This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Download it now to read this article plus other related content.
"There's no one-size-fits-all way of dealing with this from a corporate standpoint," he says. "You'll want well-trained, smart people making those decisions, along with legal counsel."
Many forensics experts say it's best if organizations train their staff to take a hands-off approach in order to preserve evidence.
"If they suspect that they're going to do forensics on anything, be it a server or a laptop, the first rule is don't touch it," Jenkins says. "Stop and call someone in who knows what they're doing, whether it's internal or external resources."
Forensic examiners look at when files were last changed or accessed to put together a timeline of events, says Evan Wheeler, senior consultant in charge of forensics at IT services firm Akibia. "If someone starts poking around, they will change all those values."
A common mistake companies make is turning off or rebooting a computer, which can destroy evidence stored in memory. "If you have an immediate crisis, don't shut things down. Unplug them from the network and leave them running," says Ames Cornish, managing partner at consultancy Montebello Partners.
Another frequent blunder is giving the laptop of a former employee immediately to a new hire, stymieing any investigation of possible wrongdoing on the part of the ex-employee. If the circumstances are odd when an employee leaves, such as an abrupt departure or a firing, it's best to hang on to a computer for a while before repurposing it, Cornish
An investigation is certainly more difficult if evidence is tampered with or lost, but not necessarily impossible. "Part of what a clever investigator can do is find copies of it in other places," Cornish says. "But often it gets overwritten and it's gone or your costs of recovering it start to go way up."
Today's digital forensics involves more than just laptops and desktops; investigators need to look at network and communication data, making logging essential. But Intel- guardians' Hillery says he often gets a blank stare when he asks for logs, the lack of which impedes an investigation.
This was first published in September 2007