Be Prepared for Computer Forensics
The science of finding, gathering, analyzing and documenting any sort of evidence is typically defined as 'forensics.' That discipline has branched off into a new specialty, that of 'computer forensics.' Network managers and corporate security teams don't need to be dedicated computer forensics specialists, but they do need to be at least acquainted with the edges of this discipline in order to effectively interact with law enforcement officials at the 'scene' of a computer crime. Oliver Rist reports.
Congress, the FBI and even larger metropolitan police departments are devoting significant specialized resources towards investigating all types of cyber-crime. That's good news not only for corporations, but network managers as well since at least the bad guys now have some consequences to worry about. But along with new power always comes new responsibility, and it can't be all up to the cops. Network managers and network security teams will need to be prepared for interaction with cyber-law enforcement. This practice is called computer forensics, and it's a discipline with which no network manager should be unfamiliar, mainly because it may come knocking at your door regardless of whether you want it to or not.
This is an important additional consequence of the new attention being paid to cyber-crime by law enforcement. Companies may no longer have a choice as to whether or not to involve law enforcement. If a hacker compromises a large e-commerce site, for instance, and steals a load of credit card numbers, the compromised company is now obligated to involve law enforcement simply to offer some measure of protection to its customers. Since outside investigators are primarily concerned with collecting and handling evidence and not the smooth continued operation of your network, network administrators need to know what to expect from such an investigation even if it's just to keep things running during the investigation.
Basic Practices & Definitions
The science of finding, gathering, analyzing and documenting any sort of evidence is typically defined as 'forensics.' For cyber-victims, that discipline has branched off into a new specialty, that of 'computer forensics.' Corporate security teams and network managers don't need to be dedicated computer forensics specialists, but they do need to be at least acquainted with the edges of this discipline in order to effectively interact with law enforcement officials at the 'scene' of a computer crime.
This is largely due to the transient nature of cyber-related evidence. The fleeting nature of any kind of electronic data is such that its preservation, especially for legal proceedings, requires well-defined and documented procedures. Thus, even with as relatively recent a specialty as this, a standard methodology already exists; actually quite a simple one that can be broken down into three key elements:
- Acquire the evidence;
- Document the evidence;
- Analyze the evidence.
For corporate security specialists and network managers, steps one and two are certainly the most important when you know you'll be dealing with a law enforcement investigation. But, while step 3 requires the most specialized expertise, it's also useful for network managers to delve into, not only because that knowledge will help with steps one and two, but also because it can also assist with your day-to-day network management tedium, too.
But while analyzing computer forensic evidence might be the more interesting part of cyber investigation, acquiring the evidence can certainly be the trickiest. That's because law enforcement often requires first-hand evidence, not simply log reports. Finding the evidence is often not nearly as difficult as maintaining it, especially true in cases where some form of malevolent code has been deposited on one or more machines on the network.