
Forensic Readiness

“Expect the best, prepare for the worst”

Establish relationships

Have you ever tried to find a good electrician at a time when you really needed one?

Incident response specialists are a lot like electricians, only more difficult to find. To ensure that you are able to deal with an incident calmly, carefully and appropriately, you need to be able to call on people you trust, with whom you've worked before and who know you, your staff and your environment.

Calling in an unknown computer engineer who has to work out your network topology while it is under attack and sections of it are being quarantined is no way to get to the bottom of what's going on.

By establishing relationships with people you're likely to need during an incident, you can build a rapport and share the knowledge that can make the difference between a two hour outage and an all-day affair.

By having relationships like this ready to go, you're far more likely to get a positive response on the day you need them, rather than an unhelpful: "sorry, we're all busy today".

Make a plan

During any incident, the last thing you need to be doing is thinking about what you should be doing.

It's far better to sit down with stakeholders during normal operation and calmly prepare your response to a set of incident criteria.

A Forensic Readiness Plan should integrate with whatever incident response plans you already have. It puts in place, ahead of time, everything you will need afterwards: logs being generated and retained, audit trails created, and exceptions to standard processes noted. All of these things help not only your ability to investigate and recover from an incident, but also your ability to show that you're compliant with the regulatory requirements governing risk.

Test your plan

It's fair to say that most organisations that create an incident response and forensic readiness plan will smile broadly at the fact, pop it on a shelf and promptly forget about it until sometime later when it's desperately needed.

By this time, new systems have been implemented and the plan doesn't work, because it's out of date.

It's important to test the plan that you make - ideally in conjunction with Disaster Recovery exercises. If your staff have never rehearsed the steps, it's unfair to hold them responsible for not following the plan when it's needed.

Stick to the plan

When systems fail or your network has been breached, with the pressure of people looking to you for a solution, it's very easy to abandon the carefully orchestrated steps laid out in the plan because they look like they will take too long.

It's easy, even understandable that you might decide to put the plan to one side and play it by ear. Occasionally this works. Usually it makes a bad situation worse.

By ensuring that your plan has executive sign-off, the plan becomes your insurance policy when things go into meltdown. The board cannot criticise you too strongly for following the plan they signed off - but if you fail to follow it and things don't work out, then you are truly on your own.

How can we help?

We've been working in the area of Incident Response and Forensic Readiness Planning for more than ten years. We can help you assess the risks you face, implement and document the controls required to mitigate those risks and help you prepare a robust Forensic Readiness Plan that will ensure you have all of the bases covered - before you need it.

We can help you test it and if the worst happens, we can be there to help you when you need to implement it.

Call us now on 020-8166-0059 or send us an email and we'll call you straight back to discuss how we can help.

Digital Evidence is Fragile

Digital forensic analysis is a specialised field and isn't something you should leave to the untrained amateur.


Very often the initial, well-intentioned actions of IT staff - logging on to "see what happened", running an antivirus scan, rebooting - destroy the crucial evidence and end the case before it has begun. Integrity cannot be retrofitted: if the original state of a device was not preserved, no amount of later effort will recover it.

For this reason, it's very important that you take steps to preserve the evidence.

As soon as you're aware that a forensic investigation may be necessary, ensure that the devices involved are secured. Don't let anyone “have a quick look”.

For Mobile Telephones this means:

  • Switch the handset off - do NOT remove the battery! Be aware that a modern encrypted handset that has been powered off will not give up its data until the passcode is entered again, so if the handset is found unlocked and an investigator can be reached quickly, isolating it from the network (flight mode, or a Faraday bag) and keeping it powered may preserve more.

For Computers, Laptops and Workstations:

  • If it is still running, disconnect it from the network (unplug the network cable and disable Wi-Fi) and secure it so that nobody else can use it. This is the preferred option as it allows capture of the computer's memory in addition to the hard disk contents. Where the disk is encrypted (BitLocker, FileVault and the like), memory is the only place the keys live, which is a further reason to capture it before power is lost.
  • If you do need to shut it down, don't shut it down cleanly - pull the plug to bring the machine down. For laptops, also remove the battery where it is removable; otherwise hold the power button until the machine is off.
  • As far as you are able, secure any associated storage devices (memory sticks, external drives and the like), bearing in mind that these may be the personal property of the individual concerned.

In ALL cases:

  • Take lots of digital photographs of the device in situ and again after you've secured it. These are cheap, easy and invaluable.
  • Secure the powered-down devices in a locked storage area under your supervision.
  • Make contemporaneous notes of what you have secured: make, model, serial number, where it was found, and the date and time.
  • Get a colleague to countersign and date your notes.
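The notes and countersignature in the list above are the start of a chain of custody. As an added example (not part of the original page or of LangfordParc's own process), the Python below keeps those notes as a hash-chained exhibit log: each record carries the SHA-256 of the previous record, so any later alteration of an earlier entry is detectable, and the colleague has a single hash to write down and sign. The exhibit identifiers, serial numbers and names are constructed for the example.

```python
"""Hash-chained exhibit log: a tamper-evident form of the seizure notes.

Added example; all exhibit details below are constructed, not real.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(entry: Dict[str, str], prev_hash: str) -> str:
    """SHA-256 over the previous record's hash plus a canonical JSON form of the entry.

    sort_keys and fixed separators make the serialisation reproducible, so
    re-hashing the same fields later gives the same value."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def add_exhibit(log: List[dict], *, exhibit_id: str, description: str, make: str,
                model: str, serial: str, location: str, seized_by: str,
                witness: str, when: Optional[str] = None) -> dict:
    """Append one seizure record and return it.

    The record's hash covers the previous record's hash, so editing any
    earlier record (or removing one) breaks every hash that follows it."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {
        "exhibit_id": exhibit_id, "description": description, "make": make,
        "model": model, "serial": serial, "location": location,
        "seized_by": seized_by, "witness": witness, "seized_at": when,
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev_hash": prev_hash, "hash": _digest(entry, prev_hash)}
    log.append(record)
    return record


def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Recompute every hash from the start.

    Returns (True, -1) if the chain is intact, otherwise (False, i) where i is
    the index of the first record whose content or linkage no longer matches."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != expected_prev or _digest(rec["entry"], rec["prev_hash"]) != rec["hash"]:
            return False, i
        expected_prev = rec["hash"]
    return True, -1


def build_sample_log() -> List[dict]:
    """Two constructed exhibits with fixed timestamps so the hashes are reproducible."""
    log: List[dict] = []
    add_exhibit(log, exhibit_id="EX-001", description="Desktop PC, was powered on; network cable removed",
                make="ExampleCorp", model="Tower 3000", serial="SN-CONSTRUCTED-0001",
                location="Desk 14, 2nd floor", seized_by="A. Admin", witness="B. Colleague",
                when="2024-01-15T09:12:00+00:00")
    add_exhibit(log, exhibit_id="EX-002", description="USB memory stick found in front port of EX-001",
                make="ExampleCorp", model="Stick 32GB", serial="SN-CONSTRUCTED-0002",
                location="Front USB port of EX-001", seized_by="A. Admin", witness="B. Colleague",
                when="2024-01-15T09:14:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    print("hash for the witness to sign:", log[-1]["hash"])
    log[0]["entry"]["serial"] = "SN-ALTERED"   # simulate a later "correction" to the notes
    print("after tampering:", verify_log(log))  # the break is reported at record 0
```

The hash of the most recent record is what the colleague writes on the paper notes and signs; a later reader can recompute the whole chain from the stored records and confirm it ends in the signed value. Storing the log on a system the suspect or the affected machine cannot reach matters as much as the hashing itself.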

If you're unsure about any of these steps or would simply like to have a brief chat to explore your options, then we are happy to speak with you and offer you some useful advice about how to proceed.

Call us now on 020-8166-0059 or send us an email and we'll call you straight back to discuss how we can help.

LangfordParc Limited is a limited company registered in England and Wales. Company Registration Number 07642033.
Registered office: 1 Heddon Street, London, W1B 4BD. VAT No. 119 4780 95