there is a definite need for current IS best practice to include certain aspects of digital forensic (DF) readiness to address this shortcoming.
The author first defined IS and DF. In terms of information security governance, the author believes that, after examining the overlap between DF and IS, the relevance of DF readiness to IS can be determined.
The author discussed that digital forensic readiness consists of pro-active and re-active components: the pro-active components assist with incident anticipation, while the re-active components are concerned with incident response. The author recommended that organizations include pro-active DF management so that evidence can be gathered legally and cost-effectively during the re-active stage.
Later on, the inclusion of certain aspects of digital forensic readiness as a component of information security would become IS best practice. Adopting this change gives the IS manager and top management the means to demonstrate that reasonable care has been taken to protect valuable company information resources.
Literature Review
Winning the battles, losing the war? Rethinking methodology for forensic computing research (Vlasti Broucek, Paul Turner)
Similar to the problem area Grobler & Louwrens described, Broucek and Turner emphasized the increased need for awareness of accurate and legally admissible collection of digital data. To improve forensic computing, Broucek and Turner suggest re-conceptualizing the term 'solution' and advocate an additional methodological step for forensic computing research. Forensic computing has many domains. Where Grobler & Louwrens suggested digital forensic readiness to ensure successful investigations, Broucek and Turner also highlighted the importance of awareness training for organizations' network administrators and end users in digital evidence handling.
The new methodology proposed by Broucek and Turner targeted incident response, while Grobler & Louwrens were more concerned with implementing pro-active DF readiness for IS. On the anti-forensic topic, Grobler & Louwrens suggested preventing the use of anti-forensic strategies, while Broucek and Turner proposed that organizations balance security, privacy and legal admissibility.
At this point, Taylor, Endicott-Popovsky and Frincke did not suggest ignoring DF readiness either. They suggested enforcing a forensics policy for a corporate IT system by determining DF readiness requirements, and they determined those requirements by stating a forensics policy for IS.
Grobler & Louwrens had mentioned that computer forensic tools are needed for re-active DF readiness. However, which computer forensic tools to use, and how to select them, was never discussed. While Grobler & Louwrens focused mainly on DF readiness, the big picture, Meyers & Rogers focused specifically on the tools used for digital evidence preparation and handling. At the court end, somebody has to validate whether the computer forensic tools should be accepted or not.
Meyers & Rogers explored three admissibility considerations for scientific evidence applied in US courts: reliability, peer review and acceptance within the relevant community (Meyers & Rogers, 2006). The relevant community here means the computer forensic community. For instance, this community would examine the tools used to prepare digital evidence.
Where there is no such relevant community, the authors proposed a trusted third-party certification model to address this issue. The computer forensics field could employ a trusted third party for certification purposes. This trusted third party would report its test results on computer forensic tools for scrutiny, and the court could then turn to it for guidance on general acceptance and reliability.
Discussion
Most organizations' information security planning would rather focus on disaster recovery and business contingency. Digital forensic readiness is often overlooked. I had prepared a few disaster recovery documents and business contingency plans for the company that I worked for. I have never had any forensic background and I believe none of our IT staff does.
I do agree that the existing IS was not designed for attack incident response. Since my old company's business is OEM, serving customers like HP, Apple, Cisco, etc., we have a B2B gateway to gather their end customers' billing information. This information has to be secured and we had signed a contract accepting liability to secure such data. Let's say there is a successful attack on our company network and end customers' data is hacked; our company would be responsible for the investigation. Since we don't have any forensic training, we would have to hire experts to handle the investigation, which would be ridiculously costly. If I were appointed to implement DF readiness, I would consider the author's suggestion: 'Maximizing the ability of an environment to collect credible digital evidence while minimizing the cost of an incident response.'
To ease the implementation effort, a forensic policy approach is much more appropriate here. For instance, a forensics policy can be "all access to the DB must be monitored and access logs to the DB will be preserved for no less than one year". This is easy for our IT. We are trained to enforce policy, and policy is easy to audit, especially when it speaks the language of IS policy.
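The claim that such a policy is easy to audit can be made concrete. The script below is an added example, not code from the reviewed paper or its authors; it audits the quoted policy ("all access to the DB must be monitored and access logs preserved for no less than one year") against an inventory of daily log archives. It assumes a hypothetical sealing step that recorded a SHA-256 digest of each archive when it was written, and a hypothetical one-line-per-access log format carrying `user=` and `action=` fields; the archive inventory is constructed inline, so the script runs offline.

```python
"""Audit the forensics policy: every day in the last year must have a DB access
log archive, each archive must still match the digest recorded when it was
sealed (so it can be presented as unaltered evidence), and each retained record
must attribute the access to a user and an action.  Added example; the archive
inventory is constructed, not taken from any real system."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 365                    # policy: "no less than one year"
REQUIRED_FIELDS = ("user=", "action=")  # what a "monitored" access record must carry
AUDIT_DATE = date(2024, 6, 1)           # constructed audit date for the sample run


@dataclass(frozen=True)
class LogArchive:
    """One day's sealed DB access log plus the digest recorded at sealing time."""
    name: str
    day: date
    content: bytes
    recorded_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_policy(archives: list[LogArchive], today: date,
                 retention_days: int = RETENTION_DAYS) -> list[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings: list[str] = []
    by_day = {a.day: a for a in archives}

    # 1. Retention: the window covers the `retention_days` days before today.
    day = today - timedelta(days=retention_days)
    while day < today:
        if day not in by_day:
            findings.append(f"retention: no archive for {day.isoformat()}")
        day += timedelta(days=1)

    for a in archives:
        # 2. Integrity: content must still hash to the digest recorded at sealing.
        if sha256_hex(a.content) != a.recorded_sha256:
            findings.append(f"integrity: {a.name} does not match its recorded digest")
            continue  # an altered archive cannot prove anything about monitoring
        # 3. Monitoring: every retained record names the accessing user and action.
        for line in a.content.decode().splitlines():
            if not all(field in line for field in REQUIRED_FIELDS):
                findings.append(f"monitoring: unattributed access record in {a.name}")
                break
    return findings


def build_sample(today: date, gap: bool = True, tamper: bool = True) -> list[LogArchive]:
    """Constructed inventory: one archive per day for a year, optionally with one
    day missing (gap) and one archive altered after sealing (tamper)."""
    archives: list[LogArchive] = []
    for i in range(1, RETENTION_DAYS + 1):
        day = today - timedelta(days=i)
        if gap and i == 200:
            continue  # simulates a lost day of logs
        content = (f"{day.isoformat()}T02:15:00Z user=billing_svc "
                   f"action=SELECT table=customer_billing rows=12\n").encode()
        digest = sha256_hex(content)  # recorded when the archive was sealed
        if tamper and i == 3:
            content = content.replace(b"rows=12", b"rows=0")  # post-sealing change
        archives.append(LogArchive(f"db-access-{day.isoformat()}.log", day, content, digest))
    return archives


if __name__ == "__main__":
    for finding in audit_policy(build_sample(AUDIT_DATE), AUDIT_DATE):
        print(finding)
```

Run as a script it reports two findings for the constructed inventory: a missing day inside the retention window and one archive whose current hash no longer matches the digest recorded when it was sealed. The integrity check is what turns a retained log into credible evidence; retention alone only shows that a file of that name exists.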
Since we all hope that a successful attack would never happen, it is difficult to convince an organization to spend extra effort on adding the 4th R: Redress (DF techniques, computer forensic tools, legal remedies, etc.). For post-incident, or should I say re-active, DF readiness, unless the company is large enough, I think it is more practical to have a 3rd party handle it. Since DF technique is a complicated skill and requires knowledge to be updated frequently, outsourcing this area would make more sense than adopting it in-house.
For implementation, unfortunately, there are no simple ways. The DF frameworks and methodologies for readiness are too conceptual or theoretical to implement. Computer forensic communities should standardize and come out with a digital forensic policy for DF readiness implementation. Computer forensic communities should also tackle the issues brought by anti-forensics.
Works Cited
1. Taylor, Carol, Endicott-Popovsky, Barbara and Frincke, Deborah A. Specifying digital forensics: A forensics policy approach. Richland, WA, US: Elsevier Ltd, 2007.
2. Meyers, Matthew and Rogers, Marcus. Digital Forensics: Meeting the Challenges of Scientific Evidence. Advances in Digital Forensics, 2006.
3. Broucek, Vlasti and Turner, Paul. Winning the battles, losing the war? Rethinking methodology for forensic computing research. Springer-Verlag, 2006.