Conclusions


Computer forensics is a vital tool in incident response. It has the potential to provide conclusive evidence in an investigation and to assist in corroborating other evidence. It is, however, a discipline for the trained professional only. Well-meaning amateurs can cause irreparable damage to the evidence and should not be allowed to conduct an investigation without the proper training.

Fingerprints on the Floppy

There was a suspected case of sabotage at a U.S. government site. All the Macintosh file servers had the contents of their hard drives erased. During the investigation, a floppy disk labeled "OOPS BOOM" was discovered in an adjacent room. One of the investigators ran the program from that disk on a test machine and confirmed that it erased the contents of the hard drive. Never examine or test the actual evidence; work only from a verified copy.

Based on the location of the floppy and on who had access to the file servers, the team suspected a summer intern. They contacted the FBI to conduct the investigation. When the FBI agents arrived and attempted to test the floppy disk for fingerprints, they found that so many people had handled the disk by that point that any fingerprints were unusable. Furthermore, the disk had been handled and tested by so many people without any controls that its contents could no longer be shown to be what was originally found. Preservation of the evidence is paramount. Investigation kits should contain latex gloves and evidence bags for the acquisition and storage of evidence.
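The sidebar's two lessons, analyze only a copy and be able to prove the evidence is unchanged, come down to a hash recorded at acquisition and re-checked on every later access. The following Python is an added example written for this page, not code from the book: it hashes a constructed stand-in for a forensic image, records a chain-of-custody entry, hands back a working copy for analysis, and later detects that an uncontrolled handler altered the data. The image bytes, examiner name and log format are assumptions for illustration.

```python
"""Added example: hash-verified evidence handling (not from the original text)."""
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of an acquired floppy image.
SAMPLE_IMAGE = b"OOPS BOOM\x00" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest used as the integrity reference for an image."""
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes, examiner: str, custody_log: list) -> bytes:
    """Record the original's hash, then return a verified working copy.

    All examination happens on the copy; the original is bagged and stored.
    """
    digest = sha256_hex(original)
    working_copy = bytes(original)
    if sha256_hex(working_copy) != digest:
        raise RuntimeError("working copy does not match original")
    custody_log.append({
        "action": "acquire",
        "examiner": examiner,
        "sha256": digest,
        "time": datetime.now(timezone.utc).isoformat(),
    })
    return working_copy


def verify(image: bytes, custody_log: list) -> bool:
    """Re-hash an image against the digest recorded at acquisition.

    Every verification is itself logged, pass or fail, so the record shows
    exactly when the evidence was last known to be intact.
    """
    reference = custody_log[0]["sha256"]
    current = sha256_hex(image)
    intact = current == reference
    custody_log.append({
        "action": "verify",
        "sha256": current,
        "intact": intact,
        "time": datetime.now(timezone.utc).isoformat(),
    })
    return intact


def demo():
    """Acquire, verify, then show that uncontrolled handling is detectable."""
    log = []
    copy = acquire(SAMPLE_IMAGE, "examiner-1", log)
    ok_before = verify(copy, log)
    # Simulate someone "testing" the evidence and writing to it:
    # the last byte of SAMPLE_IMAGE is 0xff, so this change is real.
    tampered = copy[:-1] + b"\x00"
    ok_after = verify(tampered, log)
    return ok_before, ok_after, log


if __name__ == "__main__":
    before, after, entries = demo()
    print("intact after acquisition:", before)
    print("intact after uncontrolled handling:", after)
    for entry in entries:
        print(entry)
```

On real media the same check is done with a hardware write blocker between the disk and the imaging host, an imaging tool that records the digest of the source and of the image, and a signed custody log; the point the code makes is that without the digest taken at acquisition there is nothing to verify against later.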

Computer forensics also has the potential to be an enormous task. When computers had small (or even no) hard drives, it was feasible to conduct a sector-by-sector search. When computers were relatively uncommon, it was feasible to seize a company computer and search it. When an entire team has computers, and each of those computers has a very large hard drive, the search task can become overwhelming. If the incident is not particularly serious, if the range of suspects cannot be narrowed to a manageable number, or if the amount of data cannot be reduced to a controllable volume, management should ask whether an in-depth investigation of potentially terabytes of data is an effective use of resources, internal or external.

The fundamental limitation of forensics cannot be overstated. Computer forensics can, at best, establish that a specific computer might have been involved; it cannot by itself show who was at the keyboard. At that point, the forensics investigator must look for other sources of evidence to place the person at that computer at the time of the incident.

The forensics examination can provide the incident response team with additional evidence. This evidence, even if inconclusive on its own, can be valuable when interviewing potential suspects or when viewed in the context of a complete investigation that includes physical security logs, network logs, eyewitnesses, and other factors.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103