In a hyper-connected digital world, organizations focus mainly on prevention, detection, and recovery processes to ensure business continuity. One major aspect that needs diligence is post-incident analysis to understand the genesis of the attack and the technical or process gaps that resulted in it. Tracing an attacker's digital footprints and understanding the tactics, techniques, and procedures used can give valuable insights into existing gaps in the environment in terms of people, process, and technological controls. Digital Forensics & Incident Response focuses on this very aspect of information security and is one of the most critical exercises to be conducted in a post-incident scenario.
Gartner defines digital forensics as the use of specialized, investigative techniques and technologies to determine whether illegal or otherwise inappropriate events have occurred on computer systems and provide legally defensible information about the sequence of those events.
Digital Forensics and Incident Response are two distinct sets of activities, each with a very specific aim. Digital Forensics focuses on analysis of the available digital footprint to trace an attacker's kill path.
Key stages of Digital Forensics are:
1. Identification – Identify evidence and store it with the requisite detail
2. Preservation – Isolate and preserve evidence to ensure no tampering (even inadvertent) is possible
3. Analysis – Reconstruct available data fragments to derive inferences and link them to evidence
4. Documentation – Assign priority and ranking to different documents and evidence with respect to their importance
5. Presentation – Prepare a detailed presentation of findings for the customer, along with deductions and inferences based on the information and evidence collected
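The preservation and documentation stages above rest on being able to prove later that an artefact has not changed since acquisition. The following is an added example, not code from the original article: it fingerprints a constructed sample artefact with SHA-256 at acquisition time, keeps a simple chain-of-custody record of who handled it and when, and re-verifies the artefact before analysis. The record layout, the evidence identifier `EV-001` and the source path are assumptions for illustration only.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence": bytes standing in for a captured log file.
SAMPLE_EVIDENCE = b"2024-01-01T00:00:00Z sshd[1234]: Accepted password for root from 10.0.0.5\n"


def hash_evidence(data: bytes) -> str:
    """Return the SHA-256 hex digest that serves as the artefact's integrity reference."""
    return hashlib.sha256(data).hexdigest()


def create_custody_record(evidence_id: str, data: bytes, collector: str, source: str) -> dict:
    """Build a chain-of-custody entry at acquisition time (assumed record layout)."""
    return {
        "evidence_id": evidence_id,
        "source": source,
        "sha256": hash_evidence(data),
        "size_bytes": len(data),
        "events": [
            {
                "action": "acquired",
                "by": collector,
                "at": datetime.now(timezone.utc).isoformat(),
            }
        ],
    }


def log_transfer(record: dict, handler: str, action: str) -> dict:
    """Append a custody event (e.g. hand-over to an analyst) without touching the digest."""
    record["events"].append(
        {"action": action, "by": handler, "at": datetime.now(timezone.utc).isoformat()}
    )
    return record


def verify_evidence(record: dict, data: bytes) -> bool:
    """Re-hash the artefact and compare with the recorded digest and size.

    False means the copy being analysed differs from what was acquired
    (tampering, corruption, or the wrong file), so analysis should stop.
    """
    return hash_evidence(data) == record["sha256"] and len(data) == record["size_bytes"]


if __name__ == "__main__":
    rec = create_custody_record(
        "EV-001", SAMPLE_EVIDENCE, "analyst-a", "host-web01:/var/log/auth.log"  # assumed values
    )
    log_transfer(rec, "analyst-b", "transferred")
    print(json.dumps(rec, indent=2))
    print("intact:", verify_evidence(rec, SAMPLE_EVIDENCE))
    # A single appended byte is enough to fail verification.
    print("intact after modification:", verify_evidence(rec, SAMPLE_EVIDENCE + b"x"))
```

In practice the record would be written to storage separate from the evidence itself, and the analysis in stage 3 would be performed on a working copy while the verified original stays untouched.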
Incident Response is a well-planned set of activities (proactive or reactive) designed to minimize the damage caused and to recover impacted systems to full capacity at the earliest. Incident Response can be approached either proactively or reactively. The key difference in terms of activities between the two approaches is: