Being agile in handling digital evidence is of great use when an incident happens. It is helpful to have a document that clearly states the types of digital evidence required by a court or your internal compliance department, and how to collect them. Applying strategies to achieve forensic readiness shows that an organization has the initiative and ability to manage risks effectively.
If your company is forensic ready, it means that your organization is able to maximize the potential of its digital evidence while minimizing the financial costs of an investigation. Defining all sources of digital evidence and deciding how to collect them is already covered in the previous steps. Once you know all the sources of digital evidence and have decided which of them can be collected to address the company's risks within a planned budget, the next step is to ensure that the evidence is collected in a secure way, using appropriate tools, so that the authenticity of the digital record is not compromised.
According to the IJDE, these are the two essential checks to make at this stage:
Can the evidence be gathered without interfering with business processes?
Can the evidence be gathered legally?
Throughout this stage, it is advised (if not mandatory) to obtain legal advice as part of the decision-making process. Every country has its own specific laws related to data protection, privacy, and human rights. While in some countries it is legal to monitor personal emails and the use of private data, in others it is not. There are also organizations that operate in multiple countries and multiple jurisdictions, and they have to secure evidence collection according to the laws of each of those countries.
As you can see, it is not a straightforward process. That is why planning is the most important component of the forensic readiness strategy. One of the goals of implementing a forensic readiness checklist is to make your organization ready and agile in gathering digital evidence without interrupting regular business operations.
If you choose the other way around, reacting to an incident rather than being proactive, you can certainly expect blockages of business operations and unexpected financial damages.
Can you gather digital evidence in a legal way?
The main purpose of this step is to establish an answer to this question. Besides not interrupting day-to-day business operations, another main goal, as highlighted above, is to be able to gather digital evidence without violating any laws or regulations. To ensure that there are no legal violations, you have to get legal advice at this stage so that all evidence collection requirements are met and upheld.
An organization must plan in advance and follow all applicable laws and regulations across countries.
In the next step, we will cover how to develop a framework to govern digital evidence management.