Forensics information in order to efficiently handle the numerous incidents that an organization may come across, it’s essential that the forensic issues be implemented into the existing system life cycle.
A few such examples are as given below:
• Maintaining a backup of the system on a regular basis
• For securing centralized log servers, audit reports should be forwarded by auditing the workstations, servers, and network devices
• Configure mission-critical applications for auditing
• Maintaining a database of file hashes for the common OS files and application deployments
• Use the file integrity checking software for protecting important assets
• Maintain network and system configurations records
• Implement knowledge retention policies supporting system and network activities
• Regularly audit all the workstations, servers, and network devices and create proper audit reports
• Install correct security tools and solutions, like firewall, IPS, IDS, and honeypots, and set up them to get logs
• Install applications that alert the incident responders during an incident
These points must be present in documents related to that specific domain and not within the overall centralized rhetorical policy as they manage the provisions for the present policies and procedures in a corporation.
Making Investigation Team
The investigation team plays a serious role in resolution a case and is responsible for evaluating the crime, evidence, and criminals. The organization should assign specific tasks to every team member supported their data, skills, and skills to form the process and simple.
The guidelines for building the investigation team are as follows:
Create a forensics investigation team consisting of forensics investigators, linear unit professionals, and incident handlers Equip the team with forensic tools necessary for playing the investigation and providing basic training on the forensics strategies and techniques Organizations could use an internal, partly outsourced or fully outsourced forensic investigation team considering value, latency, and data sensitivity.
• Members of the forensic investigation team ought to have a fairly comprehensive data of forensic principles, guidelines, procedures, tools, and techniques, similarly as anti-forensic tools and techniques that may conceal or destroy data
• Members of the forensic investigation team need to be trained on existing and rising security threats
• Verify the one that have to be compelled to reply to an event for a unbeaten internal PC investigation
• Organize the team members and provides responsibilities to each member of the team
• Purpose somebody as a technical lead among the team members
• The investigation team ought to be as small as potential to realize confidentiality and robot outpouring of data
• Every member of the team ought to have the mandatory clearance and authorization to complete assigned tasks
• Enlist facilitate from a positive external investigation team, if needed
Forensic Readiness Procedures:
Maintaining an inventory : The organization thought to maintain an inventory, similarly as devices, systems, and media, to interchange the compromised devices whereas enjoying investigation. It helps investigators to recreate the incident scene and quickly establish affected systems.
The following are the principles for creating prepared and maintaining an inventory :
• Maintain associate up-to-date inventory of all network devices and hosts
• The inventory have to be compelled to embody the model vary, serial vary, and description of all the devices
• It have to be compelled to supply information relating to but the devices are connected to each completely different as an example, cable connections, jumper settings
• Inventories have to be compelled to in addition embody criticality levels, business desires, owners, operative systems, patch levels, science addresses, and so on
• Embrace all the documents and pictures of the ability with all the resources at intervals the inventory
Monitor the integrity of necessary files
• Produce a information of crypto logical check sums of necessary files which will facilitate in checking the integrity of tiles once an occurrence
• Incident responders can use verification calculators like Hash Calc or automated integrity looking at tools like Tripwire Increase or amendment event and security audit work
• Event work helps in capturing security events like login makes a trial, changes to security configurations, record edits, system startups and shutdowns, and elevated privileges
• Event and security logs facilitate investigators to reconstruct the incident timeline and provide useful information to investigate the incident Secure hosts
• Follow best practices to secure hosts, similarly as putting in place all patches, hot fixes and updates, disabling supernumerary services and ports, and putting in place antivirus systems make a copy necessary data
• Backups facilitate in simple recovery once an occurrence
• Organizations can use an operative system’s intrinsic backup and recovery utilities or any industrial tool to perform regular backups