Digital forensics is carried out both during and after a security incident. As part of the incident response, the characteristics of the incident and any Indicators of Compromise (IOCs) must be identified quickly so that the scale of the incident can be mapped out. The root cause and the source of the attack are identified so as to minimise the chance of a recurrence and of any further corruption or data exfiltration. A more detailed and comprehensive forensics effort is typically carried out after the incident.
During this process we carry out the following tasks:
- Assess the current environment for any obvious vulnerabilities and for traces of the source or root cause of the incident.
- Collect and protect logs, any other relevant information, and the corresponding assets that are involved or affected.
- Analyse and align the sequence of events: what happened, how it happened, and who carried out the attack. Include details of all findings and of the tactics, techniques, and procedures (TTPs) observed within the report.
- Provide recommendations for mitigating the risks, list any areas of weakness, and recommend improvements to security that reduce the likelihood of recurrence.
- Draft the report, then review and workshop it with the client.
An organisation also needs to consider its legal obligations (Notifiable Data Breach).
| Service | Description |
|---|---|
| Review Digital Forensic requirements | Review the current environment to determine the changes required to reporting, alerting, and monitoring systems, and report on the capability to carry out appropriate digital forensics. Provide feedback and recommendations for improvement. |
| Incident Response Assistance | Provide proactive or reactive management of and response to incidents. Document policy and procedures to provide clear guidance in the event of an incident. |