Digital Forensic Incident Response and Analysis Toolkit
Science has become one of the most credible approaches to performance across the entire field of human activity: the scientific approach is effective because it produces theoretical and empirical knowledge about the subject of that performance. As a consequence, recent developments in the sciences have increased the significance of so-called forensic methodology, which consists of problem-solving procedures grounded in scientific and technological approaches. Forensic methodology can therefore be applied to the investigation of incidents. With this in mind, the present paper aims to demonstrate a forensic methodology applied to the given scenario. The main sections of the paper, which cover the aspects of the subject discussed in this study, are introduced next.
First, the environment has to be evaluated and its global influences and implications determined. Next, the related techniques, materials and forensic procedures are described, including digital forensic techniques for network, Internet and cloud-based platforms. The actual process of implementing the forensic methodology is then described, and a detailed schedule is provided in a separate section: a step-by-step plan of all related actions over a period of ten days. It should be noted that this paper is strictly applied to the given case study; it does not classify or rank forensic techniques, but demonstrates their practical effectiveness. With the thesis and the layout of the paper outlined, the next section follows.
Regarding the evaluation of the environment for global influences and implications on forensic procedures, the potential criminal activity that is expected to be identified may also cover other cases that are not yet known. There is, however, little evidence of even minimally reasonable motives for criminal activity. Instead, the case most likely involves a human error within the system, and the possibility of this error spreading remains high. Nevertheless, the initial statement has to be taken as the basic assumption for the outcome of the environment evaluation; the study treats it as the starting point for the entire investigation from the perspective of global consequences. The implications for forensic analysis of the case environment, however, point to the opposite idea.
More specifically, the main implication for the forensic procedures is that they may produce no effective outcome. Put simply, forensic procedures seek to identify particular criminal activity within a particular system, and the primary implication in this case is the high possibility that no criminal activity will be detected by forensic means (Olivier & Shenoi, 2006, p.57). Forensic techniques should therefore refer to external sources that can attest to the wrong decision to cut the unmarked trees. Forensic methodology will thus function as a tool for proving certain external data: if information about the cutting of the unmarked trees is revealed by non-forensic techniques, the forensic techniques are capable of validating it. These are the main points concerning the evaluation of the case environment.
Methodology and Techniques
Firstly, the methodology to be applied in the case has to be described, since it underpins the choice of techniques used in the case. The chosen methodology was designed by NIST, a U.S. Government organization. It is relatively simple at the outer level but detailed in terms of its separate phases (Johnson, 2014, p.27). The first phase of this methodology is preparation, which presupposes the design of an incident response mechanism and the installation of a minimal security baseline. Primary attention has to be paid to the incident response mechanism, because the circumstances of the case point to an act of negligence.
The next phase is detection and analysis. Detection is the factual identification of the incident, and analysis is the distinguishing of its potential causes. Traditionally, detection and analysis require broad observation of both hardware and software. In this particular case, however, software has to be verified first, because of the possibility of human error within the system of logical devices. The next phase covers containment, eradication and recovery. This phase requires decisions about powering the machine down, the exchange of data, and so on; if none of these needs arises, the incident is indeed caused by human error. Eradication implies the elimination of malicious software and code snippets. Again, if a human factor is involved in the incident, the model that controls the tree-cutting schedule needs to be amended. Finally, post-incident activity includes procedures for improving the weakened aspects of the system and taking preventive measures.
As for the techniques applied within the outlined methodology, the incident reaction mechanism is composed of four elements: verification of e-mail codes, verification of text message codes, verification of e-mail content, and verification of text message content. The e-mail verification analyses only the e-mails themselves (Liu, 2009, p.31); the applications used for sending, creating and editing e-mails are not taken into account. This is not a significant aspect of the given case, because mailing applications are not capable of amending the content of e-mails. The Internet has to be analysed as well, however, because the e-mails may have been corrupted by numerous external threats. The same analyses can be applied to the text messages. Furthermore, all related content can be retrieved from the data cloud by keyword searching, which will speed up the detection and analysis phase considerably.
By contrast, it should be admitted that the content may be wrong because of human error. In that case, a matching analysis has to be conducted to establish the time of the mistake and the individual who made it. Evidence of human error may also be multiple, which supports one of two assumptions: the first is drastic incompetence on the part of the employee, while the second may be a hint that deliberate harmful activity should be suspected. Having described the methodology and techniques of forensic incident reaction, the paper moves on to the section devoted to the implementation process.
The implementation procedure of the forensic incident response has to address the primary purpose of the process: it is based on the identification and elimination of a malicious element (Rudolph & Vacca, 2011, p.232). This follows from the minimal security considerations that are required even at the preparation step. Immediate detection and neutralisation of a threat is therefore the primary action of the implementation procedure. At this stage the identification of a malicious element can be hypothetical; the main purpose of this phase is to create the minimal security baseline and begin processing the internal environment of the system. Hence a certain sector of the internal environment has to be chosen as the potential area of malicious activity.
As suggested in the previous section, this segment is to be found by means of cloud-based detection tools. Put simply, the e-mails and text messages that match certain keywords have to be retrieved from the data cloud, and all such text messages and e-mails should then be blocked and disconnected from the entire cloud environment. This is not the final step of the implementation process: it is also important to check whether the system has been attacked externally during the previous month. If any intervention is identified, the incident reaction will need to change its approach considerably in order to protect the system from future attacks. Having discussed the basic points of the implementation procedure, the next section covers scheduling.
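The keyword retrieval, the matching analysis (time and individual behind an erroneous instruction), and the block-and-disconnect step described in the two sections above can be illustrated in a small Python script. This is an added example, not code from the paper or from any tool it cites; the message corpus, the sender names, the keyword list and the repetition threshold are all constructed assumptions, and a real investigation would run the same logic over an export from the cloud mail and SMS stores.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Message:
    """One retrieved item from the cloud mail/SMS store."""
    msg_id: str
    channel: str        # "email" or "sms"
    sender: str
    sent_at: datetime
    text: str


# Constructed sample corpus for this example; none of these are real messages.
SAMPLE_MESSAGES = [
    Message("m1", "email", "alice", datetime(2024, 3, 4, 8, 15),
            "Crew B: please cut the stand on lot 7 tomorrow, the unmarked trees too."),
    Message("m2", "sms", "bob", datetime(2024, 3, 4, 8, 40),
            "Got it, cutting lot 7 including unmarked."),
    Message("m3", "email", "carol", datetime(2024, 3, 4, 9, 0),
            "Reminder: the quarterly safety training is on Friday."),
    Message("m4", "sms", "alice", datetime(2024, 3, 5, 7, 50),
            "Also cut lot 9, skip marking, schedule is tight."),
    Message("m5", "email", "dave", datetime(2024, 3, 5, 10, 20),
            "Lot 7 unmarked trees were cut, was that authorised?"),
]

# Assumed keyword list for the case (the paper names no specific terms).
KEYWORDS = ("unmarked", "cut", "marking")


def retrieve_by_keywords(messages, keywords):
    """Keyword retrieval: return (message, matched keywords) pairs in time order.

    Each keyword is matched case-insensitively at a word boundary with an
    optional suffix, so 'cut' also hits 'cutting'. This is deliberately broad:
    retrieval should over-include, and the analyst narrows down afterwards.
    """
    hits = []
    for msg in messages:
        matched = {
            kw for kw in keywords
            if re.search(r"\b" + re.escape(kw) + r"\w*", msg.text, re.IGNORECASE)
        }
        if matched:
            hits.append((msg, matched))
    hits.sort(key=lambda h: h[0].sent_at)
    return hits


def matching_analysis(hits):
    """Group retrieved messages by sender: first occurrence, count, channels, ids."""
    stats = {}
    for msg, _matched in hits:
        entry = stats.setdefault(
            msg.sender,
            {"first_seen": msg.sent_at, "count": 0, "channels": set(), "msg_ids": []},
        )
        entry["first_seen"] = min(entry["first_seen"], msg.sent_at)
        entry["count"] += 1
        entry["channels"].add(msg.channel)
        entry["msg_ids"].append(msg.msg_id)
    return stats


def earliest_origin(stats):
    """The individual whose matching message appears first in the timeline."""
    return min(stats.items(), key=lambda kv: kv[1]["first_seen"])[0]


def repeated_senders(stats, threshold=2):
    """Senders with repeated matching messages; the paper treats multiple
    evidence of error as grounds for closer review rather than an isolated slip."""
    return sorted(s for s, e in stats.items() if e["count"] >= threshold)


def quarantine_list(hits):
    """Ids of matched items to block and disconnect from the cloud environment."""
    return [msg.msg_id for msg, _ in hits]


def run_example():
    hits = retrieve_by_keywords(SAMPLE_MESSAGES, KEYWORDS)
    stats = matching_analysis(hits)
    return hits, stats


if __name__ == "__main__":
    hits, stats = run_example()
    for msg, matched in hits:
        print(f"{msg.sent_at:%Y-%m-%d %H:%M} {msg.channel:5} {msg.sender:6} {sorted(matched)}")
    print("earliest origin:", earliest_origin(stats))
    print("repeated senders:", repeated_senders(stats))
    print("quarantine:", quarantine_list(hits))
```

On the constructed corpus the timeline places alice's e-mail of 4 March first, shows her raising the topic again over a second channel the next day, and leaves bob, and dave's later query, as single hits; the quarantine list contains exactly the four matched items and not the unrelated training reminder.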
Following the phases of the methodology, a schedule for the entire forensic incident response has to be developed. The first day is devoted to initiating the incident planning committee, which will confirm the incident reaction plan and suggest amendments to it. On the second day, a policy has to be designed that outlines particular limitations on the use of the system. The third day is devoted to integrating the basic security and detection tools in order to reveal the potential segment of malicious activity, if any exists within the system (Green, Mattord, & Whitman, 2014, p.133). On the fourth day, preventive controls should be set; this is important because, as discussed in the previous section, containment of a malicious element is the primary objective of the incident response. On the fifth day, once the problem has been detected, the Computer Security Incident Response Team is created; the choice of team members has to correspond to the type of the malicious element identified.
Next, the actual implementation of the incident response should begin. It includes the final elimination of the malicious activity and the start of developing preventive measures. The outcomes of the incident reaction then have to be verified; in other words, the results of the incident response need to bring positive changes to the system. The remaining days are required for developing and incorporating updated protection to secure the system against potential threats. These are all the points regarding the case study and the use of forensic methodology to resolve the given incident, and certain conclusions can now be drawn.
To conclude, the role of forensic methodology in incident reaction is considerable, because forensics can be applied to a wide range of important procedures. The forensic approach is used to detect malicious activity and creates the basic protective line for the entire system. Forensic methodology is also able to refer to the external factors of an incident: the identification of no malicious evidence within the system clearly indicates influence from the external layer. In the given case study, if the suggested forensic toolkit does not detect any malicious element, it is possible that the human factor is involved. The study has also revealed that forensics can serve numerous functions depending on the circumstances of an incident.
With regard to the case study, the paper has evaluated the environment for global influences and implications on the forensic procedures, which revealed the possibility of human error. The methodology and techniques for the forensic operations have been described; the choice of tools and methodology has been underpinned by the particular features of the case study. The tools are primarily focused on retrieving e-mails and text messages from cloud-based environments, and more precisely on retrieving only those e-mails and text messages that match the relevant keywords. The process of implementing the incident reaction has then been described. Finally, the paper has given an account of the scheduling of the incident reaction process with consideration of all important aspects.