The following is a guest post by Jonathan Care. Jonathan is a Sr. Consulting Manager inside the EMEA practice at VeriSign.

Why do we want to do a forensic investigation?
The goal of a forensic investigation is to establish certainty of fact in a particular situation, normally as part of an incident response. Therefore one chooses to perform a forensic examination when one needs to establish facts relating to activities performed on a computer. The scenario for forensic computing is usually around a litigation support case, for example, tracing fraud, unauthorised activity, illicit content perpetration, or other computer misuse.

Where are forensic investigative results commonly used?
Forensic computing reports are normally used as part of a court process, or an internal employee disciplinary event. Therefore one question that must be ascertained is where the case is likely to end up – if a criminal case, then forensic reports must establish certainty of fact beyond any reasonable doubt, whereas in a civil matter the forensic report must establish a balance of probablity that alleged activities did (or did not) occur. The burden of proof in a criminal matter is therefore a much higher hurdle to clear.

What kinds of businesses will use forensic computing?
Traditionally, forensic computing has been in use by the public sector law enforcement agencies, however it is now being seen as a mainstream activity as part of the ICT and corporate governance of commercial organisations. Where an organisation is operating in a regulated framework (for example, a financial services company), forensic computing can be seen as evidence of the duty of care required in loss management and fraud recovery. Typically, the use of forensic computing services depends on the risk appetite of the organisation, in addition to externally imposed regulation. For a company operating under the controls of PCI-DSS, forensic computing investigations can be seen as a best practice under principles 3,6, and 10. However it cannot be denied that undertaking a forensic computing investigation can be a timely, costly, and intensive process, although should the case end up in a court of law, then the omission of such an investigation can prove even more so!

Who is involved in a forensic computing investigation?
Forensic computing activities are best performed by specialist personnel – these can be either internal staff, or more commonly external experts. The use of external experts demonstrates impartiality that may not be accepted by an organisations internal employee. A recent case dismissed an internal IT manager as an “expert” due to concerns over impartiality and formal accreditation. Of course the use of external experts can add to costs, and the risk assessment must be made over potential losses in court vs. the costs of establishing a solid evidential base.

When to engage in a forensic investigation
As part of incident response planning, the organisation’s appetite to risk should be established. Strategic and tactical planning in this area is essential – during the “heat and noise of battle” when an incident is detected, it is hard to make a balanced risk based decision that is in the best interests of the business. Scenario based planning should address:

  • Where is this case likely to go? (criminal/civil court, employee tribunal, internal disciplinary, liason with security service providers e.g. Antivirus)
  • What is the estimated financial loss? While stories such as “The Cuckoo’s Egg” make interesting reading, commercial realities dictate that if the estimated financial loss is below the acceptable loss percentage, then a strategy of internal recovery – patching systems, reviewing firewall/IDS configuration, and moving on, can be appropriate. It is important to consider not only a single incident loss, but the likely annualised loss.
  • How will the case affect the organisations external reputation? Due to data protection legislation, organisations are commonly required to publically state when personal information has been disclosed as part of an incident. This can range from the “lost laptop” through to web site breaches and fraudulent insider activity. It can be argued that the engagement of external digital forensics expertise can not only have practical and immediate benefit, but can also assist in the organisations PR activitity surrounding the incident, demonstrating a concern and care for the information under their control.
  • Is the scope of the incident completely understood? In a qualitative analysis of the incident, an understanding must be gained of how much impact has occured. For example, in the “lost laptop” scenario:
  • Was the data encrypted? Bear in mind that in addition to items stored on the hard disk in a secure area such as PGP’s PGPZip or Virtual Disk) that the laptop may contain useful artefacts to an attacker in the web browser cache and history, or in email storage (for example an Outlook PST or OST file). If whole disk encryption has not been deployed, then there is a non-neglible risk of additional information security breaches.
    • Were any authentication tokens (passwords, certificates, ID keys and so on) lost?
    • Is the likely suspect known? (that is, is the suspect an internal employee/subcontractor, an external partner, or an unknown attacker from elsewhere)
    • What logging and audit measures exist for affected systems?

So, where:

  • the scope of the incident is clearly bounded
  • the external impact is low
  • the loss is below the acceptable loss ceiling
  • it is certain that the case will not progress to court

then it is safe not to progress with a full forensic investigation. However, a graded response may be of benefit. For example, where employee malfeasance is clearly indicated through other channels, a full forensic investigation of the employee’s personal computing equipment may not be carried out immediately, as HR have enough evidence to terminate the employee’s contract of employement. However, in anticipation of a future employmet tribunal, evidential images of the affected systems can be taken, and stored against the necessity of future legal activity.

In addition, where the affected equipment involves card information in the clear, that an investigation is warranted to ascertain the business processes that caused this breach of PCI-DSS standards to occur, and that an impact analysis is highly advisable.

This post originally appeared on BrandenWilliams.com.