Working with Law Enforcement

In the past, corporate executives believed that reporting criminal activity associated with IT security meant creating bad press for their organizations. As a result, corporations often suffered unreported losses. Statistics on corporate IT security breaches were frequently inaccurate, and criminals were able to repeatedly and unabashedly perpetrate the same actions against different organizations.

Today, however, attitudes have changed. Thanks to increased pressure from federal legislation like Sarbanes-Oxley and state legislation in locations like California, many IT security incidents are required to be reported. Simultaneously, law enforcement outreach initiatives like the FBI's Infragard program foster industry partnerships to protect the national infrastructure. This allows individuals who work in corporate security to form all-important relationships with federal, state, and local law-enforcement agencies. They can then receive warnings of new threats and assistance with existing threats and give and obtain support in investigating incidents.

Tip 

Information security professionals should look into joining their local Infragard chapter. The contacts with professional colleagues as well as law enforcement officials are invaluable, and there is a negligible cost to join (free for some chapters). More information on this organization can be found at http://www.infragard.net.

The best time to engage law enforcement is before an incident occurs. If the investigator makes contacts with local, state, and federal officials ahead of time, she will find it much more efficient to work with them after the proverbial excrement hits the fan. Law enforcement agents bring to the table skills and capabilities not generally accessible in the corporate world. They are able to track incidents across borders (both corporate and geographic), pursue criminal actions against attackers, and provide expertise in the technical, legal, and logistical areas of an investigation.

At the same time, the corporate security investigator may be able to provide agents with information and expertise that they do not necessarily possess. The investigator may assist law enforcement by:

  • Acting as a liaison to internal staff. By coordinating with corporate staff, the computer investigator frees law enforcement from the difficulties of navigating a complex organizational structure.

  • Acquiring and preserving evidence. Not all evidence can wait for law enforcement to be engaged, and some evidence (especially evidence that is transitory in nature) may be easier for a corporate investigator to acquire based on existing laws (for example, keystroke monitoring of an employee). This information should be collected and preserved in a forensically sound manner for later law enforcement involvement.

  • Analyzing evidence. Specifics regarding both one's business model and IT infrastructure may be useful to law enforcement. From the operations of proprietary IT systems to the analysis of the organization's supply chain, the computer investigator may have invaluable domain expertise.

  • Providing loss figures. Many federal crime statutes require a loss to be shown in order to prosecute to the fullest. By calculating the dollar loss of an incident appropriately, the computer investigator can improve the chance of a successful prosecution.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
EAN: 2147483647
Year: 2006
Pages: 71
Authors: Chad Steel
