- Digital Forensics and Incident Response
- Gerard Johansen
- 2021-07-02 18:49:45
The digital forensic process
Much like the incident response process, the digital forensic process defines the flow of digital evidence related to an incident from when it is first identified to when it is presented to either the senior leadership or to a trier of fact such as a civil or criminal court. There are a number of schemas that define this process and, for the most part, they follow a similar path. In this case, we will be utilizing the Digital Forensics Research Workshop (DFRWS) Digital Investigate Framework. This framework contains six elements:
- Identification.
- Preservation.
- Collection.
- Examination.
- Analysis.
- Presentation.

From an incident response standpoint, the CSIRT will not normally seize network components or critical systems and take them offline unless there is a compelling reason to do so. This is one of the balancing acts of digital forensics and incident response. A purely digital forensic approach will take all relevant evidence, secure it, and process it. This process can take months depending on the type of incident. This approach, while thorough and detailed, can leave an organization without critical components. The CSIRT may be able to tell the leadership after a month-long analysis what chain of events led to a breach, but that would do them no good if they have lost a month's revenue. The examiners assigned to a CSIRT must be ready to balance the need for thoroughness with the need to resume or continue normal operations.