Forensic investigations normally take place within the framework of an incident and thus follow a common cycle of events. You suspect that an employee has found a way of intercepting emails from one of their colleagues. What would the incident lifecycle look like?
Within the incident lifecycle there are several different functions that can be observed.
Aside from the actual evidence gathering, it is important to realise that a large part of an investigation is the diagnosis, the reporting and the lessons learned from the initial incident.
So what would the incident lifecycle look like for the above example?
Detection: An employee at the organisation has reported that they believe somebody is accessing or reading their emails.
Reporting: Depending on the organisation, the employee could report this to a number of people. This is one of the reasons why a proper reporting structure should be in place: it ensures that incidents are raised to the correct person and at the correct level. This could be anybody from a line manager to the IT manager or even someone at senior management level.
Diagnosis – Initial: The interception could be anything from a keylogger on the employee's workstation, to unauthorised access to the mailbox or the email server itself, to capture and analysis of network traffic. At this stage these are hypotheses to be tested, not conclusions.
Management actions based on initial diagnosis: Senior staff are informed and an incident team is formed. The team members are then assigned individual tasks.
Evidence collection: Take a forensic image of the employee's PC (from a write-blocked source, with hashes recorded at the time of acquisition), check the physical area around the workstation for hardware keyloggers or other unexpected devices, and preserve the relevant logs from the email server before they are rotated or overwritten.
Diagnosis – mature: Assess the evidence that has been gathered and revisit the initial diagnosis. This would be the time to confirm or refute the points made during the initial diagnosis.
Management actions based on mature diagnosis: At this stage it should be determined whether the cause is internal or external. In either case it then needs to be clarified whether the activity was malicious or accidental.
Business/Asset recovery: In this case any kind of financial recovery is doubtful; the loss is of confidentiality rather than of a recoverable asset.
Remedial activity: A list of lessons learned and the resulting changes needs to be drawn up and put into action.
Civil legal activity: If an employee is responsible, internal disciplinary action may be appropriate. If the cause is external, it is more than likely criminal activity.
Criminal proceedings: This depends on the quality and amount of evidence collected and on whether that evidence shows a criminal offence has been committed.
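The evidence collection and mature diagnosis steps above are where the technical work happens, so here is an added example, written for this page rather than taken from it, of the two checks an examiner would run at those steps: hashing the acquired image and recording the hashes in a chain-of-custody entry so the working copy can later be verified, and reviewing the mail server's login records to confirm or refute the "unauthorised access to the email server" hypothesis. The disk image bytes and the log lines are constructed, the log format is an assumed Dovecot-style imap-login line (real formats vary), and the victim's known workstation address is an assumption passed in by the caller.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for the acquired disk image. In a real acquisition this is
# the file produced by an imaging tool from a write-blocked source drive.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 4

# Constructed mail server log lines in an assumed Dovecot-style imap-login format.
# alice is the complaining employee, bob a colleague.
SAMPLE_MAIL_LOG = """\
Jan 14 08:02:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.4.22, lip=10.1.1.5
Jan 14 08:05:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.1.4.31, lip=10.1.1.5
Jan 14 12:47:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.4.31, lip=10.1.1.5
Jan 14 19:15:55 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.4.31, lip=10.1.1.5
Jan 15 08:01:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.4.22, lip=10.1.1.5
"""


def image_digests(data: bytes) -> dict:
    """Hash the image with two algorithms; most labs record both MD5 and SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquisition_record(data: bytes, exhibit_id: str, examiner: str, source: str) -> dict:
    """Chain-of-custody entry: who imaged what, when, and the hashes taken at that moment."""
    return {
        "exhibit_id": exhibit_id,
        "source": source,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(data),
        "digests": image_digests(data),
    }


def verify_image(data: bytes, record: dict) -> bool:
    """Re-hash the working copy and compare with the acquisition record.
    Any mismatch means the copy cannot be presented as a faithful image."""
    return image_digests(data) == record["digests"]


LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>, method=\w+, rip=(?P<rip>[\d.]+)"
)


def login_events(log_text: str) -> list:
    """Parse successful IMAP logins into dicts of timestamp, user and remote IP."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_logins(log_text: str, victim: str, victim_hosts: set) -> list:
    """Logins to the victim's mailbox from hosts outside the victim's known set.
    Each finding also lists which other accounts log in from that host, which is
    what points the team at a specific colleague or refutes the theory."""
    events = login_events(log_text)
    users_by_host = {}
    for e in events:
        users_by_host.setdefault(e["rip"], set()).add(e["user"])
    findings = []
    for e in events:
        if e["user"] == victim and e["rip"] not in victim_hosts:
            others = sorted(users_by_host[e["rip"]] - {victim})
            findings.append({**e, "other_users_from_host": others})
    return findings


if __name__ == "__main__":
    record = acquisition_record(SAMPLE_IMAGE, "EX-001", "examiner", "workstation HDD")
    print(json.dumps(record, indent=2))
    print("image verified:", verify_image(SAMPLE_IMAGE, record))
    for f in suspicious_logins(SAMPLE_MAIL_LOG, "alice", {"10.1.4.22"}):
        print(f"{f['ts']} {f['user']} from {f['rip']} (host also used by {f['other_users_from_host']})")
```

On the constructed log the review returns the two logins to alice's mailbox from 10.1.4.31, a host otherwise used only by bob, which is exactly the kind of finding that moves the initial "somebody is reading my email" report to a mature diagnosis. It is a lead, not proof: the host could be shared, the credentials could have been stolen from elsewhere, and the log itself needs to have been preserved with the same hashing discipline as the disk image before it is relied on.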
From the above it is clear that there is more to a forensic investigation than the collection and analysis of electronic evidence. There are many different aspects to an investigation, or incident, and they all need to be addressed.
An investigation is unlikely to succeed without an aim or objective. It needs to be reliable and irrefutable both in its processes and in the conclusions it draws, and it needs to be supported by quality evidence that is credible and admissible in court.