Don't trample evidence in a breach. Missteps in an investigation will cost you in court.

From all indications, something bad had happened. After installing an intrusion prevention system, the security team at UW Medicine spotted several machines trying to communicate with an IRC botnet server in France. Cindy Jenkins, a security engineer and computer forensics expert at the medical and research organization, immediately went on a hunt for clues behind the suspicious activity.

Hours spent combing through images of the hard drives from the infected PCs turned up the attackers' tools: an IRC bot, a rootkit and an FTP server. Passive network scanning detected more compromised systems. To save time, Jenkins made hash sets--digital fingerprints--of the malware so she could look just for the hash sets when inspecting additional images. She determined the machines were infected 18 to 24 months earlier--before the IPS and other security measures were installed.

It appea...

"I pretty much stopped breathing there, then lit up the phone tree," Jenkins says, recalling her startling discovery in December 2005.

Although there was no evidence the intruders had used the passwords, time stamps indicated they had accessed them. The case was turned over to the FBI, along with Jenkins' carefully documented work.

"Forensics is a lot like coding. You have to have very strong concentration and you have to be able to think analytically," says Jenkins. "You need to pull apart all the little pieces, add up the puzzle. It's like being a detective."

< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >