There are multiple stages to investigating any crime, and this holds true for a digital forensics investigation as well: like any other forensic investigation, a digital forensic investigation requires planned and systematic actions to uncover the truth. Broadly, there are six stages that need to be followed:
First Stage: Preparation
This stage covers how you are going to handle the situation and what precautions need to be taken for a successful investigation of a computer incident. Preparation includes creating policies on what you can and cannot do, including warning banners and other notifications that inform others of an ongoing investigation. You also need to train yourself and your team properly if you are not familiar with the technology used in the company, and you need to be fully prepared on the legal side if you are going to investigate in an area where you are not familiar with the judiciary and local laws.
Second Stage: Identification
Before diving into the nitty-gritty, one has to sense and separate the apples from the oranges: single out the suspect activity while keeping the rest of the infrastructure unaffected. Is there an issue with the network? If yes, is it confined to a particular location or machine, or is the suspicion network-wide? The wider your area of suspicion, the more difficult it is to manage, so you really need to narrow down your target area so that resources are used to the maximum.
Third Stage: Investigation
This step requires lots of questions to be asked and answered, such as: How did the network intrusion take place? Was it confined to a single location or machine, or are multiple areas affected? Was someone from the organization involved, or did the threat originate externally? What hints are the log files providing?
It is advised that one documents each and every step, especially in the case of external threats, where in the majority of cases law enforcement is involved.
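The identification and investigation questions above (is the activity confined to one machine or spread across the network, did it originate inside or outside, and what do the logs say) can be answered in a first triage pass over authentication logs. The following is an added example, not code from the original post; the sshd log lines, host names and addresses are constructed, and the organization's internal ranges are assumed to be the RFC 1918 private networks. It also hashes each documentation entry so that the investigation notes can later be shown to be unaltered.

```python
import hashlib
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample sshd log lines (hypothetical hosts and addresses).
SAMPLE_LOG = """\
web01 sshd: Failed password for root from 203.0.113.45
web01 sshd: Failed password for root from 203.0.113.45
web01 sshd: Accepted password for root from 203.0.113.45
db01 sshd: Accepted publickey for svc_backup from 10.0.0.12
web02 sshd: Failed password for admin from 203.0.113.45
fs01 sshd: Accepted password for jsmith from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)
# Assumption: the organization's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """For each source address with failed logins: hosts touched (scope), internal vs
    external origin, and hosts where the same address later got in (where to focus)."""
    failed, accepted = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected sshd format
        bucket = failed if m["result"] == "Failed" else accepted
        bucket[m["ip"]].add(m["host"])
    findings = {}
    for ip, hosts in failed.items():
        touched = hosts | accepted[ip]
        findings[ip] = {
            "origin": "internal" if is_internal(ip) else "external",
            "scope": "single host" if len(touched) == 1 else "multiple hosts",
            "hosts_touched": sorted(touched),
            "successful_logins_on": sorted(accepted[ip]),
        }
    return findings

def record_step(step, findings):
    """Documentation entry: canonical JSON plus its SHA-256, so the note can be verified later."""
    body = json.dumps({"step": step, "findings": findings}, sort_keys=True)
    return {"entry": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    print(record_step("identification", result)["sha256"])
```

Run against the constructed log, the external address 203.0.113.45 is flagged as having touched two hosts (web01 and web02) with a successful login only on web01, which is where the investigation should focus first.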
Fourth Stage: Eradication
This step is initiated when you are sure that no further internal or external action is required for the investigation. It can be termed the process of getting rid of the problem and involves running antivirus scans, removing infected software, and rebuilding the OS.
Fifth Stage: Recovery
This is the process of bringing the business back to normal. It involves service and network validation and testing and, after thorough analysis, certifying the system so that normal work can be restored.
Final Stage: Follow Up
Once you complete the investigation process, you need to ask a couple of questions so that the same mistakes do not get repeated. There can be many questions, but some general ones are:
- Is what has been done now sufficient to prevent this type of intrusion?
- How easy or difficult was it to detect the intrusion?
- What was the cost of the incident in terms of financial losses?
- What preventive measures will stop such a situation from happening again?
Such follow-up is critical to strengthening security and to avoiding such an intrusion from happening again, within the organization or anywhere else. The one good thing about such an intrusion is that it helps you improve by pointing out the loophole.