The importance of digital forensics in cyber incidents

By Heimdall and ISH DFIR: As cyber incidents occur in organizations, it is essential that good practices are adopted for incident response, with the aim of collecting as much evidence as possible to assist in the investigation.

In order to spread the word about the importance of securing evidence for a good investigation, we've listed some security measures that can be adopted so that evidence isn't damaged and so that a forensic investigation is carried out correctly and produces good results.

Best practices for Incident Response

The main good practice is to create an Incident Response Plan. This is a set of procedures created and organized to effectively manage and respond to information security incidents or any other event that may occur in an organization.

The main focus is on minimizing the damage caused by an incident and ensuring business continuity, as well as defining roles and responsibilities, lines of communication, and procedures for evidence gathering, forensic analysis, risk mitigation and system restoration.

In addition, the Incident Response Plan must follow certain steps, such as:

  • Preparation: consists of identifying potential threats, implementing security measures, training staff and establishing procedures in advance;
  • Detection: this phase consists of identifying and confirming that a security incident has occurred, and ensuring that the incident response plan is triggered;
  • Assessment: an analysis of the severity and potential impact of the incident on the organization is carried out, determining the necessary actions and prioritizing the response;
  • Response: once the actions have been evaluated, the damage is contained, for example by isolating the affected system. Evidence is also collected in this phase, and forensic analysis of the data gathered from the incident is carried out;
  • Recovery: this phase focuses on restoring the affected systems and returning them to normal availability;
  • Lessons learned: in the final, post-incident phase, the failures and events that came to light during the response are identified, and the need to update the incident response plan is assessed so that it can be applied correctly should a security incident occur again.

In addition to these steps, it is important that, during the response, the person or team responsible documents every process and action taken during isolation. It is also essential that a host or asset under investigation is not shut down or restarted: volatile data is created while the system is running, and a restart will destroy it.

You should also avoid interacting with the affected system beyond what is necessary, reducing the risk of modifying or contaminating the evidence and preserving its integrity. In addition, appoint a team or responsible person to act as a forensics focal point, as these professionals will use the appropriate tools to collect evidence and analyze the data collected.

DFIR's work

DFIR stands for Digital Forensics and Incident Response, an area of practices and techniques covering digital forensic investigations and incident response. Working in this field requires multidisciplinary knowledge combining information security, forensic science, information technology and law.

Digital Forensics involves collecting, preserving, analyzing and presenting digital evidence in an investigation. Data can be recovered from devices and systems, digital artifacts such as log files, records and metadata can be analyzed, and events that occurred in a digital environment can be reconstructed.

Incident Response is the practice of identifying, investigating and responding to an information security incident. It involves acting on the incident in real time, mitigating the risk, collecting evidence for forensic analysis and recovering the affected systems.

Together, digital forensics and incident response form the DFIR field, which is essential for dealing with network intrusions, malware, data theft and other malicious activities.

ISH has a DFIR team prepared to act in security incidents, covering both Response and Investigation, and delivering concise reports and actions on behalf of the organization to mitigate the threat and the damage. Contact us to find out more.