This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."
While forensics is sometimes confused with incident response, their objectives are quite different. Every company should have an incident-response team to deploy when something suspicious takes place and to stop the malicious activity, but a forensics team has different requirements.
- CHOOSE team members from security, IT, management, legal, human resources and public relations, and assign necessary responsibilities to those roles.
- OUTLINE the forensics methodology that will be used. Include steps such as incident verification, bit-image creation, evidence collection procedures, timeline creation and review, media and operating system analysis, data recovery processes, and report generation.
- IDENTIFY critical systems and how they should be handled if breached. Some systems cannot be brought down for investigative purposes because of the negative business impact.
- DETERMINE the chain-of-custody steps for collected evidence.
- SELECT the various documentation types that will be used for gathering evidence.
- DETAIL recovery procedures by creating standardized steps for rebuilding affected systems and restoring recovered data.
- DEFINE the team's forensics toolkit.
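As an added illustration of the acquisition and chain-of-custody steps in the checklist above (example code written for this page, not from the article or from any of the tools it names), the Python script below creates a bit-for-bit image of a constructed sample "drive" file, hashes the source and the written image independently, records each handling event in an append-only custody log, and then shows that a later unlogged change to the image is caught at verification. The file names, evidence ID and handler names are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks so large images never load fully into memory


def sha256_file(path):
    """Hash a file from disk in chunks; used to verify an image after it has been written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_bit_image(source, image_path):
    """Copy `source` byte for byte into `image_path`.

    The source is hashed while it is read; the image is then re-read and
    hashed independently so the verification covers what actually landed
    on disk. Returns (source_hash, image_hash); they must be equal.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    return src_hash.hexdigest(), sha256_file(image_path)


def record_custody(log_path, evidence_id, action, handler, sha256):
    """Append one chain-of-custody event: who did what to which item, and its hash at that moment."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "sha256": sha256,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody_log(log_path, image_path):
    """True only if every logged event carries the same hash and that hash matches the image as it exists now."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    hashes = {e["sha256"] for e in entries}
    return len(hashes) == 1 and hashes.pop() == sha256_file(image_path)


def demo():
    """Run acquisition, logging and verification, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample "drive": a small file standing in for a block device.
        source = os.path.join(workdir, "suspect_disk.bin")
        with open(source, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample partition data " + bytes(range(256)) * 8)

        image = os.path.join(workdir, "suspect_disk.dd")
        log = os.path.join(workdir, "custody.jsonl")

        src_hash, img_hash = create_bit_image(source, image)
        if src_hash != img_hash:
            raise RuntimeError("image does not match source; acquisition failed")

        # Hypothetical evidence ID and handler names.
        record_custody(log, "EV-0001", "acquired bit image", "analyst A", img_hash)
        record_custody(log, "EV-0001", "checked into evidence locker", "analyst A", sha256_file(image))
        intact = verify_custody_log(log, image)

        # Simulate an unlogged modification of the image after check-in.
        with open(image, "ab") as f:
            f.write(b"\x01")
        tamper_detected = not verify_custody_log(log, image)

        return {"image_sha256": img_hash, "log_consistent": intact, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same pattern scales to real acquisitions: the hash taken at imaging time is written into the custody record, and every later handler re-hashes the artifact before and after working on it, so any gap between the log and the media is visible during the external team's review.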
The internal team carries out the investigation and collects evidence, and is responsible for the crux of the case; the external team verifies that the investigation was carried out properly, ensuring the evidence is admissible in court.
While the in-house team has more intimate knowledge of the company, its systems and business needs, the outside team has seen many more types of crimes. Together, these groups can provide more effective results.
There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software's EnCase, AccessData's Ultimate Toolkit, and Paraben's NetAnalysis are some of the most widely used forensics tools in the industry. e-fense's Helix is a strong open-source alternative.
This was first published in December 2005