Computer Forensics
Digital forensics is the branch of forensic science that deals with computer crime. It covers the investigation of digital devices and the recovery of data from them, including the reconstruction of changes made on those devices. Digital forensics is a relatively young forensic science. It has been advancing in several dimensions, technically, legally and in complexity, as the size and complexity of incidents and computer crimes have increased drastically throughout the world. Many approaches have been developed to conduct investigations and recover data, and then to raise the security level of individual systems and of systems networked in large numbers. Each model and approach has its own logical process and procedure for investigation and recovery, though many of them share common phases [1].
The development of computer security and digital forensic approaches and models began in the 1980s, when the concept of computer crime emerged, initiated by the FBI.
Computer forensics is younger than the other forensic sciences. The computer forensic process involves data extraction followed by data analysis, and it can be summarized by a flowchart that describes the methodology for digital forensic analysis [2]. Computer forensics can be defined as the use of scientifically derived and proven methods for the collection, preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources. The objective is to facilitate or further the reconstruction of events found to be criminal.
Computer forensics makes use of scientifically verified methods and tools, but it still involves elements of interpretation, judgement and skill.
Computer forensics has the following key elements, shown in the flowchart figure below.
Figure: Computer forensic process
The process is the basic and primary one for the forensic team; the forensic examiner and the prosecutor have to communicate and decide together how much of the process has been completed so far and how many times it should be iterated.
An incident is a violation or an imminent threat of violation of computer security policies and standard security practices [3]. For example, an attacker may instruct a botnet to send connection requests to a web server at a volume high enough to crash the server.
An event is any observable occurrence in a network or system. For example, an event can be a request received by the server for a web page, a mail sent by a user, etc. In the context of computer forensics, an event of interest is usually an adverse event, one with a negative consequence, such as the crash of a system or server or unauthorized access to protected data.
Digital Forensic Methodology
Attacks usually end in the compromise of personal or business data, and a security breach demands an immediate, critical response. Hence computer security incident response has become widely implemented and accepted. An incident response capability supports a systematic response to incidents, for example by following a consistent incident handling methodology so that the appropriate actions are taken [4].
Incident response helps organizations and individuals minimize the loss or theft of information and the disruption of services resulting from incidents. The information gained during incident handling can be used to prepare better for future incidents and to enable stronger protection of systems and data. An incident response capability also helps to deal properly with the legal issues that arise from incidents.
An incident response capability is also needed by federal agencies and departments to comply with the laws, regulations and policy that direct a coordinated and effective defense against threats to information security.
Figure: Communicating with External Parties
Incident response methodology has been designed and developed by considering the various aspects of policy, plan and procedure creation.
NIST SP 800-61r2
NIST SP 800-61 Revision 2 is a standard and widely used incident response methodology. It was developed by NIST (the National Institute of Standards and Technology), which develops the guidelines and standards that set out the basic and minimum requirements for adequate information security across all agency assets and operations [15].
The methodology was developed to provide an effective CSIRC (Computer Security Incident Response Capability) for medium to large organizations and industries. It gives an organization guidance on the provisions needed for an incident response team and on the structure and models through which the team provides its services. It also helps in shaping the plans, policies and procedures for interaction among teams.
Policy Elements
The NIST SP 800-61r2 methodology enables individuals and organizations to include the following key policy elements.
- Policy purpose and objectives
- Management commitment statement
- Policy scope
- Computer security incidents definitions including related terms
- Roles, responsibilities and levels of authority according to the organizational structure, including the incident response team's authority to monitor, confiscate or disconnect activity
- Types of incidents, guidelines and requirements for external information sharing and communication, and escalation and handoff points in the incident management process
- Incident severity or prioritization ratings
- Contact and reporting forms
- Performance measures
Plan Elements
The methodology allows the organization to define the following plan elements.
- An approach for responding to incidents in a focused, formal and coordinated way, captured in an incident response plan
- Plans unique to the organization's mission and vision
- A detailed plan for an organization involves the following:
- Strategies and goals
- Mission
- Approach to incident response
- Approval of senior management
- Communication between the incident response team and the rest of the organization, and with other organizations
- Metrics for measuring the incident response capability and its effectiveness
- Roadmap for maturing the incident response capability
Procedure Elements
The methodology allows organizations to develop standard operating procedures (SOPs) for the specific techniques, processes, forms and checklists used by the team, according to the organization's priorities as reflected in its response operations [14]. They help minimize the errors that stressful incident handling can cause. The methodology also helps in testing the SOPs for accuracy and usefulness before they are distributed to team members.
Information Sharing with External Parties
The methodology helps with sharing information, such as contacting law enforcement, seeking external expertise and fielding media enquiries. Other important outside parties include internet service providers, other incident response teams and the vendors of vulnerable software.
- Media
The methodology helps establish procedures for media communications that comply with the organization's policies on information disclosure and media interaction, through a single point of contact and one backup contact.
- Law Enforcement
The incident response team can use the methodology to maintain contact data for law enforcement at the local, state and national level, and to enable contacting and communicating with the respective agencies.
- Incident Reporting Organizations
The team can share information with incident reporting organizations such as US-CERT (United States Computer Emergency Readiness Team) as part of its incident handling efforts. The agency designates both a primary and a secondary point of contact with US-CERT and reports all incidents, consistent with its incident response policy.
- Other outside parties include the owners of attacking addresses, the organization's ISP, software vendors, affected external parties and other incident response teams.
The methodology enables an organization's incident handlers to analyze incident data, determine the incident's impact and act appropriately to minimize damage and restore normal services.
The methodology allows the following possible structures.
- Team models: the possible structures are a central incident response team, distributed incident response teams and a coordinating team, with three staffing models: employees, partially outsourced and fully outsourced.
- Team model selection is made on factors such as
- 24/7 availability need
- Full-time vs. part-time team members
- Employee morale
- Staff expertise
- Cost
Organizations that outsource can also consider factors such as the division of responsibilities, current and future quality of work, sensitive information shared with the contractor, the contractor's lack of organization-specific knowledge, maintenance of in-house incident response skills, incident handling at multiple locations and lack of correlation.
- Incident response personnel, such as managers and technical leads, can make use of the methodology and be part of the incident response team.
- Dependencies within the organization, such as management, IT support, information assurance, human resources, media relations, public affairs, business continuity planning, the legal department, and management of physical security and facilities
Services of Incident Response Team
The methodology allows the team to perform not only incident response but also related tasks, such as
- Advisory distribution
- Intrusion detection
- Education and awareness
- Information sharing
Overall Functions
The methodology covers the following technical functions.
- Creation of policy for incident response
- Establishing a formal capability for incident response
- Developing a plan of incident response, according to incident response policy
- Developing procedures for incident response
- Providing pertinent information on the incidents
- Consideration of the relevant factors when selecting an incident response team model
- Selection of people with apt skills for the team
- Identifying the other groups for participating in the incident handling
- Determination of the services to be offered by the team
NIST SP 800-61 Revision 2 organizes the whole computer security incident response into four phases [14].
Figure: The Methodology’s Incident Response Life Cycle
Preparation for Incident Handling
The methodology lists the tools and resources to have ready for use during incident handling, as starting points for discussion.
The methodology deals with incident handler communications and facilities, such as contact information, incident reporting mechanisms, on-call information, smartphones, an issue tracking system, war rooms, encryption software and a secure storage facility.
The methodology makes use of incident analysis hardware and software such as digital forensic workstations and backup devices, blank removable media, laptops, spare servers, workstations and networking equipment, evidence gathering accessories, digital forensic software, protocol analyzers, packet sniffers and removable media, with virtualized equivalents as an additional option.
The methodology makes use of incident analysis resources such as the documentation needed for the operating system, port lists, network diagrams and lists of critical assets, cryptographic hashes and current baselines.
The methodology uses incident mitigation software, such as access to clean images of operating system and application installations, for the purpose of recovery and restoration.
Prevention of Incidents
Although an incident response methodology cannot by itself provide the software and protection systems that prevent incidents, it is important to keep the total number of incidents low so that incident response can be complete and fast. Hosts have to be well equipped with protection, taking into account risk assessment, network security, host security, malware prevention, and user awareness and training.
The NIST SP 800-61r2 incident response methodology performs detection and analysis of incidents effectively by means of the following related tasks [15].
Attack vectors
The methodology deals directly with the common attack vectors, such as attrition, removable or external media, email, web, improper usage, impersonation, and loss or theft of equipment. Beyond these common vectors, it also deals with complex attack vectors, for which the host or organization needs to develop unique and varied strategies to handle the varied and unique incidents that occur.
Signs of Incident
The methodology helps to identify the signs of incidents, the most difficult part of incident response, in effective ways. It helps to determine whether an incident has occurred and, if so, its type, extent and magnitude. This is challenging for any methodology, because the volume of potential signs is usually very high, they are detected through many different means, and their detection demands specialized, deep technical knowledge as well as extensive experience on the part of the team.
The methodology classifies the signs of incidents as precursors and indicators. An indicator is a sign that an incident has occurred or is occurring now; a precursor is a sign that an incident may occur in the future.
Sources of Precursors and Indicators
The methodology identifies the sources of precursors and indicators by considering the following sources of information about suspicious events.
- Alerts
Alerts come from IDPS products that identify suspicious events and record pertinent data about them, from Security Information and Event Management products that generate alerts based on analysis of log data, from antivirus and antispam software, from third party monitoring services and from file integrity checking software.
- Logs
The methodology identifies incidents from logs, such as network device logs, operating system logs, application logs, service logs and network flows.
- Publicly available information
This source is information about new exploits and vulnerabilities, generally affecting organizations and shared publicly through the media and other channels.
- People
Signs of incidents can also be discovered through and identified by staff and other people, both within the organization and from other organizations.
Incident Analysis
The methodology performs incident analysis effectively, but it needs the indicators and precursors to be accurate, and it is common for a team to be misled by false indicators. Technical personnel and information security personnel are to be contacted to confirm the accuracy of a suspected incident once the events have occurred. The methodology has the incident handlers use incident detection and handling to analyze symptoms that are contradictory, ambiguous and incomplete in order to determine what exactly happened. Various technical solutions can be adapted by an experienced and skilled team. The methodology enables the team to consider, analyze and validate each incident.
The initial analysis and validation should include profiling systems and networks, understanding regular and normal behaviour, performing event correlation, creating a log retention policy, keeping host clocks synchronized, using and maintaining a knowledge base of information, researching with internet search engines, running packet sniffers to collect additional data, filtering the data and, when needed, seeking assistance from others.
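The event-correlation and clock-synchronization steps above, worked through on constructed data as an added example (not code from NIST SP 800-61r2): three log sources with different formats are normalized to true time using each host's measured clock skew, merged into one timeline, and the events related to a seed IDS alert are pulled out by pivoting on shared IP addresses. The host names, skews, IP addresses and log lines are all assumptions constructed for the example.

```python
"""Build one timeline from several log sources after correcting each
host's clock skew, then pull out the events related to a seed alert.
Added example for the event-correlation and clock-sync steps of initial
analysis; hosts, skews and log lines are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Skew of each host clock relative to the reference clock, measured during
# preparation. Positive means the host clock runs AHEAD of true time.
# Constructed values.
CLOCK_SKEW = {
    "ids01": timedelta(0),
    "web01": timedelta(seconds=90),
    "db01": timedelta(minutes=-2),
}

# Constructed sample lines, each in its source's own format.
IDS_ALERTS = [
    '2024-03-05T10:15:02Z ids01 ALERT sid=1001 msg="SQL injection attempt" src=203.0.113.7 dst=192.0.2.10',
]
WEB_LOG = [  # combined log format on host web01 (clock 90 s fast)
    '203.0.113.7 - - [05/Mar/2024:10:16:30 +0000] "GET /admin?id=1%27 HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Mar/2024:10:10:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
AUTH_LOG = [  # syslog format on host db01 (clock 2 min slow)
    "Mar  5 10:13:20 db01 sshd[412]: Accepted password for appuser from 192.0.2.10 port 50122",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ids(line):
    stamp, host, message = line.split(" ", 2)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, message


def parse_web(line, host="web01"):
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), host, line


def parse_auth(line, year=2024):
    # syslog stamps carry no year or zone: assume UTC and the given year
    m = re.match(r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)", line)
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when.replace(tzinfo=timezone.utc), m.group(2), m.group(3)


def to_true_time(when, host):
    """A clock that runs ahead stamps events later than they happened."""
    return when - CLOCK_SKEW[host]


def build_timeline():
    """Return (true_time, host, message) tuples sorted by corrected time."""
    events = [parse_ids(line) for line in IDS_ALERTS]
    events += [parse_web(line) for line in WEB_LOG]
    events += [parse_auth(line) for line in AUTH_LOG]
    corrected = [(to_true_time(when, host), host, msg) for when, host, msg in events]
    corrected.sort(key=lambda e: e[0])
    return corrected


def correlate(events, seed_index, window=timedelta(minutes=5)):
    """Collect events within the window that share an IP with the seed event,
    pivoting transitively (alert dst -> auth log source) so that a follow-on
    login from the attacked host is linked to the original alert."""
    seed_time = events[seed_index][0]
    ips = set(IP_RE.findall(events[seed_index][2]))
    related = {seed_index}
    changed = True
    while changed:
        changed = False
        for i, (when, _host, msg) in enumerate(events):
            if i in related or abs(when - seed_time) > window:
                continue
            found = set(IP_RE.findall(msg))
            if found & ips:
                related.add(i)
                ips |= found
                changed = True
    return [events[i] for i in sorted(related)]


if __name__ == "__main__":
    timeline = build_timeline()
    for when, host, msg in timeline:
        print(when.isoformat(), host, msg[:60])
    alert = next(i for i, e in enumerate(timeline) if e[1] == "ids01")
    print("related to the alert:", [(e[0].isoformat(), e[1]) for e in correlate(timeline, alert)])
```

Without the skew correction the web request would appear to follow the alert and the database login to precede it; with it, the three events line up within twenty seconds.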
Incident Documentation
As soon as an incident is suspected, the team must immediately record all the facts regarding it, using logbooks, digital cameras, audio recorders and laptops. The suspected incident has to be recorded and documented from the first event to the final resolution, with timestamps. Every document indicating the details of the incident has to be properly signed and dated by the incident handler. The documentation is used in a court of law if legal prosecution is pursued. The incident handling team should have at least two members, one to record the events in the logs and the other to conduct the technical tasks.
The team has to maintain the records and update them with the incident status and pertinent information. The methodology involves a database or any other application serving as an issue tracking system.
The issue tracking system should contain the following information.
- Overall incident summary
- The incident current status
- Indicators related to the incident
- Other related incidents
- Chain of custody, if needed
- Actions taken by the incident handlers
- Evidence gathered during the investigation
- Assessment of impact
- Incident handler comments
- Next steps to be taken
This is the most critical decision point in the incident handling process. Incidents should be prioritized according to relevant factors, such as
- Functional impact of the incident
- Recoverability from the incident
- Information impact of the incident
Incidents are prioritized according to their categorization. A waiting time for a response has to be set for each task, and if it is exceeded an escalation process has to be in place to ensure that a response is obtained from the team members.
Incidents are to be reported to the appropriate individuals so that they can play their respective roles. Policies have to define provisions for reporting incidents: at minimum, whom to report to, what to report and when.
Notification is to be made to the following people.
- CIO
- Information security head
- Officer of local information security
- Other teams in the organization
- System owner
- External teams, if needed
- Human resources
- Legal departments
- Law enforcement
- US-CERT
- Public affairs
Notification should use different communication methods, such as a website, email, telephone calls, voice mailbox greetings, in person, on paper, etc.
Containment, eradication and recovery is another important phase, in which the actual digital forensic work is done and further protective measures are taken [15].
Containment
Containment is an important aspect, performed early in the course of incident handling, and it provides enough time to develop a tailored remediation strategy. Decisions are easier and faster when predetermined procedures and strategies for containing the incident exist. The acceptable risks are to be defined during strategy development.
Containment strategies are unique to each kind of incident. The criteria for determining a strategy would be
- Need for preservation of evidence
- Potential damage to and theft of resources
- Availability of service
- Time and resources needed to implement the strategy
- Strategy effectiveness
- Solution duration
The strategies are discussed with the legal department for feasibility. Containment should not be delayed, as delay can be dangerous: the attacker may compromise another system or escalate privileges to gain unauthorized access. Delay may also add to the damage and to the cost of containing the incident.
Gathering and Handling the Evidence
Evidence is gathered to resolve the incident and also for legal proceedings, and it is done according to established procedures.
Evidence should be gathered with a detailed log that records the following.
- Identifying information
- Each individual’s name, phone number and title
- Date and time of each evidence handling occurrence
- Location of evidence
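An added example, not code from NIST SP 800-61r2, that implements both the issue tracking record described earlier and the evidence log just listed: each evidence item is hashed at acquisition, every handling step records the handler's name, title and phone number, the location and a timestamp, and a verification step re-hashes the evidence so that tampering shows up in the log. The handler details, item identifier and evidence bytes are constructed for the example.

```python
"""Incident record with evidence items and a chain-of-custody log.
Added example for the issue-tracking fields and the evidence-handling log
described in the text; field names, handlers and sample evidence bytes are
constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class Handler:
    """Identifying information the evidence log must carry for each person."""
    name: str
    title: str
    phone: str


@dataclass
class CustodyEntry:
    handler: Handler
    action: str       # "acquired", "released to ...", "received from ...", "verified", "HASH MISMATCH"
    location: str     # where the evidence was at the time of the action
    timestamp: str    # UTC, ISO 8601, recorded when the action happens


@dataclass
class EvidenceItem:
    item_id: str      # constructed identifier, e.g. an asset tag or serial number
    description: str
    sha256: str       # taken at acquisition and never changed afterwards
    custody: list = field(default_factory=list)


@dataclass
class IncidentRecord:
    """The fields the text lists for an issue tracking system."""
    summary: str
    status: str
    indicators: list = field(default_factory=list)
    related_incidents: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    impact: str = ""
    comments: list = field(default_factory=list)
    next_steps: list = field(default_factory=list)


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id, description, data, handler, location, when=None):
    """Create an evidence item, hashing it at the moment of acquisition."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.custody.append(CustodyEntry(handler, "acquired", location, when or utc_now()))
    return item


def transfer(item, giver, receiver, location, when=None):
    """Record a hand-over from both sides so the chain has no gap."""
    stamp = when or utc_now()
    item.custody.append(CustodyEntry(giver, f"released to {receiver.name}", location, stamp))
    item.custody.append(CustodyEntry(receiver, f"received from {giver.name}", location, stamp))


def verify(item, data, handler, location, when=None) -> bool:
    """Re-hash the evidence and log the outcome; a mismatch is itself recorded."""
    ok = sha256_hex(data) == item.sha256
    item.custody.append(CustodyEntry(handler, "verified" if ok else "HASH MISMATCH", location, when or utc_now()))
    return ok


def chain_is_unbroken(item) -> bool:
    """The log must start with acquisition, stay chronological, and pair every release with a receipt."""
    stamps = [e.timestamp for e in item.custody]
    if not item.custody or item.custody[0].action != "acquired" or stamps != sorted(stamps):
        return False
    releases = sum(e.action.startswith("released") for e in item.custody)
    receipts = sum(e.action.startswith("received") for e in item.custody)
    return releases == receipts


def to_json(record) -> str:
    """Serialize the record, evidence and custody log for the tracking system."""
    return json.dumps(asdict(record), indent=2)


if __name__ == "__main__":
    alice = Handler("A. Handler", "Incident handler", "+1-555-0100")    # constructed
    bob = Handler("B. Examiner", "Forensic examiner", "+1-555-0101")    # constructed
    image = b"constructed bytes standing in for a disk image"
    item = acquire("IMG-0001", "Disk image of web01", image, alice, "War room", "2024-03-05T11:00:00+00:00")
    transfer(item, alice, bob, "Forensic lab", "2024-03-05T12:30:00+00:00")
    verify(item, image, bob, "Forensic lab", "2024-03-05T12:35:00+00:00")
    print(to_json(IncidentRecord("Web server compromise", "contained", evidence=[item])))
    print("chain unbroken:", chain_is_unbroken(item))
```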
Attacking Host Identification
Identifying the attacking host consumes much time, is a futile process and may sometimes prevent the team from achieving its primary goal.
The activities commonly performed during identification of the attacking host are as follows.
- Validation of the IP address of the attacking host
- Researching through search engines
- Monitoring possible attacker communication channels
- Using incident databases
Eradication and Recovery
After containment, eradication is the focus, such as disabling breached user accounts, deleting malware, etc. All attacking hosts are identified and then remediated. However, certain incidents do not need eradication, or it is performed as part of recovery [14].
In recovery, systems are restored to normal operation and their normal functioning is confirmed. If needed, vulnerabilities are remediated to prevent similar incidents. Recovery may involve restoring systems from clean backups or rebuilding them from scratch, replacing compromised files, installing patches, changing passwords and tightening network security. Higher levels of system logging or network monitoring are used during recovery, because once a resource has been successfully attacked, the attack is usually repeated, and other resources in the organization may be attacked in the same way.
Both eradication and recovery are performed in a phased approach so that the remediation steps can be prioritized. The early phases focus on improving overall security with quick, high-value changes so that future incidents can be prevented. The later phases focus on longer term changes and on keeping the enterprise as secure as possible.
This is the last phase of the methodology, and its objective is the future security of the organization through learning and improving. However, many organizations find it easy to skip this phase once the issue has been solved.
Lessons Learned
Each incident response team has to evolve in response to improved technology, new threats and lessons learned. After a major incident, a 'lessons learned' meeting is held with all parties involved. Optionally, if resources permit, such meetings should be scheduled periodically, which can improve the security measures and the incident handling process. Such meetings can cover multiple incidents in one go. Lessons learned meetings provide an opportunity to obtain closure on an incident by reviewing what occurred, what was done to intervene and how well the intervention worked.
The following questions should be addressed in the meetings [14].
- What exactly happened, and at what times?
- How well did the staff and team deal with the incident? Were adequate documented procedures followed?
- What information was needed sooner?
- Were there any steps or actions that inhibited recovery?
- What would be done differently if the same incident occurred again?
- What corrective actions can prevent similar incidents in the future?
- How can information sharing with other organizations be improved?
- What precursors or indicators should be watched for to detect similar incidents in the future?
- What additional tools or resources are required to detect, analyze and mitigate future incidents?
When serious attacks occur, post-mortem meetings held after the incident is resolved can be very helpful, crossing team and organizational boundaries, so that a mechanism for information sharing is provided.
Another benefit of lessons learned meetings is that the reports produced from them are good training material for new team members. A further benefit is the updating of incident response policies and procedures. Post-mortem analysis may reveal an inaccuracy or a missing step in a procedure, which gives impetus for future change. Finally, the lessons learned activities produce a set of objective and subjective data about each incident that occurred.
Collected Incident Data Usage
The data produced by the lessons learned activity is useful in different ways and capacities. Data such as cost and time spent can support the justification of funding for the incident response team. The data can be integrated into the risk assessment process to define additional controls. It can also be used to measure the incident response team's success.
Data collection should focus on actionable data, not merely on activities.
Important incident related metrics are as follows.
- Total number of handled incidents
- Time spent for each of the incident
- Each incident’s objective assessment
- Each incident’s subjective assessment
The data is also useful for periodic audits of the incident response program. Any problems and deficiencies can then be corrected following the audits.
An incident response audit has to evaluate at least the following items against the applicable policies, regulations and practices.
- Plans, policies and procedures of incident response
- Resources and tools
- Training and education of the incident handler
- Model and structure of the team
- Documentation and report of the incident
Retention of Evidence
The organization has to establish policies that determine how long evidence is to be held and retained. Though many organizations tend to retain incident evidence for several months or a few years, the following factors usually influence the retention period.
- Prosecution
- Cost
- Data retention
The methodology enables the incident response team to proceed with a formal and scientific process, and creating an incident handling checklist is part of it.
The methodology recommends that the team take the following activities as a basic reference and customize them according to the complexity of the incident.
| Action | Checklist |
| --- | --- |
| Detection and analysis | Determine whether an incident has occurred: analyze precursors and indicators, look for correlating information, conduct research; once the incident is confirmed, begin documentation, investigation and evidence gathering |
| Detection and analysis | Prioritize handling of the incident according to the relevant factors |
| Detection and analysis | Report the incident internally and, if needed, to external organizations |
| Containment, eradication and recovery | Acquire, preserve, secure and document evidence |
| Containment, eradication and recovery | Contain the incident |
| Containment, eradication and recovery | Eradicate the incident: identify and mitigate the exploited vulnerabilities; remove malware, inappropriate materials and other threatening elements; if further affected hosts are discovered, repeat the detection and analysis steps |
| Containment, eradication and recovery | Recover from the incident: return the affected systems to an operationally ready state, confirm that the affected systems are operating normally, implement additional monitoring if needed |
| Post-incident activity | Create a follow-up report |
| Post-incident activity | Hold a lessons learned meeting |
The methodology is developed for computer digital forensic issues, whether the issue is small or very complex. The depth of involvement in the actions depends on the complexity of the issue. The following recommendations can therefore be useful to any organization for handling complex incidents.
- Acquire the tools and resources that may be valuable during incident handling
- Prevent incidents from occurring by securing systems, networks and applications
- Identify precursors and indicators through the alerts generated by different kinds of security software
- Establish an effective mechanism for reporting incidents to outside parties
- Require a baseline level of logging and auditing on all systems, and a higher baseline level on critical systems
- Profile systems and networks
- Understand the regular and normal behaviour of applications, systems and networks
- Create a log retention policy
- Perform event correlation
- Keep all host clocks synchronized
- Use and maintain a knowledge base of information
- Record incident-relevant information as soon as an incident is suspected or has occurred
- Safeguard incident data
- Prioritize incident handling according to the relevant factors
- Include provisions for incident reporting in the organization's incident response policy
- Establish strategies and procedures for containing incidents
- Follow the established procedures for gathering and handling evidence
- Capture volatile data from systems as evidence
- Obtain system snapshots with full forensic disk images, not file system backups
- Hold lessons learned meetings after incidents
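The recommendation to take full forensic disk images rather than file system backups, worked through as an added example that is not code from NIST SP 800-61r2: the source is read as a raw device in fixed-size chunks so that unallocated and slack space are captured, a SHA-256 is computed while the image is written, and the written image is re-read and re-hashed to confirm the acquisition. The source path is assumed to be a raw block device opened read-only; the demo substitutes a constructed temporary file for it.

```python
"""Chunked acquisition of a full disk image with acquisition and
verification hashes. Added example for the forensic-imaging
recommendation above; the demo 'device' is a constructed temporary file."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte devices


def image_device(source_path, image_path, chunk=CHUNK):
    """Copy every byte of the source to image_path; return (byte_count, sha256).

    Reading the raw device rather than walking the file system captures
    unallocated space, slack space and deleted files that a backup skips.
    The source is opened read-only so the original is never modified.
    """
    digest = hashlib.sha256()
    total = 0
    with open(source_path, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it again
    return total, digest.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independent re-read of a file, used to verify the written image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_and_verify(source_path, image_path):
    """Image the source, re-hash the image and compare with the acquisition hash."""
    size, acquisition_hash = image_device(source_path, image_path)
    verification_hash = hash_file(image_path)
    return {
        "bytes": size,
        "acquisition_sha256": acquisition_hash,
        "verification_sha256": verification_hash,
        "verified": acquisition_hash == verification_hash,
    }


def demo():
    """Run the acquisition against a constructed 3 MiB + 17 byte 'device' file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "constructed_device.bin")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # odd size: the last chunk is partial
        return acquire_and_verify(source, os.path.join(tmp, "constructed_device.dd"))


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the two hashes go into the evidence log beside the device's identifying information, and a write blocker is placed between the device and the workstation.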
The methodology recommends that organizations effectively coordinate portions of their incident response activities with appropriate partners. Sharing information about attacks, threats and vulnerabilities benefits everyone's knowledge. Sharing incident information benefits organizations mutually, because similar attacks and threats often affect several organizations, sometimes simultaneously.
Sometimes organizations have to consult other organizations when performing incident response activities, such as their internet service provider, other incident response teams, constituents, law enforcement agencies, customers, etc., by establishing effective lines of communication.
Figure: Coordination of Incident Response
The above figure shows how coordination is performed in each phase of the incident response lifecycle, with the coordination activity highlighted.
- Coordination Relationships
These relationships usually depend on the type of organization with which the team wishes to coordinate. The kind of information shared also varies with the kind of team it interacts with and the kind of coordination: team to team, team to coordinating team, and coordinating team to coordinating team.
- Sharing agreements and reporting requirements
The legal department has to be consulted before an organization consults another organization, and agreements or contracts such as a non-disclosure agreement are to be in place before discussions begin. Existing reporting requirements have to be considered before sharing incident information with a higher-level CIRT or an ISAC.
Information sharing is a key element of coordination between organizations, and information should be shared at the right time, without waiting until the incident is completely resolved.
- Ad-hoc
This is the traditional method of sharing incident information, over instant messaging clients, email, phone, etc. It usually depends on the connections and participation the incident requires within the organization.
- Partially Automated
Automated information sharing has to be balanced so that it remains partial and the concerns of trust and security are addressed.
- Security Considerations
Security and legal considerations are addressed before even a single piece of information is shared.
Information sharing is done by balancing the benefits and drawbacks. Usually, the shared information is of two kinds.
- Business Impact Information
- Technical Information
The NIST incident response methodology and the SANS PICERL methodology are similar in most respects when compared. The two approaches share many concepts and have fewer differences or contrasting points.
The NIST incident response methodology is more of a guiding framework that leads the incident response team from the first suspicion of an incident in the organization until the end of the retention period for the incident response reports and records [15]. The approach is very detailed and operates at a micro level for the incident response team to follow, including how the team should communicate and coordinate with the rest of the world. The SANS PICERL approach, by comparison, is more about converting the theoretical concept into a practical implementation, and it is equally as effective as the NIST approach and methodology.
An important aspect of both NIST and SANS PICERL is the incident response lifecycle. The NIST lifecycle has four major phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Though there are only four phases in the lifecycle, each phase contains detailed sub-procedures.
The SANS PICERL lifecycle has six phases in total: preparation, identification, containment, eradication, recovery and lessons learned. Each SANS phase is mostly a single task with a detailed process, whereas the NIST lifecycle consists of only four phases, each of which is long and extensive with sub-procedures. The third, fourth and fifth phases of SANS (containment, eradication and recovery) are contained in the single third phase of NIST [17].
The last phase of SANS is shorter and limited to lessons learned, while the last phase of NIST, called post-incident activity, is more detailed: it covers multiple activities to be performed after the incident, with lessons learned as only one of them.
The Federal Bureau of Investigation is the domestic intelligence and security service of the United States and its principal federal law enforcement agency. As businesses have moved to online platforms on a large scale, digital crime has increased accordingly. Consequently, the intelligence and security service has placed more emphasis and focus on digital forensics to investigate and control computer crimes and breaches [6].
Initially, the impact of the FBI on computer security and digital forensics can be seen in three areas.
- The Fourth Amendment of the US Constitution, protecting citizens from unreasonable search and seizure, followed by the protection against self-incrimination in the Fifth Amendment.
- US statutory laws related to computer forensics, to be followed by everyone in the US:
  - Pen register and trap and trace devices statute
  - Wiretap Act
  - Stored Wire and Electronic Communications Act
- The Federal Rules of Evidence for authentication, best evidence, reliability and hearsay, which everyone has to understand. These include two areas of legal governance related to network data:
  - Authority for monitoring and collecting data
  - Admissibility of collection methods
The impact of the FBI on digital forensics and cyber crime is large, and the policies for data sharing and data access among online users and businesses with an online presence have become stricter and tougher. These policies have been defined, and every citizen and business in the US has to follow them. The FBI has also influenced incident response and handling procedures, in terms of how information is received and how the initial response is made legally, right after an incident has happened [7].
The challenges in computer forensics have been met with strong and strict policies, and the industry has to stabilize around best practices, though standardization is limited to existing and already discovered threats and is still challenged by new data breaches and cyber crimes. Hence, many kinds of incident are well known, and clear procedures and approaches have been developed based on the experience of past data breaches.
Computer crime began and started growing in the 1980s, which resulted in the establishment of specialized groups nationwide so that the technical aspects of investigations could be covered. Eventually, the Computer Analysis and Response Team was launched by the FBI in 1984, and in 1985 the British Metropolitan Police fraud squad was established.
The FBI laboratory and other law enforcement agencies began developing procedures for the examination of computer forensic evidence in early 1984. These procedures and processes have had a direct impact on the advancement of computer forensic investigation, influencing the scientific approach to computer crime and the incident response approach, though that term had not been coined by then. Evidence was thereafter no longer collected in an unstructured manner under ad hoc conditions.
Various studies of incident response have extracted the common phases from various models and approaches and then proposed new, general-purpose models, as per the requirements and suggestions of the FBI. Computer or digital forensic investigation has been modelled under the names Computer Forensic Investigative Process (1984), Digital Forensics Research Workshop (DFRW) model (2001), Abstract Digital Forensics Model (ADFM) (2002), Integrated Digital Investigation Process (IDIP) (2003), Enhanced Digital Investigation Process (EDIP) model (2004), Computer Forensics Field Triage Process Model (CFFTPM) (2006), Digital Forensic Model based on Malaysian Investigation Process (DFMMIP) (2009), Scientific Crime Scene Investigation model (2001), End to End Digital Investigation (2003), Extended Model of Cybercrime Investigation (2004), A Hierarchical, Objective-based Framework for the Digital Investigations Process (2004), Framework for Digital Forensic Investigation (2006), Network Forensic Generic Process Model (2010) and many more, all sharing the most common phases of investigation (P. Sundresan, “Digital Forensic Model based on Malaysian Investigation Process”, International Journal of Computer Science and Network Security, Vol. 9, No. 8, 2009) [12].
In 2000, the FBI lured the computer hackers Gorshkov and Aleksey Ivanov by conducting fake job interviews. Many such operations have had a large impact, and strict policies are now defined that must be followed by everyone from large organizations down to individuals.
Conclusion
Application of the NIST incident response methodology can be more suitable for middle to large scale organizations and less so for small businesses, because of the extensiveness with which it guides the incident response team through each and every procedure and sub-procedure. This longer guide with lengthy procedures can be time consuming to consider and follow for the smaller incidents that smaller organizations are likely to face. So the NIST approach is best suited to middle to larger businesses, compared to smaller ones, whereas SANS PICERL is more suitable for small to medium businesses.
When viability is considered, both approaches can be considered viable, with the understanding that the nature and complexity of each computer data breach or cyber crime is unique and may vary in size and impact. Having more viable models and approaches for computer forensics and investigation therefore allows better application and suitability to crimes and breaches of unique size and complexity. For smaller and less complex incidents the best approach to follow is SANS PICERL, and for larger and more complex incidents, NIST SP 800-61r2 can be the best approach.
References
- K. Rogers, J. Goldman, R. Mislan, T. Wedge & S. Debrota, “Computer Forensic Field Triage Process Model”, presented at the Conference on Digital Forensics, Security and Law, pp. 27-40, 2006.
- S. Pilli, R. C. Joshi & R. Niyogi, “Network Forensic Frameworks: Survey and Research Challenges”, Digital Investigation, Vol. 7, pp. 14-27, 2010.
- C. Freiling & B. Schwittay, “Common Process Model for Incident and Computer Forensics”, in Proceedings of the Conference on IT Incident Management and IT Forensics, Stuttgart, Germany, pp. 19-40, 2007.
- Bem & E. Huebner, “Computer Forensic Analysis in a Virtual Environment”, International Journal of Digital Evidence, Vol. 6, No. 2, pp. 1-13, 2007.
- G. Noblett, M. M. Pollitt & L. A. Presley, “Recovering and Examining Computer Forensic Evidence”, Forensic Science Communications, Vol. 2, No. 4, 2000.
- FBI Cyber Division, “(U) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain”, 2014.
- FBI, “FBI Handbook of Forensic Science, Collection, Identification and Shipping Index (with modifications)”, Washington, D.C.: Federal Bureau of Investigation, 1992.
- Kral, “Incident Handler’s Handbook”, SANS Institute InfoSec Reading Room, 2011.
- Cichonski, T. Millar, T. Grance & K. Scarfone, “Computer Security Incident Handling Guide”, Recommendations of the National Institute of Standards and Technology, US Department of Commerce, 2012.
- “Computer Forensics”, United States Attorneys’ Bulletin, 2008.
- Endicott-Popovsky & D. Frincke, “Adding the R: A Systems Approach to Solving the Hackers Arms Race”, Proceedings of the 39th Hawaii International Conference on System Sciences, 2006.
- L. A. Gordon, M. Loeb, R. Richardson & W. Lucyshyn, “CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2006.
- H. von Solms, “Information Security: The Fourth Wave”, Computers & Security, Vol. 25, Issue 3, Elsevier, 2006.
- Kerr, “Computer Records and the Federal Rules of Evidence”, National Institute of Standards and Technology, Computer Security Incident, 2004.
- Poor, “Handling Guide”, NIST Special Publication 800-61, 2006.
- “Security 504.1 Hacker Techniques, Exploits and Incident Handling”, Book 1.
- SANS Institute, “Computer Security Incident Handling Guide”, Publication 800-61, US NIST, Incident Handling Step by Step ver. 2, 2001.
- M. Pollitt, “An Ad Hoc Review of Digital Forensic Models”, in Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering, Washington, US, 2007.
- M. Reith, C. Carr & G. Gunsch, “An Examination of Digital Forensic Models”, International Journal of Digital Evidence.
- Various, E. Casey (ed.), “Handbook of Digital Forensics and Investigation”, Academic Press, p. 567.
- E. Casey, “Digital Evidence and Computer Crime”, Second Edition, Elsevier, 2004.
- Phillip, D. Cowen & Ch. Davis, “Hacking Exposed: Computer Forensics”, McGraw Hill Professional, p. 544, 2009.
- L. Garfinkel, “Digital Forensics Research: The Next 10 Years”, Digital Investigation, Vol. 7, 2010.
- Volonino & R. Anzaldua, “Computer Forensics for Dummies”, For Dummies, 2008.
- G. Punja, “Mobile Device Analysis”, Small Scale Digital Device Forensics Journal, 2008.
- J. Seper, “Osama Access to State Secrets Helped 9/11”, Computer Crime Research Center.
- G. Kruse & J. G. Heiser, “Computer Forensics: Incident Response Essentials”, Addison-Wesley, p. 392, 2002.
- Meyer, “Forensische Datenanalyse”, Erich Schmidt Verlag, First Edition, Berlin, 2012.
- Hlavica, U. Klapproth, F. Hülsberg et al., “Tax Fraud & Forensic Accounting”, Gabler Verlag, Wiesbaden, 2011.
- S. Olivier, “On Metadata Context in Database Forensics”, Digital Investigation, ScienceDirect, 2009.
- Andrienko & G. Andrienko, “Exploratory Analysis of Spatial and Temporal Data: A Systematic Approach”, Springer, 2005.
- Theus & S. Urbanek, “Interactive Graphics for Data Analysis: Principles and Examples”, CRC Press, Boca Raton, FL, 2008.
- E. Casey & G. J. Stellatos, “The Impact of Full Disk Encryption on Digital Forensics”, Operating Systems Review, 42(3): 93-98, 2008.
- Huang & Y. Long, “Demosaicking Recognition with Applications in Digital Photo Authentication Based on a Quadratic Pixel Correlation Model”, Proc. IEEE Conference on Computer Vision and Pattern Recognition, 2008.
- Easttom, “System Forensics, Investigation, and Response”, Jones & Bartlett, p. 318, 2013.
- Adams, “The Advanced Data Acquisition Model (ADAM): A Process Model for Digital Forensic Practice”, 2012.
- Nelson, A. Phillips, F. Enfinger & C. Steuart, “Guide to Computer Forensics and Investigations”, 3rd ed., Boston, MA: Course Technology, Cengage Learning, 2008.
- D. Farmer & W. Venema, “Forensic Discovery”, Addison-Wesley Professional, 2005.
- B. Nelson, “Guide to Computer Forensics and Investigations”, Boston, MA: Thomson Course Technology, 2004.
- Lee & O. Sokolsky, “Medical Cyber Physical Systems”, in 47th ACM/IEEE Design Automation Conference, IEEE, 2010.
- Luckett, J. McDonald & W. Glisson, “Attack-Graph Threat Modeling Assessment of Ambulatory Medical Devices”, in Proceedings of the 50th Hawaii International Conference on System Sciences, 2017.
- Van Devender, W. Glisson, M. Campbell & M. Finan, “Identifying Opportunities to Compromise Medical Devices”, in 22nd Americas Conference on Information Systems, San Diego, USA, 2016.
- B. Glisson, T. Andel, T. McDonald, M. Jacobs, M. Campbell & J. Mayr, “Compromising a Medical Mannequin”, in 21st Americas Conference on Information Systems, Puerto Rico, USA, 2015.
- E. R. McMillan, W. B. Glisson & M. Bromby, “Investigating the Increase in Mobile Phone Evidence in Criminal Activities”, in 46th Hawaii International Conference on System Sciences, 2013.
- Barske, A. Stander & J. Jordaan, “A Digital Forensic Readiness Framework for South African SMEs”, in Information Security for South Africa (ISSA), IEEE, 2010.
- Casey, “Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet”, Academic Press, 2011.
- Grispos, W. B. Glisson, D. Bourie & T. Storer, “Security Incident Recognition and Reporting (SIRR): An Industrial Perspective”, in 23rd Americas Conference on Information Systems, Boston, USA, 2017.