Computer
Forensic Investigation Computer
Forensics Training Information
CyberTip 3:
Computer Forensics: The RISKS of Self Investigation
- Compromising Evidence
- Friendly Environment: Where are the loyalties
in your staff?
- Do those doing investigations have freedom
from retaliation?
- Who do your investigators report to?
What about Whistle Blowers? Do they have
enough "cultural” protection?
Will their office or function come under
scrutiny if they get close to an executive’s
suspicious activity?
- Litigation against “discrimination”
if done internal
- Be prepared to hire “independent”
investigators to get access to data at the “source”
if the suspect is a competitor
- Best teaming is independent legal and
investigative representation
- Balancing daily operations of staff with
overhead of an investigation
- Daily operations will suffer till investigation
completed
- Independent specialists are important in
settlements, hearings, mitigation, and trials
- Experience in testifying, expert witness
experience, ability to eloquently present facts
and defend findings without question by the
opposing party
Determining the Best Corporate
Value for Computer Forensic Investigations
- Corporate Key Result Areas vs. Outsourcing
Matrix
- Is it a core business area?
- Can you accomplish the work more affordably
and effectively then a specialized company?
- What are the sensitive business assets
that have to be protected when outsourcing
work?
- Logistics – Dedicated Forensic Systems:
safes, limited access rooms, audits, software
updates and maintenance, acquisition hardware
tools, and inventory of systems
- Examiner Recruitment - there are very few
suitable people available
- Cost - if they can be found they are usually
very expensive to employ
- Time - it takes time to recruit, hire, validate
qualifications, train, and orient
- Loss - they are easy to lose and can be poached
by competitors, incurred cost to replace
- HR – employees do not have 100% availability,
need depth--24/7/365/Holidays/Vacation
- Waste – as full-time resource, talents
will not be fully utilized due to “fire
of the day”
- Professional qualifications – will
they be proficient when the “big one”
hits or will you be advised to bring in a specialist?
Incurring double the cost of salary and specialists
fees
- Dissatisfaction - they could become bored
by the volume of repetitious work
- Questionable Loyalty - employee investigators
could be friends with their subjects
- Delay - a backlog will quickly accumulate
and internal strife between managers on IT/Security
staffing priorities may ensue
Initiating and following
through on a corporate computer forensic investigation
- Establish and Set a Methodology and Train
Staff to be Proficient 1st Responders
- Virus responses serves as good Disaster
Recovery training, however viruses are really
nuisances and not focused attacks on your
company or data
- Ensure staff trained to respond to focused
incidents
- Identify Response Team (CERT) with First
Responder Training
- Experience: Network, OS, Database, Applications,
Security, Analysts
- Be careful not to overload talented IT staff:
Don’t appoint your e-mail expert with
storage system security or your FW expert to
forensic examiners
- Ensure most IT Staff have skills to execute
“1st Responder” duties as stop-gap
for business continuity and disaster recovery
- Control the Rumor Mill: Staff members who
found the suspicious activity will want to “gossip”
or warn peers
- Do not disclose investigation till after
HR has a chance to review policies
- Teamed process: IT Security and Corporate
Security
- Other entities: HR, Accounting, Executive
Management, Public Relations
- Be prepared to notify law enforcement
- Many investigations can be kept internal
within the company and handled in civil
settlements, but be prepared when the investigation
crosses the line
- Expect some downtime during system restoration
unless “High Availability”
|
