Use of organisational topologies for forensic investigations

In today's highly regulated business environment, it is becoming increasingly important that organisations implement forensic-ready systems and architectures to aid the investigation of security incidents and data breaches. Previously, different solutions have been proposed for implementing forensic readiness within organisations. One of these solutions is that organisations implement an organisational structure that takes into consideration digital forensics by establishing roles and responsibilities to assist with investigations. However, no previous research has defined how this can actually be accomplished within an organisation. In this paper, we put forth the idea of using the topology of an organisation's structure to define the roles and responsibilities to assist with handling a forensic investigation. In the past, the role of topology has been examined from various perspectives, including software engineering. We draw on this previous research and use the topological properties of containment, proximity and reachability in order to define a representation of the organisational structure that takes into consideration digital forensics. For example, topology can be used to express and provide a context regarding the location of assets that need to be investigated, as well as the individuals, whose assistance is required to investigate such assets. Furthermore, knowing the topology of an organisation's structure can also assist investigators identify stakeholders that could be of interest to an investigation, based on their relationship to the asset(s) under investigation.