Computer forensics do not follow you home in your car. Enterprise Forensics, or "Large Scale Forensics", are installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The sys. admin. (or examiner as it may be) does not monitor all systems on the entire network. It isn't really possible and is very inefficient. The company chooses areas that it feels need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.
Mirroring a system does not affect performance of that system. Copying down information gleaned from the system while it's in use may slow up the performance a bit, but again, it's highly specific information that an investigator is looking for, not random emails about Friday night's date.
Computer forensic tools can compile custom reports that run unattended 24-7 to monitor certain areas of concern. As an example, because of new regulations for American companies traded on the public market, the Security Exchange Commission (SEC) requires that all corporate heads personally vouch for their company's financial reports. To ensure that these reports are indeed accurate, a CFO might want to employ a forensic solution to monitor cash flow in and out of Sales or Finance. A custom report could be programmed that would glean specific information for the CFO through the network capabilities of the enterprise forensic tool. In this way, there is consistent visibility into areas of the company that might otherwise go unnoticed but may cause catastrophic downfall all the same. Read: Enron.
Also of note, enterprise computer forensics do not work across the internet. They are company network specific. The Administrator exchanges a digital key with the vendor company and the vendor company holds the master agreement in an extremely secure location off-site. This again leads back to the licenses, and how many a company is utilizing. There is the potential to have a license to mirror every system on the network, but this is defeating to any real purpose and there are definitely not enough IT folks in a single company to do the monitoring on that scale.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.