CMMC IR.5.106 - Utilize Forensic Data for Incident Response

Requirement text: IR.5.106: In response to cyber incidents, utilize forensic data gathering across
impacted systems, ensuring the secure transfer and protection of forensic data.

DISCUSSION FROM SOURCE: CMMC
Organizations need to have the ability to gather attack forensics as part of responding to
security incidents. During a cyberattack an attacker may seek to hide the activities taken to
gain access, maintain persistence, and perform reconnaissance of an organization’s
networks. However, in the course of their activities the attackers will leave artifacts that
indicate their presence. This could be a local event indicating a system login, files associated
with malware, or processes running in the system memory. To avoid detection an attacker
may erase local logs or delete files. To allow for a thorough investigation the security
operations center (SOC) should seek to collect forensic data from systems in real time and
be able to collect volatile data such as system memory when needed. Collection of the
forensic data should be protected during transit and storage.

CMMC CLARIFICATION
The security operations center (whether in-house or outsourced) must have the necessary
forensic data to develop situational awareness across the organization’s infrastructure. One
solution identifies and collects security relevant system events, data, or images using an
agent on the system. The agent transfers the events in real time over a secure channel to a
protected network enclave. Other solutions require physical access to the machine from
which the data is gathered.

Many individual system security tools such as anti-virus or endpoint detection and response
(EDR) tools can create logs, access system information in real time, or image memory for
secure transfer to a central management server. These logs would allow a SOC to begin the
investigation. The SOC should also consider software tools used to push software or patches
to systems. This would provide an on-demand capability for the SOC to send a security
application when needed for forensic data collection.

Example
You are responsible for security operations at your organization. You implement a central
log collection tool and configure your organization’s laptops and desktops to send syslog and
security event logs to this tool. The tool is used by the SOC staff to monitor for abnormal
activity. When suspicious activity is detected, the SOC has access to an open source utility
you have installed to collect additional forensic information from a target laptop or desktop
about operating system process creation, network connections, and changes to files. This
additional capability complements the security application forensic data.
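The requirement's second half, "secure transfer and protection of forensic data", is the part the example above leaves implicit. The script below is an added illustration, not CMMC or vendor code: it hashes each collected artifact, binds the hashes into a manifest that is sealed with an HMAC key held by the SOC enclave, and re-verifies everything after transfer so a missing, altered, or re-written manifest is detected. The host name, collector name, sample log lines and key are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large artifacts such as memory images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, host, collector):
    """Hash every collected artifact and record who collected it and from which host."""
    files = sorted(p for p in Path(evidence_dir).iterdir() if p.is_file())
    artifacts = {p.name: sha256_file(p) for p in files}
    return {"host": host, "collector": collector, "artifacts": artifacts}

def seal_manifest(manifest, key):
    """HMAC over canonical JSON so a rewritten manifest is caught, not just a rewritten file."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_evidence(evidence_dir, manifest, seal, key):
    """Re-hash after transfer; return [] if intact, else a list of (artifact, problem) pairs."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        return [("manifest", "seal mismatch")]
    problems = []
    for name, digest in manifest["artifacts"].items():
        path = Path(evidence_dir, name)
        if not path.exists():
            problems.append((name, "missing"))
        elif sha256_file(path) != digest:
            problems.append((name, "modified"))
    return problems

def demo(key=b"placeholder-enclave-key"):  # real key would live only in the SOC enclave
    """Constructed sample: two artifacts collected, then one altered after collection."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "auth.log").write_text("Jan 10 02:14:07 host1 sshd[4242]: Accepted password for admin\n")
        Path(d, "netstat.txt").write_text("tcp 10.0.0.5:49152 203.0.113.9:443 ESTABLISHED\n")
        manifest = build_manifest(d, "host1", "analyst01")
        seal = seal_manifest(manifest, key)
        before = verify_evidence(d, manifest, seal, key)
        Path(d, "auth.log").write_text("altered\n")  # simulate modification in transit
        after = verify_evidence(d, manifest, seal, key)
    return before, after
```

The manifest and seal travel with the evidence into the protected enclave; the seal key never leaves it, so an attacker who can edit files on the collection path cannot also re-sign a matching manifest.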

ADDITIONAL READING
• NIST Computer Security Incident Handling Guide
• NIST Special Publication 800-86 Guide to Integrating Forensics Techniques into Incident

References
• CMMC
• NIST CSF v1.1 RS.AM-3
• NIST SP 800-53 Rev 4 AU-12