
Computer Forensics Investigation Process, Part Two

In my previous blog post, I delved into the critical importance of the computer forensics process, highlighting its pivotal role in guaranteeing the consistency, legality, and precision of digital investigations. This process, structured around pre-investigation, investigation, and post-investigation phases, serves as the foundation for preserving the integrity of digital evidence. Notably, the establishment of a secure Computer Forensics Lab, encompassing elements such as budgeting, physical security, and the utilization of specialized tools, plays a fundamental role in this framework. Its significance extends beyond legal contexts, impacting incident response and cybersecurity, where it ensures the reliability of findings, upholds evidence integrity, and optimizes the investigative process for uncovering the truth behind cybercrimes and security incidents.

In this post, we turn to the essential topics of constructing a strong Digital Forensics and Incident Response (DFIR) team, understanding the legal landscape, and adhering to industry standards. Building an effective DFIR team means uniting diverse skills to confront cyber threats. We also examine the legal and regulatory aspects, emphasizing compliance and ethics, alongside the industry standards that define excellence in DFIR, and we close with risk assessment for DFIR.

Build the Investigation Team

Digital Forensics team building rules are as follows:

  • Maintain a small team structure.
  • Identify each team member and assign specific responsibilities.
  • Ensure necessary clearance and authorization for team members.
  • Appoint one team member as the technical lead for the investigation.
  • Team members should include:
    • Attorney
    • Photographer
    • Incident responder
    • Decision maker
    • Incident analyzer
    • Evidence examiner/investigator
    • Evidence documenter
    • Evidence manager
    • Expert witness
  • Ensure that the Forensic Practitioner is certified and licensed appropriately.

Review Policies and Laws

Applicable federal statutes include the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT Act of 2001, and/or the Privacy Protection Act of 1980 (PPA).

The best practices:

  • Determine the extent of the authority to search.
  • Determine which legal authorities will perform the investigation.
  • Consult a legal advisor on any issues arising from improper handling of the investigation.
  • Ensure the customer’s privacy and confidentiality.

Forensic Laws:

  • 18 USC §1029 – Fraud and related activity in connection with access devices
  • 18 USC §1030 – Fraud and related activity in connection with computers
  • 18 USC §1361-2 – Prohibits malicious mischief
  • Rule 402 – General admissibility of relevant evidence
  • Rule 901 – Authenticating or identifying evidence
  • Rule 608 – Evidence of character and conduct of witness
  • Rule 609 – Impeachment by evidence of a criminal conviction
  • Rule 502 – Attorney-client privilege and work product; limitations on waiver
  • Rule 614 – Calling and interrogation of witnesses by court
  • Rule 701 – Opinion testimony by lay witnesses
  • Rule 705 – Disclosure of facts or data underlying expert opinion
  • Rule 1002 – Requirement of orig
  • Rule 1003 – Admissibility of duplicates

Establish Quality Assurance Processes

Practices:

  • Follow a well-documented systematic process.
  • Ensure that tools undergo validity testing for their intended purpose and for the accuracy of their results, with detailed documentation.
  • Review and update the quality management system every three years to meet the unit’s quality needs.
  • Maintain a documented Quality Assurance Manual (QAM) and appoint a Quality Manager (QM) responsible for quality assurance.
  • Subject investigative reports to administrative review for policy consistency and accuracy.
  • Have every final computer forensic report technically reviewed by a second examiner to ensure clarity and proper documentation.

General and Software/Hardware Processes:

  • Conduct formal, documented training.
  • Attain ASCLD/LAB or ISO/IEC 17025 accreditation.
  • Administer annual proficiency tests for investigators.
  • Perform quality audits and system reviews.
  • Validate equipment and maintain physical plant security.
  • Adhere to appropriate standards and controls in casework.
  • Ensure health and safety measures.
  • Establish policies and procedures for effective forensic investigations.
  • Annually review, update, and document policies and standards.
  • Validate all software and hardware tools before use and keep them licensed.
  • Regularly update and test software tools for functionality and accuracy.
  • Maintain and document hardware instruments in working condition.
  • Document test methodologies, results, and related theory when testing tools.
  • Integrate license compliance into laboratory standard operating procedures.
  • Follow tool-testing procedures in line with established standards and policies, such as the methodology of NIST’s Computer Forensics Tool Testing Project (CFTT).

It is recommended to integrate maintaining, auditing, documenting, and demonstrating license compliance into the laboratory standard operating procedure (SOP).

Tool-testing procedures must follow established standards and policies. The National Institute of Standards and Technology (NIST) has launched the Computer Forensics Tool Testing Project (CFTT), which establishes a “methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware”.

Data Destruction Industry Standards

  1. DoD 5220.22-M (American): This widely recognized standard destroys data by overwriting the required area of the drive three times with alternating ones and zeros, followed by a verification pass to confirm that the data has been obliterated. It is a robust method for secure data erasure.
  2. NAVSO P-5239-26 (RLL) (American): This standard uses a three-pass overwriting algorithm and provides assurance of destruction by performing verification in the final pass. It is a trusted method for securely wiping data from storage devices.
  3. NAVSO P-5239-26 (MFM) (American): Like the RLL variant, this standard uses a three-pass overwriting algorithm with the verification occurring in the last pass. It ensures thorough erasure of sensitive information.
  4. VSITR (German): The VSITR method goes a step further with six passes of overwriting, alternating between ones and zeros, and culminating in a pass that writes the letter ‘A’. This meticulous approach makes it a robust choice for secure data erasure.
  5. GOST P50739-95 (Russian): The Russian GOST P50739-95 standard writes zeros in the initial pass and random bytes in the subsequent passes. Although it differs from the fixed-pattern overwriting methods above, it effectively ensures data destruction and privacy protection.
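To make the pass schedules concrete, here is an added Python example (not code from the original post, and not any standard’s reference implementation) that runs the DoD, VSITR and GOST schedules as the post describes them over a constructed sample file and then verifies the result. The byte value written in each pass is my reading of the descriptions above, not the standards’ own text, and the verification for a random final pass simply checks that the original content is gone.

```python
import os
import secrets
import tempfile

# Pass schedules as described in the post (constructed illustration): each entry is
# the byte written across the whole region in that pass, or None for random bytes.
SCHEDULES = {
    # DoD 5220.22-M: three passes alternating ones and zeros, then verification.
    "DoD 5220.22-M": [0x00, 0xFF, 0x00],
    # VSITR: six alternating passes, then a pass that writes the letter 'A'.
    "VSITR": [0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, ord("A")],
    # GOST P50739-95: zeros first, then random bytes.
    "GOST P50739-95": [0x00, None],
}


def sanitize_file(path, schedule, chunk=4096):
    """Overwrite the file in place, one pass per schedule entry, and verify.
    Returns (passes_run, verified). For a fixed final pattern, verified means every
    byte reads back as that pattern; for a random final pass it means the original
    bytes are no longer present (the pre-wipe snapshot is kept only for this demo)."""
    with open(path, "rb") as fh:
        original = fh.read()
    size = len(original)
    with open(path, "r+b") as fh:
        for pattern in schedule:
            fh.seek(0)
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                fh.write(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
            fh.flush()
            os.fsync(fh.fileno())  # force each pass to stable storage, not just the page cache
    with open(path, "rb") as fh:
        after = fh.read()
    last = schedule[-1]
    if last is None:
        verified = len(after) == size and after != original
    else:
        verified = after == bytes([last]) * size
    return len(schedule), verified


def demo(standard="DoD 5220.22-M"):
    """Write a constructed sample file, sanitise it with the named schedule, clean up."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE CASE DATA 0001\n" * 300)
    try:
        return sanitize_file(path, SCHEDULES[standard])
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name in SCHEDULES:
        print(name, demo(name))
```

Real sanitisation of a drive must address the device, not a file, and must account for remapped sectors and flash wear-levelling that a file-level overwrite never reaches; that is why the standards pair overwriting with verification.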

We have covered a lot of ground so far. We started with the significance of computer forensics and the meticulous processes involved, then reviewed the data destruction standards. Now we look at risk assessment, and in the next post we will explore the investigation phase.

Risk Assessment

Risk assessment is a valuable tool for comprehending information security challenges within a business context and gauging the potential repercussions of a security breach. It involves:

  1. Identifying the Incident and its Impact: This step entails pinpointing the specific security incident that has occurred and recognizing the problems it has caused. Understanding the nature of the incident is vital to addressing it effectively.
  2. Characterizing Incident Severity: Assessing the severity of the incident is crucial in determining how urgently it needs to be addressed. Some incidents may have minor consequences, while others can be highly disruptive or even catastrophic.
  3. Quantifying Data Loss or Damage: Evaluating the extent of data loss or damage resulting from the incident is essential. This helps in assessing the potential impact on sensitive information and business operations.
  4. Assessing Wider Implications: It’s important to consider the possibility of the incident affecting other devices and systems. Understanding the scope of the incident’s reach is vital for containment and mitigation efforts.
  5. Preventing Spread: To limit the incident’s impact, cutting off communication with other devices and systems is a proactive measure. Isolation can prevent the incident from spreading further and causing additional harm.

By systematically going through these steps, organizations can better manage and respond to security incidents, minimizing damage and safeguarding their information assets.

RISK ASSESSMENT MATRIX

Likelihood                  Consequences
                            Insignificant   Minor      Moderate   Major     Catastrophic
Almost Certain (>90%)       High            High       Extreme    Extreme   Extreme
Likely (>50%, <90%)         Moderate        High       High       Extreme   Extreme
Moderate (>10%, <50%)       Low             Moderate   High       Extreme   Extreme
Unlikely (>3%, <10%)        Low             Low        Moderate   High      Extreme
Rare (<3%)                  Low             Low        Moderate   High      High

As we wrap up this blog post, we’ve covered key aspects of computer forensics, digital investigations, and information security. From building a strong DFIR team to understanding legal requirements and adhering to industry standards, we’ve provided insights to bolster your digital security efforts. In our next post, we’ll dive into the investigation phase of the computer forensic process, so stay tuned for more in-depth exploration.

Emre Caglar Hosgor