This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
"It's more important that you've been involved in a lot of cases," he says.
Forensics investigators use a number of different tools (commercial, open source and custom) depending on the job at hand, so it's tough to judge them based on the tools they use. "I don't think there's any one tool set that guarantees proficiency," says Montebello's Cornish.
"You need someone you can trust," he adds. "Someone who has knowledge of IT systems, who's not going to walk around like a bull in a china shop, and understands you have a business to run."
When Spernow interviews candidates for organizations' in-house forensics teams, he looks for people with an in-depth understanding of network architectures and how syslog environments function. "So they have a rounded picture of what a corporate infrastructure looks like."
For her part, Jenkins is well versed in multiple platforms (Unix, Windows and Macintosh) and uses multiple tools, including Guidance Software's EnCase and Helix, an open source Linux-based bootable live CD. She has the EnCase forensics certification and a SANS incident handling certification. Master's degrees in ancient history and library science also prepared her well for her job, she says.
Building an in-house forensics team makes sense for some organizations, particularly large ones. Boeing has handled computer forensics in-house for years because it was cost effective, says spokesman Tim Neale.
In a 2004 presentation, Spernow estimated
"Depending on how big you are, the economies of scale come into play pretty quick," he says.
This was first published in September 2007