Extreme Lessons In Computer Forensics
How should security pros go about preserving cyber-forensic evidence? The recent involvement of the security practice director at Extreme Logic as an expert witness in a computer forensics investigation holds some lessons.
Tari Schreider of Extreme Logic, the e-business services firm that designs secure applications for the Global 1000, was involved in an investigation into how a hacker stole confidential files from inside a large non-profit association with several million members. The name of the organization has not been disclosed.
The organization had an IT staff of 75 and ran Unix and Windows 2000, the latter installed on more than 1,000 desktops. It also had a member portal and was deploying Web applications.
The organization started experiencing abnormal events in its operations, such as local drive files disappearing and then reappearing, and a system administrator's profile appearing on another administrator's workstation.
The first pass over the systems showed little, but when deleted files were examined the trail began to emerge. Evidence was found of personal and business files, including email messages, taken off other workstations, and of confidential documents sent outside the organization. Two suspects were eventually identified, both system administrators.
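The difference between that first pass and the second one is worth seeing concretely. The following is an added example written for this page, not the investigator's tooling or anything Extreme Logic used: it constructs a toy six-sector "disk image" in which one file's directory entry has been marked deleted and another's has been overwritten entirely, lists what a directory walk would show, then runs a header/footer carver over the unallocated sectors and recovers both files. The image is hashed before and after so the analysis is provably read-only. The sector layout, directory format, file names and file contents are all constructed for the example; only the PDF and JPEG header/footer signatures are real.

```python
import hashlib

SECTOR = 512
DIR_SECTOR = 0  # sector 0 holds the toy directory

# Carving signatures (header, footer). %PDF-/%%EOF and the JPEG SOI/EOI
# markers are real; they are the same pairs common file carvers ship with.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample contents (not real documents).
LEAKED_PDF = b"%PDF-1.4\n1 0 obj << /Title (Member roster - CONFIDENTIAL) >> endobj\n%%EOF"
PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 ... photo payload ...\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed 6-sector 'disk image'; not a real filesystem.

    Toy directory format, one ASCII line per entry: "name start_sector count".
    A deleted entry keeps its line but its first byte is replaced by '~'
    (the way FAT overwrites it with 0xE5); its data sector is not wiped.
    """
    sectors = [bytearray(SECTOR) for _ in range(6)]
    memo = b"Meeting moved to 3pm.\n"
    sectors[1][:len(memo)] = memo               # live file memo.txt
    sectors[2][:len(LEAKED_PDF)] = LEAKED_PDF   # deleted roster.pdf, data intact
    sectors[4][:len(PHOTO)] = PHOTO             # entry overwritten, data still there
    directory = b"memo.txt 1 1\n~oster.pdf 2 1\n"
    sectors[0][:len(directory)] = directory
    return bytes(b"".join(sectors))


def parse_directory(image: bytes):
    """Return (live, deleted) entries as (name, start_sector, count) tuples."""
    live, deleted = [], []
    for line in image[:SECTOR].rstrip(b"\x00").split(b"\n"):
        if not line.strip():
            continue
        name, start, count = line.split()
        entry = (name.decode(), int(start), int(count))
        (deleted if name.startswith(b"~") else live).append(entry)
    return live, deleted


def unallocated_sectors(image: bytes) -> list:
    """Sectors no live directory entry points at: where deleted data survives."""
    live, _ = parse_directory(image)
    used = {DIR_SECTOR}
    for _, start, count in live:
        used.update(range(start, start + count))
    return [s for s in range(len(image) // SECTOR) if s not in used]


def carve(image: bytes) -> list:
    """Header/footer carve over each contiguous run of unallocated space.

    Returns (kind, byte_offset, data) tuples. The image is only read; nothing
    is written back, which is the point when the image is evidence.
    """
    runs, run = [], []
    for s in unallocated_sectors(image):
        if run and s != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(s)
    if run:
        runs.append(run)

    found = []
    for run in runs:
        base = run[0] * SECTOR
        data = image[base:(run[-1] + 1) * SECTOR]
        for kind, (head, foot) in SIGNATURES.items():
            pos = 0
            while (h := data.find(head, pos)) != -1:
                f = data.find(foot, h + len(head))
                if f == -1:
                    break
                end = f + len(foot)
                found.append((kind, base + h, data[h:end]))
                pos = end
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def examine(image: bytes) -> dict:
    """First pass (directory listing) then second pass (carving), with the
    evidence hash taken before and after to document that it was unchanged."""
    before = sha256_hex(image)
    live, deleted = parse_directory(image)
    carved = carve(image)
    after = sha256_hex(image)
    return {
        "sha256": before,
        "unchanged": before == after,
        "live": [n for n, _, _ in live],
        "deleted_entries": [n for n, _, _ in deleted],
        "carved": [(k, off, len(d)) for k, off, d in carved],
    }


if __name__ == "__main__":
    print(examine(build_sample_image()))
```

The directory listing shows only memo.txt and a half-named deleted entry; carving the free sectors brings back the full PDF and a JPEG that no directory entry mentions at all. On a real case the same two passes are run against a write-blocked, hashed acquisition with tools such as The Sleuth Kit or foremost, and the recorded hash is what lets the image be presented later as the same evidence that was collected.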
When interviewed, both suspects at first denied any wrongdoing. It later became evident that they had acted independently of one another, in separate crimes. Both were fired as a result of the investigation.
Schreider recommends that companies do the following to preserve cyber forensic evidence: