I've mentioned before that I'm not a forensics guy by any means. I've never done any "real" forensics, at least not anything beyond simply looking for fairly obvious evidence of a breach or problem. I enjoy reading about digital forensics because it fascinates me: the way that data can be extracted from media after it has been deleted or hidden, and even after the disk has been formatted. Not to mention how someone who is trained can look at the system and determine what happened, how it happened, who did it, how they gained access to the system, etc.
Last week I read this post by Harlan Carvey here. This quote of his got me thinking:
My personal thought on this is that ideally what an organization would want to do is develop an in-house capability for tier 1 response...trained folks whose job it is to respond to, triage, and diagnose a technical IT incident. By "trained", I mean in the basics, such as NSM, incident response, troubleshooting, etc...enough to be able to triage and accurately diagnose level 1 and 2 incidents, as well as preserve data until outside professionals can respond to level 3 or 4 incidents.
What is it that companies really need? What are the basics to ensure that triage is done in a manner that doesn't compromise "the crime scene"? I decided to post that question to my friends in the Security Catalysts Community here. As I expected, I have gotten some good responses.
On Thursday of this week I attended a one-day event put on by ISC2 called SecureAtlanta 2008. I had forgotten what the topic was, and it turned out to be Digital Forensics. It was a high-level discussion that covered a lot of the basics of what DF is and why companies need to be informed and concerned about it. Not much of the content was technical, but it was informative. One of the things that grabbed my attention was the topic of DF and the law. We need to keep in mind that what we are doing in incident response and forensics may end up going to court. Our findings may need to be presented in court to convict or defend. Therefore we need to ensure that our teams are trained in the basics, but also trained in how not to contaminate the crime scene.
One last thing to consider is that, just as with all things related to security, there has to be a balance. We have to balance IR and DF with ensuring that we get (or keep) the company running. We can't forget that our company probably relies on these systems running in order to make money. So if your company doesn't have proper policies and procedures in place for this, start the conversation with your boss. Then work with management to get the proper program and training put in place.