Software Engineering Institute

Traditionally digital forensics has taken a post-mortem or reactive approach. That is, once a security incident is identified, evidence acquisition begins, and this step generally takes place long after the incident is identified. By then, it is possible that the evidence no longer exists or has been modified. In these scenarios, it is unlikely that the digital forensic investigator, with the little evidence gained, can provide accurate answers about what happened to the evidence. It then becomes necessary to develop a more proactive approach, “Preventive Digital Forensics,” which proposes a modification to the traditional digital forensics (NIST SP 800-86), and is based on experimentation, iteration, and learning. This approach (1) allows us to design, develop, and evaluate a set of digital forensic capabilities that are implemented in an organization’s critical IT services, and (2) facilitates digital forensic tasks, making it easier to discover and evaluate indicators of malicious behavior. The approach then contributes to forming an effective response to computer security incidents in the shortest possible time and with reduced cost. In this context, the pre-incident evidence—the product of Preventive Digital Forensics—is a reliable source to detect and to mitigate threats.