Computer forensics technology is an emerging field involving security incident and data breach investigations. The general perception is that computer forensics is a highly specialized area that businesses rarely tap into. In reality, it can be used in a wide array of circumstances -- in fact, anyone working in or around IT, legal, compliance and human resources departments can benefit from learning more about computer forensics technology and the impact that it has on the overall information risk management process.
What is computer forensics technology?
Computer forensics technology involves securing, collecting and analyzing digital evidence related to computer security incidents, data breaches and similar abuses of computer systems. Depending on the circumstances, law enforcement officers can perform the detailed technical and operational procedures associated with forensics investigations. Most computer forensics investigations require either commercial or open source software to uncover and preserve the details of what took place during the event in question.
What’s the difference between computer security and computer forensics?
There are information system controls and security assessments for those who take security seriously, and forensics tools and techniques for those who don’t. Computer security is proactive and involves the management of information risks before something happens. Computer forensics is reactive and is something you do after a breach.
The prospect of a security breach is very real, no matter how proactive you are and no matter how tightly things are locked down. Experienced compliance officers and security managers have systems for both the proactive and reactive components of managing their information systems.
How does computer forensics technology tie into incident response?
Incident response is the act of responding in a systematic and methodical way to internal and external security breaches. Forensics is a component of incident response that outlines how breach investigations are actually carried out through a number of tools and techniques.
There are various types of incidents or breaches that may warrant a computer forensics investigation, including:
- External attackers performing an SQL injection against a Web application to siphon data out of the database;
- External attackers breaking into an unsecured wireless network and gaining access to the internal network;
- Rogue employees copying sensitive information to an external hard drive to take off-site and share with a third party;
- A careless employee leaving an unencrypted laptop computer in his car, where it is then stolen.
The general assumption is that all security breaches are known and visible, but that’s not always the case. Certain controls such as activity monitoring, audit logging and password lockouts can aid in both detection and forensics investigations when a breach occurs. The important thing is to ensure that the lack of an incident response plan doesn’t leave a hole in your information risk management and compliance strategies. It’s also important to realize that certain breaches may go undetected for a period of time, especially if the proper controls are not in place up front.
Is a formal forensics analysis needed for every suspected or known security breach?
It depends. This needs to be discussed in advance by your security committee. Management, legal, IT and compliance executives need to be involved in such decisions. You may not know if a formal investigation is required until you gather more information postmortem.
Not every breach is serious. It is a good idea, however, to approach each one as though it is. You have to determine which systems were compromised, what was accessed, and whether that information is covered by laws, regulations and contracts, and if so, which ones. Regardless of what’s compromised, you’ll want to step back to determine what needs to be improved in order to prevent the same occurrence. Your business may also be bound by data breach notification laws that require you to contact everyone whose personal information was compromised, or even suspected of being compromised.
You may also determine that the incident warrants getting law enforcement involved. A good rule of thumb is to get law enforcement involved if you’re unsure. It pays to know your local law enforcement agency’s cybercrime division. Knowing an independent forensics investigator or forensics firm would also be helpful.
How do I integrate computer forensics technology with my compliance program?
Forensics is an aspect of information security, just like compliance. The two areas are intertwined and need to fall under the umbrella of your overall information risk management program. The best advice is not to go it alone. You don’t want to bear the burden of making the critical business decisions associated with compliance, forensics and information risk management all by yourself. This will come to light when something bad happens and a regulator, auditor or judge pins you down and wants to know the reasoning and business justification for why you did or did not have controls and response procedures in place.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Principle Logic LLC. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance. He's also the creator of the Security On Wheels audiobooks and blog.