Developing a Response Plan for Computer Forensics - Page 3
Again, these are only baseline guidelines for front-line investigative tools, and they will vary significantly with your specific network type and operating environment. Companies that feel they are at high risk may want their network managers to look at specialized forensic investigative tool kits. These can include special investigative applications, such as those sold by NTI, or be focused more on proper investigation, evidence handling and case documentation, such as those sold by EnCase.
Obviously, the material presented here can serve only as the most general guideline toward specific forensic procedures. Your company, its business, your network environment and your operating platform will together determine not only your specific forensic response but also your tools and procedures.
The best tip here is to maintain depth. Network administrators need to become experts not only in the operational details of their networks, but in the features, quirks and traps of their chosen operating platforms as well. Keeping the number of operating systems and product platforms on your network limited is one of the best ways to let your staff concentrate on learning the intricacies of a few platforms rather than attempting to become experts at everything under the sun. Limiting your environment means limiting your perimeter, and that always makes for an easier defense.
Being an expert on your own systems will also enable you to interact more effectively with law enforcement authorities. When they have questions, you'll have answers. When they need to modify the environment, you'll be able to respond. And when a defense attorney attempts to discredit your organization, you'll be armed. For computer forensics especially, knowledge is the ultimate power.
Oliver Rist is a technology journalist and vice president of technology at AIC Inc. He is a former technology editor of CMP's InternetWeek and an expert in the Microsoft Windows and BackOffice product family.