Implementing Digital Forensic Readiness, 2nd Edition

Book description

Implementing Digital Forensic Readiness: From Reactive to Proactive Process, Second Edition presents the optimal way for digital forensic and IT security professionals to implement a proactive approach to digital forensics. The book details how digital forensic processes can align strategically with business operations and an already existing information and data security program.

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Preface
  7. Acknowledgments
  8. Introduction
  9. Author
  10. Section I ENABLING DIGITAL FORENSICS
    1. 1 Understanding Digital Forensics
      1. Introduction
      2. The Role of Technology in Crime
      3. History of Digital Crime and Forensics
        1. Prologue (1960s–1980s)
        2. Infancy (1980–1995)
        3. Childhood (1995–2005)
        4. Adolescence (2005–2015)
        5. The Future (2015 and Beyond)
      4. Evolutionary Cycle of Digital Forensics
        1. “Ad Hoc” Phase
        2. “Structured” Phase
        3. “Enterprise” Phase
      5. Principles of Digital Forensics
        1. Evidence Exchange
        2. Forensics Soundness
          1. Authenticity and Integrity
          2. Chain of Custody
      6. Types of Forensics Investigations
      7. Legal Aspects
        1. Jurisdiction
      8. Digital Forensics Resources
      9. Summary
    2. 2 Investigative Process Methodology
      1. Introduction
      2. Existing Process Models
      3. Digital Forensics Readiness Model
      4. Summary
    3. 3 Digital Evidence Management
      1. Introduction
      2. Types of Digital Evidence
        1. Common Sources of Digital Evidence
          1. Log Files
          2. Computer Systems
          3. Infrastructure Devices
          4. Virtual Systems
          5. Cloud Computing
          6. Mobile Devices
          7. External Sources
      3. Federal Rules of Evidence
      4. Investigative Process Methodology
        1. Preparation
          1. Information Security Management
          2. Lab Environment
          3. Hardware and Software
        2. Gathering
          1. Operating Procedures
        3. Processing
        4. Presentation
      5. Evidence Storage Networks
      6. Summary
    4. 4 Ethics and Conduct
      1. Introduction
      2. Importance of Ethics
      3. Principles of Ethics
        1. Personal Ethics
        2. Professional Ethics
        3. Computer Ethics
        4. Business Ethics
      4. Ethics in Digital Forensics
        1. Certifications and Professional Organizations
          1. Digital Forensics Certification Board (DFCB)
          2. International Association of Computer Investigative Specialists (IACIS)
          3. International Society of Forensics Computer Examiners (ISFCE)
        2. Principles for Digital Forensics
          1. Impartiality and Objectivity
          2. Openness and Disclosure
          3. Confidentiality and Trust
          4. Due Diligence and Duty of Care
        3. Certifications and Accreditations
        4. Summary
    5. 5 Digital Forensics as a Business
      1. Introduction
      2. The Role of Digital Forensics in an Enterprise
      3. Starting a Digital Forensics Program
        1. Step #1: Understand Business Risks
        2. Step #2: Outline Business Scenarios
        3. Step #3: Establish Governance Framework
        4. Step #4: Enable Technical Execution
        5. Step #5: Define Service Offerings
      4. Maintaining a Digital Forensics Program
        1. Educational Roadmap
        2. Forensics Toolkit Maintenance
        3. Key Performance Indicators (KPI)
          1. Resource Capacity
      5. Challenges and Strategies
        1. Team Placement
        2. Industry Regulation
      6. Political Influences
      7. Summary
  11. Section II ENHANCING DIGITAL FORENSICS
    1. 6 Understanding Digital Forensic Readiness
      1. Introduction
      2. What Is Digital Forensics Readiness?
      3. Costs and Benefits of Digital Forensics Readiness
        1. Cost Assessment
        2. Benefits Analysis
      4. Implementing Forensics Readiness
      5. Summary
    2. 7 Defining Business Risk Scenarios
      1. Introduction
      2. What Is Business Risk?
      3. Forensics Readiness Scenarios
        1. Scenario #1: Reduce the Impact of Cybercrime
        2. Scenario #2: Validate the Impact of Cybercrime or Disputes
          1. Mitigating Control Logs
          2. Overhead Time and Effort
          3. Indirect Business Loss
          4. Recovery and Continuity Expenses
        3. Scenario #3: Produce Evidence to Support Organizational Disciplinary Issues
        4. Scenario #4: Demonstrating Compliance with Regulatory or Legal Requirements
        5. Scenario #5: Effectively Manage the Release of Court-Ordered Data
        6. Scenario #6: Support Contractual and Commercial Agreements
      4. Scenario Assessment
      5. Summary
    3. 8 Identify Potential Data Sources
      1. Introduction
      2. What Is a Data Source?
        1. Background Evidence
        2. Foreground Evidence
      3. Cataloguing Data Sources
        1. Phase #1: Prepare an Action Plan
        2. Phase #2: Identify Data Sources
        3. Phase #3: Document Deficiencies
          1. Insufficient Data Availability
          2. Unidentified Data Sources
      4. External Data Considerations
      5. Data Exposure Concerns
      6. Forensic Architectures
      7. Systems Lifecycle
        1. Waterfall and Agile Models
      8. Summary
    4. 9 Determine Collection Requirements
      1. Introduction
      2. Pre-collection Questions
      3. Evidence Collection Factors
        1. Best Evidence Rule
        2. Time
        3. Metadata
        4. Cause and Effect
        5. Correlation and Association
        6. Corroboration and Redundancy
        7. Storage Duration
        8. Storage Infrastructure
      4. Data Security Requirements
      5. Summary
    5. 10 Establishing Legal Admissibility
      1. Introduction
      2. Legal Admissibility
      3. Preservation Challenges
      4. Preservation Strategies
      5. Administrative Controls
        1. Policies
        2. Guidelines
        3. Standards
        4. Procedures
      6. Technical Controls
        1. Storage Security
        2. Integrity Monitoring
        3. Cryptographic Algorithms
        4. Remote Logging
        5. Secure Delivery
      7. Physical Controls
        1. Deter
        2. Detect
        3. Deny
        4. Delay
      8. Summary
    6. 11 Establish Secure Storage and Handling
      1. Introduction
      2. Secure Storage Attributes
        1. Least Privilege Access
        2. End-to-End Cryptography
        3. Integrity Checking
        4. Physical Security
      3. Administrative Governance Foundations
        1. Personnel
        2. Evidence Storage
        3. Evidence Handling
        4. Incident and Investigative Response
        5. Assurance Controls
      4. Backup and Restoration Strategies
        1. Near Real-Time Data Replication
        2. Data Replication
        3. Data Restoration from On-line Backup Media
        4. Data Restoration from Off-line Backup Media
      5. Summary
    7. 12 Enabling Targeted Monitoring
      1. Introduction
      2. What Is (un)acceptable Activity?
      3. Digital Forensics in Enterprise Security
        1. Information Security vs. Cyber Security
        2. Defense-in-Depth
        3. Traditional Security Monitoring
        4. Modern Security Monitoring
      4. Positive Security
      5. Australian Signal Directorate (ASD)
      6. Analytical Techniques
        1. Misuse Detection
        2. Anomaly Detection
        3. Specification-Based Detection
        4. Machine Learning
          1. Extractive Forensics
          2. Inductive Forensics
          3. Deductive Forensics
      7. Implementation Concerns
      8. Summary
    8. 13 Mapping Investigative Workflows
      1. Introduction
      2. Incident Management Lifecycle
        1. Integrating the Digital Forensic Readiness Model
      3. Incident Handling and Response
        1. Phase #1: Preparation
          1. “Event” versus “Incident”
          2. Policies, Plans, and Procedures
          3. Team Structure and Models
          4. Communication and Escalation
          5. Escalation Management
        2. Phase #2: Respond
          1. Detection
          2. Analysis
          3. Prioritization
        3. Phase #3: Restore
          1. Containment
          2. Eradication and Recovery
        4. Phase #4: Learn
      4. The Incident Response Team (IRT)
        1. The Role of Digital Forensics During an Incident
          1. Practitioner
          2. Advisor
      5. Investigation Workflow
        1. Types of Security Investigations
      6. Summary
    9. 14 Establish Continuing Education
      1. Introduction
      2. Types of Education and Training
        1. Awareness
        2. Basic Knowledge
        3. Functional Knowledge
          1. Professional Certification
        4. Specialized Knowledge
      3. Organizational Roles and Responsibilities
        1. The Digital Forensics Team
          1. Roles
          2. Titles
      4. An Educational Roadmap
        1. Technical Knowledge
          1. Introductory
          2. Intermediate
          3. Advanced
      5. Non-Technical Knowledge
        1. Introductory
        2. Intermediate
        3. Advanced
      6. Digital Forensics Experts
      7. Summary
    10. 15 Maintaining Evidence-Based Reporting
      1. Introduction
      2. Importance of Factual Reports
      3. Types of Reports
        1. Creating Understandable Reports
      4. Arranging Written Reports
      5. Inculpatory and Exculpatory Evidence
      6. Summary
    11. 16 Ensuring Legal Review
      1. Introduction
      2. The Role of Technology in Crime
      3. Laws and Regulations
        1. Information Technology (IT) Law
        2. Cyberlaw or Internet Law
        3. Computer Law
      4. Legal Precedence
        1. Brady Rule: Inculpatory and Exculpatory Evidence
        2. Frye versus Daubert Standard: General Acceptance Testing
        3. Jurisdiction
      5. Technology Counselling
      6. Obtaining Legal Advice
        1. Constraints
        2. Disputes
        3. Employees
        4. Liabilities
        5. Prosecution
        6. Communication
          1. Involving Law Enforcement
      7. Summary
    12. 17 Accomplishing Digital Forensic Readiness
      1. Introduction
      2. Maintain a Business-Centric Focus
      3. Don’t Reinvent the Wheel
      4. Understand Costs and Benefits
      5. Summary
  12. Section III INTEGRATING DIGITAL FORENSICS
    1. 18 Forensics Readiness in Cloud Environments
      1. Introduction
      2. Brief History of Cloud Computing
      3. What Is Cloud Computing?
        1. Characteristics
        2. Service Models
        3. Delivery Models
        4. Isolation Models
      4. Challenges with Cloud Environments
        1. Mobility
        2. Hyper-Scaling
        3. Containerization
        4. First Responders
        5. Evidence Gathering and Processing
      5. Forensics Readiness Methodology
        1. Step #1: Define Business Risk Scenarios
        2. Step #2: Identify Potential Data Sources
        3. Step #3: Determine Collection Requirements
          1. Enterprise Management Strategies
          2. Cloud Computing Governance
          3. Security and Configuration Standards
          4. Reference Architectures
        4. Step #4: Establish Legal Admissibility
          1. Layers of Trust
        5. Step #5: Establish Secure Storage and Handling
        6. Step #6: Enable Targeted Monitoring
        7. Step #7: Map Investigative Workflows
          1. Phase #1: Preparation
          2. Phase #2: Gathering
          3. Phase #3: Processing
          4. Phase #4: Presentation
        8. Step #8: Establish Continuing Education
          1. General Awareness
          2. Basic Training
          3. Formal Education
        9. Step #9: Maintain Evidence-Based Presentations
        10. Step #10: Ensure Legal Review
          1. Contractual Agreements
      6. Summary
    2. 19 Forensics Readiness with Mobile Devices
      1. Introduction
      2. Brief History of Mobile Devices
      3. Challenges with Mobile Devices
        1. Loss
        2. Theft
        3. Replacement
        4. Local Storage
        5. Cloud Storage
        6. Encryption
        7. “Burner” Phones
      4. Forensics Readiness Methodology
        1. Step #1: Define Business Risk Scenarios
        2. Step #2: Identify Potential Data Sources
        3. Step #3: Determine Collection Requirements
          1. Enterprise Management Strategies
        4. Step #4: Establish Legal Admissibility
        5. Step #5: Establish Secure Storage and Handling
        6. Step #6: Enable Targeted Monitoring
        7. Step #7: Map Investigative Workflows
          1. Phase #1: Preparation
          2. Phase #2: Gathering
          3. Phase #3: Processing
          4. Phase #4: Presentation
        8. Step #8: Establish Continuing Education
          1. General Awareness
          2. Basic Training
          3. Formal Education
        9. Step #9: Maintain Evidence-Based Presentation
        10. Step #10: Ensure Legal Review
      5. Summary
    3. 20 Forensics Readiness and the Internet of Things
      1. Introduction
      2. Brief History of the Internet of Things (IoT)
      3. What Is the Internet of Things (IoT)?
      4. Challenges with the Internet of Things (IoT)
        1. Form Factor
        2. Security
        3. Privacy
        4. Evidence Gathering and Processing
      5. Forensics Toolkits
        1. Forensics Readiness Methodology
        2. Step #1: Define Business Risk Scenarios
        3. Step #2: Identify Potential Data Sources
        4. Step #3: Determine Collection Requirements
        5. Step #4: Establish Legal Admissibility
          1. Zones of Trust
        6. Step #5: Establish Secure Storage and Handling
        7. Step #6: Enable Targeted Monitoring
        8. Step #7: Map Investigative Workflows
          1. Phase #1: Preparation
          2. Phase #2: Gathering
          3. Phase #3: Processing
          4. Phase #4: Presentation
        9. Step #8: Establish Continuing Education
          1. General Awareness
          2. Basic Training
          3. Formal Education
        10. Step #9: Maintain Evidence-Based Presentation
        11. Step #10: Ensure Legal Review
          1. Discrimination
          2. Privacy
          3. Security
          4. Consent
      6. Summary
  13. Section IV ADDENDUMS
    1. Addendum A: Tool and Equipment Validation Program
    2. Addendum B: Service Catalog
    3. Addendum C: Cost-Benefit Analysis
    4. Addendum D: Building a Taxonomy
    5. Addendum E: Risk Assessment
    6. Addendum F: Threat Modeling
    7. Addendum G: Data Warehousing Introduction
    8. Addendum H: Requirements Analysis
  14. Section V APPENDIXES
    1. Appendix A: Investigative Process Models
    2. Appendix B: Education and Professional Certifications
    3. Appendix C: Investigative Workflow
  15. Section VI TEMPLATES
    1. Template 1: Test Case
    2. Template 2: Logbook
    3. Template 3: Chain of Custody
    4. Template 4: Investigative Final Report
    5. Template 5: Service Catalog
    6. Template 6: Business Case
    7. Template 7: Net Present Value (NPV)
    8. Template 8: Threat Risk Assessment
    9. Template 9: Data Source Inventory Matrix
    10. Template 10: Project Charter
    11. Template 11: Requirement Analysis Report
  16. Bibliography
  17. Resources
  18. Glossary
  19. Index

Product information

  • Title: Implementing Digital Forensic Readiness, 2nd Edition
  • Author(s): Jason Sachowski
  • Release date: May 2019
  • Publisher(s): CRC Press
  • ISBN: 9780429805820