What are the four steps in the NIST digital forensics process give a brief description of each case?

Incident response is a plan for responding to a cybersecurity incident methodically. If an incident is nefarious, steps are taken to quickly contain, minimize, and learn from the damage.

Not every cybersecurity event is serious enough to warrant investigation. Events, like a single login failure from an employee on premises, are good to be aware of when occurring as isolated incidents, but don’t require man hours to investigate. Your cybersecurity team should have a list of event types with designated boundaries on when each type needs to be investigated. From there, you should have customized incident response steps for each type of incident.

The Importance of Incident Response Steps

A data breach should be viewed as a “when” not “if” occurrence, so be prepared for it. Under the pressure of a critical level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest on the front end.

Incident response can be stressful, and IS stressful when a critical asset is involved and you realize there’s an actual threat. Incident response steps help in these stressful, high-pressure situations by guiding you more quickly to successful containment and recovery. Response time is critical to minimizing damage. With every second counting, having a plan already in place to follow is the key to success.

The Two Industry Standard Incident Response Frameworks

Introduced in no particular order, NIST and SANS are the dominant institutes whose incident response steps have become industry standard.

NIST

NIST stands for National Institute of Standards and Technology. They’re a government agency proudly proclaiming themselves as “one of the nation’s oldest physical science laboratories”. They work across all things technology, including cybersecurity, where their incident response steps have made them one of the two industry standard go-tos for incident response.

The NIST Incident Response Process contains four steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

SANS

SANS stands for SysAdmin, Audit, Network, and Security. They’re a private organization that, per their self description, is “a cooperative research and education organization”. Though more youthful than NIST, their sole focus is security, and they’ve become an industry standard framework for incident response.

The SANS Incident Response Process consists of six steps:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

The Difference Between NIST and SANS Incident Response Steps

With two industry standard frameworks, there’s a chance you’re familiar with one but not the other. So let’s do a walk-through of their similarities and differences. First, here’s a side-by-side view of the two processes before we dive into what each step entails.

  NIST 1) Preparation = SANS 1) Preparation
  NIST 2) Detection and Analysis = SANS 2) Identification
  NIST 3) Containment, Eradication, and Recovery = SANS 3) Containment, 4) Eradication, 5) Recovery
  NIST 4) Post-Incident Activity = SANS 6) Lessons Learned

Placed side by side in list form, you can see that NIST and SANS have the same components and the same flow, but different verbiage and clustering. Let’s walk through what each step entails to get into the nuanced differences between the frameworks.

For consistency, NIST steps will always be presented on the left and SANS on the right during the steps side-by-side comparisons.

Step 1) Preparation = Step 1) Preparation

Preparation is key to rapid response. We beat this drum earlier when discussing the importance of having incident response steps.

This step is similar for both NIST and SANS. In it you compile a list of all your assets, including but not limited to servers, networks, applications, and critical endpoints (like C-level laptops). After you’ve compiled your asset list, rank the assets by level of importance. Then monitor their traffic patterns so you can create baselines for comparison later.

Create a communication plan, with guidance on who to contact, how, and when based on each incident type. Don’t forget to get buy-in from everyone on this contact list to prevent hiccups or finger pointing later.

Determine which security events should be investigated, and at what thresholds.

Then create an incident response plan for each type of incident. It can be improved through security event simulations, where you identify holes in your process, but it will also be improved after actual events (more on that later). The point is, get a process in place.
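One way to turn the “which events, at what thresholds” decision above into something a triage script can apply, as an added example that is not part of either framework or of the original article: the event types, thresholds, line format and log lines are all constructed assumptions. A lone on-premises login failure is recorded but not flagged, while a burst of failures, a single remote failure, or a malware alert crosses its threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed investigation thresholds per (event type, location):
# (occurrences, window). A lone on-premises login failure is logged but not
# investigated; a burst of them, or a single remote failure, is.
THRESHOLDS = {
    ("login_failure", "onprem"): (5, timedelta(minutes=10)),
    ("login_failure", "remote"): (1, timedelta(minutes=10)),
    ("malware_alert", "onprem"): (1, timedelta(minutes=10)),
    ("malware_alert", "remote"): (1, timedelta(minutes=10)),
}


def parse_event(line):
    """Parse a constructed line: '<ISO time> <type> user=<u> location=<loc>'."""
    ts, etype, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(ts), "type": etype, **kv}


def triage(lines):
    """Return sorted (event type, user) pairs whose events crossed their
    threshold inside the sliding window; everything else stays isolated."""
    recent = defaultdict(list)   # (type, user) -> timestamps still in window
    flagged = set()
    for ev in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        key = (ev["type"], ev["user"])
        count, window = THRESHOLDS[(ev["type"], ev["location"])]
        # Keep only occurrences inside the window ending at this event.
        recent[key] = [t for t in recent[key] if ev["time"] - t <= window]
        recent[key].append(ev["time"])
        if len(recent[key]) >= count:
            flagged.add(key)
    return sorted(flagged)


# Constructed sample log (not from the article): one isolated failure for
# alice, two failures an hour apart for dana, a six-attempt burst for bob,
# one remote failure for carol and one malware alert for eve.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 login_failure user=alice location=onprem",
    "2024-03-01T09:00:00 login_failure user=dana location=onprem",
    "2024-03-01T10:00:00 login_failure user=dana location=onprem",
    "2024-03-01T09:02:00 login_failure user=carol location=remote",
    "2024-03-01T09:03:00 malware_alert user=eve location=onprem",
] + [f"2024-03-01T09:0{i}:00 login_failure user=bob location=onprem" for i in range(6)]

if __name__ == "__main__":
    for etype, user in triage(SAMPLE_LOG):
        print(f"investigate: {etype} for {user}")
```

Only bob, carol and eve are flagged; alice’s single failure and dana’s two failures outside the window stay events to be aware of, not incidents.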

Step 2) Detection and Analysis = Step 2) Identification

Again, this step is similar for both NIST and SANS, but with different verbiage.

At this point in the process, a security incident has been identified. This is where you go into research mode. Gather everything you can on the incident. Then analyze it. Determine the entry point and the breadth of the breach. This process is made substantially easier and faster if you’ve got all your security tools feeding into a single location.

Step 3) Containment, Eradication, & Recovery = Steps 3-5) Containment. Eradication. Recovery.

Here is where NIST and SANS kind-of part ways in their similarities before agreeing again on the final step. NIST views the process of containment, eradication, and recovery as a singular step with multiple components. SANS views them as their own independent steps.

Containment aims to stop the bleeding. Here is where you patch the threat’s entry point.

Eradication aims to remove the threat. If the threat gained entry from one system and proliferated into other systems, you’ll have more work on your hands here.

Recovery aims to get the system operational if it went down or simply back to business as usual if it didn’t.

Step 4) Post-Incident Activity = Step 6) Lessons Learned

NIST and SANS are in agreement again in their last step, if not in verbiage, in spirit.

This step provides the opportunity to learn from your experience so you can better respond to future security events. Tempting as it may be to skip, with your never ending to-do list, this step is strongly recommended.

Take a look at the incident with a humble but critical eye to identify areas for improvement. Then go add those improvements to your documentation.

No process is perfect for absolutely every possible scenario. Some scenarios can’t even be fathomed until they’ve occurred. The threat landscape is also ever-evolving so your incident response process will naturally need the occasional update. Remember, your future self will thank you.

The Incident Response Steps Poll

In an informal Twitter poll on a personal account, one of us got curious and asked people where their incident response guidance comes from. Check out the result:

While not a statistically significant poll, 69% of respondents use NIST or SANS. Not surprising since they’re industry standards, but it scratched our curiosity itch.

Which Incident Response Steps Framework is Better?

Ah, to be definitely told an answer. No such chance here. It really does come down to personal preference. Does it make more sense to you to break containment, eradication, and recovery into their own steps or keep them grouped in a single step? Let your answer to that question guide you to the right choice.

Both are popular and have supporters. Regardless of which you choose, both NIST and SANS have incident handling checklists available to get you started. Just remember to customize them to your specific needs and company’s environment...and before you’re in the midst of an incident response.

If you'd like to further explore incident response, check out our free Insider's Guide.

In the increasingly dynamic world of technology, the number of smart devices (computers, smartphones) is growing dramatically, leading to a huge amount of data being exchanged. These smart devices are increasingly involved in cyber fraud and cyber-crime. Today more information is stored in digital format, and because criminal activity increasingly involves computers or smartphones, it is crucial that digital investigators can conduct their analysis properly. This is why, as early as 1984, the FBI and many other law enforcement agencies started to develop processes and adopt procedures for digital investigations.

Since then, the number of proposed models and frameworks has kept increasing, and many enhancements have been applied to existing ones. This and upcoming articles will walk you through some of the proposed models.

All models agree on the importance of certain phases, as we will see later. Most of the proposed frameworks accept some common starting points and give an abstract frame that forensic researchers and practitioners apply and use to open new research horizons and meet continually evolving requirements.

Computer forensic investigative process

Back in 1984, Pollitt proposed the first methodology for dealing with digital evidence in a way that remains scientifically reliable and legally acceptable. The model was discussed in the Proceedings of the National Information Security Conference and consists of four main phases, as you can see in the following diagram:

Figure 1 Computer Forensic Investigative Process

The first phase is Acquisition, where evidence is acquired with approval from the authorities and in an acceptable manner. It is followed by the Identification step, in which all evidence is transformed from digital format into a human-understandable format. The Evaluation phase comprises the tasks that determine the accuracy of the gathered evidence and whether it can indeed be considered relevant to the case under investigation. The final step is Admission, where all extracted evidence is presented.

DFRWS investigative model

The research roadmap from the Digital Forensic Research Workshop (DFRWS) proposed in 2001 a general-purpose digital forensic framework composed of six main phases:

Figure 2 DFRWS Investigative Model

This model became the foundation for later enhancements because it was consistent and standardized. Its phases are Identification, Preservation, Collection, Examination, Analysis and Presentation (plus a pseudo-additional step, Decision). Each phase consists of candidate techniques or methods. The first, Identification, comprises event or crime detection, signature resolving, anomaly detection, system monitoring, audit analysis, etc. It is followed by the Preservation step, in which proper case management is set up, imaging technologies are used, and all measures are taken to ensure an accurate and acceptable chain of custody; preservation is a guarded principle across all forensic phases. Collection comes directly after: relevant data is collected using approved methods, software and hardware, and different recovery techniques and lossless compression are also used in this step. Next come two very crucial phases, Examination and Analysis, in which evidence traceability and pattern matching are guaranteed, then hidden data is discovered and extracted; at this point data mining and timeline analysis are performed. The last phase of this model is Presentation. The tasks related to this step are documentation, clarification, mission impact statement, recommendations and countermeasures, and expert testimony.

Abstract digital forensics model (ADFM)

As seen, the DFRWS Investigative Model was meant to be a generic, “technology-independent” model. In 2002 Mark Reith, Clint Carr, and Gregg Gunsch, inspired by DFRWS, presented the Abstract Digital Forensic Model, an enhanced model composed of nine phases:

Figure 3 Abstract Digital Forensics Model (ADFM)

In this model, the Identification phase assumes that the incident type is recognized and determined; this is an important step since all subsequent steps depend on it. It is followed by the Preparation step, the first newly introduced step, where tools, techniques, search warrants, monitoring authorization and management support are prepared. This is followed by the second newly introduced step, Approach Strategy, which is meant to maximize the collection of evidence while minimizing the impact on the victim by formulating different approaches and procedures to follow. In the following phase, Preservation, all acquired data must be isolated and secured to keep it in its actual state. In the Collection phase, all acquired digital evidence is duplicated and the physical scene is recorded, based on standardized procedures. The next phase is Examination, in which an in-depth systematic analysis is conducted to search for evidence relating to the current case. The probative value of the examined evidence is determined in the Analysis phase. The following step is Presentation, where a summary of the process is developed. Then comes the third newly introduced step, Returning Evidence, which closes the investigation process by returning physical and digital evidence to the proper owner.

The most important value added by this model (in contrast with the DFRWS Investigative Model) is its comprehensive pre- and post-investigation procedures.

Integrated digital investigation process (IDIP)

The model was first proposed by Carrier and Spafford in 2003. The goal was to “integrate” all available models and investigative procedures, and the effort was made to map the digital investigative process onto the physical one. The model itself is quite big, since it is organized into five groups consisting of 17 phases.

Figure 4 The five groups of phases in the IDIP model

The model starts with the Readiness phase, which ensures that we are fully able to support the investigation (including an operations readiness phase, in which we provide all training and equipment for investigators, and an infrastructure readiness phase, which ensures that the needed data exists). This is followed by the Deployment phase, where we provide mechanisms for an incident to be detected and confirmed; this phase consists of detection and notification, then confirmation and authorization phases. Immediately after comes the Physical Crime Scene Investigation phase, where we collect and analyze physical evidence in order to reconstruct the actions that took place during the incident; this phase consists of six sub-phases, listed below together with their digital counterparts.

After this comes the Digital Crime Scene Investigation phase. This model considers each digital device a separate crime scene, and this phase ensures the collection of all electronic evidence. Just like the previous one, it contains six ‘identical’ sub-phases.

Both phases include Preservation, Survey for Physical/Digital Evidence, Document Evidence and Scene, Search for Physical/Digital Evidence, Physical/Digital Crime Scene Reconstruction and Presentation of Physical/Digital Scene Theory. The last phase of the model is the Review phase, in which the whole process is reviewed to find points of improvement and to identify new procedures or new training requirements.

Today’s digital world is becoming an important (if not the most important) part of any criminal investigation. It is important to keep in mind that using tools and having technical skills is not usually enough to fully and properly investigate a digital crime. Digital forensic examiners must follow a well-defined process that goes beyond technical needs, which is why we must take an in-depth look at previous efforts and existing forensic frameworks. This article is the first of a series that will go through the historical evolution of digital forensic models and frameworks; today we described the first four major models that were developed, and upcoming articles will cover more recent ones.