Latest news
"Expert vs. Expertise" - Computer Forensics and the Alternative OS
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 31 July 2003.
Dave explains, "PDA and cell phones handle data differently, but there is still a spot on them which identifies the location of all the files/programs. How different is this from Win98 OS? It really isn't, the issue stems from how to get the data from a non-standard device in a forensically sound manner."
Conducting an investigation on a single PC is a daunting enough task without having to search the entire network for criminal activity. I asked Dave to explain the major challenges between conducting a single PC audit and conducting a full-scale WAN based investigation.
"Basically, the major problem becomes the overwhelming size of evidence and preserving the chain-of-custody. If I seize a 2TB server, then I will need a 2+TB server to examine the data. I have had occasion to examine 29TB of data, and one must stay extremely organized and patient in such a case," states Dave.
Expertise?
The meteoric rise of computer forensics is clearly noticeable when browsing today's security conference agendas. There are numerous courses taught by what are termed "experts" in their respective fields. Since computer forensic technology is ever-evolving, it would be difficult to term oneself an expert in a field that has not yet finished developing. Many corporations get themselves into trouble when they hire an expert investigator with almost no real investigative experience. The use of poorly trained individuals for the purpose of conducting a digital investigation can prove costly to a corporation trying to recover both their reputation and their data.
Dave explains, "There are a lot of civil and criminal issues that could come into play if an untrained person (let's use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin show the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X's machine for a while? As for the emailing of the evidence to people within the company; the sysadmin has just unknowingly committed distribution of said illegal materials over the network and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.
Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation."
Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origination of the illegal material and accurate user identification. It can also preserve the digital evidence for use in pressing charges following best practice, court-upheld standards.
Conducting an investigation on a single PC is a daunting enough task without having to search the entire network for criminal activity. I asked Dave to explain the major challenges between conducting a single PC audit and conducting a full-scale WAN based investigation.
"Basically, the major problem becomes the overwhelming size of evidence and preserving the chain-of-custody. If I seize a 2TB server, then I will need a 2+TB server to examine the data. I have had occasion to examine 29TB of data, and one must stay extremely organized and patient in such a case," states Dave.
Expertise?
The meteoric rise of computer forensics is clearly noticeable when browsing today's security conference agendas. There are numerous courses taught by what are termed "experts" in their respective fields. Since computer forensic technology is ever-evolving, it would be difficult to term oneself an expert in a field that has not yet finished developing. Many corporations get themselves into trouble when they hire an expert investigator with almost no real investigative experience. The use of poorly trained individuals for the purpose of conducting a digital investigation can prove costly to a corporation trying to recover both their reputation and their data.
Dave explains, "There are a lot of civil and criminal issues that could come into play if an untrained person (let's use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin show the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X's machine for a while? As for the emailing of the evidence to people within the company; the sysadmin has just unknowingly committed distribution of said illegal materials over the network and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.
Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation."
Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origination of the illegal material and accurate user identification. It can also preserve the digital evidence for use in pressing charges following best practice, court-upheld standards.
Spotlight
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
