To Catch A Thief: Having An In-House Forensics Team, Tools Of The Trade And Its Pitfalls


Cybercrimes abound nowadays, and they have made computer forensics one of information security's fastest growing markets. While forensics tools are used to track down perpetrators in high-profile cases, they are also used to prepare evidence for pending civil and criminal lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.

One of the requirements in SOX, SB 1386, GLBA and HIPAA is the ability to discover fraudulent activity, which is where forensics usually comes into the picture. Together with increased cybercrime, regulatory compliance is another business driver that is pushing more companies to bring forensics capabilities in-house and shop for tools to aid them.

But before you turn your IT staff into digital sleuths, the requirements of forensics work must be fully understood.

Defining Process

Your forensics team needs scientific knowledge and a sound understanding of all legal requirements. The team must also know how to gather and preserve evidence, and be able to present its findings. Forensic investigators must be prepared to defend their actions in court because, on the witness stand, their training and reputation will be scrutinized and challenged. If they don't properly collect and analyze the evidence and present their findings well in court, the evidence can be thrown out, which could cost the company the case.
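Preserving evidence in practice means being able to prove later that the image being analyzed is byte-for-byte the one that was acquired. The following is an added example written for this page (it is not code from the article or from any vendor it names): it hashes a constructed sample image in one pass, appends an acquisition entry to a hypothetical JSON-lines chain-of-custody log, and re-verifies the image before and after a single byte is altered. The file names, log format and examiner identifiers are assumptions chosen for illustration.

```python
"""Added example: acquisition hashes and a chain-of-custody log (not vendor code)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-gigabyte image never has to fit in RAM


def hash_image(path):
    """Return size, MD5 and SHA-256 of the image file, computed in a single read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"size": os.path.getsize(path), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _append(log_path, entry):
    """The custody log is append-only JSON lines (an assumed format, not a standard)."""
    entry["time_utc"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def record_acquisition(image_path, examiner, source, log_path):
    """Record who acquired what, from where, and the hashes taken at acquisition time."""
    entry = {"action": "acquire", "image": os.path.basename(image_path),
             "source": source, "examiner": examiner}
    entry.update(hash_image(image_path))
    return _append(log_path, entry)


def verify_image(image_path, examiner, log_path):
    """Re-hash the image and compare with its most recent acquisition record.
    Returns True on a match; the verification is logged either way."""
    name = os.path.basename(image_path)
    with open(log_path) as log:
        records = [json.loads(line) for line in log if line.strip()]
    acquisitions = [r for r in records if r["action"] == "acquire" and r["image"] == name]
    if not acquisitions:
        raise ValueError("no acquisition record for " + name)
    expected, current = acquisitions[-1], hash_image(image_path)
    # Both digests must match: MD5 is kept for tool compatibility, SHA-256 is the real check.
    ok = all(current[k] == expected[k] for k in ("size", "md5", "sha256"))
    _append(log_path, {"action": "verify", "image": name, "examiner": examiner,
                       "result": "match" if ok else "MISMATCH"})
    return ok


def demo():
    """Constructed run: acquire a fake image, verify it, flip one byte, verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect-laptop.dd")      # hypothetical file names
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:                            # constructed sample image
        fh.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 4096)
    record_acquisition(image, "examiner-1", "constructed test drive", log)
    untouched = verify_image(image, "examiner-2", log)
    with open(image, "r+b") as fh:                           # simulate an altered image
        fh.seek(4100)
        fh.write(b"X")
    tampered = verify_image(image, "examiner-2", log)
    return untouched, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two digests are recorded on purpose: older tools and court filings often cite MD5, but MD5 collisions are practical, so the SHA-256 value is the one that actually establishes integrity. Every verification is written to the same log, so the record shows not only that the image matched but who checked it and when.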

A hybrid approach combining internal forensics expertise with outside consultants is often best. The internal team runs the investigation and gathers the evidence, and is responsible for the core of the case; the outside group verifies that the investigation was carried out correctly, ensuring the evidence is admissible in court. While the internal team has more thorough knowledge of the company, its systems and its business needs, the outside firm has seen many more types of crimes. Together, the two groups can deliver more effective results.

There are quite a few tools available to forensics teams to help ensure a proper investigation. Guidance Software's EnCase, AccessData's Forensic Toolkit and Paraben's NetAnalysis are some of the most widely used forensics tools in the industry. e-fense's Helix is a popular open-source alternative.

Guidance Software's EnCase

Guidance Software has long been the leader in forensics software with EnCase, the forensics acquisition and analysis tool most used by law enforcement and the private sector. EnCase assists in the acquisition of evidence from just about every operating system, file system and media type, including live systems. EnCase has a highly flexible Unix grep-like search capability. These searches parse the evidence byte by byte rather than through the file system, and so can reveal deleted files and other non-file data. EnCase then produces well-organized, detailed reports that experts and attorneys alike can understand.

AccessData's Ultimate Toolkit

AccessData's Ultimate Toolkit (UTK) combines the Forensic Toolkit (FTK) with a password recovery tool that can decrypt a wide range of file types, an enhanced registry viewer designed to uncover evidence hidden in registry keys normally accessible only to the system, a disk wiper and a distributed-computing encryption breaker that spreads the cracking work across multiple machines.

UTK's edge is its database-driven platform. As evidence is imported (typically drive and partition images), it is scanned once and indexed into a case database. This allows rapid ad hoc string queries and retrieval of extracted files and data without the need to rescan the image.
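The two ideas just described, EnCase's byte-by-byte grep-style search that ignores the file system, and UTK's scan-once, query-many case database, are small enough to show together. The block below is an added example written for this page, not code from EnCase, FTK or any other product. It builds a constructed eight-sector "image" in which sector 0 holds a live file and sector 2 holds the remnant of a deleted file, runs regular expressions over the raw bytes so the orphaned data is found just like live data, and stores every hit in an SQLite table so later questions become queries instead of rescans. The sector size, the set of allocated sectors and the search patterns are assumptions for illustration.

```python
"""Added example: raw-byte keyword search over an image, indexed into a case database."""
import re
import sqlite3

SECTOR = 512
ALLOCATED = {0}   # sectors the (constructed) file system still lists as in use


def build_sample_image() -> bytes:
    """Constructed 8-sector 'disk image': one live file in sector 0, the leftover
    content of a deleted file in sector 2, zeros elsewhere. Nothing here is from a real disk."""
    live = b"Quarterly report: revenue up 12%".ljust(SECTOR, b"\x00")
    remnant = b"mail to competitor@example.org about the customer list".ljust(SECTOR, b"\x00")
    empty = b"\x00" * SECTOR
    return live + empty + remnant + empty * 5


# Hypothetical search terms an examiner might load; bytes regexes so no decoding is needed.
PATTERNS = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}",
    "keyword": rb"customer list|revenue",
}


def grep_image(image: bytes, patterns: dict) -> list:
    """Regex search over the raw image, ignoring the file system entirely, so data in
    unallocated sectors is found just like data in live files.
    Returns (pattern name, byte offset, sector, matched text) tuples."""
    hits = []
    for name, pat in patterns.items():
        for m in re.finditer(pat, image):
            hits.append((name, m.start(), m.start() // SECTOR, m.group(0).decode("latin-1")))
    return hits


def build_case_db(image: bytes, patterns: dict) -> sqlite3.Connection:
    """Scan the image once and store every hit; later questions are SQL, not rescans."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits(pattern TEXT, offset INTEGER, sector INTEGER, text TEXT)")
    conn.executemany("INSERT INTO hits VALUES (?, ?, ?, ?)", grep_image(image, patterns))
    conn.commit()
    return conn


def hits_for(conn: sqlite3.Connection, pattern: str) -> list:
    """Ad hoc query 1: every hit for one pattern, in image order."""
    return conn.execute("SELECT sector, text FROM hits WHERE pattern = ? ORDER BY offset",
                        (pattern,)).fetchall()


def unallocated_hits(conn: sqlite3.Connection) -> list:
    """Ad hoc query 2: hits outside every allocated sector, i.e. deleted or slack data."""
    placeholders = ",".join("?" * len(ALLOCATED))
    sql = f"SELECT pattern, sector, text FROM hits WHERE sector NOT IN ({placeholders}) ORDER BY offset"
    return conn.execute(sql, tuple(ALLOCATED)).fetchall()


def demo() -> dict:
    conn = build_case_db(build_sample_image(), PATTERNS)
    return {"email": hits_for(conn, "email"),
            "keyword": hits_for(conn, "keyword"),
            "unallocated": unallocated_hits(conn)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

A directory listing of the constructed image would show only the quarterly report; the e-mail address and the "customer list" phrase live in a sector no file claims, and only the byte-level scan surfaces them. Because the hits are indexed with their offsets and sectors, asking "what is in unallocated space?" or "which sectors mention an e-mail address?" costs one query each rather than another pass over the image.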

Typical of a commercial tool, FTK can manage a case from acquisition to completion, and includes polished and flexible reporting capabilities whose output can easily be placed on an auto-play CD-ROM for distribution.

e-fense's Helix

e-fense's Helix, created by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution that contains many forensics- and security-related tools designed to assist in the recovery and analysis of digital evidence from live and dead (powered-off) systems.

Among the tools Helix includes are the feature-packed Sleuth Kit and its graphical front end, the Autopsy Browser. Used together, these give the digital detective a very capable graphical analysis platform comparable in functionality to many commercial products. Because Helix is free, open-source software, it is economical, but it lacks vendor technical support and bug fixes on demand. Its youth is also a drawback: there is little if any court case history in which Helix has been used.

Paraben's NetAnalysis

Paraben offers an extensive suite of tools that can be used to examine e-mail, recover passwords, analyze chat logs and perform thorough analysis of Web browsing activity.

Paraben's NetAnalysis tool can examine AOL history files, rebuild a browser cache for viewing, recover deleted Internet history files, identify Google searches, and provides a cookie and URL decoder. Its ability to extract evidence from most mobile phones and PDAs is more comprehensive than the similar capabilities of other tools. Although Paraben has an extensive toolset, it has not caught on in the industry as well as the EnCase and AccessData products.

Post Mortem

After your internal forensics team has worked through an incident or crime with the appropriate toolkit, it's valuable to understand what went right and what went wrong so the process can be improved.

Some questions the team should address include whether extra training or tools are required for future incidents, and whether any recovery activities introduced vulnerabilities or affected the company's regulatory status. Based on the forensics team's findings and its assessment of the damage from a particular incident, a company can decide whether to take the matter to court.

The team should be able to gauge the technical sophistication of the criminal and the likelihood of being able to catch him. It's also important to determine what type of individual committed this type of crime. Was it a competitor or just some kids hacking for fun?

Find out who you are dealing with. Don't waste money and effort filing a multimillion-dollar lawsuit against some rogue teenagers who have no money.

Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your company catch a thief before he escapes into cyberspace.

Shon Harris, security consultant and best-selling author, recognizes that there is a need to help the information security industry become more mature, consistent and predictable, and to provide companies with innovative educational tools and solutions. She founded Logical Security, http://www.logicalsecurity.com, in 2003 and assembled an unparalleled team of security experts to develop the curriculum and labs that help companies acquire the skills to confront and combat today's complex security and compliance issues. She also created a new teaching methodology designed to instil in-depth knowledge.