We're going to move on and look at digital forensics in the role of investigations, because it is an important part of it. Again, some of these tools and techniques overlap across the different phases, and this is definitely one of those. You may be doing digital forensics all the way from the beginning through to the end of an incident. Now, it's heavily used for investigations because, remember, we're trying to answer questions. You want to remember again not to interfere with the overall incident response process, because there are other phases in IR that are going to be pulling from forensics resources as well. You want to make sure that you address that and schedule it appropriately, and not step on the toes of those phases. Now, forensics is really a supporting role in the IR process. A lot of people mistakenly call incident response and forensics the same thing, and they're definitely not. Oftentimes we use forensics as part of an incident response process, but forensics in and of itself is not an incident response effort. The goal of forensics is different from the goal of IR: forensics is really just about answering questions, and answering questions is only part of the role of incident response. In incident response we do need to answer questions, but the main goal in incident response, remember, is to get things back to a normal operating state, recover from the incident, and respond to it properly with the least amount of impact, whether that impact is financial, operational, or a matter of PR and reputation for the organization. Now, traditionally the primary goal of forensics was evidence preservation and admissibility; that's what we primarily set forensics up for. In incident response forensics, the primary goal is usually just to help us move from one phase to another, and this is again where the investigation could tie into all the different phases. Admissibility in court is a consideration, but I just want to reiterate that it's usually not the primary consideration.
It's a vitally important function, though; it's needed to answer IR questions. It's often needed to add context to discovered artifacts. We'll find a piece of malware, or a document, or some behavior on a system, or a configuration that just seems out of place. A lot of times we will have to perform forensics to get context around what we discovered so that it actually makes sense, and we can tie it to things like eventually getting to a root cause. It's also a key component of the investigative functions that we were just talking about previously. A lot of the questions that we're trying to answer, a lot of the things that we're trying to ascertain, we can't do without proper digital forensics. Now, traditional forensics procedures may not work because they could be contrary to IR goals. A lot of times, again, forensics procedures are all about maintaining admissibility and preserving evidence, whereas in incident response the focus is on recovery. Sometimes those two things can run contrary to each other. We need to keep in mind, too, that you can't take traditional forensics analysts, plop them right into an IR role, and expect them to fit right in without giving them proper training on IR. They need to understand incident response, and they need to understand the difference in focus and goals, so that they can do their job efficiently and more in line with forensics for incident response. Also, maintain the evidence gathered. The evidence should still be life-cycled, and it should be treated as something that could go to court. When an incident is over, you have to look at how to dispose of that evidence if it's not something that's going to help you with training or with getting prepared for future incidents. You still want to follow solid and sound forensics procedures; documentation and chain of custody principles still apply. Again, they're just not the primary goal there.
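As an added illustration of the "documentation and chain of custody still apply" point above (this is example code written for this page, not material from the course), the block below keeps a minimal append-only custody ledger for an evidence item: every handoff records who, when, and the item's SHA-256 at that moment, and a verification pass replays the ledger so an unrecorded change is caught. File names, actor names, and the sample image bytes are all constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()  # chunked so a large disk/memory image need not fit in memory
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_custody(log: Path, item: Path, actor: str, action: str, note: str = "") -> dict:
    """Append one custody event (who, what, when, hash at that moment) as a JSON line."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "item": item.name,
        "sha256": sha256_file(item),
        "actor": actor,
        "action": action,  # acquired, transferred, analyzed, disposed ...
        "note": note,
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log: Path, item: Path) -> tuple[bool, str]:
    """Replay the ledger: every later hash and the item on disk must match the acquisition hash."""
    entries = [json.loads(l) for l in log.read_text(encoding="utf-8").splitlines() if l]
    if not entries or entries[0]["action"] != "acquired":
        return False, "ledger must begin with an acquisition record"
    baseline = entries[0]["sha256"]
    for e in entries[1:]:
        if e["sha256"] != baseline:
            return False, f"hash changed while in custody of {e['actor']} ({e['action']})"
    if sha256_file(item) != baseline:
        return False, "item on disk no longer matches the acquisition hash"
    return True, f"{len(entries)} custody events, integrity intact"

def demo() -> tuple[bool, bool]:
    work = Path(tempfile.mkdtemp())  # constructed scenario in a throwaway directory
    item, log = work / "host01-memory.raw", work / "custody.jsonl"
    item.write_bytes(b"constructed sample memory image contents")  # not a real image
    record_custody(log, item, "responder-A", "acquired", "imaged from host01")
    record_custody(log, item, "analyst-B", "transferred", "handed off for triage")
    clean, _ = verify_custody(log, item)
    item.write_bytes(b"modified after handoff")  # simulate an unrecorded change to the item
    tampered, _ = verify_custody(log, item)
    return clean, tampered
```

`demo()` returns `(True, False)`: the recorded handoff verifies, and the later unrecorded modification is flagged because the on-disk hash no longer matches the acquisition record.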
You want to refer to whatever the overall corporate strategy or agency strategy on evidence maintenance is; this is something that should already be established in the organization, and you want to refer back to it any time you can. Some investigative activities may be happening throughout the incident, so this is why it's important to make sure you keep them separate. Also, forensics is a supporting function for IR, just like business continuity and these other things that we'll talk about. Forensics is a key function of the investigative procedures, or at least it can be. Remember that the rules of evidence and preservation still apply; however, they may not be the primary factors. If it's a situation where you need to quickly get a piece of evidence to someone else on the team, and you're torn between that and doing a preservation step for court, you probably want to lean more towards getting it to the other person on the team so that they can handle the incident more efficiently and faster. Thank you for watching this session of the skills incident response path here. I hope to see you again in another one very soon.