Home > Information Security Magazine > Features > CSI for the CISO
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

CSI for the CISO
by Marcia Savage
Issue: Sep 2007
printer-friendly
licensing & reprints
< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >

"There's no one-size-fits-all way of dealing with this from a corporate standpoint," he says. "You'll want well-trained, smart people making those decisions, along with legal counsel."

Many forensics experts say it's best if organizations train their staff to take a hands-off approach in order to preserve evidence.

"If they suspect that they're going to do forensics on anything, be it a server or a laptop, the first rule is don't touch it," Jenkins says. "Stop and call someone in who knows what they're doing, whether it's internal or external resources."

Forensic examiners look at when files were last changed or accessed to put together a timeline of events, says Evan Wheeler, senior consultant in charge of forensics at IT services firm Akibia. "If someone starts poking around, they will change all those values."

A common mistake companies make is turning off or rebooting a computer, which can destroy evidence stored in memory. "If you have an immediate crisis, don't shut things down. Unplug them from the network and leave them running," says Ames Cornish, managing partner at consultancy Montebello Partners.

Another frequent blunder is giving the laptop of a former employee immediately to a new hire, stymieing any investigation of possible wrongdoing on the part of the ex-employee. If the circumstances are odd when an employee leaves, such as an abrupt departure or a firing, it's best to hang on to a computer for a while before repurposing it, Cornish says.

An investigation is certainly more difficult if evidence is tampered with or lost, but not necessarily impossible. "Part of what a clever investigator can do is find copies of it in other places," Cornish says. "But often it gets overwritten and it's gone or your costs of recovering it start to go way up."

Logging
Today's digital forensics involves more than just laptops and desktops; investigators need to look at network and communication data, making logging essential. But Intel- guardians' Hillery says he often gets a blank stare when he asks for logs, the lack of which impedes an investigation.

< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >





TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts