


How To Catch A Thief Using Your Own Forensics Team And The Necessary Tools To Succeed

By: Teodol Folog



Cybercrimes make computer forensics one of the fastest growing markets in the information security industry. Forensics tools are not only used to help track down perpetrators in some high-profile cases, they are also being used in everyday civil and criminal cases to prepare for potential lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.

One of the requisites in SOX, SB 1386, GLBA and HIPAA is the ability to discover deceitful activity, which is where forensics usually comes into the picture. Together with increased cybercrime, regulatory compliance is yet another business driver that is making more businesses bring forensics competence in-house and search for tools to assist them.

But before turning your IT staff into investigators, the requirements of forensics work must be properly understood.

Defining Process

Your forensics team needs technical proficiency and a firm understanding of all legal requisites. The team must also know how to collect and preserve the evidence, and have the ability to present the information. Forensic detectives must be equipped to defend their activities in court because, on the witness stand, their work and reputation will be dissected and assaulted. If they don't properly collect and analyze the evidence and present their results satisfactorily in court, their evidence can be thrown out, which could cost the company the case.

A hybrid method combining internal forensics competence with external advisors is often the best method. The internal team conducts the investigation and gathers evidence, and is accountable for the crux of the case; the external team verifies that the investigation was carried out properly, guaranteeing the evidence can be permitted in court. While the internal team has more first-hand knowledge of the company, its systems and business needs, the external team has seen many more types of crimes. Together, these groups can provide more effective results.

There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software's EnCase, AccessData's Ultimate Toolkit, and Paraben's NetAnalysis are a few of the most widely used forensics tools in the industry. e-fense's Helix is a strong open-source option.

Guidance Software's EnCase

Guidance Software has long been the leader in forensics software with EnCase, the most-used forensics acquisition and analysis tool by law enforcement and the private sector. EnCase supports the acquisition of evidence from just about every operating system, file system and media type, including live systems. EnCase has an exceptionally flexible Unix grep-like searching capability. These searches parse evidence byte by byte and can reveal deleted files and other non-file data. EnCase then crafts well-organized, thorough reports that are understood by experts and lawyers alike.
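The byte-level, file-system-agnostic search described above is easy to illustrate. The script below is an added example written for this article, not code from Guidance Software or EnCase; it builds a constructed three-sector "image" (one allocated file, one deleted memo no directory entry references, one nameless JPEG) and shows how a grep-like sweep of the raw bytes surfaces hits in unallocated space and carves a file by its signature.

```python
import re
from typing import Dict, List, Tuple

SECTOR = 512

# Constructed sample "disk image" (not real evidence): sector 0 holds an
# allocated text file; sector 1 holds the remains of a deleted memo that no
# directory entry references; sector 2 holds a small JPEG with no name at all.
def build_sample_image() -> Tuple[bytes, Dict[str, Tuple[int, int]]]:
    allocated = b"Quarterly report: revenue figures are CONFIDENTIAL.".ljust(SECTOR, b"\x00")
    deleted = b"memo: copied confidential design files to personal webmail".ljust(SECTOR, b"\x00")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(40)) + b"\xff\xd9"
    image = allocated + deleted + jpeg.ljust(SECTOR, b"\x00")
    # The only directory entry the file system would expose: name -> (offset, length).
    directory = {"report.txt": (0, len(allocated.rstrip(b"\x00")))}
    return image, directory

def owner_of(offset: int, directory: Dict[str, Tuple[int, int]]) -> str:
    """Name of the allocated file covering this offset, or 'unallocated'."""
    for name, (start, length) in directory.items():
        if start <= offset < start + length:
            return name
    return "unallocated"

def keyword_search(image: bytes, keyword: str,
                   directory: Dict[str, Tuple[int, int]]) -> List[dict]:
    """grep-like case-insensitive search of every byte, ignoring file boundaries."""
    hits = []
    for m in re.finditer(re.escape(keyword.encode()), image, re.IGNORECASE):
        hits.append({"offset": m.start(), "sector": m.start() // SECTOR,
                     "owner": owner_of(m.start(), directory)})
    return hits

def carve_jpegs(image: bytes) -> List[bytes]:
    """Recover JPEG data by its start (FF D8 FF) and end (FF D9) markers."""
    found = []
    for m in re.finditer(b"\xff\xd8\xff", image):
        end = image.find(b"\xff\xd9", m.start())
        if end != -1:
            found.append(image[m.start():end + 2])
    return found

if __name__ == "__main__":
    img, dirtab = build_sample_image()
    for hit in keyword_search(img, "confidential", dirtab):
        print(hit)   # the second hit sits in sector 1, owned by no file
    print(f"{len(carve_jpegs(img))} JPEG(s) carved from unallocated space")
```

A real examiner would run the same logic over a forensically acquired image (and record the sector offsets it reports), which is exactly the kind of finding that must be reproducible for the courtroom scrutiny the article describes.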

AccessData's Ultimate Toolkit

AccessData's Ultimate Toolkit (UTK) contains a password recovery tool capable of decrypting just about every file, an enhanced registry viewer designed to uncover evidence hidden in system-only accessible registry keys, a disk wiper and a distributed-computing encryption breaker.

UTK's edge is its database-driven platform. As evidence is imported (typically drive and partition images), it's scanned and indexed into a case database. This allows for rapid ad hoc string inquiries and organization of extracted files and data without the need to rescan.

Characteristic of a commercial tool, FTK (the Forensic Toolkit component of UTK) can handle a case from acquisition to completion, and includes polished and flexible reporting capabilities whose output can be effortlessly installed onto an auto-play CD-ROM for distribution.

e-fense's Helix

e-fense's Helix, developed by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution that contains many forensics- and security-related tools designed to help in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems.

Among the tools Helix employs are the feature-packed Sleuth Kit and its graphical interface, the Autopsy Browser. Used in tandem, these give the digital investigator a very capable graphical analysis platform comparable in functionality to many commercial packages. Since Helix is a shareware tool, it's economical but lacks technical support and timely bug fixes when they are required. Its youth is also a disadvantage: there is little, if any, court case history in which Helix has been used.

Paraben's NetAnalysis

Paraben has a wide-ranging suite of tools that can be used to scrutinize e-mail, retrieve passwords, analyze chat logs and carry out detailed Web browsing investigations.

Paraben's NetAnalysis tool can scrutinize AOL history files, rebuild a browser cache for viewing, retrieve deleted Internet history files, identify Google searches, and provide a cookie and URL decoder. Its ability to capture evidence from most cell phones and PDAs is more comprehensive than the similar capabilities in other tools. Although Paraben has a wide-ranging toolset, it has not caught on in the industry as well as the EnCase and AccessData products.

Post Mortem

After your internal forensics team has carried out an incident or crime investigation with the suitable toolkit, it's worth understanding what went right and what went wrong so the procedure can be improved.

Some questions the team should deal with include whether extra training or tools are required for future incidents, and whether any recovery activities introduced vulnerabilities or affected the company's regulatory status. Based on the forensics team's findings and its assessment of damages from a particular incident, a company can decide whether to bring the case to court.

The team should be able to determine the technical sophistication of the offender and the likelihood of catching him. It's also worth determining what type of person committed this type of crime. Was it a competitor or just some kids hacking for fun?

Find out who you are battling. Don't waste your money and effort filing a multimillion-dollar lawsuit against some rogue teenagers who have no money.

Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your business catch a thief before he escapes into cyberspace.

Shon Harris, security consultant and best-selling author, founded Logical Security, http://www.logicalsecurity.com, in 2003 to help companies acquire the skills to confront and combat today's complex security and compliance issues.

Article Source: http://www.statssheet.com/articles/article70789.html




