This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Download it now to read this article plus other related content.
While CSI-style forensics are splashed all over today's TV screens, cybersleuths like Jenkins are quietly using technical savvy to track down digital criminals. Computer forensics is more important than ever in the enterprise as organizations battle increasingly sophisticated attackers in cyberspace and the ever-present insider threat. Yet companies can be caught off guard after an incident and make costly mistakes when it comes to a forensics investigation.
"Corporations are often their own worst enemy. They only think about being ready for forensics after the fact," says Bob Hillery, co-founder and senior security analyst at Intelguardians, a provider of digital forensics and other security services.
From what he's seen, many businesses don't have their environment forensically ready. They're not logging system activity and they don't have an incident response plan. When something does happen, a system administrator clatters away at the keyboard to figure out what's wrong. "Because they don't recognize what the problem is, they start stomping around. They've essentially been over the crime scene in muddy boots," Hillery says.
So how does an organization avoid such missteps? With forensics needed for civil litigation and human resources investigations in addition to criminal cases, experts say organizations need to ensure they're prepared and that evidence is preserved. Having a strategy for what you'll do when something does happen is the first step.
If there's an intrusion--from outside or by a malicious insider--an organization should have a response plan and a team of IT, management, legal and HR representatives ready to take charge. Those on the front lines--typically the IT staff--need to know whom to call and the first course of action, says Chris Beeson, FBI supervisory special agent and director of the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, Calif.
For the most part, he recommends taking a suspect machine offline to block an intruder from further access. Any disks needed for evidence must be duplicated. If the system is connected to a massive amount of storage, however, a company will need to weigh whether it's worth duplicating everything--and taking a system offline for hours--or only certain areas, Beeson says.
This was first published in September 2007