Figure 8.11 Digital forensics workflow overview.
• Scientific Working Group for Digital Evidence (SWGDE) Best Practices for Digital Evidence Laboratory Programs
8.12.6 IA² Perspective
Effective use of digital forensics requires an IA architectural approach that builds in appropriate tracking mechanisms, including cyber, personnel, and physical logs. Cyber logs include IT infrastructure (e.g., routers, switches), IA infrastructure (e.g., FW/VPN, AV, and IDS), host, client, and application logs as well. An effective digital forensics analysis provides for not only log consolidation but also aggregate log analysis.
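The log consolidation and aggregate analysis this paragraph calls for, together with the comparison against an operational baseline snapshot that the section describes below, as an added Python example (this is illustrative code written for this page, not from the book). The three log formats, the host names, the addresses and the baseline counts are all constructed; the host syslog lines carry no year, so one is assumed.

```python
"""Consolidate router, firewall and host logs into one timeline, aggregate
them per host and event type, and compare the aggregate against a baseline
snapshot. Added example: every log line, host and baseline value below is
constructed for illustration (RFC 5737 documentation addresses)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

ASSUMED_YEAR = 2024  # assumption: host syslog lines have no year field

# Constructed sample lines from three sources with three different layouts.
ROUTER_LOG = [
    "2024-03-01T09:00:01 rtr1 %LINK-3-UPDOWN: Interface Gi0/1 changed state to down",
    "2024-03-01T09:00:05 rtr1 %LINK-3-UPDOWN: Interface Gi0/1 changed state to up",
]
FIREWALL_LOG = [
    "2024-03-01 09:01:10 fw1 DENY TCP 203.0.113.7:51000 -> 192.0.2.10:22",
    "2024-03-01 09:01:11 fw1 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22",
    "2024-03-01 09:01:12 fw1 ALLOW TCP 192.0.2.30:44000 -> 192.0.2.10:443",
]
HOST_LOG = [
    "Mar  1 09:02:00 srv1 sshd[410]: Failed password for root from 203.0.113.7",
    "Mar  1 09:02:03 srv1 sshd[410]: Failed password for root from 203.0.113.7",
    "Mar  1 09:02:07 srv1 sshd[410]: Failed password for root from 203.0.113.7",
    "Mar  1 09:05:00 srv1 sshd[455]: Accepted publickey for alice from 192.0.2.20",
]

ROUTER_RE = re.compile(r"^(\S+) (\S+) %([A-Z0-9-]+): (.*)$")
FIREWALL_RE = re.compile(
    r"^(\S+ \S+) (\S+) (ALLOW|DENY) \S+ ([\d.]+):\d+ -> ([\d.]+):\d+$")
HOST_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed password|Accepted) .* from ([\d.]+)$")


def parse_router(line):
    """Router syslog line -> common record, or None if the line does not match."""
    m = ROUTER_RE.match(line)
    if not m:
        return None
    ts, host, mnemonic, _msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "router",
            "host": host, "event": mnemonic, "peer": None}


def parse_firewall(line):
    """Firewall line -> common record; the peer is the connection's source address."""
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    ts, host, action, src_ip, _dst_ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall",
            "host": host, "event": "fw." + action.lower(), "peer": src_ip}


def parse_host(line):
    """sshd authentication line -> common record; year supplied by ASSUMED_YEAR."""
    m = HOST_RE.match(line)
    if not m:
        return None
    ts, host, outcome, peer = m.groups()
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    event = "auth.failed" if outcome.startswith("Failed") else "auth.accepted"
    return {"ts": when, "source": "host", "host": host, "event": event, "peer": peer}


def consolidate(router=ROUTER_LOG, firewall=FIREWALL_LOG, host=HOST_LOG):
    """Log consolidation: normalise every source and merge into one timeline."""
    records = []
    for lines, parser in ((router, parse_router), (firewall, parse_firewall),
                          (host, parse_host)):
        records.extend(r for r in map(parser, lines) if r is not None)
    return sorted(records, key=lambda r: r["ts"])


def aggregate(records):
    """Aggregate analysis: event counts per (host, event type) across all sources."""
    return Counter((r["host"], r["event"]) for r in records)


def peers_across_sources(records):
    """Remote addresses that the consolidated view shows in more than one source."""
    seen = defaultdict(set)
    for r in records:
        if r["peer"]:
            seen[r["peer"]].add(r["source"])
    return {peer: sorted(srcs) for peer, srcs in seen.items() if len(srcs) > 1}


# Constructed operational snapshot: expected count per (host, event) for the window.
BASELINE = {("rtr1", "LINK-3-UPDOWN"): 2, ("fw1", "fw.allow"): 50,
            ("srv1", "auth.accepted"): 10, ("srv1", "auth.failed"): 1}


def atypical(counts, baseline=BASELINE):
    """Anything above its baseline count, or absent from the baseline, is atypical."""
    return {key: n for key, n in counts.items() if n > baseline.get(key, 0)}


if __name__ == "__main__":
    timeline = consolidate()
    for key, n in sorted(atypical(aggregate(timeline)).items()):
        print("atypical:", key, n)
    print("peers seen in several sources:", peers_across_sources(timeline))
```

Run on the constructed lines, the aggregate flags the firewall denies (not in the snapshot at all) and the three failed root logins on srv1 (above the baseline of one), and the cross-source view ties both back to the same remote address, which no single log shows on its own.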
Forensic planning and activity take place in each phase of the IA operations cycle. Anticipatory actions include planning and preparation from architecture throughout the solution development life cycle. Policies include what to log in COTS, servers, clients, and custom applications. SETA includes awareness for every user to be on the lookout for activity, when and how to report activity, and preserving evidence in questionable situations. Defense actions include optional logging from standard business as usual to high-alert logging.
Operational snapshots provide baselines to discern atypical activity. Monitoring includes log management, monitoring, and filtering expected traffic to