The Rising Need for Digital Forensics

Jan 31, 2022


What is Digital Forensics?

According to US-CERT, Digital (Computer) Forensics can be defined “as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”[1] Digital forensics primarily deals with the process of collecting, analyzing, and documenting latent digital evidence. Digital forensics is a branch of forensic science and is often employed when digital evidence needs to be preserved for legal purposes.

Why is it necessary?

Having a Digital Forensic solution is an essential part of any enterprise’s cybersecurity program. Digital Forensics is a key pillar in the “Defense-in-Depth” approach to information security. Understanding the legal and technical aspects of computer forensics will help you capture vital information if your network/infrastructure is compromised and will assist in the prosecution of the responsible entities.

 

What’s the difference between incident response and digital forensics?

Digital Forensics can drive and augment incident response. Incident response efforts often leverage intelligent tools (e.g. Indicators of Compromise, signature rules, etc.) and are effective only when there is prior information about the vulnerabilities and mechanisms utilized in an attack. The effectiveness of these tools is inversely related to the quantity of new and novel attack techniques and mechanisms utilized by threat actors. Digital forensic processes do not suffer from such issues, and can greatly improve an organization’s resiliency and ability to recover from a cyber-incident. Additionally, traditional IR efforts do not often preserve evidence in a fashion that would be admissible in a court setting.

 

What is eDiscovery?

Electronic discovery (eDiscovery) is a term referring to the discovery process in legal proceedings. eDiscovery differs from traditional discovery in that the information in question is in electronic/digital format (also known as ESI, electronically stored information). Electronic discovery is dictated by rules of civil procedure and accomplished through formalized processes. Electronic information differs from paper information in various ways (intangible form, transient nature, persistence, etc.) and is usually accompanied by metadata, the preservation of which presents specific challenges and is of critical consideration when presenting digital information as evidence.

What is the Chain of Custody?

In Digital Forensics, the Chain of Custody is a process that documents the specifics of evidence collection (including safeguarding and analysis throughout its lifecycle) by noting each individual involved in handling the evidence, when it was collected/transferred, and why it was collected/transferred.
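One way to keep such a record tamper-evident, as an added example that is not part of the original post: each entry stores who, when and why, re-checks the evidence hash at every hand-off, and links to the previous entry by hash. The class name, field names and hash-chaining design are assumptions made for illustration, and the sample values are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only custody record for one evidence item (hypothetical design)."""
    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_sha256 = sha256_hex(evidence)  # fixed at acquisition
        self.entries = []

    def record(self, handler, action, reason, when, evidence: bytes):
        # Re-hash the evidence at every hand-off; a mismatch means it changed.
        if sha256_hex(evidence) != self.evidence_sha256:
            raise ValueError("evidence hash mismatch, refusing to log hand-off")
        entry = {
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "handler": handler,  # who handled the evidence
            "action": action,    # collected / transferred / analyzed
            "reason": reason,    # why it was collected or transferred
            "when": when,        # ISO 8601 timestamp supplied by the caller
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry) -> str:
        # Hash every field except the hash itself, in a stable key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self) -> bool:
        """True only if every entry is unaltered and linked to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["entry_hash"] != self._digest(e):
                return False
            prev = e["entry_hash"]
        return True

if __name__ == "__main__":
    image = b"constructed bytes standing in for a disk image"  # constructed sample
    log = CustodyLog("ITEM-001", image)
    log.record("A. Analyst", "collected", "incident triage", "2022-01-31T10:00:00+00:00", image)
    print(log.verify())
```

A hash chain alone does not detect removal of the newest entries or a full rewrite of the log, so the latest `entry_hash` should also be recorded somewhere the log's custodian cannot change.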

Who is qualified to perform digital forensics?

A qualified digital forensic assessor must be proficient in multiple different domains of technical and administrative knowledge. This includes (but is not limited to) computer science, information assurance, information security, document control and review, metadata analysis, volatile memory extraction, etc.


Copyright 2024 - Critical Fault, LLC. | Privacy Policy