The following case study illustrates the organizational benefits of a planned forensic response:

Scenario One

An IT manager reviews a detection tool report that indicates a company employee is accessing restricted Internet sites and downloading objectionable material. After discovering the activity, the IT manager remotely accesses the employee’s personal computer to obtain evidence. The employee is then dismissed, based on the evidence located and obtained.

Scenario Two

An IT manager reviews a detection tool report indicating a company employee is accessing restricted Internet sites and downloading objectionable material. After discovering this activity, the IT manager follows procedures, reporting his suspicions to the nominated computer incident response contact, in this case the Chief Information Officer (CIO).

The CIO then invokes the company’s incident response plan by contacting the Incident Response Team, which includes computer forensic experts. This team isolates the offending machine; conducts a forensic examination of the computer system following methodologies known to be acceptable to criminal, civil, and arbitration courts or tribunals; and establishes where the material came from, how often, and who else knew about it. By following its effective policies and procedures, the organization (via the CIO) is in an excellent position to take immediate legal and decisive action based on all the available facts and evidence.

Which Scenario Works?

Only one of these scenarios illustrates a planned forensic response. In Scenario One, the evidence was obtained remotely. This fact alone may put the obtained evidence in doubt.

Any court of law would want to know whether there were policies and IT infrastructure for ensuring the IT staff member knew the correct PC was accessed. Other issues surround the need for evidence to prove that a particular employee’s PC was responsible for downloading the objectionable material. Can it be proved that the objectionable material was viewed on a particular PC? Who else had access to that PC? It is likely that there is not adequate evidence in this scenario to answer these questions.

The IT manager detecting activity is only the first step in forming grounds for suspicion. If action is taken without proper policies, procedures, and processes in place, it is nothing more than an unplanned knee-jerk reaction.

Unplanned reactions potentially expose an organization to risk. Clearly, any investigation must not only be thorough and methodical, but staff also need procedures for reporting the activity, conducting the investigation, and appointing investigators.

In Scenario Two, the established policies let the organization clearly identify the incident and carry out appropriate immediate action. This places the organization in a comfortable position to resolve the situation, contain the potential damage, and effectively seek compensation or prosecution. The bottom line here is that without the appropriate procedures in place to counter detected attacks, an organization is exposed to the risks of lost data, financial loss, network damage, and loss of reputation.

Don’t react, respond! Cyber crime is rapidly increasing and is striking at the heart of many organizations. By putting in place measures such as effective policies and rapid response capabilities, an organization can achieve an excellent information technology security position with forensic support. Businesses can then respond quickly, minimizing the risks of lost data, financial loss, network damage, and loss of reputation.

Organizations wanting to counter cyber crime need to apply risk management techniques that allow a speedy response and minimize harm. Although organizations cannot prevent a cyberattack, they can have a planned response and even turn e-crime preparedness, or effective security, into a new competitive advantage.

Conclusions Drawn from Types of Vendor and Computer Forensics Services

  • The technological revolution marches on at a frantic pace, providing the world with an immense availability of resources. The same technological revolution has also brought forth a new breed of investigative and legal challenges.

  • Computers are now at the core of people’s activities and evidence contained in them is being introduced with greater frequency in both civil and criminal judicial proceedings. Questions arise regarding location of evidence stored on digital media, analysis of that evidence, and authentication of that evidence in court. The field of computer forensics seeks to answer these questions and provide experts to introduce this digital evidence in court.

  • Computer Forensic services include: digital evidence collection; forensic analysis of digital evidence (including analysis of hidden, erased, and password-protected files); expert witness testimony; and litigation support.

  • Who can benefit from Computer Forensic services: Attorneys involved in complex litigation that deals with digital evidence; human resource professionals involved in administrative proceedings such as wrongful termination claims, sexual harassment, or discrimination allegations, and employee violations of company policies and procedures, where key evidence may reside in e-mails, word processing documents, and the like; and company executives who are interested in confidentially auditing their employee computer usage concerning proprietary information, misuse of company resources, and trade secret issues.

  • Insurance companies that are interested in reducing fraudulent claims by using discovered digital evidence.

  • Documentary evidence has quickly moved from the printed or typewritten page to computer data stored on floppy diskettes, zip disks, CDs, and computer hard disk drives.

  • Denial of service attacks have always been difficult to trace as a result of the spoofed sources.

  • With the recent increasing trend toward using distributed denial of service attacks, it has become nearly impossible to identify the true source of an attack.

  • ISPs need automated methods as well as policies in place to attempt to combat the hacker’s efforts.

  • Proactive monitoring and alerting of backbone and client bandwidth with trending analysis is an approach that can be used to help identify and trace attacks quickly without resource-intensive side effects.

  • Subsequent detailed analysis could be used to complement the bandwidth monitoring.

  • Timely communication between ISPs is essential in incident handling.

  • Deleted computer files can be recovered.

  • Even after a hard drive is reformatted or repartitioned, data can be recovered.

  • In many instances, encrypted files can be decrypted.

  • Forensic analysis can reveal: what Web sites have been visited; what files have been downloaded; when files were last accessed; when files were deleted; attempts to conceal or destroy evidence; and attempts to fabricate evidence.

  • The electronic copy of a document can contain text that was removed from the final printed version.

  • Some fax machines can contain exact duplicates of the last several hundred pages received.

  • Faxes sent or received via computer may remain on the computer indefinitely.

  • E-mail is rapidly becoming the communications medium of choice for businesses. People tend to write things in e-mail that they would never consider writing in a memorandum or letter; e-mail has been used successfully in civil cases as well as criminal cases; and e-mail is often backed up on tapes that are generally kept for months or years.

  • Many people keep their financial records, including investments, on computers.
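The bandwidth-monitoring item above describes trending analysis as a way to spot floods quickly without resource-intensive packet inspection. The following is an added example (not from the book) of that idea: a rolling per-link baseline with an alert when a sample jumps far outside it. Samples that trip the alert are kept out of the baseline, so a sustained flood cannot gradually make itself look normal. The Mbps counters are constructed.

```python
from statistics import mean, pstdev

# Constructed per-minute inbound Mbps samples for one client link.
# The first samples are a quiet baseline; the burst at the end is the
# kind of sudden, sustained rise a denial of service flood produces.
SAMPLES_MBPS = [42, 45, 40, 47, 44, 43, 46, 41, 45, 44,
                43, 46, 48, 210, 480, 650]


def trend_alerts(samples, window=10, z_threshold=4.0, min_ratio=3.0):
    """Return (index, value, baseline_mean) for every sample that is
    both a z-score outlier against the rolling baseline and at least
    min_ratio times the baseline mean.

    The two tests together avoid paging on one noisy sample when the
    baseline is flat (tiny standard deviation). Samples that alert are
    not admitted to the baseline, so the attack traffic itself cannot
    raise the bar for the next sample."""
    alerts = []
    clean = []  # samples accepted into the baseline
    for i, value in enumerate(samples):
        if len(clean) < window:
            clean.append(value)  # warm-up: build the initial baseline
            continue
        baseline = clean[-window:]
        mu = mean(baseline)
        sigma = pstdev(baseline) or 1.0  # guard a perfectly flat baseline
        z = (value - mu) / sigma
        if z >= z_threshold and value >= min_ratio * mu:
            alerts.append((i, value, round(mu, 1)))
        else:
            clean.append(value)
    return alerts


if __name__ == "__main__":
    for idx, mbps, base in trend_alerts(SAMPLES_MBPS):
        print(f"minute {idx}: {mbps} Mbps against baseline {base} Mbps")
```

In practice the same routine would run per backbone and per client interface, and an alert would trigger the more detailed analysis the next item describes rather than replace it.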

An Agenda for Action in Types of Vendor and Computer Forensics Services

The following is a provisional list of actions for some of the principal types of vendor and computer forensic services. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these services have been mentioned in passing already:

  1. Computer Forensics services should provide: analysis of computers and data in criminal investigations; on-site seizure of computer data in criminal investigations; analysis of computers and data in civil litigation; on-site seizure of computer data in civil litigation; analysis of company computers to determine employee activity; assistance in preparing electronic discovery requests; reporting in a comprehensive and readily understandable manner; court-recognized computer expert witness testimony; computer forensics on both PC and Mac platforms; and fast turnaround time.

  2. Computer systems may crash. Files may be accidentally deleted. Disks may accidentally be reformatted. Computer viruses may corrupt files. Files may be accidentally overwritten. Disgruntled employees may try to destroy your files. All of these can lead to the loss of your critical data. You may think it’s lost forever, but you should employ the latest tools and techniques to recover your data.

  3. In many instances, the data cannot be found using the limited software tools available to most users. The advanced tools that you utilize should allow you to find your files and restore them for your use. In those instances where the files have been irreparably damaged, your computer forensics expertise should allow you to recover even the smallest remaining fragments.

  4. Business today relies on computers. Your sensitive client records or trade secrets are vulnerable to such intentional attacks as computer hackers, disgruntled employees, viruses, and corporate espionage. Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification. You should safeguard your data by such methods as encryption and back-up. You should also thoroughly “clean” sensitive data from any computer system you plan on disposing of.

  5. Your files, records, and conversations are just as vital to protect as your data. You should survey your business and provide guidance for improving the security of your information. This includes such possible information leaks as cordless telephones, cellular telephones, trash, employees, and answering machines.

  6. Always keep in mind that the IP you are investigating is only the apparent source of the activity you see on your logs. As mentioned earlier, this does not mean that you should ignore the IP address, only be cognizant of its limitations for determining the possible attribution of the event you are investigating. Although this process will educate the administrator on how to characterize the threat to his or her company from analyzing IP addresses that appear in the logs, a complete determination of the threat your organization faces is a more involved process.

  7. What you can be sure of is that many threat entities will probe and attempt to intrude on your systems over time. These may range from Class I (privacy), Class II (industrial espionage), or Class III (terrorism) attacks. Attackers may range from the script kiddie aimlessly probing the networks, to a dedicated industrial espionage hacker looking for your company’s secrets. Depending on your company’s resources and the value of those resources, you should also investigate the possibility of staffing a professional competitive intelligence cell in your company or of sponsoring an assessment of the threat to your company’s systems by a group of intelligence and information security specialists.

  8. The serious threat to your IT infrastructure is not a teenage hacker defacing your Web site. The true dangers are information and monetary theft, business disruption, and critical infrastructure failure. Perpetrators are likely to be professional criminals, hacktivists, competitors, or even foreign intelligence agencies. The most costly intrusions are likely to be those that you fail to detect. The bottom line is that you need to know the threat against your systems as well as their vulnerabilities.
