This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."


Defining Process
Forensics is sometimes confused with incident response, but the two have different objectives. Every company should have an incident-response team that can be deployed when something suspicious takes place, with the job of containing and stopping the malicious activity. A forensics team has a different job, establishing what happened and preserving evidence in a form that will hold up in court, and therefore different requirements.


Your forensics team needs technical know-how and a sound understanding of all legal requirements. The team must also know how to gather and preserve the evidence, and have the ability to present the information. Forensic investigators must be prepared to defend their activities in court because, on the witness stand, their work and reputation will be scrutinized and attacked. If they don't properly collect and analyze the evidence and present their results well in court, their evidence can be thrown out--which could cost the company the case. Therefore, it's important to set up an internal forensics team to perform the following tasks:
  • CHOOSE team members from security, IT, management, legal, human resources and public relations, and assign necessary responsibilities to those roles.
  • OUTLINE the forensics methodology that will be used. Include steps such as incident verification, bit-image creation, evidence collection procedures, timeline creation and review, media and operating system analysis, data recovery processes, and report generation.
  • IDENTIFY critical systems and how they should be handled if breached. Some systems cannot be brought down for investigative purposes because of the negative business impact.
  • DETERMINE the chain-of-custody steps for collected evidence.
  • SELECT the various documentation types that will be used for gathering evidence.
  • DETAIL recovery procedures by creating standardized steps for rebuilding affected systems and recovered data.
  • DEFINE the team's forensics toolkit.
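The bit-image creation, verification and chain-of-custody steps in the methodology above, as an added example that is not code from the original article or from any of the products it names. It assumes Python 3 and uses an ordinary file as a stand-in for the source device; in a real acquisition the source would be the block device behind a hardware write blocker. The examiner name and evidence ID are hypothetical. The image is hashed as it is read, re-hashed after it is written, the source is hashed again to show imaging did not alter it, and every step is appended to a log that is never rewritten.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks: stream the media instead of loading it into memory


def sha256_file(path):
    """Hash a file in blocks; used to verify an image after acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, dest):
    """Copy `source` to `dest` byte for byte, hashing the stream as it is read.

    In a real acquisition `source` is the block device (e.g. /dev/sdb) behind a
    hardware write blocker. Returns (bytes_copied, sha256_of_stream)."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before it is hashed
    return copied, h.hexdigest()


def verify_image(image, expected_sha256):
    """Re-read the written image and compare with the hash taken at acquisition."""
    return sha256_file(image) == expected_sha256


def custody_record(log_path, **fields):
    """Append one timestamped JSON line to the chain-of-custody log.

    The log is append-only: earlier entries are never rewritten, so every
    hand-off and verification stays on the record."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def run_acquisition(source, image, log_path, examiner, evidence_id):
    """Image the source, verify the copy and log both steps. Returns a summary dict."""
    size, digest = acquire_image(source, image)
    custody_record(log_path, action="acquired", evidence_id=evidence_id,
                   examiner=examiner, source=source, image=image,
                   bytes=size, sha256=digest)
    ok = verify_image(image, digest)
    custody_record(log_path, action="verified" if ok else "verification_failed",
                   evidence_id=evidence_id, examiner=examiner, image=image,
                   sha256=digest)
    if not ok:
        raise RuntimeError("image hash does not match acquisition hash")
    # Hash the source again: proves the original was not altered by the imaging run.
    if sha256_file(source) != digest:
        raise RuntimeError("source changed during acquisition; check the write blocker")
    return {"image": image, "log": log_path, "bytes": size, "sha256": digest}


def demo():
    """Run the procedure against a constructed 1 MiB 'device' in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "sdb")       # stand-in for a block device
    with open(source, "wb") as f:               # constructed sample, not a real disk
        f.write(b"NTFS    " + bytes(range(256)) * 4096)
    return run_acquisition(source,
                           os.path.join(workdir, "evidence-001.dd"),
                           os.path.join(workdir, "custody.log"),
                           examiner="J. Doe (hypothetical)",
                           evidence_id="CASE-2005-001 (hypothetical)")


if __name__ == "__main__":
    result = demo()
    print(f"imaged {result['bytes']} bytes, sha256 {result['sha256']}")
    with open(result["log"], encoding="utf-8") as log:
        print(log.read())
```

Hashing the stream during the copy and then re-reading the finished image costs one extra pass over the media but is what lets the examiner state on the record that the image on the shelf is the same bits that were read from the device; hashing the source again afterward is the check that the write blocker did its job.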
A hybrid model that combines internal forensics capabilities with external consultants is often the best choice.

The internal team carries out the investigation and collects evidence, and is responsible for the crux of the case; the external team verifies that the investigation was carried out properly, ensuring the evidence is admissible in court.

While the in-house team has more intimate knowledge of the company, its systems and business needs, the outside team has seen many more types of crimes. Together, these groups can provide more effective results.

There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software's EnCase, AccessData's Ultimate Toolkit, and Paraben's NetAnalysis are some of the most widely used forensics tools in the industry. e-fense's Helix is a strong open-source alternative.

This was first published in December 2005
