Digital forensics: Organisational learning
Start course

In this module you’ll discover the close relationship between business continuity, disaster recovery and incident management.


Welcome to the session on forensic readiness plan. So, I'm gonna go straight and discuss this slide, to expand on it, 'cause this is quite a, sort of, a, an area that we need to look at in quite detail. So, what is a forensic readiness plan? It's a question that people often ask me. A lot of organisations they obviously are reactive and not proactive. Now proactive means they have a plan in place already. A lot of companies are completely reactive. Now, it's not if you're gonna be hacked, it's when you get hacked. So, a lot of companies they just-, they always think reactively- that they're never gonna be affected by it, but now you're eight times more likely to be hit with a cyber attack than be mugged in the street. And that fact obviously is quite strong. There's a lot of information behind it as well. So, we have to look at them, get that mindset out, out of it, that we have to be pre-planned in terms of what we're gonna do in terms of investigations. So, we have to have a plan in place. A lot of companies don't have this. They don't have a forensic readiness plan to deal with the digital acquisition. Now investigations can come in different formats. We could have an internal threat, or internal incident, and we may have to deal with that situation.  

It could be that someone's just plugged in a USB stick which has released malware, or malicious software onto our system. So, we might have to deal with that from an internal perspective straight away. We may have a threat vector come in from outside where hackers are trying to break into your systems, or even cause your systems to slow down in the form of a DDoS, a Distributed Denial of Service attack. Or the threat could be something else, but this is where we have to be proactive to look at, as part of our plan, have a plan in place, have a incident response plan, a disaster recovery plan. Yeah, they're good to have those in place, but we also have to have a forensic one in place as well. You don't have-, necessarily have to have all the resources available, but you need to have-, so if something happens, you'll be able to respond and deal with this issue quite quickly. So, this is broken into seven elements - the forensic readiness plan. The first one is our organisational objectives. What are the organisational objectives ofwhat happens? So, we've got an incident happening. We want to-, we need to know, we need to get our, sort of, Indiana Jones situation. How's, how's it happened? How have we been hit with a cyber attack? Is there-, how have they managed to get into that? And the only way that you're gonna be able to work out this type of information is conducting a forensic investigation.  

And if you haven't got a plan in place, you're gonna be like a headless chicken. You need to be proactive, so if something does happen, we have a plan in place. We can swiftly switch to our plan, and the plan will tell us who we need to contact to be able to deal with these situations. But we first of all need to think of our objectives, what are we hoping to achieve from this? And a lot of the times it's learning from those mistakes and helping to eliminate those type of mistakes, and hopefully prosecute the perpetrators behind this cyber attack in the first place. So, we have to think of our parameters, what is our intention for that? And then from there we'll move on to what the organisation hopes to achieve after the incident. Well, obviously, first of all, A – How did it happen? So, we can learn lessons which could be, okay, on this occasion it was the CEO of the company. He's clicked on a link. Now that type of attack is referred to as a whaling attack, because he's a big fish. So, that's something that we know what the initial attack is in, what lessons we can learn from that. If we don't have things in place, assets to help to identify it, log what's happening, which could be your syslog, your event log, any forensic logs that might come from the firewall logs. Intrusion, detection, prevention systems. Maybe your SIEM, your Security Information Event Management.  

A lot of this could have given you some, sort of, indications of what has been happening to you, and then obviously responding to it. We could have been hit with a ransomware attack. And then we get that, that horrible either blue screen of death, or the red screen saying, 'Pay up or else.' So, if that happens, okay, how did that come in? Is there a way that this information has come in? Is there any fragments that could have helped us identify how it came in? How do we coordinate it? And this is where when you have a plan in place you're not just-, you can respond to it in a timely manner, deal with the issues that are coming up, and then look at how you can actually retrieve this information back. We might have to use a third party to bring in to help us deal with the situation. Unless you're a big organisation, then you have your own forensic capability to kick in to deal with this situation. Remember, it's Indiana Jones. We've got fragments of things happening, and we're literally like Inspector Clouseau, or, or not a very good explanation. That, that was not a probably good one. But, you know, he was still effective in terms of his investigations, even if he did-, it was more a buffoon way of doing it. But we need to have a systematic way of looking at how we investigate things. How the evidence can be stored safely. This is something called the chain of custody, and chain of evidence. We're gonna go into detail with that later on.  

Chain of custody is a critical element of any retention that you have and no matter if it's a criminal investigation, a civil one which might involve intellectual property, or administration proceedings which could be a misconduct / gross misconduct. We need to have that information securely, and no alternation of the data itself. Obviously, we're gonna look at that in a subsequent slide. And then from there the incident, the escalation process, well, we may have to involve either law enforcement agencies, we may have to involve people in the board. Maybe not all at the same time, but obviously people will have to get involved to investigate this with us to maybe to support us. There are resources that we can pull on. If you don't know what these resources are, we're against the curve. Remember time is of the essence with these type of investigations. We need to be able to respond in a timely manner to deal with these incidents, and try to recover it as quickly as possible, otherwise the business could cease to exist. And then from there, we may have to involve law enforcement agencies like the National Cyber Security, or the National Crime Agency to step in and help us investigate it, and if necessary be involved in prosecutions that might come from that.  

But the forensic readiness plan is a proactive step which makes the business in a more sound setting, and be able to respond to things in a ordered and factual way. Hopefully, this has been helpful.  



About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.