People, Processes, and Tools

In order to build a competent computer forensic capability within an organization, the initial focus must be on people, followed by process and tools. Many organizations looking to build competency in the computer forensics space reverse these priorities, spending large sums of money on enterprise-class software and lab hardware. When the hardware is in place, existing staff begin to develop processes around using their newly purchased tools. The tail wags the dog! Finally, companies begin to search for individuals who are certified in or experienced with the tool suite purchased to round out their capabilities.

The more effective way to build forensic capability is to start with people. The first step should be hiring an experienced examiner to mentor existing staff, bring in supplementary staff, and develop sound forensic procedures. To find a qualified individual, one must do the following:

  • Go to a trusted source in information security and ask for recommendations on good people.

  • Look to reputable organizations, including Infragard and the High Technology Crime Investigation Association (HTCIA), for pools of knowledgeable individuals, as these groups have performed background/reference validation on their members.

  • Hire individuals with direct investigative experience.

  • Evaluate certifications such as CISSP, CISA, SANS (GIAC), and EnCase (EnCE) carefully; a certification shows familiarity with a body of knowledge or a tool, not investigative judgment.

  • Approach candidates as if they were taking the witness stand in court, asking yourself whether they will hold up to judicial scrutiny as experts.

When the successful candidate is empowered in the role of running a CSIRT, the first order of business is to develop an investigative policy and associated procedures. At a minimum, the policy should address the following:

  • Who is empowered to investigate and under what circumstances?

  • What oversight is needed to approve investigations?

  • How is the investigation run cross-functionally?

  • What scenarios and circumstances warrant an investigation?

  • How are the results of investigations processed, and how are disciplinary procedures carried out?

Policy dictates the operational structure, roles and responsibilities of the team, and the scope of its investigations. Procedures can then be developed for the individual aspects of an investigation, dictating who performs specific investigative actions, what steps must be taken for common procedures, and how these steps are validated. Common procedures involve the following:

  • Evidence handling and chain of custody

  • Forensic acquisition or duplication

  • Communication of incidents

  • Common analysis activities (mail files, file systems, log files, and so on)

  • Terms of engagement for bringing in other parties

  • Retention procedures for evidence

Many good sources can be shamelessly plundered for their expertise, including NIST and CERT. After the procedures have been adopted and tested, tools can then be purchased or acquired to fill the gaps or enhance the procedures.

The tools mentioned throughout this book vary greatly in cost, and the capabilities do not always merit the price tag. Since I am talking about Windows forensics, analysts need solid laptops and desktops for performing analysis: nothing fancy, but a decent amount of memory and the latest processor will pay for themselves in time savings when they are most needed, during an actual investigation. Secondly, a good tape backup unit, DVD-R drive, and lots of disk space are needed, since every acquisition produces an image at least as large as the source drive. One may begin using freely available tools, replacing them as necessary with more expensive toolsets. At a minimum, you will need:

  • An acquisition tool to perform forensic duplications

  • An analysis tool to search hard drives

  • Basic text search and manipulation tools

  • A data integrity verification tool

Tip 

Depending on your organization's specific policies, machines confiscated during investigations can become future lab machines.

For a barebones starter kit, free versions of dd can be used for bit-for-bit duplication of drives and files (with netcat for remote duplication and data transfer). WinHex makes an excellent, inexpensive general-purpose drive analysis tool, and Windows ports of common *nix string manipulation utilities (grep, strings, cat, less, and so on) can be used for more complex file search and manipulation operations. Finally, the md5sum program provides data integrity verification: hash the source before acquisition and the image afterward, and record both. (MD5 is adequate for detecting accidental corruption, but MD5 collisions are practical, so pairing it with a SHA-2 hash is prudent where an adversary might tamper with evidence.) Placed in capable hands, these basic tools will yield a much better cost/benefit ratio than a full implementation of EnCase Enterprise, custom-built forensic computers, and single-purpose specialty tools in the hands of partially trained individuals.
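The dd-plus-md5sum workflow described above, as an added example that is not code from the book. All paths and the port number are hypothetical, and the "evidence" is a constructed 64 KiB file standing in for a block device such as /dev/sdb, so the script runs offline; the netcat variant is shown only as comments because it needs two hosts.

```shell
#!/bin/sh
# Added example, not code from the book: a bare-bones acquisition and
# verification workflow using dd and md5sum. All paths are hypothetical, and
# the "evidence" is a constructed file standing in for a block device such as
# /dev/sdb, so the script runs offline.

# make_evidence FILE: build a 64 KiB sample source (zeros with a text marker).
# Its size is a multiple of the dd block size used below, as a real device's
# would be, so conv=sync adds no padding and the image hashes equal the source.
make_evidence() {
    dd if=/dev/zero of="$1" bs=4096 count=16 2>/dev/null
    printf 'constructed evidence: Q4-payroll.xls' | dd of="$1" conv=notrunc 2>/dev/null
}

# acquire SRC IMG HASHFILE: copy SRC bit-for-bit to IMG, record the hash of
# SRC in HASHFILE, then verify IMG against it. Returns 0 only on a match.
# In practice, hash the source through a write blocker before touching it.
acquire() {
    src=$1; img=$2; hashfile=$3
    # conv=noerror,sync: keep reading past bad sectors and zero-fill them so
    # every offset in the image still lines up with the source.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    md5sum "$src" | cut -d' ' -f1 > "$hashfile"
    verify "$img" "$hashfile"
}

# verify IMG HASHFILE: recompute the hash of IMG and compare it with the
# recorded one. Returns 0 if they match, 1 otherwise.
verify() {
    expected=$(cat "$2")
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Remote variant (hypothetical host name and port; listener syntax varies
# between netcat builds), shown as comments because it needs two hosts:
#   analyst workstation:  nc -l -p 9000 > suspect-sdb.dd
#   suspect machine:      dd if=/dev/sdb bs=4096 conv=noerror,sync | nc analyst-host 9000
# Afterwards compare md5sum of suspect-sdb.dd with md5sum /dev/sdb run on the suspect.

# Demo: duplicate the constructed source, verify, then show that a single
# appended byte is caught by the hash check.
work=$(mktemp -d)
make_evidence "$work/sdb.bin"
if acquire "$work/sdb.bin" "$work/sdb.dd" "$work/sdb.md5"; then
    echo "image verified, md5 $(cat "$work/sdb.md5")"
fi
printf 'x' >> "$work/sdb.dd"
if verify "$work/sdb.dd" "$work/sdb.md5"; then
    echo "unexpected: altered image still verifies"
else
    echo "alteration detected: image no longer matches recorded hash"
fi
rm -rf "$work"
```

The recorded hash file is what goes into the chain-of-custody record; any later verify against the working copy that fails means the copy is no longer the evidence you acquired.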



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel