Properly investigating incidents takes training, so don't be fooled by the snake oil salesmen touting themselves as "experts" in this field. Many people attend courses without actually having taken part in significant investigations. Being a network detective boils down to one thing only: your level of expertise.
Essentially the era of computers ushered in a new type of criminal that pervades exclusive office echelons as easily as mid-western internet cafes. As technology progresses, so shall digital crime and the unwavering devotion of its miscreants to find newer and more complex routes to follow. The danger for the world's corporations is that e-predators reside within the walls of their own organizations. These internal criminals are busy perpetrating crimes that range from identity theft to the disbursement of illegal internet images. Moving away from illegal activity on the standard operating system, more savvy criminals have utilized UNIX and Linux as their tools of choice. Seemingly more difficult to investigate, these alternative operating systems are a less explored area in the science of computer forensics.
The Evolution of Computer Forensics
Recently I had the opportunity to discuss alternative OS forensics with "Dave", an agent with years of expertise who has asked that I do not identify his last name or office due to the secretive nature of his job.
In discussing the rise of computer forensics, I asked how technology has changed the face of corporate investigations for Dave and his colleagues.
"Like everything else, when people started to use computers on a daily basis, people soon figured out methods for doing illegal things. Fraud, threats, insider trading, and pornography just to name a few things. All of this was present before the dawn of computers, but the internet just makes it easier and faster to perpetrate crime. "
I was interested in some case examples of things that would have been impossible without t today's available computer investigative tools. Dave answers, "Some of the tools that stand out are Firewire, faster machines and Gig E. In 1999, the common practice to image a single drive machine was to turn off the computer, boot from a controlled floppy disk and send the image to a 2GB Jaz drive. In practice, an 8 GB HDD would have taken about 8-10 hours. Using Firewire, I can image the same drive in 15-20 minutes. The major choke point of imaging single drive machines is the speed of the hard drive being imaged.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.