SANS Digital Forensics and Incident Response Blog

SANS Survey of Digital Forensics and Incident Response #DFIR

More than 450 participants completed the SANS 2013 Digital Forensics Survey, conducted online during April
and May 2013. A primary goal of this survey was to identify the nontraditional areas where digital forensics
techniques are used. The survey can be downloaded HERE.

A webcast introducing the Survey earlier this month can be found here: https://www.sans.org/webcasts/digital-forensics-modern-times-survey-96645

The survey written by Paul Henry, Jacob Williams, and Benjamin Wright.

In the survey 54% of respondents indicated their digital forensics capabilities are reasonably effective.
Although the majority of their investigations still take place on company-issued computers and laptops
and internal networks and systems, participants also conduct forensic investigations on virtual and cloudbased
systems and other unconventional endpoints. When it comes to investigating these new media types,
participants are nearly equally divided among several challenges inherent to such investigations?including a
lack of specialized tools, standards and training, and visibility into potential incidents.

A chief finding of the survey was that participants identified deficiencies in standards, tools and training
as the fundamental challenges to investigating incidents involving the cloud, mobile devices and other
unconventional endpoints.

As organizations adopt bring-your-own-device (BYOD) policies and cloud (particularly "public cloud")
technologies, they should ensure that the policies cover digital forensics and incident response (DFIR) in
these and other emerging technologies. IT professionals should also engage the advice of their legal teams
or consultants so that the policies actually achieve the desired outcomes and protections, while avoiding
undesired ones. For instance, some incident response (IR) teams routinely reload compromised workstations
without obtaining forensic disk images or memory captures. Although accomplishing the IR goals of
containment and eradication, this method undermines the value of evidence that may be required for
subsequent legal action.

Forensic investigations of so-called "new" computing devices and media are increasing, affecting enterprise
governance (and society in general) more than ever before. Increasingly, these investigations involve
technologies such as cloud computing and mobile devices.

To assess the current state of forensic investigations and emerging trends, the SANS Institute conducted this
online survey of digital forensics practitioners. The results, summarized in this whitepaper, will help forensic
professionals and their clients better prepare for future investigations and allocate resources, while helping
guide educators and forensic tools vendors.

The survey can be downloaded HERE.

AUTHOR BIOS:

Paul A. Henry: Paul Henry is one of the world's foremost global information security and computer forensic experts with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations worldwide.Paul is a principle at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security. Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia. Paul is frequently cited by major and trade print publications as an expert in computer forensics, technical security topics, and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, firewall architectures, security architectures, and managed security services.

Ben Wright: Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With over 25 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery and records management and been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. He teaches the law of data security and investigations at the SANS Institute. Wright maintains a matrix of popular blogs accessible at benjaminwright.us. Wright graduated from Georgetown University Law Center in 1984. Russian banking authorities recently tapped him for advice on the law of technology and electronic payments.

Jacob Williams: Jacob Williams a principal consultant at CSRgroup Computer Security Consultants, has over a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before joining CSRgroup, he worked with various government agencies in information security roles. Jake is a two-time victor at the annual DC3 Digital Forensics Challenge.