In the previous post, we introduced Digital Forensics and Incident Response (DFIR) quickly. We investigate details about evidence criteria, forensics readiness, and incident response plan as a second part of our DFIR introduction posts. In addition to technical analysis and evidence investigation, policy-based definitions and IR understanding are vital for an effective DFIR in an enterprise. Let’s start the second part with evidence-related definitions.
Rules of Evidence
Rules of evidence govern whether, when, how, and for what the proof of a case may be placed before a trial of fact for consideration.
Best Evidence Rule: It is designed to prevent any alteration of digital evidence, either intentionally or unintentionally.
The Best Evidence Rule also states that the best or highest form of evidence available to any party must be presented in a court of law. If a live/original testimony form of the evidence were available, the court would not admit duplicate copies of that testimony.
Federal Rules of Evidence: The list below is the important rules in Federal Evidence.
Effect of Erroneous Ruling: Error may not be predicated upon a ruling admitting or excluding evidence unless a substantial right of a party is affected and the requirements of the law regarding a protest or objection have been satisfied (definition)
Record of offer and ruling
Hearing of jury
Preliminary questions about the evidence and witness should adhere following principles:
Questions of admissibility generally
Relevancy conditioned on fact, the introduction of evidence sufficient to support a finding of the fulfillment of the condition
Testimony by accused
Weight and credibility, this rule does not limit the right of a party to introduce before the jury evidence relevant to weight or credibility.
Limited Admissibility: Evidence can only be admissible to a single party for a single purpose but can be used for another party for another purpose.
Hearsay Rule: Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.
Statements That Are Not Hearsay: Prior statement by witness Admission by party-opponent.
Rule 804. Hearsay Exceptions:
The declarant of unavailability: exemption, refusal, the claim of lack of memory, inability, or absence is due to procurement or wrongdoing of the proponent of a statement for preventing the witness from attending or testifying.
Hearsay exceptions, former testimony, a statement under the belief of impending death, a statement against interest, statement of personal or family history.
Rule 1001. Definitions, Content of Writings, Recordings, and Photographs
Rule 1002. Requirement of Original Rule
Rule 1003. Admissibility of Duplicates, the original is not admissible if the original is lost or destroyed, the original is not obtainable, the original is in possession of an opponent, or collateral matters.
Scientific Working Group in Digital Evidence (SWGDE) Principle: To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement, and forensic organizations must establish and maintain an effective system for quality control.
Standard Operating Procedures (SOPs):
1.1, All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
1.2, Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
1.3, SOPs must be generally accepted in the field or supported by data gathered and recorded scientifically.
1.4, The agency must maintain written copies of the appropriate technical procedures.
1.5, The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
1.6, All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
1.7, Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
Forensic readiness refers to an organization’s ability to make optimal use of digital evidence in a limited time and with minimal investigation costs. It includes technical and nontechnical actions that maximize an organization’s competence in using digital evidence.
Fast and efficient investigation with minimal disruption to the business Provides security from cybercrimes such as intellectual property theft, fraud, or extortion Offers structured storage of evidence that reduces the expense and time of an investigation Improves law enforcement interface Easy identification of evidence related to the potential crimes Proper usage of evidence for a positive outcome of any legal prosecution Helps the organization use digital evidence in its defense Blocks the attackers from covering their tracks Limits the cost of regulatory or legal requirements for disclosure of data Averts similar attacks in the future
Identify the potential evidence required for an incident Determine the source of the evidence Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption Establish a policy for securely handling and storing the collected evidence Identify if the incident requires a full or formal investigation Train the staff to handle the incident and preserve the evidence Create a special process for documenting the procedure Establish a legal advisory board to guide the investigation process
DFIR as Part of the Incident Response Plan
Organizations often include computer forensics as part of incident response plans to track and prosecute perpetrators of an incident.
Incident response plans’ goals:
Develop and implement a strong security policy.
Effectively monitor and analyze the systems and network traffic.
Ensure operational logs and logging mechanisms.
Handle the incidents to minimize damage and reduce recovery time and costs.
Map the pathway for extracting evidence in a legally sound and acceptable manner.
Define the role of an incident response professional, such as identifying how a breach occurred, how to locate the method of the breach, and how to mitigate the breach.
In conclusion, we looked at DFIR and evidence from judicial and scientific focuses. We continue our DFIR posts with Forensic Investigator and DFIR code of ethics.