Educause Security Discussion mailing list archives

Incident Response / Investigations / Digital Forensics strategy


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 7 Mar 2006 11:40:34 -0500

I have appreciated the response that I have gotten, and I am developing
a list of names of good forensic investigators (and cross-checking it
against the list developed from the NIST "CFTT" computer forensics tool
testing mailing list, which unfortunately has had rather light traffic).

But I guess what I am in need of, and think that I am close to, is a
strategy.

1) Most incidents start with events or aberrations that end users or
support people notice.

2) It becomes an incident when someone notices that a safeguard has
failed or has been circumvented.

3) More likely than not, the support person will do a little looking to
see how bad the problem is.  Most forensic investigators hate this, but
the reality of the situation is that there is a trade-off.  I can
forensically grab an image of a hard drive (memory too if I have EnCase
Enterprise) easily, if not quickly. But
  3a) It takes time, lots of time
      3a1) Some of this can be cut short by doing a forensic image and
then having a regular disk copier standing by.  Verifying the forensic
copy.
  3b) It takes storage, lots of storage, especially if you are
interrupting investigations before systems admins poke around
  3c) It takes computers/licenses to analyze the results

                       OR
  3d) It takes money, lots of money to have every incident interrupted
at this point, and then ship the forensic image off for analysis

4) Considering the impact of various Notification laws, such as
California's, New York's, and 20+ other states, consider what is now an
"investigation".  A user gets a worm or virus or spyware, the A/V can't
just be set to clean, because if the worm or virus has the capability of
sending files, or logging keystrokes, then you need to make the
determination that you reasonably believe that the information was
acquired or not acquired by an unauthorized person.  So we are starting
to work a lot of investigations.  

We are trying to look at the incident handling process, and the cost
model for investigations and determine what we need.  Any way that I
slice it, it seems that I need both in-house investigations
capabilities, and real forensics professionals standing by.  This just
seems hard, and it also seems to be hard to justify, because of the
"lots of ...".  I initially had approved $65K to establish a small
forensics lab on campus.  And I am working toward that goal, which is 2
forensic computers (incl write blockers, CRU trays, IDE/SATA/SCSI, and
USB/Firewire), ESD protection, an IDE/SATA disk duplicator, licenses for
SMART and EnCase Forensic workstation.  A pool of disks.  A dual-layer
DVD writer.  DVD media.  Secure lockers.  Etc.

A couple of things out of the list have yet to be purchased (one of the
forensic workstations, and the IDE/SATA duplicator). And although
incidents are going up, I am asked to justify the completion of the lab.
One way that I thought of doing that is to compare the cost of
forensically copying a disk, and outsourcing the investigation to doing
more in house, with the involvement of an outside forensic expert only
if there is a threat of a lawsuit.

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)



"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio
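The "verifying the forensic copy" step in item 3a1 above is the one place in this process where a script can stand in for a license. The following is an added example, not code from the post or from any of the tools it names (EnCase, SMART): it hashes the source and the image in one streaming pass with two algorithms, checks byte counts so a truncated image is caught by size as well as by digest, and returns a record suitable for an acquisition log. The sample data is constructed; the device path mentioned in the comments is hypothetical.

```python
"""Verify that a forensic image is a bit-for-bit copy of its source.

Added example (not from the mailing-list post or any vendor tool). Real use
would pass open(device, "rb") and open(image_path, "rb") to verify_image();
the device path /dev/sdX referred to below is a hypothetical placeholder.
"""
import hashlib
import io
import json
import time

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat on very large disks

# Two algorithms per pass: a mismatch would have to collide in both to be missed.
DEFAULT_ALGOS = ("md5", "sha256")


def multi_hash(stream, algos=DEFAULT_ALGOS):
    """Hash an open binary stream with several algorithms in a single read.

    Returns (digests, byte_count); the count lets a truncated image be
    reported by size, independently of the hash comparison.
    """
    hashers = {name: hashlib.new(name) for name in algos}
    total = 0
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, total


def verify_image(source, image, algos=DEFAULT_ALGOS):
    """Compare a source stream against an image stream and return a log record.

    'source' is the evidence drive behind a write blocker (hypothetically
    open("/dev/sdX", "rb")); 'image' is the acquired image file.
    'match' is True only if every digest and the byte count agree.
    """
    src_digests, src_size = multi_hash(source, algos)
    img_digests, img_size = multi_hash(image, algos)
    mismatched = [a for a in algos if src_digests[a] != img_digests[a]]
    return {
        "verified_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "algorithms": list(algos),
        "source": {"size": src_size, "digests": src_digests},
        "image": {"size": img_size, "digests": img_digests},
        "size_match": src_size == img_size,
        "mismatched_algorithms": mismatched,
        "match": src_size == img_size and not mismatched,
    }


def verify_bytes(source_bytes, image_bytes, algos=DEFAULT_ALGOS):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_image(io.BytesIO(source_bytes), io.BytesIO(image_bytes), algos)


def flip_byte(data, offset):
    """Return a copy of data with one bit flipped at offset (simulated bad sector)."""
    corrupted = bytearray(data)
    corrupted[offset] ^= 0x01
    return bytes(corrupted)


# Constructed stand-in for a small evidence drive (1.25 MB, spans two chunk reads).
SAMPLE_SOURCE = bytes(range(256)) * 5000


def demo():
    """Run the three cases a verifier must distinguish; return the log records."""
    records = {
        "good_copy": verify_bytes(SAMPLE_SOURCE, SAMPLE_SOURCE),
        "one_bit_flipped": verify_bytes(SAMPLE_SOURCE, flip_byte(SAMPLE_SOURCE, 1_100_000)),
        "truncated_image": verify_bytes(SAMPLE_SOURCE, SAMPLE_SOURCE[:-512]),
    }
    print(json.dumps(records, indent=2))
    return records


if __name__ == "__main__":
    demo()
```

The record is written so that the same digests can later be compared against a second copy made with the "regular disk copier" of item 3a1: hashing that copy with `multi_hash` and comparing it to the stored `source` digests verifies it without re-reading the evidence drive.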






-----Original Message-----
From: Chris Green [mailto:cmgreen () UAB EDU] 
Sent: Tuesday, March 07, 2006 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Digital Forensics Professional Services Costs
was [SECURITY] Use of Digital Forensics Professional Services

It's looking like our state could join the ranks of everyone else in the
notification laws. I'm looking at having in house expertise for the cases
where we need to have some reasonable knowledge if there's a disclosure
and outsourcing it if it's a high profile target or there is a good chance
that there will be legal proceedings involving the data.

On 3/6/06 2:15 PM, "James H Moore" <jhmfa () RIT EDU> wrote:

We are looking at the costs of outsourcing Digital Forensics
Professional Services, and the costs of keeping it in-house.  Also, we
are looking at determining the point where we do the transition (when it
goes from an investigation to a forensic investigation).  We haven't
done pricing, and so that is what I am looking for is information /
experiences that people have in the investigations and forensics area,
and what influenced their decisions.
-- 
Chris Green
UAB Data Security, 5-0842
