When thinking about digital forensics, most people imagine a court and lawyers. But this isn’t true in most cases, as it’s much more than legal processes or procedures. Forensics is essentially the process of understanding why, when and how something happened. This could be done for a criminal investigation, a civil investigation or just as an internal incident response (IR) investigation.

It’s difficult to guess when an incident is going to occur — and even harder to anticipate if that incident will require some sort of forensic investigation, either internally or to present evidence in a court of law.

Companies must be prepared to respond if something unexpected happens. Generally, organizations have two options for IR and digital forensics: Buy or build?

Buying Incident Response and Digital Forensics

What does it mean to “buy” an IR and digital forensics team? It’s simple: A company pays another company to support them in the event of an incident. There are several advantages to this type of service. For instance, the company does not need to invest in equipment and personnel, as the service provider provides everything. The IBM X-Force Incident Response and Intelligence Services (IRIS), for example, offers teams to clients who’ve had a security incident.

Services provided by IRIS include:

  • IR planning
  • Remote threat response
  • On-site incident response
  • Around-the-clock access

Of course, this doesn’t mean that a company using this type of service doesn’t have to do anything in-house. The internal personnel must be trained in IR on a fundamental level. This would be like training your staff in first aid — they don’t need to be experts, but they should have at least some basic knowledge of how to act in an emergency.

There will likely also be a need for a more advanced in-house role. This person will be in charge of contacting and engaging the on-demand IR team. Evidence must be preserved, and a trained staff member should be in charge of ensuring that happens.

Building Incident Response and Digital Forensics

The second option is to build your team. This means investing in qualified and trained personnel, equipment, tools and a laboratory. It’s not every day that a security incident needs to be investigated from a forensics perspective — but when the time comes, it’s always better to be prepared.

There are several types of investigations that you must consider when building an IR team. When investigating an internal incident, the chain of custody is not that critical. For instance, if the IR or digital forensics team has to engage with a possible virus infection, the most important thing is that they secure the infected machine or machines. This allows the team to start working with the secured devices and analyze the software and look for indicators of compromise (IOCs). How the evidence is collected is not vital in a scenario like this. However, if the investigation must be presented to a court of law, how the evidence is collected and secured is vital.

Understanding this, an on-site IR team can be built to match what a company really wants or needs. Perhaps the noncriminal or civil investigations would be handled by the on-site team and the rest by a third-party company. Maybe the company wants to have a team capable of dealing with all sorts of investigations instead, which requires legal advice, a larger team and a lab to meet standards for compliance.

There is one exception that it’s important to mention, which is a sensitive topic that must be treated carefully. If an on-site team or a contracted team encounters child pornography, all tasks being performed must be stopped. The area must then be secured and any person that interacted with the device (computer, cell phone, server, etc.) must stay where they are until the authorities are called and arrive at the scene.

Making Your Choice

The decision to either buy or build an IR and digital forensics team boils down to two questions:

  • What do we want to respond to ourselves?
  • What is our budget?

Answering the first question can give you an idea as to whether you need a team capable of adhering to the lawful way to collect evidence or not. The second question is the tiebreaker. Building an IR team and equipping the team with the necessary tools and infrastructure could be more expensive than contacting these services from third parties — having the trained personnel, or training (if needed), costs money.

A company could transfer those expenses and the risk of having an on-site IR team by contracting these types of services with a team of specialists. In the end, answering these questions can give you an idea as to the right option for you.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today