What CISOs need to know about computer forensics


This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."

Kevin Mandia, president and CEO of Mandiant, which provides forensics and other infosecurity services, says chain of custody is maintained by the following steps:

  • Keeping evidence within an investigator's possession or sight at all times
  • Documenting the collection of evidence
  • Documenting the movement of evidence from one investigator's custody to another's
  • Securing the evidence appropriately so it cannot be tampered with.

Besides the chain of custody, it's important to create hash values for a piece of evidence, says Bill Spernow, a consultant and former director of infosecurity, investigations and incident response at Experian. Creating hash values "substantiates the fact this is what it was on Monday, and when we show it to the court six months later, it's still the same thing," he says.

Forensics investigators typically make copies of a compromised system or other evidence and perform analysis on one of the copies. Jenkins usually makes three copies and puts the original system in an evidence bag for safe storage.
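The two practices above, hashing evidence at acquisition and working only on verified copies while logging every hand-off, can be tied together in a small custody log. The following is an added illustration, not code from the article or from any vendor it quotes; the evidence bytes, item id and custodian names are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for a disk image or exported log.
EVIDENCE = b"Mon Sep 03 2007 firewall: DENY tcp 10.0.0.7 -> 192.0.2.10:445\n" * 64


def hash_evidence(data: bytes, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of an evidence item, hashed in fixed-size chunks so the same
    routine scales to multi-gigabyte images streamed from disk."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def start_custody_log(item_id: str, data: bytes, collector: str) -> dict:
    """Record the acquisition hash once. Every later copy and hand-off is
    checked against it, and it is never overwritten."""
    return {
        "item": item_id,
        "acquisition_sha256": hash_evidence(data),
        "entries": [{"time": _now(), "event": "collected", "custodian": collector}],
    }


def record_transfer(log: dict, data: bytes, sender: str, receiver: str) -> bool:
    """Document a hand-off between investigators. The receiver re-hashes the
    item and the entry records whether it still matches acquisition."""
    intact = hash_evidence(data) == log["acquisition_sha256"]
    log["entries"].append({"time": _now(), "event": "transferred", "from": sender,
                           "to": receiver, "sha256_verified": intact})
    return intact


def verify_copy(log: dict, copy_data: bytes) -> bool:
    """True if a working copy is bit-for-bit identical to the acquired original."""
    return hash_evidence(copy_data) == log["acquisition_sha256"]


if __name__ == "__main__":
    log = start_custody_log("FW-LOG-001", EVIDENCE, "examiner A")
    copies = [bytes(EVIDENCE) for _ in range(3)]   # analyse copies, bag the original
    tampered = EVIDENCE[:-1] + b"X"                 # a single altered byte
    print([verify_copy(log, c) for c in copies], verify_copy(log, tampered))
    print(record_transfer(log, EVIDENCE, "examiner A", "examiner B"), len(log["entries"]))
```

The log can be serialised alongside the evidence so that, months later, the recorded acquisition hash and each verified hand-off back up the claim that the item is unchanged.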

Courts will also accept evidence that is produced in the normal course of business, Spernow says. For example, if a firewall administrator routinely examines logs on a daily basis and sees evidence of a hack, those logs will be considered a normal business record.

Getting Help
While some organizations have in-house resources to conduct forensics examinations, many need to call in a consultant. Resources for finding an expert include professional associations, forensic tool vendors, and certification providers such as the SANS Institute, which lists online those who have earned its GIAC forensics certification.

But there are no hard-and-fast rules for evaluating forensic experts. Certifications can be one means of assessing skill--there are vendor and vendor-neutral certifications available in the field--but hardly the only measure. In fact, Mandia says in his work, reputation and experience weigh more heavily than certifications.

This was first published in September 2007
