Forensics policy for targeted analysis

Do any of you who have responsibilities for doing forensics analysis of IT equipment for more internal disciplinary cases rather than criminal/prosecution policies have any sort of documented policy around how you can ensure your analysis was targeted based on allegations, rather than a fishing exercise? What does your policy include, and what evidence do you keep from your forensics software to prove you only did analysis in line with targeted analysis rather than a fishing exercise? I assume such a policy also includes who can approve access to hardware for analysis, rather than just the analysts themselves saying it is a good idea. Are there any useful template policies or guidance on how to demonstrate you only followed targeted searches?

btan, Exec Consultant, commented:
It has to follow the principle of strict chain of custody for the evidence lifecycle internally (subject to internal audit and quality control in the procedure to adhere to). You need to align it with existing incident response and escalate for investigation, which will involve forensic activities carried out as per internal SOP, and submit the analysis as part of the response report for closure of the incident reported (or detected). In short,

a) Incident handling - Internal response plan (team composite, role/resp, severity, response timeline, use cases for scenario handling, contact list)

b) Incident Activities - Internal teams response plan (multi tier involvement led by assigned OPS mgr/tech leader e.g. tier 1 for operation, tier 2 - analyst and tier 3 - forensic (and malware analysis etc), workflow btw these tier of teams and deliverable)

c) Tier specific activities and SOP - Team activities SOP (covering the detailed step in each team and in tier 3 for your case, it is the forensic cycle based on chain of custody and various means to report the root cause, impact, mitigation and remediation)

d) After Action Activities - Team reflections and closure with reporting for each tier and for Tier 3 is more of analysis reports surfaced and measures recommended for reinforcing the effectiveness of existing SOP and controls in place.

Check out
ENISA Incident handling guidelines (link and workflow of handling); you can look into
- the policies like code of practices and reporting in the guidelines; and
- the QA aspect like Incident handling process control form

SANS references
- Cheatsheet such as "Evidence Collection" and this good sum up by the SANS poster depicting malware analysis SOP (2015 ver in pdf)

I can't offer you any policy docs, but IMHO your best option at finding such a thing is by reaching out to one of the (handful of) private-sector digital forensic labs that have gone through the ASCLD accreditation process, since that requires a policy for pretty much anything imaginable. You can search the ASCLD directory here:

Choose the digital option for the DISCIPLINES field and the private option for the TYPE field.

As for evidence of how the case was handled within one of the forensic software tools, check page 71 in this version of the manual for X-Ways Forensics:

btan, Exec Consultant, commented:
Use authorised software recognised by LE, esp. for legal submission. EnCase is one instance. And be ready to be subjected to audit and scrutiny. Back those analysis reports generated by your analyst on the forensic activities. They should be signed off and acknowledged by the mgmt supervisor who is sanctioned in guidance as per the SOP and policy framework of the internal org chart.

Be prepared to prove and verify that all exchanges and protocol of actions are guided by the guideline workflow stipulated in the SOP. So get those SOPs approved first and work off those processes and products required. The tier approach is more established but more specifically to team concept as compared to lone ranger to governance fairness and transparency.

btan, Exec Consultant, commented:
To add, taking a forensic policy as an example, the sanction, rule of engagement and asset for custody are required to be spelled out for agreement and execution. The target owner will be backed with the policy that the investigator via forensics is doing it in a legit and recognised workflow. Note all digital forensic investigation is done on cloned and not on actual storage unless it cannot be cloned or it is volatile.

OIT Technical Staff treat any and all forensic investigations on a need-to-know basis. Any HR investigation is considered CONFIDENTIAL. A Footprints ticket titled HR Investigation may be created for all investigations, so that OIT Technical Staff time can be tracked. However, if a ticket is created, the ticket creator and anyone updating the ticket MUST ensure that no personally identifiable information about the User is entered into the ticket.

Evidence: Any IT asset or data that is the subject of the forensic investigation. IT assets include, but are not limited to, workstations, desktops, laptops, external drives, compact discs, digital video discs, universal serial bus memory sticks, or any other removable media. Data includes, but is not limited to, e-mail, stored documents, and website visit logs.