
Digital Forensics: The Laws and Governance

Joe Abraham
IT SECURITY PROFESSIONAL

@joeabrah www.joestechinsights.com
Overview
- Importance of laws and governance
- Laws vs. standards vs. policies vs. best practices
- Governing bodies and laws
- Best practices, standards, and policies within the branches
- Incident handling standards and procedures
- Evidence handling standards and procedures
Everyone should know and
play their part in a forensic
investigation!
Law
A binding custom or practice of a community: a rule or
action prescribed or formally recognized as binding or
enforced by a controlling authority.
-Merriam-Webster Dictionary
Standard
Something established by authority, custom, or general
consent as a model or example.
-Merriam-Webster Dictionary
Policy
A high-level overall plan embracing the general goals
and acceptable procedures especially of a governmental
body.
-Merriam-Webster Dictionary
Best Practice
A procedure that has been shown by research and
experience to produce optimal results and that is
established or proposed as a standard suitable for
widespread adoption.
-Merriam-Webster Dictionary
Governing Bodies and Laws
Which laws and regulations
do I need to know about?
- Convention on Cybercrime
- US Computer Fraud and Abuse Act
- PACE Act (UK)
- Computer Misuse Act
- US Federal Rules of Evidence
Best Practices

National Institute of Standards and Technology (NIST)
- SP 800-86
- Guidelines on Cell Phone Forensics
- A Probabilistic Network Forensics Model for Evidence Analysis
- Computer Forensics Tool Testing (CFTT)

International Organization for Standardization (ISO)
- ISO/IEC 27037 – Guidelines for identification, collection, acquisition, and preservation of digital evidence
- ISO/IEC 27042 – Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043 – Incident investigation principles and processes

*These are just a sampling of the published guidelines
Policies
Write based on your unique environment
Define policies for (at a minimum)
- Digital evidence
- Incident handling
- Conducting an investigation
- Reporting
Use as many influences as possible
- Legal consultation
- Expert consultation
- Management
Every organization is different!


Forensic Science
- Digital Forensics
- Other Forensic Subdivisions
Get buy in from legal
representation, law
enforcement, and
management.
Incident Response
Incident Response Steps
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Who Is in Yours?
- Consultant
- Legal Representation
- Law Enforcement
- Management
Digital Forensics
Process of identifying, preserving, analyzing and
presenting digital evidence in a manner that is legally
acceptable in any legal proceedings (i.e., a court of law)
Research and include these
steps in your organizational
policies!
Evidence Handling
Key Points on Evidence Handling
Laws and typical procedures vary by country and environment
Special training is usually required
Certifications (CDFE, CHFI) help verify training, knowledge, and experience
Get legal authority to seize the evidence!
Take photos, videos, or sketches
Create and follow a chain of custody
- Typically first responder
Notify investigator of information wanted
- What kind of data?
- Where it could be
- Any additional, relevant information
Do not compromise electronic data!


More on Evidence Handling
Maintaining integrity of evidence is key
Don’t just “pull the plug”
Follow best practices, standards, laws and regulations
Keep in mind the order of volatility of electronic data
Protect yourself and your
organization.
Summary
Defined various terms
- Standards
- Best practices
- Laws and regulations
- Policies
Governing bodies and laws
Industry standards
Organizational policy
Incident response procedures
Evidence handling
Why is this important to
you?
Top Policy Challenges
Keeping policies up to date: 47%
Training employees on policies: 40%
*July 21, 2016, Rob Marvin, PC Mag
“The one who adapts his policy to the
times prospers, and likewise that the
one whose policy clashes with the
demands of the times does not.”
Niccolo Machiavelli
