When it comes to forensics certain ways have been defined to help investigators to perform their investigation. In this article, we are going to discuss a similar framework called the OSCAR framework. Whether it’s an IT incident or a physical incident, the OSCAR framework will help you how to perform an investigation.
OSCAR stands for Obtain, Strategize, Collect, Analyze and Report. OSCAR is a standard methodology for forensics.
By the full form, you might understand what phases forensics has to go and OSCAR is about the same.
Obtain:
In this phase, the goal is to collect/obtain as much information as required about the incident. Some of the information like date, time, systems or endpoints affected, logs, steps taken to contain evidence, and steps taken to continue the business. This phase is more about where and what details and how is something that will come later.
Strategize:
This phase is all about planning your investigation, a blueprint plan on the action plan. Every incident is different unless the incident belongs to the same family of malware or the same group so the forensic team must help the IT team to trace back the event and work in reverse.
For Example:
Consider a ransomware attack, the first thing to do is to preserve logs from the infected machine after isolating it from the network. These logs contain who connected to the infected system and from where. This phase is more about asking for necessary details than all the details. These details include logs, IP addresses and more.
Collect:
This phase is all about collecting evidence as per the plan that we made in the Strategize step. Evidence typically contains all the systems accessed, capturing and saving data streams, hard drives, logs from servers, applications, firewalls, and proxies. All the information about what falls into the scope of the incident.
Some of the best practices for collecting evidence are
- Create copies of evidence
- Work on a copy of the evidence and preserve the original as is.
- Use best tools or industry-standardized tools
- Document everything.
Analyze:
This is the phase where the story is made. In this phase, the forensics team will try to understand the data to derive the story behind the incident. In this phase of OSCAR forensics team will try to use automated or manual methods to visualize what happened and how it happened with the help of all the evidence collected in the previous step.
Report:
This phase is about reporting all the findings the forensics team identified about the incident. The report is usually read by most of the management people like CISO, CEO, CIO, CFO, Legal, Insurance and many more so it must be in layman’s language.
Leave a Reply