It is almost inevitable that IT managers will be confronted at some point or other by computer crime or an IT security breach. And when that happens, it is also inevitable that the investigation of such a breach will rely on electronic evidence. But not many companies – and unfortunately not all police investigators – appreciate the need to ‘lock down’ electronic evidence from the outset to ensure its integrity.
The first step in any IT forensics investigation is to reach for the electronic equivalent of blue and white police tape to seal off the scene of the crime. Doing this requires expert knowledge and forward planning. Even a simple and understandable reaction to a security problem – such as shutting down an affected server – can erase vital evidence as the operating system clears its cache files.
“The most important step is to have an incident response plan,” says Mark Morris, head of the computer forensics department at LogicaCMG, and a former detective. “In 20 years of dealing with crime, most mistakes have been made in the first couple of hours, if not the first 10 minutes of an investigation. That is when the evidence is live and needs to be seized and locked down.” This, he cautions, applies equally to IT forensics as it does to conventional policing.
Planning is essential so that companies can act quickly to prevent intruders or insiders from erasing any evidence, and also to make sure that the right procedures are followed to gather evidence that can be used in a disciplinary hearing or even in court.
Experienced investigators caution that companies all too often fail to follow even their own internal rules when they suspect cyber crime. This can make it impossible to discipline a culprit – if suspicion lands on an employee – or even leave the business open to an expensive counter-claim.
As a result, there has been a significant growth in IT forensics training courses for internal IT staff. This is important even where a company’s cyber-crime plan involves bringing in external investigators, because measures that might otherwise be good IT practice, such as running scheduled backups, can still hinder investigations.
But according to investigators, success relies as much on knowing what to do as on knowing what not to do, and when to stand aside and call in the experts. Too often, however, organisations prefer to brush it all under the carpet rather than go to the time, trouble and expense of investigating an incident to its conclusion.