Forensics is the first part of a good incident response plan. It is the first action item performed during the IRP once a crime or breach is detected, because evidence that is not preserved before systems are cleaned or rebuilt is gone for good. It is also the most crucial. In the last 10 years computer forensics has come a long way. New tools and techniques have been developed to help not only law enforcement but also security professionals in the private sector. Computer forensics is more than just using your troubleshooting or break-it-and-fix-it skills. It's about applying that knowledge in a methodical way: forming a hypothesis about an event and then testing it against the evidence. Maybe it's finding out how someone got a password for files they were not authorized to see, or how they wrote a script to change a time sheet remotely. Regardless of the event, there is always a need for a computer forensic professional.
There are two main areas of forensics we deal with in IT security: the network and the host. Each has its own methodologies and tools for dissecting the why and the how, and each demands its own expertise and body of knowledge. To understand how a security event happened, you first have to understand how the network or host is supposed to work; only then can you recognize what is abnormal. This is where training and experience play a crucial role in becoming a computer forensic investigator.
For over 7 years I have taught EC-Council's Certified Hacking Forensic Investigator (CHFI) course. In March of 2012 EC-Council will be releasing version 8 of CHFI. This course will bring a fresh perspective for those interested in getting into computer forensics. It will have plenty of hands-on learning as well as an introduction to a wealth of forensic tools. The major premise behind using the tools in the labs is to build a base understanding of the forensic process, which includes:
- Search and seizure
- Secure a crime scene
- Documenting the chain of custody
- Acquiring electronic evidence and secure transportation of evidence
- Examine and analyze forensic images using sound methodology
- Designing a review strategy for the e-evidence, then interpreting it and drawing inferences based on the facts it yields
- Preparing a report on your analysis and findings
- Testifying as an expert witness
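The acquisition and chain-of-custody steps above are the ones most often botched in practice, and the fix is mechanical: hash the source, image it, hash the image, record both with who/when/what, and re-hash before every examination. The following is an added example written for this post, not course material or EC-Council's tooling. It simulates a raw acquisition with a file copy (a real job reads a write-blocked device with dd or an imager) over a constructed 1 KiB "drive", appends each custody event to a JSON-lines log, and shows that a single flipped byte in the image is caught on the next verification. The case ID, examiner name and file names are placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample "evidence drive": a deterministic 1 KiB byte string standing
# in for a raw device such as /dev/sdb. Illustrative only, not a real acquisition.
SAMPLE_IMAGE = bytes(range(256)) * 4
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
CHUNK = 64 * 1024


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file through every requested digest in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def append_custody_event(log, event):
    """Append-only JSON-lines log: one custody event per line, never rewritten."""
    with open(log, "a") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")


def acquire(source, image, case_id, examiner, log):
    """Bit-for-bit copy of source to image, hash both sides, log the event.
    A mismatch means the image does not faithfully represent the source."""
    source_hashes = hash_file(source)
    shutil.copyfile(source, image)  # hypothetical stand-in for dd/FTK Imager
    image_hashes = hash_file(image)
    event = {
        "case_id": case_id,
        "event": "acquisition",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "image": str(image),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    append_custody_event(log, event)
    return event


def verify_image(image, expected_sha256, case_id, examiner, log):
    """Re-hash before analysis or after transport; record the result either way."""
    current = hash_file(image, ("sha256",))["sha256"]
    ok = current == expected_sha256
    append_custody_event(log, {
        "case_id": case_id,
        "event": "verification",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image": str(image),
        "expected_sha256": expected_sha256,
        "observed_sha256": current,
        "verified": ok,
    })
    return ok


def demo():
    """Acquire, verify, tamper with one byte, verify again; all in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, image, log = tmp / "sdb.raw", tmp / "case001.dd", tmp / "custody.jsonl"
        source.write_bytes(SAMPLE_IMAGE)
        acq = acquire(source, image, "CASE-001", "examiner-1", log)
        sha = acq["image_hashes"]["sha256"]
        intact = verify_image(image, sha, "CASE-001", "examiner-1", log)
        # Simulate an analyst mounting the image read-write and touching one byte.
        data = bytearray(image.read_bytes())
        data[100] ^= 0xFF
        image.write_bytes(bytes(data))
        still_intact = verify_image(image, sha, "CASE-001", "examiner-2", log)
        events = [json.loads(line) for line in log.read_text().splitlines()]
        return {
            "acquisition_verified": acq["verified"],
            "sha256": sha,
            "intact_before_tamper": intact,
            "intact_after_tamper": still_intact,
            "custody_events": len(events),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two digests are recorded on purpose: courts and older tools still expect MD5, while SHA-256 is what you actually rely on. The log is append-only and carries the examiner and timestamp on every line, which is exactly what a chain-of-custody form captures on paper.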
Hope to see you there.
Tom Pruett
Consultant/Instructor
CCSI, CCNA, MCSE (NT, 2000, 2003), MCITP SQL 2005, MCDBA SQL 7 & 2000, MCP+I, MCT, CTT+, CISSP, CWNA, CEI, CEH, CHFI, A+, Network+, Security+