NIST Guide Details Forensic Practices for Data Analysis
For Immediate Release: September 14, 2006
TV shows such as "CSI: Crime Scene Investigation" have popularized the role of forensic science in solving crimes. Now, computer security experts at the National Institute of Standards and Technology have issued a guide to help organizations use similar techniques to troubleshoot operational problems, investigate computer security incidents and recover from accidental system damage.
The guide recommends a four-step process for digital forensics: (1) identify, acquire and protect data related to a specific event; (2) process the collected data and extract relevant pieces of information from it; (3) analyze the extracted data to derive additional useful information; and (4) report the results of the analysis. Lessons learned during the forensic process should be incorporated in future forensic efforts.
The guide contains eight different scenarios, including a denial of service attack and an unknown wireless access point that can be used by organizations conducting tabletop exercises. The scenarios include general questions that can be applied to most scenarios as well as additional scenario-specific questions, such as how particular types of forensic tools or techniques might be used.
Created primarily for incident response teams; system, network, and security administrators; and computer security program managers, the guide recommends that others in the organization, including legal advisors and physical security staff, also participate in digital forensic activities.
Guide to Integrating Forensic Techniques into Incident Response (NIST Special Publication 800-86) is available at http://csrc.nist.gov/publications/nistpubs/.