Looking for a suspicious needle in a haystack of data? Data reduction software tools can help your computer forensics team find that needle—and find it fast.
“It’s extremely important to quickly and efficiently collect and identify the critical information that’s there, no matter what type of investigation it is: human resources, network intrusion, incident response or a law enforcement-type case,” said Jason Lord, director of cyber security services at AccessData, which produces computer forensics tools. Other forensics tools on the market include the EnCase suite of products from Guidance Software, enterprise, hard drive and mobile forensics software from Paraben Corp., ProDiscover Forensics from Technology Pathways, and the DS line of network forensics appliances and DeepSee Forensics Suite from Solera Networks.
A critical component of the computer forensics process is data reduction—eliminating “known” files, such as operating system and application files, during an investigation.
Computer forensics software such as AccessData’s Forensic Toolkit can automate the process of screening files for specific profiles and signatures during an investigation.
If a specific file’s profile and signature match the database of “known” files, that file can be excluded from review, saving investigators valuable time. Only those files that don’t match would be subject to further investigation.
“When you get a drive to look at, the first thing you want to do is figure out what’s known on there already that you don’t have to deal with,” said Barbara Guttman, manager of the component software group at the National Institute of Standards and Technology.
NIST has created a National Software Reference Library, which is designed to collect software from various sources and incorporate file profiles from the software into a Reference Data Set (RDS) of information. The RDS is a collection of digital signatures of known, traceable software applications. It currently contains data for about 11,000 software apps.
Using RDS data imported into commercial data reduction software, “known” file filters give managers investigating an incident a repository of “ignorable” files. Lord offered this example, using the Windows 7 operating system:
“We can take all the files that are in there and add them to the ‘known filter’ so every time we look at a Windows 7 machine, we can just ignore all those and quickly reduce the subset of data,” he said. “If you eliminate as much known data as possible, you have a smaller working set.”
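An added example (my own code, not AccessData's or NIST's) of the known-file filtering described above: it loads SHA-1 digests from an RDS-style hash list, hashes every file under an evidence directory and keeps only the files that do not match. The column layout used for the constructed RDS rows is an assumption; check the header of the RDS release you actually import.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Constructed header in the classic NSRL RDS text layout (NSRLFile.txt), assumed here:
# quoted SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode.
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def load_known_sha1(rds_text: str) -> set[str]:
    """Parse RDS rows into a set of lowercase SHA-1 hex digests (the 'known filter')."""
    reader = csv.DictReader(io.StringIO(rds_text))
    return {row["SHA-1"].strip().lower() for row in reader if row.get("SHA-1")}


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the full file content; a partial hash would let a tampered copy pass as known."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def reduce_tree(root: Path, known: set[str]) -> tuple[list[str], int]:
    """Walk an evidence tree; return the files NOT in the known set plus the count excluded."""
    unknown, excluded = [], 0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if sha1_of(path) in known:
            excluded += 1  # known, traceable file: drop it from the working set
        else:
            unknown.append(path.relative_to(root).as_posix())
    return unknown, excluded


def demo() -> tuple[list[str], int]:
    """Constructed evidence set: one pristine OS file, one modified copy, one user file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        pristine = root / "Windows" / "notepad.exe"
        pristine.write_bytes(b"pristine vendor binary (constructed)")
        (root / "Windows" / "notepad_patched.exe").write_bytes(b"pristine vendor binary (constructed) + extra")
        (root / "Users").mkdir()
        (root / "Users" / "memo.txt").write_bytes(b"user document (constructed)")
        # Build one RDS-style row from the pristine file's hash so it lands in the known filter.
        row = f'"{sha1_of(pristine).upper()}","0","0","notepad.exe","{pristine.stat().st_size}","0","0",""'
        return reduce_tree(root, load_known_sha1(RDS_HEADER + "\n" + row + "\n"))


if __name__ == "__main__":
    unknown, excluded = demo()
    print(f"excluded {excluded} known file(s); left to review: {unknown}")
```

Note that the modified copy of the vendor binary does not match and so stays in the working set, which is exactly the behaviour an investigator wants from the filter.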
For government managers who include forensics tools in their computer security quiver, Lord provided this tip: Make sure your administrators and other key systems personnel get plenty of training and experience with the tool. “It’s a matter of using the tool and getting to know the tool inside and out,” Lord said. “It’s getting the tool in the hands of the people that need it, because it goes back to the fundamentals of an investigation: If you don’t see all the data you can’t create absolute conclusions.”
According to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division at the Homeland Security Department, such training and experience will pay off in the long run for agencies. “If systems administrators possess the technical skills and ability to preserve critical data related to a suspected security incident in a forensically sound manner and are aware of the legal issues related to forensics, they will be a great asset to their organization,” US-CERT says in a white paper on computer forensics. “Should an intrusion lead to a court case, the organization with computer forensics capability will be at a distinct advantage.”