Digital forensic planning

Forensic readiness plan  

A Forensic Readiness Plan, or FRP, ensures any incident response that requires the acquisition of digital evidence can be conducted effectively and efficiently. The plan must conform to the forensic readiness policy.  

An FRP is an important part of a strategic incident response plan and allows for the proactive planning of digital investigations. This is done through the identification of scenarios, sources of admissible evidence, and related monitoring and collection processes. 

The organisation must have a plan in place outlining the following elements as a minimum… 
 

The organisation’s objectives for forensic readiness: 

• A clear statement of what the organisation hopes to achieve after a security incident.
• Responsibilities for the co-ordination of any response should the plan be called upon. The person should be identified by post rather than an individual name and their responsibilities must be documented.
• Contact details of how and when pre-arranged external forensic support can be obtained, including the provision of post-incident support, for example, via expert witnesses.
• How evidence will be stored safely and how its integrity will be retained.
• The escalation process for incidents, including when to report events to senior management and law enforcement.

Contact details of local law enforcement bodies for reporting an offence

Extraction of evidence  

If the incident leads to criminal investigations, then it’s likely that law enforcement will be involved.  

Extraction of evidence from a system should be conducted by expert forensics teams, where special handling procedures are used to ensure the evidence is not tampered with and is admissible in court.  

The organisation should have a single point of contact who can act as the evidence custody officer. They will ensure that all digital evidence artefacts are properly handled, labelled and identified. The chain of custody is a vital element in managing evidence and will be required in court.  

External organisations involved in investigations should sign a contract and an NDA. This will help protect their integrity and provide the all-relevant parties with legal cover should a breach of trust occur. 

The NDA should also contain: 

• The standards required for information handling
• How information should be transferred between the parties covered by the agreement
• The review requirements and disclosures required of the third party during the investigations

Most countries that deal with crimes involving IT now have complex and prescriptive rules about how evidence should be extracted, analysed, handled, presented and proved to have retained its original integrity.  

In the US, these are the Federal Rules of Evidence, and in the UK they’re the Police and Criminal Evidence Act and the Civil Evidence Act. 

The UK police force has also published the NPCC (National Police Chiefs Council) Good Practice Guide for Digital Evidence which details exactly how digital evidence should be handled and secured. This is supported by the NPCC Manager Guide for Good Practice and Advice Guide for Managers of Cybercrime Investigation.

What’s next? 

Before moving into a new Learning Path looking at the Security lifestyle, our expert Mark is going to take you through an incident review. He'll also being showing you how to implement a Forensics readiness plan. This will help to put this material on incident management into a real context.