Pranitha Koya

 

NIST 800-86

 

FORENSIC TECHNIQUES: HELPING ORGANIZATIONS IMPROVE THEIR RESPONSES TO INFORMATION SECURITY INCIDENTS

 

 

Digital forensic techniques involve the application of science to the identification, collection, examination, and analysis of data in ways that preserve the integrity of the information and maintain a strict chain of custody for the data. Organizations have the means to collect growing amounts of data from many sources. Data is stored or transferred by standard IT systems, networking equipment, computing peripherals, personal digital assistants (PDAs), consumer electronic devices, and various types of media. When information security incidents occur, organizations that have established a capability to apply digital forensic techniques can examine and analyze the data that they have collected, and determine if their systems and networks may have sustained any damage and if sensitive data may have been compromised. Digital forensic techniques can be used for many purposes, such as supporting the investigation of crimes and violations of internal policies, analyses of security incidents, reviews of operational problems, and recovery from accidental system damage.


Guide to Integrating Forensic Techniques into Incident Response

 

NIST’s Information Technology Laboratory recently issued Special Publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, which provides detailed information on how an organization can establish a forensic capability and develop the fundamental policies and procedures that will guide the use of forensics. The focus is on helping organizations use forensic techniques to aid in the investigation of computer security incidents and in troubleshooting other information technology (IT) operational problems.

 

Why Forensics Techniques Are Needed for Information Security

 

Forensic science is generally defined as the application of science to the law. Digital forensic tools and techniques have evolved to enable organizations to properly provide computer crime data to courts. In addition to assisting with criminal investigations and the handling of computer security incidents, digital forensic tools and techniques are valuable for many other organizational and security-related tasks, such as:

 

*  Troubleshooting operational issues: finding the virtual and physical location of a host with an incorrect network configuration; resolving a functional problem with an application; and recording and reviewing the current operating system (OS) and application configuration settings for a host.

 

*  Log monitoring: analyzing log entries and correlating log entries across multiple systems; assisting in incident handling; identifying policy violations; and auditing and other related efforts.

 

* Recovering lost data from systems, including data that has been accidentally or purposely deleted or otherwise modified. 

 

* Acquiring data for possible future use from hosts that are being redeployed or retired: acquiring and storing the data from a user’s workstation when the user leaves the organization. The workstation’s media can then be sanitized to remove all of the original user’s data.

 

* Protecting sensitive information and maintaining certain records for audit purposes: enabling organizations to notify other agencies or individuals when protected information is exposed to other parties.

 

The Forensic Process

 

NIST SP 800-86 describes a four-step process for applying digital forensic techniques in a consistent manner: 

[Figure: the four-step forensic process (Collection, Examination, Analysis, Reporting)]

 

Collection.  Data is identified, labeled, recorded, and acquired from all of the possible sources of relevant data, using procedures that preserve the integrity of the data. Data should be collected in a timely manner to avoid the loss of dynamic data, such as a list of current network connections, and of data held on cell phones, PDAs, and other battery-powered devices.

 

Examination.  The data that is collected should be examined using a combination of automated and manual methods to assess and extract data of particular interest for the specific situation, while preserving the integrity of the data.

 

Analysis.  The results of the examination should be analyzed, using well-documented methods and techniques, to derive useful information that addresses the questions that were the impetus for the collection and examination.

 

Reporting.  The results of the analysis should be reported. Items to be reported may include: a description of the actions employed; an explanation of how tools and procedures were selected; a determination of any other actions that should be performed, such as forensic examination of additional data sources, securing identified vulnerabilities, and improving existing security controls; and recommendations for improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process. 

 

Forensics in the Information System Development Life Cycle

 

Many computer incidents can be handled more efficiently and effectively if forensic considerations have been incorporated into the information system life cycle.

Examples of these life cycle considerations include:

 

*  Performing regular backups of systems and maintaining previous backups for a specific period of time;

 

*  Enabling auditing on workstations, servers, and network devices;

 

*  Forwarding audit records to secure centralized log servers;

 

*  Configuring mission-critical applications to perform auditing, including recording all authentication attempts;

 

*  Maintaining a database of file hashes for the files of common OS and application deployments, and using file integrity checking software on particularly important assets;

 

*  Maintaining records of network and system configurations; and

 

*  Establishing data retention policies that support performing historical reviews of system and network activity, complying with requests or requirements to preserve data relating to ongoing litigation and investigations, and destroying data that is no longer needed.

 

Summary of Recommendations for Using Forensic Techniques

 

NIST recommends that organizations carry out the following actions to establish, organize, and use forensic techniques effectively:

 

* Develop organizational policies that contain clear statements addressing all major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures. 

 

* Create and maintain procedures and guidelines for performing forensic tasks, based on the organization’s policies and all applicable laws and regulations. 

 

* Develop organizational policies and procedures that support the reasonable and appropriate use of forensic tools.

 

* Prepare IT professionals to support and participate in forensic activities.

 

 

References:

http://www.itl.nist.gov/lab/bulletns/bltnsep06.htm

http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf