Computer forensic investigations aren’t just fodder for popular crime scene television shows. As federal computing environments expand and become more complex, and the number of attacks on government systems soars, it is increasingly critical for agency managers to understand how computer forensics fits as an element in their overall cybersecurity strategy, experts say.
“I would think any responsible shop would use [forensics tools],” said Barbara Guttman, manager of the component software group at the National Institute of Standards and Technology (NIST). “I would certainly consider your organization a poor one if you weren’t using these tools in your computer security operations.”
According to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division at the Homeland Security Department, “adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure.”
In a white paper on computer forensics, US-CERT experts say, “You can help your organization if you consider computer forensics as a new basic element in what is known as a ‘defense-in-depth’ approach to network and computer security.”
Computer forensics is a relatively new discipline, and practices in the field are in a state of flux, US-CERT says. Forensics is traditionally associated with the scientific collection of evidence for use in legal procedures and court cases. But as computer forensic tools become more powerful, agency security managers also can use them to meticulously collect information about activities on their networks and conduct a variety of security investigations.
“When people talk about forensics, they tend to use forensics to make sure you’re collecting enough information and that it’s of high quality so you can use it later,” Guttman said. “Then there’s the step beyond that where, if you’ve uncovered evidence of criminal activity, you’re going to take evidence to court. Then you will have had to collect your evidence in a forensically sound manner.”
As the federal government tightens information security requirements on agencies, it is becoming necessary for security managers not only to systematically investigate security incidents, but also to prove they are complying with computer security laws and best practices.
“If there is an incident that affects critical data, for instance, the organization that has added a computer forensics capability to its arsenal will be able to show it followed a sound security policy and potentially avoid lawsuits or regulatory audits,” US-CERT says.
Choosing the best computer forensic tools
At NIST, computer scientists are testing commercial computer forensic tools to ensure the software used in the investigation of computer-related crimes produces accurate and valid results. The program is still in the early stages of developing test requirements in a range of technical areas, Guttman said.
“You’re going to use these computer forensics tools for either your own internal investigations or to take evidence to court,” Guttman said. “You would like to know they do what you think they do. So we’re providing for the computer forensics community a rigorous set of test methods so you can understand what your tool does and doesn’t do.”
As part of the program, scientists are creating general classifications of tools in order to group similar testing requirements in a computer forensics testing framework. They are concentrating immediate efforts on disk imaging products, write blockers and selected suites of tools.
The bottom line is computer forensics tools can add depth and utility to agency security operations. “It’s strongly driven by the need for scientific evidence, but it’s also because everyone wants quality [evidence], so they go together,” Guttman said.
Next: A closer look at computer forensic tools and how they can strengthen security operations.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.