Computer forensics as portrayed in the media looks impressive; hipster guys and girls are hunched over their terminals, brows furrowed as they tap furiously at their keyboards. Within minutes, they have found what they are looking for and are racing off to tell their supervisors of their findings.

Computer forensics has been heavily dramatized for effect in the media, but that does not mean it is not exciting. Many post-secondary institutions offer certifications in computer forensics, and often tie them in with an information security certification as well.

But what, exactly, is computer forensics, and what significance does it have to information security as a whole?

What Is Computer Forensics?

Computer forensics is the practice of investigating and analyzing evidence in such a way that it can be preserved and presented appropriately for a court of law. The idea is to perform a structured investigation and to maintain a documented chain of evidence. Computer forensics specialists are looking to discover exactly what happened on a computing device and to determine who did it.

Investigators locate the physical device on which potential evidence might be stored, and then make a digital copy of it. All investigation is then conducted on the digital copy, while the original device is stored in such a way as to ensure it is not contaminated. Anything found on the digital copy is recorded in a “finding report” and cross-checked against the original.
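The workflow described above, as an added example that is not from the article: a working copy is acquired from the original, both are verified by hash against the value recorded at acquisition, and a finding made on the copy is cross-checked against the original before it goes into the finding report. The file contents and the pattern searched for are constructed sample data; a real acquisition would read a block device rather than a file.

```python
# Added example (not from the article): acquire a working copy of evidence,
# verify it against the original, and cross-check a finding on the copy
# before it is written up. All file contents are constructed sample data.
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path):
    """Hash a file in chunks so that large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte, hashing the data as it is read so the
    acquisition hash describes exactly the bytes that were copied."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source, image, acquisition_hash):
    """Both the original and the working copy must still hash to the value
    recorded at acquisition; a change to either one is detected."""
    return sha256_file(source) == acquisition_hash == sha256_file(image)


def find_pattern(path, pattern):
    """Offsets of every occurrence of pattern (sample files are small enough to read whole)."""
    with open(path, "rb") as f:
        data = f.read()
    offsets, start = [], 0
    while (i := data.find(pattern, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def record_finding(source, image, pattern):
    """A finding is made on the working copy and then cross-checked against the
    original before it is entered in the finding report."""
    on_copy = find_pattern(image, pattern)
    return {
        "pattern": pattern.decode("ascii", "replace"),
        "offsets_on_copy": on_copy,
        "confirmed_on_original": on_copy == find_pattern(source, pattern),
    }


def demo():
    """Run the workflow on constructed data; returns the report and both verification results."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "original.bin")
    image = os.path.join(workdir, "working_copy.bin")
    # Constructed "device contents": filler with a hypothetical IRC command buried in it.
    with open(source, "wb") as f:
        f.write(b"\x00" * 1000 + b"PRIVMSG #bots :ping\r\n" + b"\xff" * 1000)

    acq_hash = acquire_image(source, image)
    verified = verify_image(source, image, acq_hash)
    report = record_finding(source, image, b"PRIVMSG")

    # Simulate an analyst accidentally writing to the working copy: verification
    # now fails, which is the signal to discard the copy and re-acquire from the original.
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    verified_after_tamper = verify_image(source, image, acq_hash)
    return {"hash": acq_hash, "verified": verified, "report": report,
            "verified_after_tamper": verified_after_tamper}


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is computed from the bytes as they are read, not from the copy afterwards, so it records what was actually taken from the original; re-hashing both sides against that value at the end of the analysis is what lets the examiner state that neither the copy nor the original changed while the work was done.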

Computer Forensics and Information Security

In many cases, computer forensics and information security go hand in hand. A team trained in information security will be notified immediately of any possible breach, and knowledge of computer forensics allows that team to track through the system and discover what happened and who is responsible for the breach.

For instance, Cindy Jenkins, a security engineer and computer forensics expert, was notified when University of Washington Medicine noticed that several machines were trying to communicate with an IRC server in France. Jenkins and her team combed through the drives of several infected PCs to find the root cause of the issue: an IRC bot, a rootkit and an FTP server. She then made several hash sets (digital fingerprints) of what she had found, so that in later investigations she could simply look up the hash sets rather than comb through the files again. Throughout the process, Jenkins also kept meticulous notes of what she had discovered and when, including when she realized that the resource-hogging intruders had attacked the UW Medicine system in addition to accessing the UW Medicine Windows domain. The FBI was quickly involved after that.
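The hash-set technique from the case above, as an added example that is not from the article or the investigation it describes: artifacts already examined on one machine are hashed once, and further machines are triaged by looking up the hash of each file rather than re-examining its contents. File names, paths and contents are constructed sample data.

```python
# Added example (not from the article): build a hash set from artifacts already
# identified on one infected machine, then use it to triage files on another
# machine by lookup. All file names and contents are constructed sample data.
import hashlib
import os
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_hash_set(identified):
    """identified: {label: file contents} for artifacts an analyst has already
    examined. Returns {sha256: label}, so a later lookup costs one hash per file."""
    return {sha256_bytes(content): label for label, content in identified.items()}


def scan_tree(root, hash_set):
    """Hash every file under root and report those whose content is in the hash set.
    Matching is on content, so a renamed copy of a known artifact is still found."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = sha256_bytes(f.read())
            if digest in hash_set:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, hash_set[digest]))
    return hits


def demo():
    # Artifacts from the first machine, labelled by what the analyst found them to be.
    known = build_hash_set({
        "irc-bot": b"CONSTRUCTED BOT BINARY\x00NICK infected-\r\n",
        "rootkit-driver": b"CONSTRUCTED DRIVER\x00hide process",
        "ftp-server": b"CONSTRUCTED FTPD\x00220 ready",
    })

    # A second machine's drive: the bot under a new name, the rootkit unchanged,
    # one clean file, and a modified bot variant whose hash no longer matches.
    drive = tempfile.mkdtemp()
    os.makedirs(os.path.join(drive, "Windows", "Temp"))
    files = {
        "Windows/Temp/svchost32.exe": b"CONSTRUCTED BOT BINARY\x00NICK infected-\r\n",
        "Windows/Temp/sys.sys": b"CONSTRUCTED DRIVER\x00hide process",
        "Windows/Temp/notes.txt": b"meeting at 10",
        "Windows/Temp/bot_v2.exe": b"CONSTRUCTED BOT BINARY v2\x00NICK infected-\r\n",
    }
    for rel, content in files.items():
        with open(os.path.join(drive, *rel.split("/")), "wb") as f:
            f.write(content)
    return scan_tree(drive, known)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{path}: {label}")
```

The renamed bot and the unchanged rootkit driver are found without anyone opening them, which is the saving the article describes. The modified variant is not found, because a cryptographic hash changes completely when a single byte does; that is the standard caveat with hash sets, and why they are used to clear known files quickly rather than as the only check on unknown ones.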

It does take an analytical mind to determine exactly how to prevent and block intruders from accessing your systems, but it can be done. A response plan needs to be put in place so that the computer forensics and security team know exactly who to call when there has been a security breach. Whether it is establishing a phone tree of whom to call when a breach occurs or quickly taking a suspect machine offline to prevent intruders from getting further into your system, a plan needs to be in place to prevent further incursions.

The key point is that anyone untrained in forensics should not be poking around in your system, lest the system become contaminated. Legal counsel should be advised of what happened, and if possible the computing device in question should not be repurposed right away, so that its contents are preserved. Logging should be strictly maintained even though some may think it is too big a drain on system resources; in reality, that is what keeps a strict “eye” on who is tapping into your system.

Finally, there needs to be a strict chain of custody kept and maintained throughout the investigative process; in the article, What CISOs Need To Know About Computer Forensics, “Kevin Mandia, president and CEO of Mandiant, which provides forensics and other infosecurity services, says chain of custody is maintained by the following steps:

  • Keeping evidence within an investigator’s possession or sight at all times
  • Documenting the collection of evidence
  • Documenting the movement of evidence from one investigator’s custody to another’s
  • Securing the evidence appropriately so it cannot be tampered with.”
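The four steps quoted above, as an added example that is not from the article or from Mandiant: a chain-of-custody log in which every event records who holds the evidence and the hash of the evidence at that moment, with a check that the possession history has no gaps and the hash never changed between collection and sealing. Names, times, item identifiers and evidence contents are constructed sample data.

```python
# Added example (not from the article): a chain-of-custody log that records
# collection, transfers and sealing, and checks that custody was continuous and
# the evidence unchanged. Names, times and evidence contents are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


def _h(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: datetime
    action: str               # "collected", "transferred", "verified" or "sealed"
    custodian: str            # who holds the evidence after this event
    evidence_hash: str        # hash of the evidence as it was at this event
    from_custodian: str = ""  # who handed it over, when custody changed
    note: str = ""


class CustodyLog:
    def __init__(self, item_id):
        self.item_id = item_id
        self.events = []

    def record(self, when, action, custodian, evidence, from_custodian="", note=""):
        """Document the event and re-hash the evidence at that moment."""
        self.events.append(CustodyEvent(when, action, custodian, _h(evidence), from_custodian, note))

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        if not self.events or self.events[0].action != "collected":
            return ["log does not begin with a documented collection"]
        reference = self.events[0].evidence_hash  # hash taken at collection
        for prev, ev in zip(self.events, self.events[1:]):
            if ev.when <= prev.when:
                problems.append(f"{ev.action} at {ev.when}: out of order")
            if ev.evidence_hash != reference:
                problems.append(f"{ev.action} at {ev.when}: evidence hash changed")
            # Custody may only pass from the person the log says was holding it.
            if ev.custodian != prev.custodian and ev.from_custodian != prev.custodian:
                problems.append(f"{ev.action} at {ev.when}: {ev.from_custodian!r} "
                                f"was not the custodian ({prev.custodian!r} was)")
        return problems


def demo():
    """One intact chain and one with a possession gap and altered evidence."""
    image = b"CONSTRUCTED DISK IMAGE"
    t0 = datetime(2024, 1, 15, 9, 0)

    good = CustodyLog("HDD-001")
    good.record(t0, "collected", "analyst A", image, note="removed from workstation, imaged on site")
    good.record(t0 + timedelta(hours=1), "transferred", "analyst B", image, from_custodian="analyst A")
    good.record(t0 + timedelta(hours=2), "verified", "analyst B", image)
    good.record(t0 + timedelta(hours=3), "sealed", "evidence locker", image, from_custodian="analyst B")

    bad = CustodyLog("HDD-002")
    bad.record(t0, "collected", "analyst A", image)
    # Hand-off recorded from someone who never held the item: a gap in possession.
    bad.record(t0 + timedelta(hours=1), "transferred", "analyst C", image, from_custodian="analyst B")
    # Evidence altered before sealing: the hash no longer matches the one taken at collection.
    bad.record(t0 + timedelta(hours=2), "sealed", "evidence locker", image + b"\x00", from_custodian="analyst C")
    return good.verify(), bad.verify()


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("HDD-001:", good_problems or "chain intact")
    print("HDD-002:", bad_problems)
```

The log is only as good as the discipline of recording every hand-off at the time it happens; the check catches an undocumented transfer after the fact because the next documented one names a custodian the log never gave the item to, which is exactly the question opposing counsel would ask.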

There should also be no hesitation to call in a consultant if one is believed to be needed. While certifications can be a good way of initially assessing a forensics expert, they are not the only way. You need someone you can trust not to go through your systems blindly looking for evidence. Larger organizations might find it useful to have forensics experts in house, while smaller ones might call in an expert in the event of a security breach. Regardless, you need to find someone you are comfortable with and can trust.

After that, it’s a matter of trying to determine exactly when to involve law enforcement, if at all. There are a lot of cases where it’s difficult to even call in law enforcement, in part because of what could be revealed about an organization. Organizations should consider estimates of downtime, personnel and lost business before even looking at whether to bring in law enforcement; sometimes, particularly in cases where the FBI forensics experts might need to be involved, investigators end up having to tell the organization involved that the losses just aren’t big enough for law enforcement to dedicate its own resources to.


Conclusions

Computer forensics is sometimes a necessary part of information security, which is why for some organizations it makes a lot of sense to have computer forensics experts on staff. There is a lot of painstaking work involved in forensics in order to ensure that investigators have enough properly logged evidence to bring someone to justice in computer crimes, but the evidence is clear: partnering information security with computer forensics makes a lot of sense in the long run.

Sources:

http://www.computerforensicsworld.com/modules.php?name=Forums&file=viewtopic&t=4127

http://searchsecurity.techtarget.com/definition/computer-forensics

http://searchsecurity.techtarget.com/magazineContent/What-CISOs-need-to-know-about-computer-forensics

Be Safe

Ryan Fahey