When I tell people I work in forensics they always mention CSI: Geeks in white lab coats standing over test tubes of blood, or slides of hair, running computer programs with GUIs that look more like Avatar than Windows 7, Ubuntu, or Mac OS.
Then I explain that it’s digital forensics—that I collect information in computer chips instead of tissue samples—and they get that look like I just let them down. OK, hard drives aren’t as cool as handgun ballistics, I get that, but the process of data collection and case-building is remarkably similar whether the subject matter is Western Digital or Smith and Wesson.
Recently I wrote an , a leading network forensic website, on open source toolkits for analysts. These are computer programs that help me do my job. As I mention in the article, it’s important to plan for digital-evidence-gathering when building security systems. In hundreds of cases, network forensics has stood up to legal scrutiny as primary evidence and has put more than one black hat in jail.
Network forensics as a security layer is like adding a closed-circuit camera system to your regular home security. Your IT department has probably already installed the alarm—enabled a firewall, set alerts on suspicious activity—but a forensic appliance can record all data traffic, essentially saving a mirror image of who did what and where. The benefits of this data in the event of a breach should be obvious.
Full-content network monitoring tools are just one component of digital forensics. I could write blog posts all day on the dozens of other strategies I put to work on a regular basis. But what’s important to take away today is this: If you’re in the market for a security solution, or evaluating an incident response team, make sure you raise your hand on forensic possibilities.
Recovering successfully from a breach is definitely something to shoot for. But nothing makes executives smile, or helps build back customer confidence, more than putting the bad guys behind bars. It makes for good news headlines. Plan for it.
Ondrej Krehel, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.