Computer forensics experts uncover digital evidence on policy and security breaches

John Suit, CTO of Linthicum, Md.-based SilentRunner, a spin-off of contracting giant Raytheon, found himself dealing with a problem no CTO wants to face. While Suit was a manager at Raytheon, it was discovered that some intellectual property had been moved off the network. But it wasn’t clear whether the move was done inadvertently or intentionally.

“All of a sudden, the fire got lit, and people started pointing fingers,” Suit says. “I said, ‘We need to get a group of people together, and we’re going to go in and understand what actually happened.’ ”

Suit and an ad hoc team dug deep for evidence using computer forensics. “Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data,” explains Warren G. Kruse II, an investigations manager at Lucent Technologies and co-author of Computer Forensics: Incident Response Essentials.

CTO expertise and interest in this area are growing, as more enterprises work to uncover the sources of viruses and security breaches and the damage they have done. Computer forensics is also being used outside the IT department as evidence for potential lawsuits over everything from intellectual property theft to the enforcement of noncompete clauses.

“[People] assume that because they have the computer background they can jump right into this,” says Christine Siedsma, program manager of the Computer Forensic Research and Development Center (CFRDC) at Utica College in New York. “Just sitting down and learning a piece of software doesn’t make you an expert by any means. What do you know about handling evidence? You’ve got to understand computers to the nth degree. … But you have to have a good understanding of the legal side [as well].”

Preparing for potential investigations takes planning. CTOs also need to have a process in place as a follow-up when a situation arises.
Setting up your own sleuths

Acknowledging the importance of computer forensics, some large companies are creating their own forensics groups within their IT or security departments. “Timely response is crucial to a successful forensics case,” Lucent’s Kruse says. “Putting a plan or team together after an incident occurs may result in critical evidence being lost.”

To staff a computer forensics team internally, enterprise recruiters often pull from the government and law enforcement fields; they also hire groups of security workers and then train them further in forensics. The keys to creating an internal computer forensics team, experts say, include getting sign-offs from all those involved — not just management but also legal, security, and all departments overseeing data storage or transfer. In doing so, CTOs must identify the level of need and define exactly what the forensics team will be responsible for.

Although SilentRunner’s Suit had to conduct his investigation without being fully prepared, he did have some advantages other CTOs may not have. Raytheon had already been working on a network discovery and analysis tool that could be used to present and analyze the flow of information. The company also had many in-house people recruited from the intelligence industry.

Without such expertise at hand, the potential for loss or destruction of evidence exists. “If a system administrator finds something on a machine and doesn’t just lock it down, … if the first thing the system administrator does is reload his operating system, all of the evidence is gone. That’s an awareness problem,” explains David Ferguson, director of the computer forensics laboratory at the Department of Defense in Linthicum, Md.

Suit understood the potential for loss of data. During the two-and-a-half-week investigation, he touched base with individuals from a forensics consulting company, who offered some “relatively simple” suggestions that were helpful because they were “old-school. … It’s important to have an understanding of what you can do on the low-tech side, too.”

During an investigation, computer forensics specialists enlist a slew of technologies — from hard drive mirroring to specialized data recovery and search tools, intrusion analysis, and audio/video enhancement technology — coupled with a defined methodology. The basic methodology, according to Lucent’s Kruse, involves the “three A’s”: acquiring evidence without altering the original, authenticating that the recovered evidence is the same as the original, and analyzing the data without modification.

Beyond the growing number of tools and suites available to handle computer forensics, CTOs need to understand the end-use of the data to be collected. Awareness of evidence-handling and documentation procedures — the ongoing list of details, including who touched the evidence, what they did to it, and where it was stored — is just as critical.

“Let the information rise to the top because you have all the 1s and 0s if you’ve collected [evidence] properly and you’re analyzing it properly,” SilentRunner’s Suit adds. “If you have all the evidence and you have the tools to put it together, then you can more clearly approach it.”

“The biggest thing I learned in doing this is that your initial biases will come into play, but you really need to set that aside,” Suit says, noting that in this case the investigation’s outcome was “totally different” than expected.

Outsourcing requires research

Although an internal forensics team brings benefits, it also brings extra costs in the form of specialized training, equipment, and employees. An alternative to internal staffing is to hire forensics services or consultants to do investigations or analysis on a case-by-case basis. Some forensics companies work only with attorneys or large corporations that have a strong handle on the legal side of forensic evidence.
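The “three A’s” and the evidence-handling log described above map directly onto a small, auditable workflow: image the source while hashing exactly the bytes copied, re-hash before and after every analysis step, and append a custody entry (who, what, where, when) for each action. The script below is an added illustration written for this page, not code from the article, SilentRunner, Lucent, or Raytheon. It stands in a constructed byte string for the imaged volume so it runs offline; the function names, the SHA-256 choice, and the sample contents are all assumptions of the example.

```python
"""Acquire, authenticate, analyze, with a chain-of-custody log (added example)."""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an imaged volume; not real data from any case.
SAMPLE_DRIVE = (
    b"project-alpha-design.docx\x00\x00\x00"
    b"CONFIDENTIAL: schematics v3\n"
    b"mailto:external-recipient@example.invalid\n"
    + b"\x00" * 64
)


@dataclass
class Evidence:
    """An acquired image plus the hash taken at acquisition time."""
    label: str
    image: bytes            # immutable, so analysis code cannot alter it in place
    acquisition_hash: str
    custody_log: list = field(default_factory=list)


def record(evidence: Evidence, actor: str, action: str, location: str) -> None:
    """Append one custody entry: who touched the evidence, what they did, where."""
    evidence.custody_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "location": location,
    })


def acquire(source: io.BufferedIOBase, label: str, actor: str,
            location: str, block_size: int = 4096) -> Evidence:
    """Acquire: read the source block by block, hashing exactly the bytes copied.

    The source is only read, never written, which is the "without altering
    the original" requirement (a hardware write blocker enforces this on real drives).
    """
    digest = hashlib.sha256()
    blocks = []
    while True:
        block = source.read(block_size)
        if not block:
            break
        digest.update(block)
        blocks.append(block)
    ev = Evidence(label, b"".join(blocks), digest.hexdigest())
    record(ev, actor, f"acquired {len(ev.image)} bytes, sha256={ev.acquisition_hash}", location)
    return ev


def authenticate(evidence: Evidence, actor: str, location: str) -> bool:
    """Authenticate: re-hash the image and compare with the acquisition hash."""
    current = hashlib.sha256(evidence.image).hexdigest()
    ok = current == evidence.acquisition_hash
    record(evidence, actor,
           "integrity check " + ("passed" if ok else f"FAILED (sha256={current})"), location)
    return ok


def analyze(evidence: Evidence, keyword: bytes, actor: str, location: str) -> list:
    """Analyze: keyword search over the image, bracketed by integrity checks.

    Refuses to start if the image no longer matches its acquisition hash, and
    re-checks afterwards so the log documents that analysis changed nothing.
    """
    if not authenticate(evidence, actor, location):
        raise ValueError(f"{evidence.label}: integrity check failed, refusing to analyze")
    offsets, pos = [], evidence.image.find(keyword)
    while pos != -1:
        offsets.append(pos)
        pos = evidence.image.find(keyword, pos + 1)
    record(evidence, actor, f"searched for {keyword!r}: {len(offsets)} hit(s) at {offsets}", location)
    if not authenticate(evidence, actor, location):
        raise RuntimeError(f"{evidence.label}: image changed during analysis")
    return offsets


def demo() -> dict:
    """Run the workflow on the constructed sample, then on a one-byte-altered copy."""
    ev = acquire(io.BytesIO(SAMPLE_DRIVE), "workstation-07 image", "analyst A", "evidence locker 3")
    hits = analyze(ev, b"CONFIDENTIAL", "analyst A", "lab bench 1")
    # A copy with a single byte flipped must fail authentication against the original hash.
    tampered = Evidence(ev.label, ev.image[:30] + b"X" + ev.image[31:], ev.acquisition_hash)
    return {
        "hash": ev.acquisition_hash,
        "hits": hits,                       # [28]: offset of the keyword in the sample
        "log_entries": len(ev.custody_log), # acquire + check + search + check = 4
        "tampered_ok": authenticate(tampered, "analyst B", "lab bench 1"),
    }


if __name__ == "__main__":
    for entry in demo() and []:
        pass
    ev = acquire(io.BytesIO(SAMPLE_DRIVE), "workstation-07 image", "analyst A", "evidence locker 3")
    analyze(ev, b"CONFIDENTIAL", "analyst A", "lab bench 1")
    for entry in ev.custody_log:
        print(entry["time"], entry["actor"], "@", entry["location"], "-", entry["action"])
```

The custody log is the documentary half of the methodology: every hash value, hit list and failure is written down with an actor and location, so an attorney or a second examiner can reproduce the acquisition hash from the image and confirm nothing was touched between acquisition and analysis.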
Others offer forensics consulting or training built out of their own expertise in security and forensic incident analysis. Working with an outsourcer or service allows you to tap its experience and provides an independent source of analysis. But there is a risk.

“Unfortunately, when you start outsourcing [forensics], you really have to know the background of the people you might be outsourcing it to,” CFRDC’s Siedsma says, noting that it is extremely important to do in-depth research on potential forensics partners, especially if you’re looking to use any evidence collected in a legal case.

Changing the face of forensics

As technology becomes even more pervasive, computer forensics stands to become another piece of the corporate security plan. Although the basic methodology may not change, the tools themselves will grow more sophisticated. Still, the expanding realm of computers and other high-tech devices means the very nature of forensic investigations must expand beyond their traditional boundaries.

“There’s an electronic trail everywhere you go,” the Defense Department’s Ferguson says. “The days of the fraud investigator showing up at a site with a couple of dollies to wheel out the guy’s files are gone. The investigator needs to go in there with a pile of tapes and copy the server.”