Planning for Forensic Investigations – Stamper

Unless your organization and your security team are quite large, it’s unlikely that you will have dedicated expertise and resources available to facilitate forensic investigations of security-related matters, notably breaches. Nevertheless, there will be scenarios where having access to forensic capabilities will be necessary. As with incident and breach response, planning for forensic analysis in advance should be an essential priority of the CISO’s security program, even for smaller organizations. Let’s take a look at some of the core planning required to prepare you for when a forensic analysis is needed.

Why do we need forensic capabilities as part of our overall security program? There are two principal reasons. First, forensics supports legal claims and actions. Essentially, we use forensic analysis to determine if a crime has been committed and, ideally, determine attribution and present evidence that is legally admissible to support our claim in a court of law. This analysis can be required when there are disputes related to intellectual property, rogue employees, or corporate espionage. Another reason we might need forensic analysis is simply the matter of determining what took place and how – documenting “packet truth.”[1] Forensics provides a great set of capabilities to evaluate the “history” of our environment (what took place at each stage or phase of the kill chain) and how actors who were not authorized made changes to that environment.

While there is overlap between these two capabilities, there are certain conditions precedent that need to be defined. If a forensic analysis is going to be used to support legal proceedings (that is, as a legally defensible analysis), the activities must be legally authorized. Few things are worse than having evidence of a crime that would corroborate your case, only to have the evidence ruled not legally admissible because the forensic analysis was not appropriately authorized or the chain of custody did not offer the right assurance. To ensure proper chain-of-custody practices, you need to plan how you will handle forensic evidence (more on this below).

Preparing for a Forensic Analysis

When preparing for forensic analysis, make sure that you speak with your legal counsel and outline some of the scenarios where forensic analysis would be valuable. As discussed in Chapter 15, we should anticipate certain types of incidents. Revisit the list of potential incidents that you have planned for and determine what kind of forensic analysis to use in these scenarios. Recognize that just like threats and risks, evidence can come from many potential sources.

Evidence can be left behind by perpetrators outside of your organization (such as APTs, criminal elements, corporate espionage, state-sponsored actors, in-laws, among other unsavory actors). It can originate from inside the organization (for example, disgruntled and rogue employees). And it can come from your supplier and vendor ecosystem (this could include third-party service providers, “vetted” independent contractors, and the manufacturers and suppliers of systems, software, and hardware used in your environment). Anticipate needing to collect evidence outside of your “four walls,” and plan how you will get it. Further, with the advent of connecting more operational technology (IoT, ICS, and SCADA) to our networks, it’s important not to overlook these systems as potential sources of evidence.

Once you’ve evaluated these potential sources, coordinate a discussion with legal counsel to understand the repercussions of gathering evidence from these sources. Work out a process that is consistent with your organization’s priorities (e.g., attribution and prosecution when cases arise or – potentially in conflict with those two items – the restoration of services).[2] For scenarios that involve the collection of evidence used to determine if there was a rogue insider involved, engage both human resources and legal counsel in this process.

While in the United States there are limited expectations of privacy in the workplace, we cannot say the same for organizations that operate outside of the U.S. As a case in point, privacy in the workplace in a European context is expected by employees and legally enforced.[3] Knowing what can and cannot be collected in support of an investigation in advance is critical. Where legal privacy protections preclude the collection of the evidence systematically, you’ll need to look at alternative approaches such as user analytics that anonymize activity that can be unmasked subsequently with appropriate legal justification (e.g., a search warrant).

Equally important, the collection of evidence needs to be legally authorized. This authorization requires that practices are consistent with applicable laws and regulations. In the United States, Federal Rules of Evidence[4] govern this process. Changes as recent as December 2017 to section 902, subsection 14 (902(14)) reflect the evolving nature of digital forensics and are focused on streamlining the admissibility of electronic evidence by standardizing certain practices and expectations.

Specifically, the rule provides for using a hash value to establish the integrity of forensic evidence (essentially creating a presumption of authenticity). Documented and strong chain-of-custody practices should be front and center in your forensics program. Bottom line: CISOs should proactively work with their legal counsel to pre-validate evidence collection procedures in a manner consistent with the organization’s objectives, priorities, and legal requirements.
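As an added illustration (not from the book), the following Python shows the kind of hash-based integrity record and chain-of-custody log the paragraph refers to: the acquisition hash is recorded once, recomputed at every hand-off, and any mismatch is documented in the log rather than silently ignored. The item id, custodian names, and evidence bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash large images 1 MiB at a time rather than in one call


def sha256_of(data: bytes) -> str:
    """Return the SHA-256 hex digest of an evidence image held in memory."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def acquire(evidence: bytes, item_id: str, custodian: str) -> dict:
    """Open a chain-of-custody record; the acquisition hash is the reference value."""
    return {
        "item_id": item_id,
        "sha256": sha256_of(evidence),
        "events": [{"action": "acquired", "by": custodian,
                    "at": datetime.now(timezone.utc).isoformat()}],
    }


def transfer(record: dict, evidence: bytes, from_custodian: str, to_custodian: str) -> bool:
    """Log a hand-off. The hash is recomputed on each transfer; a mismatch is logged
    as an integrity failure so the break in custody is itself documented."""
    intact = sha256_of(evidence) == record["sha256"]
    record["events"].append({
        "action": "transfer" if intact else "integrity_failure",
        "from": from_custodian, "to": to_custodian,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return intact


def custody_intact(record: dict) -> bool:
    """True only if no hand-off in the log was recorded as an integrity failure."""
    return all(e["action"] != "integrity_failure" for e in record["events"])


if __name__ == "__main__":
    image = b"constructed placeholder for a disk image"  # constructed sample, not real evidence
    rec = acquire(image, "EVID-0001", "analyst_a")  # placeholder item id and custodians
    transfer(rec, image, "analyst_a", "legal_counsel")
    transfer(rec, image + b"\x00", "legal_counsel", "examiner")  # simulated alteration in transit
    print(json.dumps(rec, indent=2), "\ncustody intact:", custody_intact(rec))
```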

As noted above, it’s important that your forensics program is also used to determine the fact pattern of incidents where the end game is not attribution and legal proceedings but rather improvements to the security practices and architecture of the firm. Under these circumstances, forensic analysis is used to make internal improvements to the security program and reduce the risk of a similar issue taking place in the future.

Beyond collaborating proactively…

[1] “Packet Truth” is meant to imply the insight and knowledge we obtain while evaluating logs, packet captures, and other network detail. Not to overstate the obvious, packet truth is challenged when there has been spoofing, man-in-the-middle, or other tampering efforts – to wit my evangelism of using threat modeling.

[2] Specifically, there may be a conflict between the desire to obtain attribution and the need to resume operations. This conflict should be anticipated in advance and organizational priorities established – potentially system by system – such that the procedures and expectations for how an incident that may involve forensics will be handled are documented.

[3] Organizations that operate in both the European Union (EU) and United States would be well-served to review their employee manuals and acceptable use policies (AUPs) for consistency with local or regional employment laws and practices.

[4] There are pending updates (as described above) that will have an impact on proceedings. At present, a good starting point is found at:

Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.