Forensic Readiness Planning

Posted on March 19, 2010


Apparently businesses and organisations are now being encouraged to formulate Forensic Readiness Plans (‘FRP’, pronounced ‘Furrrp’) to have in place for when Something Bad happens and they need to get computery stuff forensicked. This is probably a good idea (although not as good as my idea for dividing supermarkets into ‘Things that are pickled’ and ‘Things that are not pickled’), and gets a coveted Monkey Seal of Approval.

From what I can see, most FRPs are aimed at commercial incident response scenarios. This is all very well, but I think that it would make good sense to also have one for when an organisation has to call in the po-po, as we’re the people who are going to be making a case out of the evidence they provide us with. With this in mind, it’s important that the evidence we get from the organisation concerned is the best it can be.

In the spirit of forming good relations with the business, education, local government and other sectors, I would like to offer my own Law Enforcement Guidelines for Creating an FRP (pronounced ‘Legufurrrrp’). Feel free to repackage this and sell it on as your own, all you slick-suited shysters out there.

If you’re reporting an incident in your organisation:

  1. Don’t let IT Support anywhere near the exhibit.
  2. Really, we mean it. I know they mean well, but they’ll do nothing but harm.
  3. Seriously, we’ll probably reject the exhibit if it’s been messed with. We’ll be able to tell – we can smell IT Support on an exhibit.
  4. I mean, if you found a headless corpse in the boiler room you wouldn’t ask the first-aider from Marketing to perform an autopsy, would you? *
  5. If the computer has Deep Freeze or similar software on it, don’t let somebody uninstall it ‘to help the police’ (we’re looking at you, library staff).
  6. Keep the exhibit in a locked room. Don’t let the suspect use it to ‘get some personal documents back’.
  7. If the room has a glass panel in the door, feel free to sell tickets to office gossips who want to ‘have a look at the paedo’s machine’.
  8. If the suspect isn’t in work, please don’t phone him at home to tell him that the police are coming to look into his 20GB of indecent images and grooming chat logs. We don’t get much fun in our lives and we love to surprise people.
  9. When pulling off logs from the proxy server, it helps if you isolate the output just to the user of interest. We also prefer electronic copies, not a crate full of paper.
  10. If you can possibly avoid bringing in a senior manager who knows nothing about the case in question but who just wants to make random obstacles because he thinks it’s his job, that’d be great.
  11. We know it’s all very inconvenient and you wish it’d go away, but ignoring the problem for a year and then telling the police isn’t a good idea. Particularly if you’re an educational establishment with, y’know, kids on the premises.

If you’re the organisation under investigation:

  1. If your sysadmin cooperates with us, he’s not being disloyal or ‘a grassing weasel who’s going to get it’. He’s merely trying to ensure that your business is left able to trade tomorrow.
  2. If the police are from a force that isn’t your local one and have had to spend the previous night in a hotel, they will stink of stale beer and curry. You may want to open a window as soon as possible.
  3. Decent coffee is preferred. If we see facilities for making good stuff and you provide instant, we may take offence.
  4. Your solicitor will probably end up hanging out with us rather than you. The banter’s better.
  5. If you have comfy office chairs, we’ll covet them and discuss them at great length. We lead simple lives.

OK, so that’s pretty much it. You may want to circulate this to your IT managers.

*I know that this is grossly offensive to all the knowledgeable, skilful IT Support people out there but if it gets me even one cheap laugh then I can deal with that.

This post was brought to you with the help of a breakfast smoothie and a cup of green tea.

Posted in: Forensics