Principles of investigative or forensic readiness
Investigations are often seen as purely reactive. They are, most often, something that has to happen because something unforeseen has happened. As a result, many people think that investigations start immediately after the incident which triggers the requirement for them.
In reality, however, the first stages of any investigation should start long before the incident occurs - this is where investigative readiness or forensic readiness comes into play. The goal of any investigator is to gather as much evidence as possible, ensuring that it is relevant and that nothing which might be significant is missed. This is easiest if it can be done at the start of the investigation - before the crime scene or sources of potential evidence have been contaminated.
In this context, readiness is a bit like the "mise en place" found in any good commercial kitchen. Before starting to cook anything, the chefs spend hours making sure that they have all the tools, ingredients and recipes they need for anything the customer might order.
In the same way, we can make predictions about what sort of incidents might occur and how we might need to investigate them.
Elements of Readiness
Perhaps the most crucial part of any readiness plan is the human element. Everyone in an organisation should be aware of what actions they can and should take if they discover an incident.
Remember, if the incident is physical (e.g. a break-in), then the person most likely to discover it and have to respond in some way, is the first person to enter the premises after the incident occurs. This could be a member of the caretaking team, a member of security or senior management.
Exactly what their actions should be and who they should contact upon discovery of an incident should be well-documented and rehearsed. Think of it as the incident equivalent of first-aid. The goal is to preserve the evidence as long as possble, until better qualified incident handlers arrive.
If the organisation is large enough, it may have its own investigative capability or it may choose to outsource the investigative process to an external organisation. Whichever is to be done, the investigative team should be identified in advance and should have the right mix of skills for the incidents and evidence sources which may be found (see below).
Incident Locations and Evidence Sources
In any modern organisation there will be range of locations where incidents may occur. These range from the purely physical (e.g. windows and doors being breached during a physical break-on) to the purely electronic (Internet connections and servers being targeted as part of a cyber-attack). Each location should be considered as not just a potential location for an incident, and thus somewhere to be secured, but also a potentially rich source of evidence in the event that an incident does occur. Steps should be taken, therefore, to ensure that any attempts to cause an incident result in evidence being acquired. For physical locations this could be CCTV, while for electronic systems it is likely to include measures such as firewalls, intrusion detection and malware detection systems with logging capabilities enabled to record what has happened. Even normal access logs and server activity logs can be useful sources of evidence so they should be enabled and preserved for as long as possible. The more information that can be gathered about activities and movements around the site and systems, the greater the chance that something useful will be recorded - reducing the time required to investigate and understand what went wrong.
Processes and Tools
Of course, having trained and well-qualified people and lots of data recorded is virtually useless, unless the people know how to process the potential evidence which has been captured. SOPs or Work Instructions should be prepared, in advance of any incident occurring, and tools selected to allow potential evidence to be recovered, evaluated and interpreted in the most efficient and appropriate way. Having these documented processes to hand will reduce the time it takes to start an investigation and to complete it, as well as allowing the investigators to show that they have followed a correct and appropriate procedure. It can also help to ensure that investigation does not interfere with remediation, and vice-versa.
If you have any thoughts on this, or would like help with preparing for or conducting investigations, please contact n-gate ltd. now.