Educause Security Discussion mailing list archives
Incident Response / Investigations / Digital Forensics strategy
From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 7 Mar 2006 11:40:34 -0500
I have appreciated the response that I have gotten, and I am developing a list of names of good forensic investigators (and cross-checking it against the list developed from the NIST "CFTT" computer forensics tool testing mailing list, which unfortunately has had rather light traffic). But I guess what I am in need of, and think that I am close to, is a strategy.

1) Most incidents start with events or aberrations that end users or support people notice.

2) It becomes an incident when someone notices that a safeguard has failed or has been circumvented.

3) More likely than not, the support person will do a little looking to see how bad the problem is. Most forensic investigators hate this, but the reality of the situation is that there is a trade-off. I can forensically grab an image of a hard drive (memory too if I have EnCase Enterprise) easily, if not quickly. But

3a) It takes time, lots of time.

3a1) Some of this can be cut short by doing a forensic image and then having a regular disk copier standing by. Verifying the forensic copy.

3b) It takes storage, lots of storage, especially if you are interrupting investigations before systems admins poke around.

3c) It takes computers/licenses to analyze the results, OR

3d) It takes money, lots of money, to have every incident interrupted at this point and then ship the forensic image off for analysis.

4) Considering the impact of various notification laws, such as California's, New York's, and 20+ other states', consider what is now an "investigation". A user gets a worm or virus or spyware; the A/V can't just be set to clean, because if the worm or virus has the capability of sending files or logging keystrokes, then you need to make the determination that you reasonably believe that the information was acquired or not acquired by an unauthorized person. So we are starting to work a lot of investigations.
We are trying to look at the incident handling process and the cost model for investigations, and determine what we need. Any way that I slice it, it seems that I need both in-house investigation capabilities and real forensics professionals standing by. This just seems hard, and it also seems to be hard to justify, because of the "lots of ...".

I initially had approved $65K to establish a small forensics lab on campus. And I am working toward that goal, which is 2 forensic computers (incl. write blockers, CRU trays, IDE/SATA/SCSI, and USB/Firewire), ESD protection, an IDE/SATA disk duplicator, licenses for SMART and EnCase Forensic workstation, a pool of disks, a dual-layer DVD writer, DVD media, secure lockers, etc. A couple of things out of the list have yet to be purchased (one of the forensic workstations, and the IDE/SATA duplicator). And although incidents are going up, I am asked to justify the completion of the lab. One way that I thought of doing that is to compare the cost of forensically copying a disk and outsourcing the investigation to doing more in house, with the involvement of an outside forensic expert only if there is a threat of a lawsuit.

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio

-----Original Message-----
From: Chris Green [mailto:cmgreen () UAB EDU]
Sent: Tuesday, March 07, 2006 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Digital Forensics Professional Services Costs was [SECURITY] Use of Digital Forensics Professional Services

It's looking like our state could join the ranks of everyone else in the notification laws.
I'm looking at having in-house expertise for the cases where we need to have some reasonable knowledge if there's a disclosure, and outsourcing it if it's a high-profile target or there is a good chance that there will be legal proceedings involving the data.

On 3/6/06 2:15 PM, "James H Moore" <jhmfa () RIT EDU> wrote:
We are looking at the costs of outsourcing Digital Forensics Professional Services, and the costs of keeping it in-house. Also, we are looking at determining the point where we do the transition (when it goes from an investigation to a forensic investigation). We haven't done pricing, and so what I am looking for is information / experiences that people have in the investigations and forensics area, and what influenced their decisions.
-- Chris Green UAB Data Security, 5-0842
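The imaging step Jim describes in 3a/3a1 (take a forensic image, then verify the copy) is the one piece of the thread that is a concrete procedure. The script below is an added example, not code from the thread or from any of the tools it names: it shows the minimal block-level acquire-and-verify loop with `dd` and `sha256sum`, including the `conv=noerror,sync` handling for unreadable sectors and a check that a single altered block in the image is caught. To run offline it uses a constructed 1 MiB file as the "evidence"; on a real case the source would be a device node such as `/dev/sdb` read through a write blocker, and the hash record would go into the case file alongside the dd log.

```shell
#!/bin/sh
# Added example (not from the thread): block-level image plus hash verification.
# Assumptions: POSIX sh, dd and sha256sum from coreutils. The evidence file is
# constructed here so the script runs offline; substitute a write-blocked device.

# acquire SRC IMG : copy SRC to IMG sector by sector and record the image hash.
acquire() {
  src="$1"; img="$2"
  # bs=512 matches the sector size. conv=noerror,sync keeps reading past a bad
  # sector and pads it with zeros instead of aborting the whole image. The dd
  # log keeps the records-in/out counts, so any padding shows up there.
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log"
  sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
}

# verify SRC IMG : re-hash source and image and compare both to the recorded
# hash. Returns 0 only if all three agree; any padded or altered block fails it.
verify() {
  src="$1"; img="$2"
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  rec_hash=$(cat "$img.sha256")
  [ "$src_hash" = "$img_hash" ] && [ "$img_hash" = "$rec_hash" ]
}

# demo : build the constructed evidence, image it, verify, then damage one
# block of the image and confirm verification now fails. Returns 0 on success.
demo() {
  work=$(mktemp -d)
  # Constructed evidence: exactly 1 MiB (a whole number of 512-byte sectors),
  # deterministic content with no zero bytes.
  yes 'constructed evidence block' | head -c 1048576 > "$work/evidence.bin"

  acquire "$work/evidence.bin" "$work/evidence.dd"
  verify "$work/evidence.bin" "$work/evidence.dd" || { rm -rf "$work"; return 1; }

  # Zero 16 bytes in the image (a damaged or altered copy); the hash must change.
  dd if=/dev/zero of="$work/evidence.dd" bs=1 count=16 seek=4096 conv=notrunc 2>/dev/null
  if verify "$work/evidence.bin" "$work/evidence.dd"; then rm -rf "$work"; return 1; fi

  rm -rf "$work"
  return 0
}

demo && echo "image verified; altered copy rejected"
```

Two caveats for real media: `verify` re-reads the source, which is a second full pass over the suspect disk and can differ from the first pass on a failing drive, so acquisition tools that hash the stream while reading it avoid that; and `conv=sync` pads any unreadable sector, so a source/image hash mismatch together with a records-in/out difference in the dd log means bad sectors, not a bad copy, and the image hash in the record is then the value to cite.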
Current thread:
- Incident Response / Investigations / Digital Forensics strategy James H Moore (Mar 07)