Organizational forensics is the application of forensics (most typically digital forensics) to the intersection of an organization’s information systems, ethical policies and legal compliance.
I spent a fair amount of time coming to grips with the fact that a lot of “stuff” can fall under the label of “organizational forensics”. I broke it down in the following ways.
1. Definition of organization’s ethics via policies and standards
2. Identification of applicable laws (compliance) governing business practices
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a good example of a law that applies industry-wide. In this case, any organization that does business in the field of health must comply with HIPAA requirements.
3. Establishment of metrics and artifacts that support the above two requirements
Once an organization has defined its ethical worldview and identified legal/regulatory requirements, it must be able to measure and prove its adherence and compliance. I work for the federal government, so I am required to receive training about sexual harassment. This is dictated by the Department of Defense (and no doubt higher, such as Title VII of the Civil Rights Act).
4. Definition of procedures to handle violations of ethics and compliance requirements
Say that I violate the Espionage Act of 1917 by leaking classified information to another country. What is supposed to happen to me? What punitive measures am I facing? How long is it going to take?
5. Identification of the people responsible for carrying out the previously defined procedures
Who is responsible for taking action against me if I violate a policy and/or law?
I like how you broke down everything into 5 different groups. And I do agree with you that a lot of “stuff” can fall under Organizational Forensics. It is a very broad term that encompasses multiple different things.
I really like your approach to answering this question. You took the route of explaining more about the policies, procedures, and laws, which was quite different from some of our other classmates. The examples for each piece were very helpful in understanding your definition. The ethical policies and legal compliance definitely play a major role in organizational forensics.
Andres, great explanation of organizational forensics from an ethics and policies standpoint. It looks like the logic of this example is somewhat similar to the concept of an audit process. So, I believe forensics in this context would go beyond the audit in the sense that it involves searching for evidence that might be used in a court of law. Do you think forensics and audit could be compared to a certain extent?
Andres, I liked your way of breaking things down. When doing my initial post I ran into a similar feeling that a lot of things can fall under organizational forensics. It sometimes feels like a catch-all umbrella term.
Your article was very easy to follow and to understand in the way you broke down organizational forensics into different subsets. I agree with you that the lines are blurred when it comes down to understanding who is in charge of mandating organizational policy. In my opinion all organizations should have a standardized method that employees should follow when it comes down to digital forensics.
I feel like point 5 is very important since without clearly defined roles, organizational forensics may fall apart. If no one is assigned a specific task, it would require an employee to seek out a task that isn’t required of them. This will still let plenty of issues slip through the cracks. Not to mention how passing the blame for a missed issue will cause chaos.
Organizational Forensics is the comprehensive process of identifying, collecting, preserving, analyzing and presenting digital evidence in response to a subpoena or any legal proceedings that require proving or disproving a client’s case during an investigation. Most importantly, evidence must be collected in such a way that it is legally admissible in a court case.
The Department of Justice or an authorized attorney on behalf of a court may issue a subpoena, which must be obeyed by a client to avoid any penalties. In addition, companies that have a very sound security architecture that follows best industry practices and have effective security policies in place usually avoid having lawsuits, subpoenas or audits for regulatory compliance.
Historically, back in the 1980s-1990s, the rising growth of computer crime influenced the FBI to establish a CART (Computer Analysis and Response Team) group, followed by Britain’s National Crime Unit group, and finally, since the 2000s, various agencies began development of standardization and guidelines to support forensics investigation needs.
Forensics involves a broad range of organizational elements that make it possible to ensure the effectiveness of an investigation and the collection of evidence, including:
– People (Legal Counsel, CISO, IT Management, IT personnel, HR)
– Technology
– Policies, Procedures and Business Processes
– Audit Logs and Retention Policies
– Standards and Best practices (NIST, SANS)
– Cyber Laws and Government Regulations
Forensics investigations have some aspects that require a thorough understanding of the following:
• knowing what is being searched for within information systems
• possessing deep knowledge of certain tools, such as FTK Imager and others, to recover accidentally or intentionally deleted crucial evidence
• complying with chain-of-custody requirements
• storing collected evidence on an encrypted drive with a write-blocker function through the entire investigation process to preserve data consistency and originality
Modern Forensics Tools are classified by different categories including: Cloud, Networking, Storage, Email, Security, Social Media, Systems, SIEM, CCTV, Facility Security, e-Discovery and include the following common tools:
– FTK
– EnCase
– CAIN
– X-Ways Forensics
– SIFT
… and many others
Ruslan,
I agree with all the points you have made, but I think it is important to add that not all forensics investigations have to involve law enforcement. Knowing when to involve law enforcement is important, and companies should have a policy for this. However, some investigations involve things that are against company policy, but not necessarily illegal. The investigation should be similar, in that preserving the integrity of the evidence is still important even if the act found wasn’t illegal. An employee could attempt to sue the organization for wrongful termination, which could then land the evidence found in a court of law after the investigation is over, without the organization involving law enforcement. Thus, if the integrity of the evidence is not compromised, the organization could present it as proof, and show that it was against policy and directly resulted in the termination, and therefore the termination was not wrongful.
Great point, Amanda! Thanks for bringing this up. I agree that some investigations don’t need to involve law enforcement in the process. I believe it would make sense to bring law enforcement in for criminal investigations and computer crimes; however, certain policy violations could be resolved internally by the organizations, assuming procedures and policies are followed.
I’m going to agree with Andres and his high level definition of organizational forensics. I think where organizational and digital forensics differ is that the organizational side is more the policies and procedures that need to be followed and the regulations that the business is placed under. Digital forensics is the evidence gathering to support a claim made about compliance with one of those policies or regulations. I think that they go hand in hand.
Through the entire process the forensics investigators need to apply a strict adherence to the chain of custody and all guidance involving how to collect, analyze, and store evidence in a way that it can still be submitted in court. Without compliance, an investigator could end up with a great case against a criminal, but be unable to prove it in a court of law.
I agree that organizational forensics is more political because it encompasses the whole organization. You need to know proper procedure and how to deal with the different departments properly to gather the information you need in a timely manner. I also agree that chain of custody is important. If the chain of custody of evidence is lost then a case could be thrown out over something silly.
Darin, I definitely agree about the critical importance of chain-of-custody. I remember dealing with a subpoena issued by the Department of Justice for one of the companies I worked for in the past, and that is where I was fully responsible for identifying and preserving the requested evidence and making sure the chain-of-custody was kept consistent. For this purpose I was using FTK tools to collect data onto an encrypted hard drive with write-blocker mode to ensure all data and all timestamps were kept intact, as that is the only way to be sure that collected evidence is accepted in a court of law.
I don’t know if I remember correctly, but the Professor mentioned that not all “evidence” will require the same amount of control when we talk about chain of custody. Not all evidence is the “murder weapon.” For example, for a murder case, recovering the murder weapon and having strict chain of custody is of more importance than recovering an email that shows intent. The email did not murder the person, but the knife did. Showing intent is great, but having the DNA on it altered or compromised is of greater concern.
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. Forensics deals more with the post-crime scene. When we add the word digital to it, digital forensic analysts follow crime footprints to investigate incidents and track activities in the electronic and cyber domain. Digital forensics also deals with creating an infrastructure and environment that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
An example of such a case is that forensics not only deals with the collection of audit logs after the crime but also with verifying that the logs have not been altered by a hacker to destroy the evidence, so that the integrity of the evidence is maintained in court.
The legal aspects of digital forensics are very important, and every country has its own laws and regulations, and when we work for clients from different countries we need to have legal counsel who can give an insight into the legal rules and regulations we have to face. The United States Constitution has the Fourth Amendment, which allows for protection against unreasonable search and seizure, and the Fifth Amendment, which allows for protection against self-incrimination. Violation of either of them during the practice of computer forensics could be a crime. We also need to have a written permission or agreement from the owners who are requesting the use of forensic practices, which has implicit clauses on the boundaries within which the investigation can be carried out.
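The post above asks how an investigator can show that audit logs have not been altered after the fact. One standard defensive design is to chain each log record to the previous one with a keyed hash, so that editing, deleting or inserting a record breaks the chain, and to keep the key and the latest chain head on a separate log server. The following is an added Python example, not code from the post or from any product; the events, the key and the record field names are constructed for the demonstration.

```python
"""Tamper-evident audit log via a keyed hash chain (added example, not from the post)."""
import hashlib
import hmac

GENESIS = "0" * 64  # fixed starting value for an empty log

# Constructed sample audit events; not taken from any real system.
SAMPLE_EVENTS = [
    "2017-02-01T09:12:03Z user=alice action=login src=10.0.0.5 result=ok",
    "2017-02-01T09:15:41Z user=alice action=read file=/finance/q4.xlsx",
    "2017-02-01T09:16:02Z user=alice action=copy file=/finance/q4.xlsx dst=usb0",
    "2017-02-01T09:20:19Z user=alice action=logout",
]


def link_hash(key, prev_hash, event):
    """HMAC-SHA256 over (previous hash, event). A plain SHA-256 chain could be
    recomputed by whoever tampers with the log; keying it with a secret that
    lives only on the log server (assumption) makes that infeasible."""
    msg = (prev_hash + "\n" + event).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events, key, genesis=GENESIS):
    """Turn raw events into chained records: each carries its predecessor's hash."""
    records = []
    prev = genesis
    for event in events:
        digest = link_hash(key, prev, event)
        records.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records, key, expected_head, genesis=GENESIS):
    """Walk the chain and recompute every link.

    Returns ("ok", n) when all n records verify and the last hash matches the
    head stored off-host, ("broken", i) for the first record that was modified,
    inserted or had a predecessor removed, or ("truncated", n) when the chain
    is internally consistent but records were dropped from the end.
    """
    prev = genesis
    for i, rec in enumerate(records):
        recomputed = link_hash(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], recomputed):
            return ("broken", i)
        prev = rec["hash"]
    if not hmac.compare_digest(prev, expected_head):
        return ("truncated", len(records))
    return ("ok", len(records))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-off-the-logged-host"
    chain = build_chain(SAMPLE_EVENTS, key)
    head = chain[-1]["hash"]  # would be stored on the log server, not the host
    print(verify_chain(chain, key, head))
    # An attacker rewriting the "copy" event to look like a harmless "read":
    tampered = [dict(r) for r in chain]
    tampered[2]["event"] = tampered[2]["event"].replace("action=copy", "action=read")
    print(verify_chain(tampered, key, head))
```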
I like that you brought up the issue of thinking globally. Even if you only build your website in the US it is still out there for the world to look at and use. Each country may have its own data protection laws or issue reporting laws which if disobeyed can result in penalties.
I saw the word “digital forensics” many times in your post. I agree that organization forensics is digital forensics, but I am still wondering if organization forensics = digital forensics. If so, we just need to give a definition of digital forensics then. Is organization forensics different from digital forensics?
I separated the word forensics from digital forensics, as forensics is something related to the evidence admissible in court. So it can also be a fingerprint collected after a crime for investigating criminals, so when we jump to digital forensics it’s the collection of evidence in the digital world.
There are 3 main types of organizations that are linked to Digital Forensics:
1. International Organisations:
– INTERPOL enables police in 190 member countries to work together to fight international crime that is concentrated in 3 areas (Counter-terrorism, Cybercrime, and Organized and emerging crime)
2. US Government:
– Computer Crime and Intellectual Property Section of the Department of Justice
– Computer Technology Investigators Network (CTIN has been providing high tech crime fighting training since 1996 )
– National Institute of Standards and Technology, Computer Forensic Tool Testing (NIST)
– Organization of Scientific Area Committees for Forensic Science (OSAC has in its Digital/Multimedia area 4 subcommittees: Digital Evidence, Facial Identification, Speaker Recognition, and Video/Imaging Technology and Analysis)
– Department of Defense Cyber Crime Center (DoD Cyber Crime Center, or DC3)
– FBI Regional Computer Forensic Laboratory Program (the FBI established the RCFL in 2002)
3. Professional Organizations:
– The SANS Institute
– High Technology Crime Investigation Association (based in CA since 1984)
– High Tech Crime Network (provides certification for Certified Computer Crime Investigator)
– American Academy of Forensic Science (since 1948, with 6,600 members)
Joseph, great layout of organizations that are affiliated with forensics. It is amazing how widely forensics is used and applied to various aspects of investigations. I also found a few more interesting links about forensics:
Interesting approach in answering the wiki question by stating all the organizations that are strongly associated with digital forensics. I have to agree with Ruslan about how it is quite fascinating how forensics is applied by many organizations throughout the country, but also internationally. It also makes sense because we are surrounded by technology every day and companies or organizations are experiencing some type of cyber attack by the second.
I thought it was extremely helpful how you broke down your piece pertaining to different organizations that are the foundations for forensics. I found it interesting that some of these organizations have been operating since 1996 and have evolved to handle other types of cybercrime.
I think this was an interesting way to answer the question. It shows that there is a lot of support even internationally for digital forensics. It is also important to note that the groups are able to talk with each other and share their techniques and information to keep improving in the field. Sometimes they will consult with another on big issues or hold a conference to enable free flowing ideas.
If I was slated with the task to write a Wikipedia page for Organizational Forensics, like most Wikipedia pages I would start with a brief overview of the topic that way users can know what it is about. I would take the definition about forensics and then the definition of organization and mold them together into a definition that would explain what I mean when I say organizational forensics. I think it would say something along the lines of:
Organization forensics is using tests and techniques to gather information from within an organization to piece together and solve a crime that may have transpired. When people think forensics, they think of dusting for fingerprints and looking at ballistic data from a gun; however, within an organization there are many other things that could be captured and/or documented and used as evidence within the company. Organizational forensics will look at computers, networks, cameras, mobile devices, email and cloud repositories, to name a few things that could be captured, analyzed and used against someone in litigation. A lot of the log files that are created on a day-to-day basis that most people don’t even know about are a treasure trove of information for an investigator. Organizational forensics encompasses multiple different resources, departments, talents and abilities in order to complete a single task: to solve the puzzle of whether a person is innocent or guilty, and then finding the information/data to confirm or deny that claim.
Hello Jonathan, you actually broke down an easy way for others to understand what organizational forensics is and does. As a Wiki page developer I think you have the correct idea on what should be posted, in order to provide other users the proper information on what they are looking for.
Many Wiki pages, whether internal or external to an organization, have all the tools and applications available to users, so the page is a one-stop shop.
I completely agree with Roberto’s reply. I believe you broke down the use of forensics by an organization very well and understandable for someone who may not be familiar with the term. The only thing I would briefly mention are the policies, procedures, requirements, etc. that an organization has to strictly adhere to, especially if they are to present the evidence in court.
I like the analog metaphor used for digital forensics in your explanation. I am just not certain on whether or not forensics determine innocence. It seems more that it determines exactly what happened and it is up for a court to determine the other half of the information. Intent is a hard thing to find in digital forensics as people sometimes press a key by accident or on purpose. There are times where it can be clear when a user is in a system that they certainly know they shouldn’t.
I really like your answer, Jonathan!
It is very easy to understand and short to read. I would recommend emphasizing the use of laws. But other than the legal use, I think you did a very good job of describing organization forensics.
If you were tasked to write the Wikipedia page for Organizational Forensics what would it say?
Forensic Science is defined as the scientific method of gathering and examining evidence for the purpose of presenting it in court. Organizational Forensics is the use of forensics, mainly digital forensics, within companies to help preserve the company’s information and protect its data (information systems) while adhering to the organization’s policies and standards of compliance.
Digital Forensics is the collection, examination, analysis, and reporting of digital evidence (computer crime data) that is admissible in a court of law. There are different areas of digital forensics an organization can apply: network forensics, computer forensics, forensic animation, forensic watermarking, software forensics, etc. Sources of digital evidence could be hard disks, email, server content, audit log files, etc.
If an organization is in the situation to present digital evidence in the court of law, it is important that the company adheres to its policies, procedures, and guidelines that address the use of the forensic process. Depending on the situation of the company, there are country/region specific laws, international standards, guidelines for ensuring corporate forensic readiness, compliance with local laws and regulations, or industry specific requirements the company must comply with. It is very critical for the organization to adhere to all policies, standards, and guidelines for collecting, preserving, analyzing, and presenting the digital evidence. Otherwise, the evidence will be dismissed in court.
Your explanation of digital forensics was thorough and I liked that you identified the various disciplines of organizational forensics and the assortment of regulations and policies that need to be considered during the organizational forensics process. I noticed that your definition, while not explicitly limiting digital forensics to legal applications, didn’t mention its admissibility towards settling internal incidents. While the arguably more important aspect of digital forensics is its applications for handling criminal offenses, it can also be handy for settling simpler issues such as violation of the company’s computer policy, etc.
The internet’s definition of organizational forensics is “the investigation of a business structures or components that are not functioning as intended, causing negative impact to business results”; however, to define forensics, we need to understand that it is the collection, preservation, analysis, and presentation of digital evidence which is admissible in a court of law. Forensics is also usable for internal disciplinary hearings, and its data supports internal incident reports so as to assist or further other investigations.
My Wiki page will have this definition, along with links to where to find information about the organization; whether for internal or external use, I would point users in the right direction for a more efficient result.
Last, I would provide a list of hierarchical individuals in an organization, or a chain-of-command chart, for a better understanding of the different areas, departments and senior leadership involved in a legal and technical situation for forensic purposes.
Roberto I like your idea about the leadership chart/chain of command. I think sometimes it’s easy for us to get lost in the policies and the investigative tools and forget the fact that there are humans behind all of this who need to be communicated with and considered.
Roberto, your statement about negative impact to business results is a great example of the necessity for an organization to have sound computer forensics practices to ensure information systems integrity and a defense-in-depth security strategy. Of course, this level of integrity can be achieved by thorough understanding of not only technical but also legal aspects. This way, should there be a prosecution, an organization will be able to provide adequate evidence and solve the case.
Ruslan,
You are absolutely right that security professionals must not only understand the technical but the legal aspects as well. They need to consider their policy decisions and technical actions against existing laws. For instance, security professionals in the healthcare industry must understand or be able to navigate through HIPAA requirements when designing their systems, or consider the legal ramifications when using monitoring tools.
I like your idea of the org chart for an organization. Since every organization will of course be different, it can be a generalized chart to show the flow of power through a company. This could help a user if they need a specific piece of data, by knowing how to ask.
I like the outline for your wikipedia article. I agree with Jonathan that the org chart for an organization makes sense when employees would need to figure out who to talk to about specific forensic matters. In addition, I think it would help those investigating an instance so they would know who to contact to get information.
Organizational forensics is the practice of digital forensics in the context of organizations. Unlike digital forensics in the context of criminal investigations, which is conducted in reaction to events, organizational forensics is often practiced proactively in anticipation of the need for evidence. Organizational forensics supports legal defense, prosecution, e-discovery and demonstrating compliance with laws and regulations. Digital forensics readiness is the preparedness of organizations for conducting digital forensics.
NIST’s Information Technology Laboratory issued Special Publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, which provides detailed information on how an organization can establish a forensic capability and develop the fundamental policies and procedures that will guide the use of forensics.
Digital forensic tools and techniques are valuable for organizational and security related tasks such as:
• Troubleshooting operational issues
• Log Monitoring
• Recovering lost data from systems
• Acquiring data for future analysis
• Protecting sensitive information and maintaining records for auditing purposes
Organizational forensics involves including forensic considerations in the Information System Development Life Cycle. Examples of these considerations include:
• Performing regular backups of systems and maintaining them for a specific period of time
• Enabling auditing on workstations, servers, and network devices
• Forwarding audit records to secure centralized log servers
• Maintaining a database of file hashes for the file names of common OS and application deployments
• Maintaining records of network and system configurations
• Establishing data retention policies
In order for organizations to establish an effective forensics program they must develop organizational policies that are clear and concise. These policies should be based on all applicable laws and regulations required in their respective industry while maintaining support for the reasonable and appropriate use of forensic tools.
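Of the forensic considerations listed in the post above, the database of file hashes is the one most often left unimplemented, even though it is what lets an investigator separate known-good files from modified, added or missing ones on a suspect system. The following is an added Python example, not code from the post or from NIST SP 800-86: it hashes a directory tree at deployment time, keeps the baseline as JSON (to be stored off the host), and diffs a later snapshot against it. The directory layout and file contents in the demonstration are constructed.

```python
"""Known-file hash baseline for forensic readiness (added example, not from the post)."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not load into memory


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256.
    Symlinks and special files are skipped; the baseline covers content only."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_to_baseline(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline.
    Paths in both maps with equal hashes are the 'known good' files that an
    investigator can set aside; everything returned here deserves a look."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it.
    Returns the diff so the outcome can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary\n")
        with open(os.path.join(root, "app.conf"), "w") as fh:
            fh.write("log_level=info\n")

        # Baseline is serialised as JSON; in practice it is written to a
        # location the monitored host cannot modify (assumption).
        saved = json.dumps(build_baseline(root), sort_keys=True)

        # Tampering: a replaced binary, a deleted config, and a new hidden file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls binary\n")
        os.remove(os.path.join(root, "app.conf"))
        with open(os.path.join(root, "bin", ".cache"), "wb") as fh:
            fh.write(b"dropped file\n")

        return compare_to_baseline(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be rebuilt after every legitimate patch or deployment, or routine updates will show up as modifications.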
Bilaal,
My definition of organization forensics is very different from yours, but I tend to agree with you more. In today’s business environment, every organization needs to anticipate and be prepared to respond to a breach, or provide digital evidence if requested. Whether it’s to prosecute or defend, having a forensics policy, process, and structure in place will make them more effective in delivering the required evidence, saving time, money and resources.
Great examples, Bilaal.
Thank you for providing examples of digital forensic tools and forensics considerations. I am still confused by the differences between organization forensics and digital forensics. Can I understand it as digital forensics readiness being the process of collecting digital evidence and organization forensics being the result of digital forensics applied to laws and regulations?
Thanks Menqxue,
What I gathered from the research is that forensic readiness is how prepared an organization is to handle a forensic investigation. So this would include an organization’s ability to process and collect digital evidence should an incident arise. And yes, organizational forensics is the application of digital forensics within an organization, which should support company policy, laws and regulations.
Forensics is the practice of applying science to investigations. Organizational forensics is applying this scientific investigation style within an organization such as a company or government agency. In modern times, digital forensics is heavily involved in organizational forensics. This is because much of what organizations do is now heavily tied to technology. Digital forensics is using scientific investigation to examine technology, such as computers.
Organizational forensics starts with the development of policies and rules for how investigations will be carried out. Investigations should require authorization from someone at an appropriately high level prior to beginning. There should also be policies for how to preserve evidence so that, if required, it would be admissible in court. There should also be a determination of when the authorities need to be called to join the investigation. Finally, there should be policies on how to report findings, and who to report findings to.
I like how you indirectly pointed out how forensics has changed over time. Today, digital forensics is heavily used because we live in a “digital” world and technology is involved in our everyday lives, including organizations that strongly rely on technology to be successful.
I like the structure that you laid out for how organizational forensics should be conducted. Without structure, policies, and rules it would prove difficult to recover the required evidence. Things such as log monitoring or backups could be inadvertently mishandled: people deleting log files, backups not being performed periodically. Having policies in place provides a means of consequences.
I like how you were able to define the different instances of forensics and how they are used. What also was helpful is how you mentioned introducing the policies for how investigations should be handled. I also agree with Loi on how evidence could be mishandled, so policies are necessary.
Great post, Amanda!
I totally agree that digital forensics is heavily used in organization forensics because of technology. It should be easier to find criminals than with physical forensics, since computer footprints are easier to track than physical footprints. Also, there are policies and regulations in a company and the country.
This is kind of tangentially related to this topic, but it is the first thing I thought of when I read the question: I tried to find a case where someone used digital forensics on Wikipedia. I could not find such a case, but I will explain where this thought came from. Anyone can edit Wikipedia, and there are many pages on there for people, and sometimes those pages get edited in a way that is not true and unfavorable. (See: the invertebrate page was edited yesterday to include a picture of Paul Ryan, implying he has no spine for not standing up to Trump http://nymag.com/selectall/2017/01/wikipedia-invertebrate-page-edited-to-include-paul-ryan.html) My thought here is whether something like this, but probably a bit more extreme than the Paul Ryan example, would be covered under libel laws. Say someone edited a page to say a famous actor was something terrible, and the actor could prove that that page edit led to them suffering damages; would the actor be able to sue the person who edited the page? My thought is yes, because things journalists write can be used to sue them, so I don’t see why editing a Wikipedia page would be different. But, since Wikipedia can be edited by anyone, it may not be the easiest to figure out who made the edit. They would have to get Wikipedia to investigate it. If the person didn’t use their real name when setting up the account, they may need to look into the IP address that made the post. All of this would need to be done using sound digital forensic techniques so it could be admissible in court.
Anyone can sue anyone for anything if they have enough money and lawyers. If you are editing something that is used as a source for people, you cannot use personal opinion as a defense. You also probably cannot use the truth as the defense as you have nothing sourcing your claim. I think this is why wikipedians revert even small changes because the edits need to have sources to last. I think it is still very hard to get someone in court over just their IP address as there have been some cases where the judge has said that it is not unique information to identify a defendant with.
Yeah you have used an excellent example to define this but I feel tracking IP address may not be enough to sue a person in court.There are cases when people hack into somebody network and use his network to hack and bring damage to other systems.The method do deals with tracking the user with IP address and then depositing his personal computer with any of the internet history or log files.
According to US-Cert.gov, “Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.” It is the act of recovering and analyzing latent evidence; fingerprints at a crime scene, files on a hard drive, or evidence in digital formats. Organizational Forensics is collecting and analyzing business structures or components that are not functioning as intended (Transitions for Business, 2017). Organizational forensics is not limited to presenting the findings in a court of law, although preserving its integrity is a must, it is used to draw upon deeper seeded problems within the organization. It examines the organization culture, values, strategy, goals, processes, systems, and resources to find each area contributes to the problem.
In my opinion, when data is compromised by a breach, it’s not just the security controls or lack of that is the problem. It looks of the culture of the organization; how do they perceive cyber threats, how does their strategy and goals align with the security efforts and vice versa. Computer forensic, to identify, collect, preserve, and analyze data is a way that preserves integrity to present in a court of law, is just a subcategory or organizational forensics.
I agree that the culture of an organization plays a significant role in how cyber threats are handled. Organizations who include cyber security in their business culture will be more likely to create policies and procedures that will allow for effective response should a threat or attack arise. These organizations will be more likely to have IDS/IPS in place, adequate logs available, and policies that will allow the use of digital forensic investigation without being hindered by privacy laws.
Organizational forensics makes use of the scientific method of gathering and understanding information as well as data about a company which helps to identify what is working properly for the company and what is not. Much like traditional forensics, organizational forensics uses information from the past to understand an incident that needs to be investigated.
Digital forensics works hand in hand with organizational forensic science to aid the evidence collection process. This science works to preserve, collect, validate, and document digital evidence so that it can in turn be used in a court of law to prove or anticipate criminal or unsanctioned activity. Digital forensics can be classified into different subsets: traditional digital forensics, network forensics, and mobile, handheld, and embedded forensics. Since the digital landscape is always changing, it is difficult to have best practices when there could be a standard but the technology evolves. When a company is looking for a plan of action when it comes to digital forensics, it is important to have a standardized means of testing the data, having it reviewed, looking for errors, and looking at privacy as well as compliance matters.
For a company to be successful it will need to have a standardized way across the organization of handling forensics matters. By putting proper protocols and policies in place that are in line with industry standards information and data collected will be analyzed and tested the same way to be used for forensic measures.
I really like the point of mentioning that proper protocols and policies are in place. The work of a forensic expert will be easier if he can find the log files. Most auditors do recommend using log files, but the organizations ignore them. Many organizations have a retention policy, but the data may not be available for the particular date when asked for by a forensic investigator due to non-compliance with the policy.
Organizational Forensics is the implementation of forensic techniques into an organization. This includes detecting vulnerabilities, detecting incidents, responding to issues, and recovery of data and evidence. It also involves obeying all laws in an investigation and getting information that can later be used in a court of law. To aid in organizational forensics, a framework for the company should be developed. NIST offers a lot of information pertaining to adding forensics when responding to incidents. This should include a plan for how to handle known possible issues such as DDoS attacks, bogus wireless access points, phishing attempts, and even stolen/lost/encrypted data. For any scenario, there should be a guide for “identification, containment, eradications, recovery, and lessons learned” (syllabus). In this way organizational forensics will protect an organization should an issue arise.
First, I think the meaning of organization forensic is based on forensic science. So, I looked at the Wikipedia page of “forensic science”.
“Forensic science is the application of science to criminal and civil laws, mainly, on the criminal side, during criminal investigation, as governed by the legal standards of admissible evidence and criminal procedure”. I will add my understanding of organization forensic based on this explanation of forensic science.
Organization Forensic
Organization Forensic is the business form of forensic science. It is the investigation of business structures or components that are not functioning as intended, causing negative impact to business results.
• Digital evidence: Most of today's organization forensic involves information systems; therefore, the process of finding digital evidence can be understood as organization forensic as well.
• Legal knowledge: Digital forensics tends to be mainly used for investigations that are geared toward legal or law enforcement issues that are likely to end up in court; hence, the emphasis on legal acceptability.
• Use of computer and information systems knowledge: Users of information systems leave digital footprints whenever they use the systems—be they computer systems, smartphones, mobile phones, tablets or networks (i.e., the Internet, intranets, phone networks).
It can be defined as the use of computer and information systems (IS) knowledge, coupled with legal knowledge, to analyze in a legally acceptable manner digital evidence acquired, processed and stored in a way that is legally acceptable.
Andres Galarza says
Organizational forensics is the application of forensics (most typically digital forensics) to the intersection of an organization’s information systems, ethical policies and legal compliance.
I spent a fair amount of time coming to grips with the fact that a lot of “stuff” can fall under the label of “organizational forensics”. I broke it down in the following ways.
1. Definition of organization’s ethics via policies and standards
Ideally, an organization “stands for something” and has a defined set of ethics. For example, check out this Starbucks page: https://www.starbucks.com/about-us/company-information/business-ethics-and-compliance
2. Identification of applicable laws (compliance) governing business practices
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a good example of law that applies industry-wide. In this case, any organization that has business in the field of Health must comply with HIPAA requirements.
3. Establishment of metrics and artifacts that support the above two requirements
Once an organization has defined its ethical worldview and identified legal/regulatory requirements, it must be able to measure and prove its adherence and compliance. I work for the federal government, so I am required to receive training about sexual harassment. This is dictated by the Department of Defense (and no doubt higher, such as Title VII of the Civil Rights Act).
4. Definition of procedures to handle violations of ethics and compliance requirements
Say that I violate the Espionage Act of 1917 by leaking classified information to another country. What is supposed to happen to me? What punitive measures am I facing? How long is it going to take?
5. Identification of the people responsible in carrying out the previously defined procedures
Who is responsible for taking action against me if I violate a policy and/or law?
Jonathan Duani says
Andres,
I like how you broke down everything into 5 different groups. And I do agree with you that a lot of “stuff” can fall under Organizational Forensic. It is a very broad term that encompasses multiple different things.
Elizabeth V Calise says
Andres,
I really like your approach to answering this question. You took the route of explaining more about the policies, procedures, and laws, which was quite different from some of our other classmates. The examples for each piece were very helpful in understanding your definition. The ethical policies and legal compliance definitely play a major role in organizational forensics.
Ruslan Yakush says
Andres, great explanation of organizational forensics from an ethics and policies standpoint. It looks like the logic of this example is somewhat similar to the concept of an audit process. So, I believe forensics in this context would go beyond the audit in the sense that it involves searching for evidence that might be used in a court of law. Do you think forensics and audit could be compared to a certain extent?
Darin Bartholomew says
Andres, I liked your way of breaking things down. When doing my initial post I ran into a similar feeling that a lot of things can fall under organizational forensics. It sometimes feels like a catch-all umbrella term.
Samantha M Sederstrand says
Andres,
Your article was very easy to follow and to understand in the way you broke down organizational forensics into different subsets. I agree with you that the lines are blurred when it comes down to understanding who is in charge of mandating organizational policy. In my opinion all organizations should have a standardized method that employees should follow when it comes down to digital forensics.
Noah J Berson says
I feel like point 5 is very important since without clearly defined roles, organizational forensics may fall apart. If no one is assigned a specific task, it would require an employee to seek out a task that isn’t required of them. This will still let plenty of issues slip through the cracks. Not to mention how passing the blame for a missed issue will cause chaos.
Ruslan Yakush says
Organizational Forensics is the comprehensive process of identifying, collecting, preserving, analyzing and presenting digital evidence in response to a subpoena or any legal proceedings that require proving or disproving a client's case during an investigation. Most importantly, evidence must be collected in such a way that it is legally admissible in a court case.
The Department of Justice or an authorized attorney on behalf of a court may issue a subpoena, which must be obeyed by a client to avoid any penalties. In addition, companies that have a very sound security architecture that follows best industry practices and have effective security policies in place usually avoid having lawsuits, subpoenas or audits for regulatory compliance.
Historically, back in the 1980s-1990s, the rising growth of computer crime influenced the FBI to establish a CART (Computer Analysis and Response Team) group, followed by Britain's National Crime Unit group, and finally, since the 2000s, various agencies began developing standardization and guidelines to support forensic investigation needs.
Forensics involves a broad range of organizational elements that make it possible to ensure effectiveness of an investigation and collection of evidence, including:
– People (Legal Counsel, CISO, IT Management, IT personnel, HR)
– Technology
– Policies, Procedures and Business Processes
– Audit Logs and Retention Policies
– Standards and Best practices (NIST, SANS)
– Cyber Laws and Government Regulations
Forensics investigations have some aspects that require a thorough understanding of the following:
• what is being searched within information systems
• possess deep knowledge of certain tools such as FTK Imager and others to recover accidentally or intentionally deleted crucial evidence
• complying with chain of custody requirements
• storing collected evidence on an encrypted drive with a write-blocker function through the entire investigation process to preserve data consistency and originality
Modern Forensics Tools are classified by different categories including: Cloud, Networking, Storage, Email, Security, Social Media, Systems, SIEM, CCTV, Facility Security, e-Discovery and include the following common tools:
– FTK
– EnCase
– CAIN
– X-Ways Forensics
– SIFT
… and many others
Useful Links:
https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
http://resources.infosecinstitute.com/computer-forensics-tools/#gref
https://en.wikipedia.org/wiki/Digital_forensics
Amanda M Rossetti says
Ruslan,
I agree with all the points you have made, but I think it is important to add that not all forensics investigations have to involve law enforcement. Knowing when to involve law enforcement is important, and companies should have a policy for this. However, some investigations involve things that are against company policy, but not necessarily illegal. The investigation should be similar, in that preserving the integrity of the evidence is still important even if the act found wasn't illegal. An employee could attempt to sue the organization for wrongful termination, which could then land the evidence found in a court of law after the investigation is over, without the organization involving law enforcement. Thus, if the integrity of the evidence is not compromised, the organization could present it as proof, and show that it was against policy and directly resulted in the termination, and therefore the termination was not wrongful.
Ruslan Yakush says
Great point, Amanda! Thanks for bringing this up. I agree that some investigations don't need to involve law enforcement in the process. I believe it would make sense to bring law enforcement in in the case of criminal investigations and computer crimes; however, certain policy violations could be resolved internally by the organizations, assuming procedures and policies are followed.
Darin Bartholomew says
Ruslan thanks for mentioning several tools that are helpful with forensics. I’m hoping we can learn a few of these in class.
Darin Bartholomew says
I’m going to agree with Andres and his high level definition of organizational forensics. I think where organizational and digital forensics differ is that the organizational side is more the policies and procedures that need to be followed and the regulations that the business is placed under. Digital forensics is the evidence gathering to support a claim made about compliance with one of those policies or regulations. I think that they go hand in hand.
Through the entire process the forensics investigators need to apply a strict adherence to the chain of custody and all guidance involving how to collect, analyze, and store evidence in a way that it can still be submitted in court. Without compliance, an investigator could end up with a great case against a criminal, but be unable to prove it in a court of law.
Jonathan Duani says
Darin,
I agree that organizational forensics is more political because it encompasses the whole organization. You need to know proper procedure and how to deal with the different departments properly to gather the information you need in a timely manner. I also agree that chain of custody is important. If the chain of custody of evidence is lost, then a case could be thrown out over something silly.
Darin Bartholomew says
I like the use of the word political.
Ruslan Yakush says
Darin, I definitely agree about the critical importance of chain-of-custody. I remember dealing with a subpoena issued by the Department of Justice for one of the companies I worked for in the past, and that is where I was fully responsible for identifying and preserving requested evidence and making sure the chain-of-custody was kept consistent. For this purpose I was using FTK tools to collect data onto an encrypted hard drive with write-blocker mode to ensure all data and all time-stamps were kept intact, as that is the only way to be sure that collected evidence is accepted in a court of law.
Loi Van Tran says
Darin,
I don't know if I remember correctly, but the Professor mentioned that not all “evidence” will require the same amount of control when we talk about chain of custody. Not all evidence is the “murder weapon.” For example, in a murder case, recovering the murder weapon and having strict chain of custody is of more importance than recovering an email that shows intent. The email did not murder the person, but the knife did. Showing intent is great, but having the DNA altered or compromised is of greater concern.
Vaibhav Shukla says
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. Forensics deals more with the post-crime scene. When we add the word digital to it, then digital forensic analysts follow crime footprints to investigate incidents and track activities in the electronic and cyber domain. Digital forensics also deals with creating an infrastructure and environment that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
An example of such a case is that forensics not only deals with the collection of audit logs after the crime but also deals with analyzing whether the logs have been altered by a hacker to destroy the evidence, so that the integrity of the evidence is maintained in court.
The legal aspects of digital forensics are very important, and every country has its own laws and regulations, and when we work for clients from different countries we need to have legal counsel who can give insight into the legal rules and regulations we have to face. The United States Constitution has the Fourth Amendment, which allows for protection against unreasonable search and seizure, and the Fifth Amendment, which allows for protection against self-incrimination. Violation of any of them during the practice of computer forensics could be a crime. We also need to have a written permission or agreement from the owners who are requesting the use of forensic practices, which has implicit clauses about the boundaries within which the investigation can be carried out.
https://www.us-cert.gov/sites/default/files/publications/forensics.pdf
Noah J Berson says
I like that you brought up the issue of thinking globally. Even if you only build your website in the US it is still out there for the world to look at and use. Each country may have its own data protection laws or issue reporting laws which if disobeyed can result in penalties.
Mengxue Ni says
good answer, Vaibhav!
I saw the word “digital forensics” many times in your post. I agree that organization forensics is digital forensics, but I am still wondering if organization forensics = digital forensics. If so, we just need to give a definition to digital forensics then. Is organization forensics different from digital forensics?
Vaibhav Shukla says
I separated the word forensics from digital forensics, as forensics is something related to the evidence admissible in court. So it can also be a fingerprint collected after a crime for investigating criminals, so when we jump to digital forensics it's the collection of evidence in the digital world.
Joseph Nguyen says
There are 3 main types of organizations that are linked to digital forensics:
1. International Organisations:
– INTERPOL enables police in 190 member countries to work together to fight international crime that is concentrated in 3 areas (Counter-terrorism, Cybercrime, and Organized and emerging crime)
2. US Government:
– Computer Crime and Intellectual Property Section of the Department of Justice
– Computer Technology Investigators Network (CTIN has been providing high tech crime fighting training since 1996)
– National Institute of Standards and Technology, Computer Forensic Tool Testing (NIST)
– Organization of Scientific Area Committees for Forensic Science (OSAC has in its Digital/Multimedia area 4 subcommittees: Digital Evidence, Facial Identification, Speaker Recognition and Video/Imaging Technology and Analysis)
– Department of Defense Cyber Crime Center (DoD Cyber Crime Center, or DC3)
– FBI Regional Computer Forensic Laboratory Program (the FBI established the RCFL in 2002)
3. Professional Organizations:
– The SANS Institute
– High Technology Crime Investigation Association (based in CA since 1984)
– High Tech Crime Network (provide certification for Certified Computer Crime Investigator)
– American Academy of Forensic Science (since 1948, with 6,600 members)
Useful links:
http://forensicswiki.org/wiki/Organizations
https://www.nist.gov/forensics/organization-scientific-area-committees-forensic-science
https://www.nist.gov/sites/default/files/documents/forensics/OSAC-Block-Org-Chart-3-17-2015.pdf
Ruslan Yakush says
Joseph, great layout of organizations who are affiliated with forensics. It is amazing how widely forensics are used and applied to various aspects of investigations. I also found a few more interesting links about forensics:
– National Institute of Justice
https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
– Department of Justice – Forensics Science DNA
https://www.justice.gov/ncfs
https://www.justice.gov/dag/forensic-science
Elizabeth V Calise says
Joseph,
Interesting approach in answering the wiki question by stating all the organizations that are strongly associated with digital forensics. I have to agree with Ruslan about how it is quite fascinating how forensics is applied by many organizations throughout the country, but also internationally. It also makes sense because we are surrounded by technology every day and companies or organizations are experiencing some type of cyber attack by the second.
Samantha M Sederstrand says
Joseph,
I thought it was extremely helpful how you broke down your piece pertaining to different organizations that are the foundations for forensics. I found it interesting that some of these organizations have been operating since 1996 and have evolved to handle other types of cybercrime.
Noah J Berson says
I think this was an interesting way to answer the question. It shows that there is a lot of support even internationally for digital forensics. It is also important to note that the groups are able to talk with each other and share their techniques and information to keep improving in the field. Sometimes they will consult with another on big issues or hold a conference to enable free flowing ideas.
Jonathan Duani says
If I was slated with the task to write a Wikipedia page for Organizational Forensics, like most Wikipedia pages I would start with a brief overview of the topic that way users can know what it is about. I would take the definition about forensics and then the definition of organization and mold them together into a definition that would explain what I mean when I say organizational forensics. I think it would say something along the lines of:
Organization forensics is using tests and techniques to gather information from within an organization to piece together and solve a crime that may have transpired. When people think forensics, they think of dusting for fingerprints and looking at ballistic data from a gun; however, within an organization there are many other things that could be captured and/or documented and used as evidence within the company. Organizational Forensics will look at computers, networks, cameras, mobile devices, email and cloud repositories, to name a few things that could be captured, analyzed and used against someone in litigation. A lot of the log files that are created on a day to day basis that most people don't even know about are a treasure trove of information for an investigator. Organizational forensics encompasses multiple different resources, departments, talents and abilities in order to complete a single task: to solve the puzzle of whether a person is innocent or guilty, and then finding the information/data to confirm or deny that claim.
Roberto Nogueda says
Hello Jonathan, you actually broke down an easy way for others to understand what organizational forensics is and does. As a Wiki page developer I think you have the correct idea on what should be posted, in order to provide other users the proper information on what they are looking for.
Many Wiki pages, whether internal or external to an organization, have all the tools and applications available to users, so the page is a one-stop shop deal.
Elizabeth V Calise says
Jonathan,
I completely agree with Roberto's reply. I believe you broke down the use of forensics by an organization very well and in a way that is understandable for someone who may not be familiar with the term. The only thing I would briefly mention are the policies, procedures, requirements, etc. that an organization has to strictly adhere to, especially if they are to present the evidence in court.
Noah J Berson says
I like the analog metaphor used for digital forensics in your explanation. I am just not certain on whether or not forensics determines innocence. It seems more that it determines exactly what happened, and it is up to a court to determine the other half of the information. Intent is a hard thing to find in digital forensics, as people sometimes press a key by accident or on purpose. There are times where it can be clear when a user is in a system that they certainly know they shouldn't be.
Mengxue Ni says
I really like your answer! Jonathan.
It is very easy to understand and short to read. I would recommend emphasizing the use of laws. But other than the legal use, I think you did a very good job of describing organization forensics.
Elizabeth V Calise says
If you were tasked to write the Wikipedia page for Organizational Forensics what would it say?
Forensic Science is defined as the scientific method of gathering and examining for the purpose of presenting in court. Organizational Forensics is the use of forensics, mainly digital forensics, within companies to help preserve the company’s information and protect its data (information systems) while adhering to the organization’s policies and standards of compliance.
Digital Forensics is the collection, examination, analysis, and reporting of digital evidence (computer crime data) that is admissible in a court of law. There are different areas of digital forensics an organization can apply: network forensics, computer forensics, forensic animation, forensic watermarking, software forensics, etc. Sources of digital evidence could be hard disks, email, server content, audit log files, etc.
If an organization is in the situation to present digital evidence in the court of law, it is important that the company adheres to its policies, procedures, and guidelines that address the use of the forensic process. Depending on the situation of the company, there are country/region specific laws, international standards, guidelines for ensuring corporate forensic readiness, compliance with local laws and regulations, or industry specific requirements the company must comply with. It is very critical for the organization to adhere to all policies, standards, and guidelines for collecting, preserving, analyzing, and presenting the digital evidence. Otherwise, the evidence will be dismissed in court.
Anthony Clayton Fecondo says
Elizabeth,
Your explanation of digital forensics was thorough and I liked that you identified the various disciplines of organizational forensics and the assortment of regulations and policies that need to be considered during the organizational forensics process. I noticed that your definition, while not explicitly limiting digital forensics to legal applications, didn’t mention its admissibility towards settling internal incidents. While the arguably more important aspect of digital forensics is its applications for handling criminal offenses, it can also be handy for settling simpler issues such as violation of the company’s computer policy, etc.
Roberto Nogueda says
The internet's definition of organizational forensics is “the investigation of business structures or components that are not functioning as intended, causing negative impact to business results”; however, to define forensics, we need to understand that it is the collection, preservation, analysis, and presentation of digital evidence which is admissible in a court of law. Forensics is also usable for internal disciplinary hearings, and data to support internal incident reports so as to assist or further other investigations.
My Wiki page will have this definition, along with links to where to find information about the organization, whether for internal or external use; I would point users in the right direction for a more efficient result.
Last, I would provide a list of hierarchical individuals in an organization, or a chain of command chart, for a better understanding of the different areas, departments and senior leadership involved in a legal and technical situation for forensic purposes.
Darin Bartholomew says
Roberto I like your idea about the leadership chart/chain of command. I think sometimes it’s easy for us to get lost in the policies and the investigative tools and forget the fact that there are humans behind all of this who need to be communicated with and considered.
Ruslan Yakush says
Roberto, your statement about negative impact to business results is a great example of the necessity for an organization to have sound computer forensics practices to ensure information systems integrity and a defense-in-depth security strategy. Of course, this level of integrity can be achieved by thorough understanding not only of technical, but of legal aspects as well. This way, should there be a prosecution, an organization will be able to provide adequate evidence and solve the case.
Loi Van Tran says
Ruslan,
You are absolutely right that security professionals must not only understand the technical but the legal aspects as well. They need to consider their policy decisions and technical actions against existing laws. For instance, security professionals in the healthcare industry must understand or be able to navigate through HIPAA requirements when designing their systems, or consider the legal ramifications when using monitoring tools.
Jonathan Duani says
Roberto,
I like your idea of the org chart for an organization. Since every organization will of course be different, it can be a generalized chart to show the flow of power through a company. This could help a user if they need a specific piece of data, by knowing whom to ask.
Samantha M Sederstrand says
Roberto,
I like the outline for your Wikipedia article. I agree with Jonathan that the org chart for an organization makes sense when employees would need to figure out who to talk to about specific forensic matters. In addition, I think it would help those investigating an incident so they would know whom to contact to get information.
Bilaal Williams says
Organizational forensics is the practice of digital forensics in the context of organizations. Unlike digital forensics in the context of criminal investigations, which is conducted in reaction to events, organizational forensics is often practiced proactively in anticipation of the need for evidence. Organizational forensics supports legal defense, prosecution, e-discovery and demonstrating compliance with laws and regulations. Digital forensics readiness is the preparedness of organizations for conducting digital forensics.
NIST's Information Technology Laboratory issued Special Publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, which provides detailed information on how an organization can establish a forensic capability and develop the fundamental policies and procedures that will guide the use of forensics.
Digital forensic tools and techniques are valuable for organizational and security related tasks such as:
• Troubleshooting operational issues
• Log Monitoring
• Recovering lost data from systems
• Acquiring data for future analysis
• Protecting sensitive information and maintaining records for auditing purposes
Organizational forensics involves including forensic considerations in the Information System Development Life Cycle. Examples of these considerations include:
• Performing regular backups of systems and maintaining them for a specific period of time
• Enabling auditing on workstations, servers, and network devices
• Forwarding audit records to secure centralized log servers
• Maintaining a database of file hashes for the file names of common OS and application deployments
• Maintaining records of network and system configurations
• Establishing data retention policies
In order for organizations to establish an effective forensics program they must develop organizational policies that are clear and concise. These policies should be based on all applicable laws and regulations required in their respective industry while maintaining support for the reasonable and appropriate use of forensic tools.
References:
http://www.itl.nist.gov/lab/bulletns/bltnsep06.htm
http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
https://www.researchgate.net/figure/264898131_fig1_Figure-1-A-Framework-of-Organizational-Digital-Forensic-Readiness
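The “database of file hashes” and “records of system configurations” items in the readiness list above are easy to describe and easy to get wrong in practice, so here is an added example (not from this post, from NIST SP 800-86, or from any product) of the minimal version: a SHA-256 manifest of a deployment is taken as the baseline, and a later verification pass reports exactly which files were modified, removed or added. The directory layout, file names and contents are constructed for the demo.

```python
# Added example: a file-hash baseline (forensic-readiness manifest) and the
# verification pass an investigator would run against it after an incident.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root against a previously stored manifest.

    Returns sorted lists of files whose hash changed ('modified'), files the
    baseline recorded that are now gone ('missing'), and files present now
    that the baseline never recorded ('unexpected'). All three empty = intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("log_level = info\n")      # constructed
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF constructed stand-in")  # constructed
        (root / "README").write_text("constructed deployment baseline\n")  # constructed

        baseline = build_manifest(root)
        # In practice the manifest is stored off-host (e.g. as JSON on a
        # write-protected share); round-tripping through JSON stands in for that.
        stored = json.loads(json.dumps(baseline))

        # Simulate drift or tampering that happened after the baseline was taken.
        (root / "etc" / "app.conf").write_text("log_level = off\n")  # modified
        (root / "README").unlink()                                  # missing
        (root / "bin" / "helper").write_bytes(b"new, unrecorded file")  # unexpected

        return verify_manifest(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the report names only what differs from the baseline, the unchanged `bin/agent` never shows up; that is what makes a stored manifest useful evidence rather than just a listing.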
Loi Van Tran says
Bilaal,
My definition of organization forensics is very different from yours, but I tend to agree with you more. In today's business environment, every organization needs to anticipate and be prepared to respond to a breach, or provide digital evidence if requested. Whether it's to prosecute or defend, having a forensics policy, process, and structure in place will make them more effective in delivering the required evidence, saving time, money and resources.
Mengxue Ni says
Great examples, Bilaal.
Thank you for providing examples of digital forensic tools and forensics considerations. I am still confused by the differences between organization forensics and digital forensics. Can I understand it as: digital forensics readiness is the process of collecting digital evidence, and organization forensics is the result of digital forensics applied to laws and regulations?
BIlaal Williams says
Thanks Mengxue,
What I gathered from the research is that forensic readiness is how prepared an organization is to handle a forensic investigation. So this would include an organization's ability to process and collect digital evidence should an incident arise. And yes, organizational forensics is the application of digital forensics within an organization, which should support company policy, laws and regulations.
Amanda M Rossetti says
Forensics is the practice of applying science to investigations. Organizational forensics is applying this scientific investigation style within an organization such as a company or government agency. In modern times, digital forensics is heavily involved in organizational forensics. This is because much of what organizations do is now heavily tied to technology. Digital forensics is using scientific investigation to examine technology, such as computers.
Organizational forensics starts with development of policies and rules for how investigations will be carried out. Investigations should require authorization from someone at an appropriately high level prior to beginning their investigation. There should also be policies for how to preserve evidence so that, if required, it would be admissible in court. There should also be a determination of when the authorities need to be called to join the investigation. Finally, there should be policies on how to report findings, and who to report findings to.
Elizabeth V Calise says
Amanda,
I like how you indirectly pointed out how forensics has changed over time. Today, digital forensics is heavily used because we live in a “digital” world and technology is involved in our everyday lives, including organizations that strongly rely on technology to be successful.
Loi Van Tran says
Amanda,
I like the structure that you laid out on how organizational forensics should be conducted. Without structure, policies, and rules it would prove difficult to recover the required evidence. Things such as log monitoring or backups could be inadvertently mishandled; people deleting log files, backups are not performed periodically. Having policies in place provides for a means of consequences.
Samantha M Sederstrand says
Amanda,
I like how you were able to define the different instances of forensics and how they are used. What also was helpful is how you mentioned introducing the policies for how investigations should be handled. I also agree with Loi on how evidence could be mishandled, so policies are necessary.
Mengxue Ni says
Great post, Amanda!
I totally agree that digital forensics is heavily used in organization forensics because of technologies. It should be easier to find criminals than science forensics since computer footprints are easier to track than physical footprints. Also, there are policies and regulations in a company and the country.
Amanda M Rossetti says
This is kind of tangentially related to this topic, but it is the first thing I thought of when I read the question, I tried to find a case where someone used digital forensics on wikipedia. I could not find such a case, but I will explain where this thought came from. Anyone can edit wikipedia, and there are many pages on there for people, and sometimes those pages get edited in a way that is not true and unfavorable. (See: The invertebrate page was edited yesterday to include a picture of Paul Ryan, implying he has no spine for not standing up to Trump http://nymag.com/selectall/2017/01/wikipedia-invertebrate-page-edited-to-include-paul-ryan.html) My thought here is if something like this, but probably a bit more extreme than the Paul Ryan example, would be covered under libel laws. Say someone edited a page to say a famous actor was something terrible, and the actor could prove that that page edit led to them suffering damages, would the actor be able to sue the person who edited the page? My thought is yes, because things journalists write can be used to sue them, so I don’t see why editing a wikipedia page would be different. But, since wikipedia can be edited by anyone, it may not be the easiest to figure out who made the edit. They would have to get wikipedia to investigate it. If the person didn’t use their real name when setting up the account, they may need to look into the IP address that made the post. All of this would need to be done using sound digital forensic techniques so it could be admissible in court.
Noah J Berson says
Anyone can sue anyone for anything if they have enough money and lawyers. If you are editing something that is used as a source for people, you cannot use personal opinion as a defense. You also probably cannot use the truth as the defense as you have nothing sourcing your claim. I think this is why wikipedians revert even small changes because the edits need to have sources to last. I think it is still very hard to get someone in court over just their IP address as there have been some cases where the judge has said that it is not unique information to identify a defendant with.
Vaibhav Shukla says
Yeah, you have used an excellent example to define this, but I feel tracking an IP address may not be enough to sue a person in court. There are cases when people hack into somebody's network and use that network to hack and bring damage to other systems. The method does deal with tracking the user by IP address and then examining his personal computer for any internet history or log files.
Loi Van Tran says
According to US-Cert.gov, "Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts." It is the act of recovering and analyzing latent evidence: fingerprints at a crime scene, files on a hard drive, or evidence in digital formats. Organizational Forensics is collecting and analyzing business structures or components that are not functioning as intended (Transitions for Business, 2017). Organizational forensics is not limited to presenting the findings in a court of law; although preserving its integrity is a must, it is used to draw out deeper-seated problems within the organization. It examines the organization's culture, values, strategy, goals, processes, systems, and resources to find how each area contributes to the problem.
In my opinion, when data is compromised by a breach, it's not just the security controls, or lack of them, that is the problem. It looks at the culture of the organization: how do they perceive cyber threats, how do their strategy and goals align with the security efforts and vice versa. Computer forensics, which identifies, collects, preserves, and analyzes data in a way that preserves integrity for presentation in a court of law, is just a subcategory of organizational forensics.
Transitions For Business. (2017, January 29). Discover powerful business solutions from within using Organizational Forensics. Retrieved from Transitions for Business: http://www.transitionsforbusiness.com/organizational-forensics-is-the-investigation-of-business-structures-or-components-that-are-not-functioning-as-intended-causing-negative-impact-to-business-results.html
BIlaal Williams says
Loi,
I agree that the culture of an organization plays a significant role in how cyber threats are handled. Organizations that include cyber security in their business culture will be more likely to create policies and procedures that will allow for effective response should a threat or attack arise. These organizations will be more likely to have IDS/IPS in place, adequate logs available, and policies that will allow the use of digital forensic investigation without being hindered by privacy laws.
Samantha M Sederstrand says
Organizational forensics makes use of the scientific method of gathering and understanding information as well as data about a company which helps to identify what is working properly for the company and what is not. Much like traditional forensics, organizational forensics uses information from the past to understand an incident that needs to be investigated.
Digital forensics works hand in hand with organizational forensic science to aid the evidence collection process. This science works to preserve, collect, validate, and document digital evidence so that it can in turn be used in a court of law to prove or anticipate criminal or unsanctioned activity. Digital forensics can be classified into different subsets: traditional digital forensics, network forensics, and mobile, handheld, and embedded forensics. Since the digital landscape is always changing, it is difficult to have best practices when there could be a standard but the technology evolves. When a company is looking for a plan of action when it comes to digital forensics, it is important to have a standardized means of testing the data, having it reviewed, looking for errors, and looking at privacy as well as compliance matters.
For a company to be successful it will need to have a standardized way across the organization of handling forensics matters. By putting proper protocols and policies in place that are in line with industry standards, information and data collected will be analyzed and tested the same way to be used for forensic measures.
References:
https://www.radford.edu/content/dam/colleges/csat/forensics/nij-chapters/brunty1.pdf
Vaibhav Shukla says
I really like the point of mentioning that proper protocols and policies are in place. The work of a forensic expert will be easier if he can find the log files. Most auditors do recommend using log files, but the organizations ignore them. Many organizations have a retention policy, but the data may not be available for the particular date being asked for by a forensic investigator due to non-compliance with the policy.
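The retention failure Vaibhav describes, a policy that says "keep 90 days" while the central log store turns out to have holes on the one date that matters, is cheap to detect before an investigator needs the data. The following is an added example, not code from the original posts, that reads log lines with ISO 8601 UTC timestamps (an assumed format for the central log server), computes which days inside the policy window have no records at all, and flags silences between consecutive records longer than a chosen threshold. The sample log lines are constructed for the example; the thresholds are assumptions.

```python
"""Check retained logs against a retention policy (added example)."""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in ISO 8601 UTC form, assumed to be what the central log server writes.
SAMPLE_LOG = """\
2017-01-10T00:00:05Z srv1 sshd[1001]: Accepted publickey for alice from 10.0.0.5
2017-01-11T03:12:44Z srv1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
garbage line that does not parse and must not abort the check
2017-01-14T09:00:00Z srv1 sshd[1340]: Accepted password for bob from 10.0.0.9
2017-01-15T23:59:59Z srv1 CRON[2]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.\d+)?Z\b")


def parse_timestamps(text: str) -> List[datetime]:
    """Timestamps of every parseable line, sorted; unparseable lines are skipped, not fatal."""
    stamps = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1) + "T" + m.group(2), "%Y-%m-%dT%H:%M:%S"))
    return sorted(stamps)


def retention_check(text: str, as_of: date, retention_days: int,
                    max_gap: timedelta) -> Dict[str, object]:
    """Compare what is retained with what the policy requires.

    The window is the last `retention_days` calendar days ending on `as_of` (inclusive).
    missing_days: days in the window with no record at all.
    silences: consecutive records further apart than `max_gap`.
    """
    stamps = parse_timestamps(text)
    window_start = as_of - timedelta(days=retention_days - 1)
    have_days = {s.date() for s in stamps}
    window = (window_start + timedelta(days=i) for i in range(retention_days))
    missing = [d.isoformat() for d in window if d not in have_days]
    silences: List[Tuple[str, str]] = [
        (a.isoformat(), b.isoformat()) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap
    ]
    return {
        "window_start": window_start.isoformat(),
        "earliest_record": stamps[0].isoformat() if stamps else None,
        "missing_days": missing,
        "silences": silences,
        "compliant": not missing and not silences,
    }


def demo() -> Dict[str, object]:
    """Seven-day policy checked on 2017-01-15 with a two-day silence threshold (assumed values)."""
    return retention_check(SAMPLE_LOG, date(2017, 1, 15), 7, timedelta(days=2))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A day with no records is only a retention failure if the host is supposed to log something every day, so the check works best when every source emits a guaranteed daily event (a cron job, a logrotate run, a heartbeat) that an empty day would have to contain. Run it from the central server, not the source hosts, because the point is to prove what the forwarding and retention pipeline actually kept.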
Noah J Berson says
Organizational Forensics is the implementation of forensic techniques into an organization. This includes detecting vulnerabilities, detecting incidents, responding to issues, and recovery of data and evidence. It also involves obeying all laws in an investigation and getting information that can later be used in a court of law. To aid in organizational forensics, a framework for the company should be developed. NIST offers a lot of information pertaining to adding forensics when responding to incidents. This should include a plan for how to handle known possible issues such as DDoS attacks, bogus wireless access points, phishing attempts, and even stolen/lost/encrypted data. For any scenario, there should be a guide for "identification, containment, eradications, recovery, and lessons learned" (syllabus). In this way organizational forensics will protect an organization should an issue arise.
sources:
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
syllabus
Mengxue Ni says
First, I think the meaning of organization forensic is based on forensic science. So, I looked at the Wikipedia page of “forensic science”.
“Forensic science is the application of science to criminal and civil laws, mainly-on the criminal side-during criminal investigation, as governed by the legal standards of admissible evidence and criminal procedure”. I will add my understanding of organization forensic based on this explanation of forensic science.
Organization Forensic
Organization Forensic is the business form of forensic science. It is the investigation of business structures or components that are not functioning as intended, causing negative impact to business results.
• Digital evidence: Most of today's organization forensics involves information systems; therefore, the process of finding digital evidence can be understood as organization forensics as well.
• Legal knowledge: Digital forensics tends to be mainly used for investigations that are geared toward legal or law enforcement issues that are likely to end up in court; hence, the emphasis on legal acceptability.
• Use of computer and information systems knowledge: Users of information systems leave digital footprints whenever they use the systems—be they computer systems, smartphones, mobile phones, tablets or networks (i.e., the Internet, intranets, phone networks).
It can be defined as the use of computer and information systems (IS) knowledge, coupled with legal knowledge, to analyze in a legally acceptable manner digital evidence acquired, processed and stored in a way that is legally acceptable.
helpful links: http://www.transitionsforbusiness.com/organizational-forensics-is-the-investigation-of-business-structures-or-components-that-are-not-functioning-as-intended-causing-negative-impact-to-business-results.html
https://www.isaca.org/Journal/archives/2014/Volume-1/Pages/JOnline-Importance-of-Forensic-Readiness.aspx