One thing I've noticed over the past year is that the majority of information on the web relating to digital forensics is geared toward two audiences. The first is law enforcement and the second is consulting firms. This makes complete sense. Law enforcement probably does more evidence collecting and review than anyone else, and most companies don't need (or want) a full-time forensics team. So it's completely understandable that the bulk of materials cater to these groups.
What concerns me is how underserved those in corporate incident response are by the larger forensics community. Even if incident response at the corporate level is a small market, it is a market nonetheless. Many times companies want to add these capabilities to their in-house arsenal but have no idea where to start. If you are in that camp, keep reading. This article is just for you.
Companies which are considering adding digital forensic investigation capabilities in-house need to ask themselves several questions upfront.
1. Why do we need this capability?
2. Who's going to provide the services and where will they report?
3. Is the cost to purchase and maintain a lab and provide continuing education worth the expense?
Questions 1 and 2 are typically easy to answer. Number three is more difficult. A typical one-week engagement from one of the well-known consulting groups like IBM, Deloitte and others can easily surpass $10,000. Can you provide this in-house more cheaply? If you plan to do investigations once or twice a year, probably not. If you plan to do it once or twice a month, then likely so. Many times, though, we forget to look at all of the costs associated with standing up a unique environment like a forensic lab. It shouldn't be hooked to your network, which creates management concerns around patching, updating, etc. The hardware most likely will be vastly different from what you purchase for other needs. If you choose to utilize commercial software packages, they must be continually updated, and software maintenance is a must.
Once an organization decides to offer these services, some immediate steps need to be taken to ensure uniformity in your investigations. An incident response plan must be developed which lays out who can request or initiate an investigation, what the grounds for cause are, who can perform the investigation, who sees the results, and what actions should or must be taken based on the outcome. One thing organizations must protect against is the witch hunt mentality. You've got a suspicion someone is up to no good but nothing more than that. Just a hunch. I advise my clients never to start an investigation this way. Make sure there is always a reason to investigate. The last thing you want is for your employees to feel there is a culture of mistrust and accusations within the organization. At best your morale will sink to new lows. At worst you could be sued by employees over harassment, privacy or other accusations.
The next thing to define is who can call for an investigation. I usually like to see a 2nd-level manager in the approval chain. Let's say Bob is an employee whose manager suspects he's creating fraudulent transactions. If Bob works for Sally and Sally works for Meg, then Sally would make the request for investigation and Meg has to approve it. This again helps reduce the chance of a witch hunt and ensures a level of accountability in the process.
You'll also want to make sure investigations are only completed by those who've had some specialized training in acquiring and handling evidence, digital forensic processes and reporting of results. I wish I could say you'll never have to worry about your internal investigations ending up in civil or criminal court, but I can't. You should always approach new cases as having the potential to involve aspects of civil or criminal law. This will save you a lot of headache later.
In terms of who should have access to the final reports, that will vary by organization. Needless to say, it should be restricted on a need-to-know basis. Also remember that many times an initial investigation will lead to one or more follow-on investigations, and the fewer people who are privy to this fact the better.
So as you begin to build a forensic unit within your organization, here are some things you'll want to consider.
Develop an Incident Response Plan prior to doing any investigations.
Create a dual or dotted-line reporting structure to maintain independence.
Build a self-sustaining lab and staff it appropriately.
Create a set of criteria for requesting and initiating investigations to ensure objectivity.
Build a communication framework for investigators to ensure they have the support of executives, HR and Legal.
Develop a plan for when and how to call for outside help, including law enforcement or more experienced investigators.
By following these steps you'll be well on your way to providing these services in-house. I can't promise everything will be picture perfect. In fact, I can almost guarantee that at one or more points along this path you'll wonder if this was the right decision. Adding forensic capabilities to your internal service offering will change the culture at your organization. Make sure your leadership, all the way to the top, is on board and understands this decision.