This is the process of identifying things such as what evidence is present, where and how it is stored, and which format and platform it is based on. From this information the investigator can start to identify and formulate the appropriate course of action to follow throughout the investigation.
For any activity to succeed, it is imperative to understand the value added by proper planning. The Identification process therefore starts with a detailed Pre-event Planning phase, which provides a workable foundation for the (post-event) Develop Incident Awareness phase.
Both Identification processes are explained below:
1.1. Pre-Incident Planning
The planning phase is crucial for laying down the foundational framework for any forensic activity of value. It is carried out before an incident takes place, so that the organization is ready to respond actively to any eventuality. It allows the organization to consider all relevant factors in as much detail as possible and to formulate a plan of action for forensics and evidence handling. The following key areas form the basis of an effective plan:
- Follow formal forensics and evidence handling procedures that provide a clearly defined course of action, with the corresponding roles and responsibilities set out in the ISIRT Charter and the Dolphin IS-IM Framework.
- The CISO will own the incident response strategy, the response and containment plans, and awareness of incident response actions/initiatives.
- Invest in the continuous development of your team, both in size and in skills, as laid out in the ISIRT Charter. Fully understand your team's capabilities, know the gaps, and plan in advance to seek support and guidance wherever necessary.
- Maintain a clear perspective on which route to take for forensic investigations, i.e. employ in-house capabilities OR involve law enforcement agencies OR rely on outsourced forensic specialists. Understand the communication challenges of each route and how to overcome any deadlocks.
- Factor in the resources and logistics required for any desired course of action, e.g. availability of writable media, any specific delivery considerations, etc.
- Regularly test the plan by drilling your team with hypothetical situations, both to aid their response in real emergencies and to ensure that the plan remains aligned with your evolving environment.
1.2. Develop Incident Awareness
When an incident occurs, the first step is to develop a detailed understanding of the incident and of the incident response actions/initiatives taken so far. This is achieved by obtaining the latest information about the issue: reading the first incident report, any response strategy followed, and any containment plans executed to date.
After coming up to speed on the current status, the following activities should be undertaken:
- Select an appropriate approach for the investigation aligned with the incident situation and the context.
- Define the scope and boundaries for the investigation along with expected objectives and outcomes.
- Invoke the pre-defined forensic investigation method: in-house or law enforcement or outsourced forensic experts.
- Equip the forensics team with the right tools and information.
- Identify and document the possible sources of evidence for the investigation.
- Identify and document the stakeholders for the digital forensic investigation.
- Identify and document the communication and reporting channels for the digital forensic investigation.
- Identify and document the necessary legal and compliance requirements to be adhered to during the course of the investigation.
- Establish communication channels with senior management for approvals and reporting. This could include the Chief Information Security Officer (CISO), the Head of Legal and Internal Audit, or designated members of the ISIRT Team.