What CISOs need to know about computer forensics


This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."

Download it now to read this article plus other related content.

"There's no one-size-fits-all way of dealing with this from a corporate standpoint," he says. "You'll want well-trained, smart people making those decisions, along with legal counsel."

Many forensics experts say it's best if organizations train their staff to take a hands-off approach in order to preserve evidence.

"If they suspect that they're going to do forensics on anything, be it a server or a laptop, the first rule is don't touch it," Jenkins says. "Stop and call someone in who knows what they're doing, whether it's internal or external resources."

Forensic examiners look at when files were last changed or accessed to put together a timeline of events, says Evan Wheeler, senior consultant in charge of forensics at IT services firm Akibia. "If someone starts poking around, they will change all those values."

A common mistake companies make is turning off or rebooting a computer, which can destroy evidence stored in memory. "If you have an immediate crisis, don't shut things down. Unplug them from the network and leave them running," says Ames Cornish, managing partner at consultancy Montebello Partners.

Another frequent blunder is giving the laptop of a former employee immediately to a new hire, stymieing any investigation of possible wrongdoing on the part of the ex-employee. If the circumstances are odd when an employee leaves, such as an abrupt departure or a firing, it's best to hang on to a computer for a while before repurposing it, Cornish

    Requires Free Membership to View


An investigation is certainly more difficult if evidence is tampered with or lost, but not necessarily impossible. "Part of what a clever investigator can do is find copies of it in other places," Cornish says. "But often it gets overwritten and it's gone or your costs of recovering it start to go way up."

Today's digital forensics involves more than just laptops and desktops; investigators need to look at network and communication data, making logging essential. But Intel- guardians' Hillery says he often gets a blank stare when he asks for logs, the lack of which impedes an investigation.

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: