The migration of most information archives, money, and communications to electronic form created a new kind of asset: information. Significant risks arise for state security in the information domain, and citizens also suffer from crimes committed in the information sphere. Issues of information security incidents are therefore highly relevant, and it is vital to publicize such situations to raise awareness and protect people. When a hack occurs, the case may be taken to court, where various examinations are carried out to determine the damage and punish the offenders. An expert witness must then convey to the court, and to the public, the complexity of such crimes and of the evidence on which they are proven. The work of information security incident response services is a time-consuming process that is critical for victims of cybercrime, as it helps restore justice and minimize the damage caused.
Analyzing the overall procedures for the First Responder and Incident Handling, a series of consecutive actions is necessary for the court to determine the actual state of affairs and to help the victims. In most cases, at the initial stage of responding to an information security incident, it is impossible to know what caused it (Chopra & Chaudhary, 2020), and it is equally impossible to predict whether the evidence collected will later become the subject of a preliminary investigation and trial. Therefore, the main task of incident response is to preserve forensic data unchanged and intact so that a forensic investigation remains possible in the future. Moreover, it is necessary to carry out activities that reduce the damage and to draw up the documents that law enforcement agencies will need. The incident response team must ensure that digital evidence is collected and stored securely and that its preservation is continuously monitored.
A typical scenario for information security violations can be based on the following actions:
- To identify the incident
- To locate the area of the IT infrastructure involved in the incident
- To restrict access to objects involved in the incident
- To draw up the necessary documentation about the fact of the incident
- To engage competent specialists for consultation and draw up a work plan (Susanto & Almunawar, 2018).
The procedures in this scenario are relevant here because they make it possible to identify an incident, formalize it according to standards, and prevent its recurrence by developing a set of measures. Specific operations can be applied to a particular case, such as copying the log files of network equipment by exporting the appropriate data types from the device management interface to removable media.
Evidence acquisition and maintaining the integrity of the evidence is a delicate process that requires commitment, concentration, and strict control at every stage of information gathering. Volatile information must first be retrieved from the running system before it is lost (it disappears on power-off or reboot), together with information about the incident as it occurs in real time: "log files of network equipment and network traffic" (Al-Dhahri et al., 2017, p. 30). In addition, information carriers containing the evidentiary base must be seized and sealed in the presence of a third party, with their safe keeping and proper registration kept under control. It should also be taken into account that images of storage media and other information will be needed for subsequent analysis and preservation. Upon completion of the investigation, a report and recommendations must be drawn up to prevent similar incidents in the future.
By its nature, digital evidence is fragile: it can be altered, falsified, or destroyed through mishandling or even through examination. Organizations must understand that in the course of collecting incident evidence and responding to an incident, incompetent actions and the use of outdated processes and tools can cause critical digital evidence to be partially or completely destroyed. There is "a high frequency of cases of incorrect response to incidents" (Mirtsch et al., 2020, p. 92) in which system administrators, employees of the organization's information security department, or other authorized persons destroyed forensic data that was critical and would have made it possible to prosecute the perpetrators. In some cases, the consequences of inappropriate handling or retention of evidence have significantly diminished the legal value of the data collected during the internal investigation of the incident.
Moreover, the particular significance of the chain of custody should be noted, since it is what gives evidence the properties of relevance, completeness, reliability, and admissibility. It provides assurance that the collected evidence contains valuable information to assist in investigating a particular incident. Documentation is complex work and is critical for the entire chain of custody: it makes it possible to demonstrate that the collection and processing of all data were legally permissible, and that each item can be traced from the moment of acquisition, through every person who handled it, to its presentation in court, without undocumented gaps.
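The following script is an added illustration of the two preceding points (hashing evidence at the moment of acquisition, and a custody log that is only extended while the hash still matches); it is not part of the case study or of any cited work. The device name, the people, the paths, and the sample log lines are constructed for the example, and the record format is a hypothetical one chosen for illustration.

```python
# Added example: minimal evidence acquisition and chain-of-custody log.
# Not from the case study or any cited work; names, people and the
# sample log lines below are constructed for illustration.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample: two syslog lines as exported from a switch (not real data).
SAMPLE_LOG = (
    b"2023-03-01T10:14:02Z switch01 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    b"10.0.5.23(51522) -> 10.0.1.10(22)\n"
    b"2023-03-01T10:14:07Z switch01 %SYS-5-CONFIG_I: Configured from console "
    b"by admin on vty0 (10.0.5.23)\n"
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so that large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _record_path(evidence_path):
    return evidence_path + ".custody.json"   # hypothetical sidecar record


def _save(evidence_path, record):
    with open(_record_path(evidence_path), "w") as f:
        json.dump(record, f, indent=2)


def _load(evidence_path):
    with open(_record_path(evidence_path)) as f:
        return json.load(f)


def acquire(source_path, evidence_dir, collected_by, description):
    """Copy an artifact into the evidence store, hash the original before the
    copy and the copy afterwards, and open the custody record. A mismatch
    means the acquisition itself failed and nothing is kept."""
    os.makedirs(evidence_dir, exist_ok=True)
    source_hash = sha256_file(source_path)
    dest = os.path.join(evidence_dir, os.path.basename(source_path))
    shutil.copyfile(source_path, dest)
    if sha256_file(dest) != source_hash:
        os.remove(dest)
        raise RuntimeError("copy of %s does not match its source" % source_path)
    record = {
        "item": os.path.basename(source_path),
        "description": description,
        "sha256": source_hash,
        "custody": [{"action": "acquired", "by": collected_by,
                     "at": _now(), "source": source_path}],
    }
    _save(dest, record)
    return record


def verify(evidence_path):
    """True only if the stored item still matches the hash taken at acquisition."""
    return sha256_file(evidence_path) == _load(evidence_path)["sha256"]


def log_custody(evidence_path, action, by, **details):
    """Append a custody event (transfer, sealing, analysis, ...). The hash is
    re-checked first; if the item no longer matches, an 'integrity_failure'
    event is recorded instead and False is returned so the handler stops."""
    record = _load(evidence_path)
    observed = sha256_file(evidence_path)
    ok = observed == record["sha256"]
    event = {"action": action if ok else "integrity_failure",
             "by": by, "at": _now(), **details}
    if not ok:
        event["attempted_action"] = action
        event["observed_sha256"] = observed
    record["custody"].append(event)
    _save(evidence_path, record)
    return ok, record


def run_demo(base_dir=None):
    """Acquire the constructed log export, hand it over, then tamper with the
    stored copy and show that verification and the custody log catch it."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="ir_demo_")
    exported = os.path.join(base_dir, "switch01.log")
    with open(exported, "wb") as f:
        f.write(SAMPLE_LOG)
    evidence_dir = os.path.join(base_dir, "evidence")
    record = acquire(exported, evidence_dir, "first responder (hypothetical)",
                     "switch01 syslog export taken via the management interface")
    item = os.path.join(evidence_dir, "switch01.log")
    ok_before = verify(item)
    ok_transfer, _ = log_custody(item, "transferred", "first responder",
                                 to="forensic analyst", seal="bag 0001")
    with open(item, "ab") as f:                  # simulated mishandling
        f.write(b"2023-03-01T10:15:00Z switch01 edited line\n")
    ok_after = verify(item)
    ok_analysis, final = log_custody(item, "analysis", "forensic analyst")
    return {"sha256": record["sha256"], "ok_before": ok_before,
            "ok_transfer": ok_transfer, "ok_after": ok_after,
            "ok_analysis": ok_analysis,
            "events": [e["action"] for e in final["custody"]]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the demo is the last two results: after the stored copy is modified, `verify` fails and `log_custody` refuses to record an ordinary "analysis" step, writing an integrity failure with the observed hash instead. In practice the acquisition hash would also be written on the evidence bag or seal and signed by the third party present, so that the digital record and the physical record corroborate each other.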
To conclude, First Responder and Incident Handling aims to ensure cyber security and is also designed to reduce the likelihood of incidents and to mitigate their consequences. Several basic procedures for responding to an incident may be relevant for different scenarios, but the specific actions depend on the situation and the particular case. The stages of gathering evidence require the utmost care and attention, as digital data is fragile and can easily be altered or tampered with. If evidence is stored improperly, it can be partially or entirely lost or destroyed, which makes it impossible to confirm any information the court needs. Therefore, the whole chain of custody is critical, because it demonstrates that the evidence was obtained legally from trusted sources and remains unchanged.
Al-Dhahri, S., Al-Sarti, M., & Abdul, A. (2017). Information security management system. International Journal of Computer Applications, 158(7), 29-33.
Chopra, A., & Chaudhary, M. (2020). Implementing an information security management system. Apress.
Mirtsch, M., Kinne, J., & Blind, K. (2020). Exploring the adoption of the international information security management system standard ISO/IEC 27001: A web mining-based analysis. IEEE Transactions on Engineering Management, 68(1), 87-100.
Susanto, H., & Almunawar, M. N. (2018). Information security management systems: A novel framework and software as a tool for compliance with information security standards. Apple Academic Press.