What CISOs need to know about computer forensics


This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."

Download it now to read this article plus other related content.

Late last year he dealt with a case involving a small online company in which two former employees--the CFO and the senior developer--conspired to steal intellectual property in order to launch a competing firm. The client company also suffered a cyberattack--possibly launched by the former developer--that knocked down its Web site for a few hours and disabled a shopping cart function.

But proving an incident occurred was impossible with just a hand-sketched network diagram and some Web access logs but no firewall, router or IDS logs. Ultimately, the company dropped any hope of obtaining restitution in court and went back to business--along with the new competitor.

"The original company said, 'Oh the heck with it, we weren't prepared,' " Hillery says.

David Lang, director of information assurance and forensics at risk management firm Abraxas, also often encounters a lack of logging when investigating intrusions. System administrators tell him they turned off logging because it slows things down too much. "It's going to cost you some system performance to have logging turned on, but if it's a critical system, that's a risk management decision you need to look at," Lang says.

Chain of Custody
A big part of forensics is carefully documenting how evidence is handled so it can be presented in court. Without a chain of custody, lawyers can allege evidence was tampered with and prevent a successful prosecution.

"Every decision and every

    Requires Free Membership to View

single step you take in forensics, you document it," UW Medicine's Jenkins says. "What you did, why you did it, what time you did it, and what effect it may have."

If an organization is going to do the forensics in-house, it needs to have a procedure employees can follow that details how evidence will be copied and transferred.

"That's the mantra of forensics. You're preserving data, documenting, and proving it didn't change during your investigation," Jenkins says.

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: