Exploring Digital Forensic Readiness: A Preliminary Study from a Law Enforcement Perspective

Abstract

In today’s world of cybersecurity, it is not a question of whether an organization will experience a cyber attack, but rather a matter of when it will happen. These incidents can cause significant disruption and financial losses to organizations. Forensic readiness is becoming increasingly crucial as it can help maximize the use of digital evidence and reduce the investigative cost after an attack. It can also aid law enforcement in identifying and prosecuting cybercrime perpetrators. Our observation of cybercrime investigations indicates divergent stakeholder priorities during a cyber attack. Victimized organizations prioritize resuming normal operations, and incident responders focus on restoration, potentially neglecting criminal evidence integrity. Law enforcement involvement occurs post-incident, usually after the initial incident handling is completed. Due to divergent focus areas, there is a lack of a comprehensive overview. This made us question the relationship between forensic readiness practices in the industry and criminal investigations performed by law enforcement after an attack. This paper investigates whether forensic readiness and criminal investigation are aligned. To assess alignment, we compare forensic readiness and criminal investigation definitions and their core components. Our research shows that forensic readiness does not sufficiently focus on criminal investigation; thus, the current forensic readiness approach does not adequately encompass criminal investigations. We propose incorporating criminal investigation integration as a new domain to address this issue while developing future forensic readiness models and practices. Furthermore, we propose using the term cross-organizational investigative readiness instead of forensic readiness to underline the importance of the industry, incident responders, and law enforcement working together to prevent, mitigate, and prosecute cybercrime.