The Corporate Computer Forensic Analyst

Unlike most analysts in the field of criminal forensics, practitioners of computer forensics are not always working for or with law enforcement agencies. The demand for skilled computer forensic analysts in the corporate world exceeds the supply, and experienced analysts are highly sought-after. In addition to supporting law enforcement, a computer forensic analyst might be called upon to:

  • Recover files intentionally deleted by a disgruntled employee.

  • Determine the root cause of a computer compromise.

  • Track down the author of a threatening email.

  • Investigate unauthorized copying and intellectual property theft.

  • Obtain evidence an employee viewed inappropriate material.

  • Refute or support claims of overtime hours worked.

The end goal of an analyst working in a corporation might vary greatly from that of an individual working for or with a law enforcement agency. In the corporate world, the ultimate goal is to protect the company's interests, not to prosecute every potential offender. For example, if an isolated brochureware website in a remote subsidiary is defaced and no sensitive information is involved, the corporate goals are likely as follows:

  1. Identify the cause of the defacement.

  2. Restore the site as quickly as possible.

  3. Prevent future occurrences.

For most companies, it makes no fiscal sense to track down and prosecute the offender if there is no appreciable loss and recurrence can be prevented. If, however, an insider is found transmitting intellectual property to a competitor, the company may very well be interested in both civil and criminal proceedings.

Regardless of the final outcome of an individual investigation, the computer forensic analyst might not know for weeks, months, or even years after the initial incident whether the work will be presented in court. The analyst must therefore take the same precautions as law enforcement officials in safeguarding the integrity of the investigation, and must always work under the assumption that the results of the analysis will at some point be presented in a court of law. At the same time, the corporate analyst has an array of specialized tools at their disposal and can use them to advantage in investigations. Although the typical corporate computer incident response team (CIRT) does not carry Luminol or fingerprint-gathering equipment in its response kit, it may already have administrative rights (or the ability to obtain them) on corporate assets, as well as the ability, subject to company policy and local law, to search and seize company-owned equipment without a warrant.
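The practical form of "assume it will end up in court" is that every evidence item is hashed at acquisition, every handling step is logged, and the hash is re-verified before analysis and before testimony. The following is an added example (not code from the book or its author) of that discipline: a streaming SHA-256 over an evidence file, an append-only chain-of-custody log in JSON Lines, and a verification step that compares the current hash with the one recorded at acquisition. The evidence file contents, case number, image name, and analyst names are constructed for the demonstration.

```python
"""Hash-verified evidence handling with a chain-of-custody log (added example).

The evidence bytes, case id, image file name and analyst names below are
constructed; nothing here comes from the book.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a multi-gigabyte image need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody_event(log_path: Path, evidence_path: Path, action: str,
                         analyst: str, case_id: str) -> dict:
    """Append one custody entry (one JSON object per line) and return it.

    Each entry carries the hash observed at that moment, so a later reader
    can see exactly when, if ever, the evidence stopped matching.
    """
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "analyst": analyst,
        "action": action,
        "evidence": evidence_path.name,
        "size_bytes": evidence_path.stat().st_size,
        "sha256": sha256_file(evidence_path),
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_evidence(log_path: Path, evidence_path: Path) -> bool:
    """Compare the current hash against the hash recorded at acquisition."""
    with log_path.open("r", encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    # The first "acquired" entry is the reference value for the whole case.
    acquisition = next(e for e in entries if e["action"] == "acquired")
    return sha256_file(evidence_path) == acquisition["sha256"]


def demo() -> Tuple[bool, bool]:
    """Run the workflow on constructed evidence.

    Returns (verified_before_tamper, verified_after_tamper); a correct run
    yields (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "HR-LAPTOP-07.img"   # hypothetical image name
        log = Path(tmp) / "custody.jsonl"
        evidence.write_bytes(b"constructed sample disk image\n" * 1000)

        record_custody_event(log, evidence, "acquired", "analyst_a", "CASE-0001")
        intact = verify_evidence(log, evidence)

        # Simulate a stray write to the original. In a real case the original
        # is write-blocked and analysis is done on a verified working copy;
        # this only shows that the log catches the change.
        with evidence.open("r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        record_custody_event(log, evidence, "verified", "analyst_b", "CASE-0001")
        still_intact = verify_evidence(log, evidence)
        return intact, still_intact


if __name__ == "__main__":
    print(demo())
```

The log is append-only by construction (opened with mode `"a"`), which is what makes it useful as a record: a failed verification is itself logged with the hash that was observed, so the break in the chain is documented rather than silently overwritten.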

Note 

Although computer data stored on a corporate asset and created using corporate systems is generally considered company property in the United States, it is not considered such in many other countries. In Nikon France v. Onof (2001), the French Cour de cassation (the French supreme court) held that an employer was prohibited from reading an employee's personal emails and files, even when they were created with and stored on company-owned equipment.

Not everyone is cut out for the world of computer forensics. The work requires detail-oriented individuals who are willing to document everything they do. At the same time, analysts must think creatively and respond quickly and effectively to the unique situations that they face in the field. A typical CIRT includes executive management, public relations, corporate security, legal, and IT subject matter experts. For this reason, the analyst must communicate effectively both orally and in writing. In addition to being able to perform the technical tasks associated with the job, the analyst must successfully explain evidence to a variety of audiences, each with vastly different backgrounds.

One question that must be asked when hiring and training analysts is this: "Would I be comfortable with this person testifying on the company's behalf in court?" Individuals who are new to the field must be mentored and supervised appropriately, and a clean criminal history is a necessity. Convicted hackers need not apply.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel