Conducting an investigation on a single PC is a daunting enough task without having to search the entire network for criminal activity. I asked Dave to explain the major challenges between conducting a single PC audit and conducting a full-scale WAN based investigation.
"Basically, the major problem becomes the overwhelming size of evidence and preserving the chain-of-custody. If I seize a 2TB server, then I will need a 2+TB server to examine the data. I have had occasion to examine 29TB of data, and one must stay extremely organized and patient in such a case," states Dave.
The meteoric rise of computer forensics is clearly noticeable when browsing today's security conference agendas. There are numerous courses taught by what are termed "experts" in their respective fields. Since computer forensic technology is ever-evolving, it would be difficult to term oneself an expert in a field that has not yet finished developing. Many corporations get themselves into trouble when they hire an expert investigator with almost no real investigative experience. The use of poorly trained individuals for the purpose of conducting a digital investigation can prove costly to a corporation trying to recover both their reputation and their data.
Dave explains, "There are a lot of civil and criminal issues that could come into play if an untrained person (let's use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin show the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X's machine for a while? As for the emailing of the evidence to people within the company; the sysadmin has just unknowingly committed distribution of said illegal materials over the network and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.
Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation."
Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origination of the illegal material and accurate user identification. It can also preserve the digital evidence for use in pressing charges following best practice, court-upheld standards.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.