This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Download it now to read this article plus other related content.
Late last year he dealt with a case involving a small online company in which two former employees--the CFO and the senior developer--conspired to steal intellectual property in order to launch a competing firm. The client company also suffered a cyberattack--possibly launched by the former developer--that knocked down its Web site for a few hours and disabled a shopping cart function.
But proving an incident occurred was impossible with just a hand-sketched network diagram and some Web access logs but no firewall, router or IDS logs. Ultimately, the company dropped any hope of obtaining restitution in court and went back to business--along with the new competitor.
"The original company said, 'Oh the heck with it, we weren't prepared,' " Hillery says.
David Lang, director of information assurance and forensics at risk management firm Abraxas, also often encounters a lack of logging when investigating intrusions. System administrators tell him they turned off logging because it slows things down too much. "It's going to cost you some system performance to have logging turned on, but if it's a critical system, that's a risk management decision you need to look at," Lang says.
Chain of Custody
A big part of forensics is carefully documenting how evidence is handled so it can be presented in court. Without a chain of custody, lawyers can allege evidence was tampered with and prevent a successful prosecution.
"Every decision and every
If an organization is going to do the forensics in-house, it needs to have a procedure employees can follow that details how evidence will be copied and transferred.
"That's the mantra of forensics. You're preserving data, documenting, and proving it didn't change during your investigation," Jenkins says.
This was first published in September 2007