COI Report – Part VII
Page 253 of 425
physically go to individual machines to image them, or to take memory dumps – this is a process that simply takes too long, according to Vivek, and valuable time is lost in responding to a security incident.
728. In any event, even with the use of the open source forensics software, IHiS had no dedicated and suitably-equipped computers to run the desktop-based forensic software. Benjamin in fact used his personal laptop when running the software during forensic investigations. As this was the only computer that could be used to carry out forensic investigations, the processing of digital forensic evidence took a painfully long time.
729. The gap in the response technologies available at IHiS undoubtedly hampered IHiS's response to the Cyber Attack, and its ability to limit the impact of the Cyber Attack.
730. We recommend the implementation of a centralised enterprise-level forensics platform for the collection and analysis of digital evidence. Features of such a system would include: (a) 360-degree visibility across all endpoints; (b) remote collection of forensic artefacts; and (c) an ability to search for and collect forensic evidence across multiple devices concurrently.
731. In the case of the Cyber Attack, the IHiS SMD did not have access to an endpoint detection and response (“EDR”) system [55] that would have allowed rapid isolation and containment of the infected systems, and enabled the rapid collection of forensic evidence from multiple systems at the same time. Vivek testified that an EDR system would have allowed the team to fast-track the
[55] See section 37.3 below for further elaboration on EDR systems.
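The capability described in paragraphs 730 and 731 (remote, concurrent collection of forensic artefacts from many endpoints, a search across the collected evidence, and a containment list for the hosts that match) is illustrated below as an added example. This is not code from the COI Report, from IHiS, or from any vendor's EDR or forensics product. The hostnames, latencies, file paths and the indicator of compromise are all constructed, and `collect_from_endpoint` stands in for the agent API a real platform would expose; the point it shows is that fan-out collection runs in the time of the slowest responsive host rather than the sum of all hosts, and that an unresponsive host is reported instead of stalling the whole investigation.

```python
"""Added illustration of a centralised triage/EDR-style collection flow:
fan artefact collection out to many endpoints concurrently, search the
results for an indicator of compromise, and mark matching hosts for
isolation.  Endpoints are simulated in-process with constructed data; a
real deployment would call the agent API of the chosen platform instead."""
import hashlib
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed inventory (hypothetical hosts): what each endpoint's agent
# would return on request.  File contents are included only so that the
# collector can hash them the way an agent does on the endpoint itself.
ENDPOINTS = {
    "ws-001": {
        "latency": 0.2,
        "processes": ["explorer.exe", "svchost.exe", "m.exe"],
        "files": {r"C:\Users\a\AppData\Local\Temp\m.exe": b"malicious-sample"},
    },
    "ws-002": {
        "latency": 0.2,
        "processes": ["explorer.exe"],
        "files": {r"C:\Windows\System32\notepad.exe": b"benign-binary"},
    },
    "srv-db1": {
        "latency": 0.2,
        "processes": ["sqlservr.exe", "m.exe"],
        "files": {r"C:\Temp\m.exe": b"malicious-sample"},
    },
    # An endpoint that never answers: the platform must report it, not stall.
    "ws-003": {"latency": 30.0, "processes": [], "files": {}},
}


def sha256_hex(data):
    """Hex SHA-256 of a byte string (the hash form used for the IOC)."""
    return hashlib.sha256(data).hexdigest()


def collect_from_endpoint(host, timeout):
    """Simulated remote collection from one endpoint's agent.

    Returns the triage artefacts (running processes and file hashes).
    Raises TimeoutError when the agent would not answer within `timeout`;
    the simulation raises immediately instead of waiting out the timeout.
    """
    spec = ENDPOINTS[host]
    if spec["latency"] > timeout:
        raise TimeoutError(f"{host}: no response within {timeout}s")
    time.sleep(spec["latency"])  # stands in for the network round trip
    return {
        "processes": list(spec["processes"]),
        "file_hashes": {path: sha256_hex(content)
                        for path, content in spec["files"].items()},
    }


def triage(hosts, ioc_sha256, timeout=1.0, max_workers=16):
    """Collect from all hosts concurrently, then search the results.

    Returns per-host artefacts, the hosts whose files match the IOC (the
    containment list), the hosts that could not be reached, and the wall
    time the whole collection took.
    """
    start = time.monotonic()
    artefacts, unreachable = {}, []
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(collect_from_endpoint, h, timeout): h
                   for h in hosts}
        for fut in as_completed(futures):
            host = futures[fut]
            try:
                artefacts[host] = fut.result()
            except TimeoutError:
                unreachable.append(host)
    matches = {}
    for host, art in artefacts.items():
        hits = [p for p, h in art["file_hashes"].items() if h == ioc_sha256]
        if hits:
            matches[host] = hits
    return {
        "artefacts": artefacts,
        "matches": matches,          # host -> paths whose hash equals the IOC
        "isolate": sorted(matches),  # hosts to isolate and contain
        "unreachable": sorted(unreachable),
        "elapsed": time.monotonic() - start,
    }


if __name__ == "__main__":
    ioc = sha256_hex(b"malicious-sample")  # constructed IOC for the demo
    result = triage(list(ENDPOINTS), ioc)
    print("isolate:", result["isolate"], "unreachable:", result["unreachable"],
          f"elapsed: {result['elapsed']:.2f}s")
```

In this model the three responsive hosts are collected in roughly 0.2 s of wall time rather than the 0.6 s a one-machine-at-a-time approach would need, and the silent host is surfaced separately so the investigator can decide whether to send someone to it physically, which is exactly the case the report says consumed IHiS's time.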