September 19, 2006 8:16 AM PDT

Experts: Take computer forensics seriously

Businesses must gain an understanding of computer forensics if they are to keep pace with the growing level of internal security threats, experts say.

Bruce Nikkel, head of the IT investigation and forensics department at UBS, said areas such as the military and law enforcement have been using forensics for some time, but he urged big business to get up to speed and understand the challenges.

Nikkel's advice, offered at a Gartner security summit in London this week, coincides with a strong warning from the analyst house about the growing threat from within organizations.

"We are going to see a dramatic increase in the number of information security breaches where insider collaboration or involvement was a major factor, whether intentional or accidental," said Tom Scholtz, research vice president at Gartner.

Scholtz said preventing security breaches may in part come down to keeping the "bad guys" from getting through a company's security perimeter. But he noted that bad guys also might use social engineering techniques to dupe insiders into betraying information or breaching security.

Earlier this year the FBI reported that 44 percent of all computer-related crimes are carried out by people within organizations.

One of the most common mistakes companies make in the wake of an incident is to get affected systems up and running again without giving thought to doing forensic work on them, said Nikkel. In layman's terms, that's the equivalent of cleaning up a crime scene before evidence has been taken.

Nikkel said it's very easy to destroy digital evidence, especially on live systems. "All the information may be stored in memory, so even if you power down that machine you may lose that information," he added.

Similarly, any number of activities, such as plugging in a suspect USB key or rebooting a PC, can destroy the timeline of events, which should be left for experienced investigators to uncover.
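The point Nikkel makes about memory-resident evidence and about the collector's own actions altering the system is usually handled with an "order of volatility" collection: capture what a reboot erases first, hash each artifact the moment it is captured, and record who collected what and when. The script below is an added example written for this article; it is not code from UBS, Gartner or CNET. It assumes a Unix-like host and only standard-library calls, and the tool names in `VOLATILE_ORDER` (`ps`, `ss`, `who`, `mount`, `uname`, `/proc/uptime`) are common defaults that are guarded so a missing one is recorded rather than aborting the run.

```python
"""Order-of-volatility live collection with a hashed evidence manifest.

Added example, not code from the article or from UBS or Gartner. It assumes
a Unix-like host and uses only the standard library; the tool names in
VOLATILE_ORDER are common defaults, and each one is guarded so a missing
tool is recorded as "unavailable" instead of aborting the collection.
"""
import datetime
import getpass
import hashlib
import json
import os
import shutil
import socket
import subprocess
import sys
import tempfile
from pathlib import Path

UTC = datetime.timezone.utc

# Most volatile first: data that a reboot or power-down erases is captured
# before data that survives on disk. Each entry is (name, kind, target).
VOLATILE_ORDER = [
    ("clock", "cmd", ["date", "-u"]),        # reference for later clock-skew checks
    ("uptime", "file", "/proc/uptime"),      # a reboot would reset this
    ("processes", "cmd", ["ps", "-ef"]),
    ("sockets", "cmd", ["ss", "-tanp"]),
    ("sessions", "cmd", ["who"]),
    ("mounts", "cmd", ["mount"]),            # plugged-in media show up here
    ("kernel", "cmd", ["uname", "-a"]),      # least volatile of the set
]


def now_utc() -> str:
    return datetime.datetime.now(UTC).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture(kind: str, target) -> tuple:
    """Return (raw bytes, status). Never raises: an absent tool or file is
    itself a finding and is recorded rather than allowed to stop collection."""
    if kind == "file":
        path = Path(target)
        if not path.is_file():
            return b"", "unavailable"
        return path.read_bytes(), "ok"
    if shutil.which(target[0]) is None:
        return b"", "unavailable"
    try:
        res = subprocess.run(target, capture_output=True, timeout=30)
    except (subprocess.TimeoutExpired, OSError) as exc:
        return b"", f"error: {type(exc).__name__}"
    return res.stdout + res.stderr, f"exit={res.returncode}"


def collect_volatile(out_dir=None, order=VOLATILE_ORDER) -> dict:
    """Capture each artifact in order, hash it immediately, write a manifest.

    out_dir should be removable media, not the suspect machine's own disk:
    writing locally overwrites unallocated space that may hold deleted
    evidence. When omitted (demo/test use) a temporary directory is created.
    """
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="evidence-"))
    out.mkdir(parents=True, exist_ok=True)
    try:
        user = getpass.getuser()
    except Exception:            # no passwd entry for the uid, e.g. in a container
        user = f"uid={os.getuid()}"
    manifest = {
        "evidence_dir": str(out),
        "collector": {"user": user, "host": socket.gethostname(), "pid": os.getpid()},
        "started_utc": now_utc(),
        "artifacts": [],
    }
    for name, kind, target in order:
        data, status = capture(kind, target)
        dest = out / f"{name}.txt"
        dest.write_bytes(data)
        manifest["artifacts"].append({
            "name": name,
            "source": target if kind == "file" else " ".join(target),
            "status": status,
            "file": dest.name,
            "bytes": len(data),
            "sha256": sha256_hex(data),     # hashed at capture time, before anything else touches it
            "captured_utc": now_utc(),
        })
    manifest["finished_utc"] = now_utc()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir) -> bool:
    """Re-hash every artifact file; False means a copy no longer matches."""
    out = Path(evidence_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return all(
        sha256_hex((out / a["file"]).read_bytes()) == a["sha256"]
        for a in manifest["artifacts"]
    )


if __name__ == "__main__":
    result = collect_volatile(sys.argv[1] if len(sys.argv) > 1 else None)
    for art in result["artifacts"]:
        print(f'{art["name"]:<10} {art["status"]:<14} {art["bytes"]:>7} B  {art["sha256"][:16]}...')
    print("manifest verified:", verify_manifest(result["evidence_dir"]))
```

Run it as `python collect.py /media/evidence` from a mounted external volume. The manifest records the collector's identity, the order used and a hash per artifact, which is what lets the copies be shown unaltered later; the script itself is still an intrusion on the live system (a new process, new file writes), which is why the first artifact it records is its own clock and why the captured command list is kept deliberately short.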

Other challenges faced in establishing forensics best practices include understanding the scale of the task. It isn't just collecting evidence but also preserving it, analyzing it and being able to present it in a format that is admissible in court, if necessary. That means a thorough understanding of regional regulatory requirements as well as local data protection laws.

Nikkel said showing the board of directors how forensics can save a company money can help shore up the board's support for forensics work.

Password recovery, data recovery and data retention policies are all issues that could be addressed by a forensics team and, potentially, deliver a return on investment.

Similarly, human resources and legal departments could benefit from working with forensics teams if digital evidence needs to be gathered and analyzed. The same is true for companies trying to comply with tightening regulations.

"Preventing even one high-cost court case could justify the costs of that forensics team," Nikkel said.

Will Sturgeon of reported from London.


Crime Scene Investigation
This is essentially the same as any other crime scene investigation.

The search for fingerprints, strands of hair, drops of blood and other paraphernalia that might be found at the scene can give law enforcement teams clues which can aid in figuring out who the culprit is.

Thus computer forensics is just the digital form of the old-fashioned crime scene investigation, but rather than looking for fingerprints, strands of hair, blood, etc., they now use various different logs stored on your PC to figure out who did what and where.

Firewall logs, anti-spyware logs, anti-virus logs, even Microsoft's Event Logs and MRUs (Most Recently Used file lists), amongst other things, are quite useful in providing investigators clues as to what happened, when, where and by whom.

Posted by wbenton (522 comments)
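The log sources the commenter lists only answer "when, where and by whom" once they are merged onto a single clock. The script below is an added example written for this page, not code from the commenter, the article or any vendor. Its three log excerpts are constructed (hosts, users, addresses and the detection name are made up), and it assumes the firewall stamps lines in ISO-8601 with a UTC offset while the Windows event log export and the anti-virus log carry naive local times, so the analyst must supply the zone (`LOCAL_TZ`, assumed +01:00 here) before the sources can be ordered.

```python
"""Unified forensic timeline from several log sources.

Added example, not from the article or the commenter. The log excerpts are
constructed. Assumption: the firewall writes ISO-8601 stamps with an offset,
while the event log export and anti-virus log are local time with no zone,
so LOCAL_TZ (+01:00 here) has to be supplied by the analyst.
"""
import datetime
import re
from dataclasses import dataclass

UTC = datetime.timezone.utc
LOCAL_TZ = datetime.timezone(datetime.timedelta(hours=1))  # assumed local offset

# Constructed sample logs (hosts, users, addresses and names are made up).
FIREWALL_LOG = """\
2006-09-18T23:10:12+01:00 fw01 ALLOW TCP 10.1.4.22:51012 -> 10.1.9.5:445
2006-09-18T23:31:48+01:00 fw01 DENY TCP 10.1.4.22:51230 -> 203.0.113.9:21
"""
EVENT_LOG = """\
09/18/2006 23:08:41,Security,528,Successful Logon,WS042,jsmith
09/18/2006 23:35:02,Security,538,User Logoff,WS042,jsmith
"""
AV_LOG = """\
18/09/2006 23:30:15 WS042 Detected: Trojan.Generic in C:\\Temp\\invoice.exe action=quarantined
"""


@dataclass
class Event:
    when: datetime.datetime   # always timezone-aware, normalised to UTC
    source: str
    host: str
    detail: str


def parse_firewall(text: str):
    pat = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\S+) (\S+) -> (\S+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        ts = datetime.datetime.fromisoformat(m.group(1))   # offset is in the stamp
        yield Event(ts.astimezone(UTC), "firewall", m.group(2),
                    f"{m.group(3)} {m.group(4)} {m.group(5)} -> {m.group(6)}")


def parse_eventlog(text: str, local_tz: datetime.tzinfo):
    # CSV export: local time, source, event id, description, host, user
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 6:
            continue
        ts = datetime.datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S").replace(tzinfo=local_tz)
        yield Event(ts.astimezone(UTC), "eventlog", parts[4],
                    f"EventID {parts[2]} {parts[3]} user={parts[5]}")


def parse_av(text: str, local_tz: datetime.tzinfo):
    # Day-first date, then host, then free text
    pat = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        ts = datetime.datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S").replace(tzinfo=local_tz)
        yield Event(ts.astimezone(UTC), "antivirus", m.group(2), m.group(3))


def build_timeline(local_tz: datetime.tzinfo = LOCAL_TZ) -> list:
    """Parse every source, normalise to UTC and order by time.

    sorted() is stable, so events in the same second keep source order,
    which is itself worth noting when two sources disagree.
    """
    events = list(parse_firewall(FIREWALL_LOG))
    events += parse_eventlog(EVENT_LOG, local_tz)
    events += parse_av(AV_LOG, local_tz)
    return sorted(events, key=lambda e: e.when)


def render(events) -> list:
    return [f"{e.when.isoformat()} {e.source:<9} {e.host:<6} {e.detail}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

With the assumed +01:00 offset the merged sequence reads logon, allowed SMB connection, anti-virus detection, denied outbound FTP, logoff. Passing `build_timeline(UTC)` instead, as if the Windows export were already in UTC, moves the logon an hour later and puts both firewall lines before it, which is the kind of ordering error that a naive timestamp without a recorded zone produces.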
Nice to see my major won't go to waste.
Posted by InsaneJediGirl (1 comment)