Tuesday, November 13, 2007

Computer forensics - are you ready?

Computer forensics is traditionally an investigative discipline called upon after a crime is committed or evidence of misconduct is discovered, but action taken before an incident occurs can have a significant impact on the success of a subsequent investigation. The essence of these actions is not incident prevention (the work of computer security professionals), although a reputation for being able to carry out effective investigations may have a preventive effect, but rather preparation: specifically, preparation which allows an organisation to investigate effectively and efficiently within the bounds of relevant legislation and to prepare evidence for presentation in any subsequent court case.

When an incident occurs which warrants investigation, a company needs to decide exactly what the goal of the investigation is and how that investigation will be carried out. Before these decisions can be made, however, the company also needs to know exactly what investigative techniques the law allows. In a computer forensics investigation, where data generated by and transmitted between people is being examined, the rules regarding privacy need to be very carefully considered before embarking on a particular course of action such as analysing data on hard disks or monitoring network traffic. Organisations where reasonable privacy policies already exist, making clear the rights and responsibilities of both employer and employee, are likely to encounter fewer restrictions on the range of investigative techniques available to them, as employees have already been made aware of the circumstances under which an investigation may be carried out.

In addition to legal issues, those responsible for incident investigation also need to have a firm grasp of computer forensic principles and techniques. By its very nature, a forensic investigation demands that evidence is collected and handled in such a way that it may be presented in court. Probably the biggest implication of this requirement is that every care needs to be taken to ensure that digital data is acquired and preserved in its original form and is not altered by the investigator (a relatively simple requirement in theory which involves careful handling in practice). Detailed documentation of an investigator's activities also forms a critical part of the investigative process and is often neglected during a non-forensic incident response. Crucially, the best time for an organisation to develop the skills and procedures required in a forensic investigation is before, not after, they are needed. By doing so, an investigation is much more likely to be carried out in a timely and forensically sound fashion.
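As an added illustration of the two points above (unaltered acquisition and documentation), the following Python script is not from the original post; it shows the minimum a sound acquisition procedure records: a hash of the source taken at acquisition time, a hash of the image, and a chain-of-custody log whose entries commit to one another so that later edits to the paperwork are detectable. The "disk" is a constructed byte string, the investigator names and timestamp are invented, and the write blocker mentioned in the comments is assumed rather than modelled.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk": a 512-byte sector of zeros followed by some
# file-like content. Not taken from a real device.
SAMPLE_DISK = b"\x00" * 512 + b"From: alice@example.test\nRe: quarterly figures\n" + b"\xff" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple:
    """Bit-for-bit copy of the source plus an acquisition record.

    In practice the read goes through a hardware write blocker so the source
    cannot be modified; here the 'device' is simply bytes in memory.
    """
    image = bytes(source)
    record = {
        "source_sha256": sha256_hex(source),
        "image_sha256": sha256_hex(image),
        "size_bytes": len(source),
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """True only if the image still matches what was acquired and what was on the source."""
    return sha256_hex(image) == record["image_sha256"] == record["source_sha256"]


class CustodyLog:
    """Append-only chain-of-custody log; each entry hashes the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def add(self, action: str, investigator: str, evidence_sha256: str,
            note: str = "", when=None) -> dict:
        prev = self.entries[-1]["entry_sha256"] if self.entries else "0" * 64
        entry = {
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "investigator": investigator,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "prev_entry_sha256": prev,
        }
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each link back to the first entry."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_sha256"}
            if e["prev_entry_sha256"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_sha256"]:
                return False
            prev = e["entry_sha256"]
        return True


def run_demo() -> dict:
    fixed = datetime(2007, 11, 13, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    image, record = acquire_image(SAMPLE_DISK)
    log = CustodyLog()
    log.add("acquire", "investigator A", record["image_sha256"],
            "imaged through write blocker (assumed)", fixed)
    log.add("transfer", "investigator B", record["image_sha256"],
            "handed to analysis workstation", fixed)

    # A working copy altered by mistake (e.g. mounted read-write): verification fails.
    altered = image[:-1] + bytes([image[-1] ^ 0xFF])

    # A log entry edited after the fact: the chain no longer verifies.
    tampered = CustodyLog()
    tampered.entries = [dict(e) for e in log.entries]
    tampered.entries[0]["investigator"] = "investigator C"

    return {
        "image_ok": verify_image(image, record),
        "altered_ok": verify_image(altered, record),
        "log_ok": log.verify_chain(),
        "tampered_log_ok": tampered.verify_chain(),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of hashing the source before imaging, and not only the image afterwards, is that the two values together show the copy is faithful to what was on the device at the time; the hash-linked log then gives the "detailed documentation" the paragraph calls for a property that a plain notebook lacks, namely that a changed or removed entry breaks every hash after it.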

Finally, investigators need tools. The forensic tools available today, both hardware and software, cover all requirements of a forensic investigation from evidence acquisition through to analysis and reporting. Some are small, single-task utilities available for free or at low cost whereas others are large, multi-functional commercial packages. Again, the time for an organisation to consider which tool best meets their needs (and to become familiar with its use) is before the tool needs to be deployed in a real investigation.
