Feature

What CISOs need to know about computer forensics

Complexity hinders investigations

Mobile devices and monstrous hard drives are giving specialists fits.

Multiple types of computing devices, bigger hard drives and increased use of encryption are making the job of a digital forensic examiner tougher than ever.

"Go back seven years or so, all forensics in the business world was based on PCs. It was very simple," says Luther Martin, security architect at vendor Voltage Security. "It's a lot more complex today. Now you have PDAs, cell phones, BlackBerries, iPods--all of which contain potentially interesting data."

An investigation usually starts with a single system and grows to wherever evidence may reside, which can include digital cameras, USB drives and even printers, says Brian Gawne, managing director of forensics at risk management firm Veritas Global. But the bigger challenge in forensics today is the sheer size of hard drives, he says.

"You're seeing hard drives from desktops and laptops that are 400 gigabytes and growing," he says. "So the amount of data we have to parse through is ever mounting."

The 14 Regional Computer Forensics Laboratories across the U.S., which are jointly operated by the FBI and local law enforcement agencies, processed a whopping 2.8 petabytes of data last year.

"With disks getting as big as they are, we're trying to find ways to work smarter, not harder," says Chris Beeson, FBI supervisory special agent and director of the Silicon Valley RCFL. "The days of being able to go through every sector on a drive just don't exist."

One way investigators can work smarter is by tapping databases with hash sets of known software files; the hash values allow them to reduce the number of files they need to inspect, Beeson says. One such database is the National Software Reference Library, a project supported by the U.S. Department of Justice and federal, state and local law enforcement.
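The known-file filtering Beeson describes, as an added example (not code from the article, the RCFL or the NSRL project): every file under an evidence tree is hashed, files whose hash appears in a known-good set are counted and skipped, and only the remainder is returned for review. The one-hash-per-line list format, the sample files and the hashes are constructed for the demo and are not NSRL data.

```python
import hashlib
import os
import tempfile

# Added example of "known-file filtering": hash every file, drop those whose
# hash is in a known-good set (the NSRL is one real source of such sets) and
# hand only the remainder to the examiner. Sample data here is constructed.

def hash_file(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().lower()

def load_hash_set(lines):
    """Parse a constructed one-hash-per-line list; '#' starts a comment."""
    known = set()
    for line in lines:
        token = line.split("#", 1)[0].strip()
        if token:
            known.add(token.lower())  # lower-case so matching ignores case
    return known

def filter_known(root, known, algorithm="sha1"):
    """Walk `root`; return (paths not in `known`, count of known files skipped)."""
    unknown, matched = [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # hash regular files only; skip links and devices
            if hash_file(path, algorithm) in known:
                matched += 1
            else:
                unknown.append(path)
    return unknown, matched

def build_sample_dir():
    """Constructed evidence tree: one 'known' OS file and one unknown file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    known_path = os.path.join(root, "notepad.exe")
    other_path = os.path.join(root, "unknown.dll")
    with open(known_path, "wb") as fh:
        fh.write(b"constructed known-good file contents")
    with open(other_path, "wb") as fh:
        fh.write(b"constructed contents not present in the hash set")
    return root, known_path, other_path
```

Running `filter_known` over a real image with a full NSRL-derived set would use the same loop; only `load_hash_set` would need to parse the real distribution format.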

But encryption can pose a big problem for investigators. Attackers are encrypting files and stripping out references, which makes analysis harder, says Evan Wheeler, senior consultant in charge of forensics at IT services firm Akibia.

"Encryption can slow us down and stop us in our tracks," Beeson says. "It just depends on the amount of resources we can plug into that case."

--MARCIA SAVAGE

This was first published in September 2007
