The recent involvement of the security practice director at Extreme Logic as an expert witness in a computer forensics investigation holds lessons for security professionals in how to preserve cyber-forensic evidence.

Tari Schreider of Extreme Logic, the e-business services firm that designs secure applications for the Global 1000, was involved in an investigation into how a hacker stole confidential files from inside a large non-profit association with several million members. The name of the organization has not been disclosed.

The organization had an IT staff of 75 using Unix and Windows 2000 installed on more than 1,000 desktops. They also had a member portal and were deploying Web applications.

The organization started experiencing abnormal events in its operations, such as local drive files disappearing and then reappearing, and a system administrator's profile appearing on another administrator's workstation.

Extreme Logic was hired to find out whether a hacker was causing the problems. Everyone was treated as a potential suspect, and the IT manager was given a code word he could use to establish a chain of trusted persons in the organization. Only six people knew about the project. The group established proper forensic procedures based on the principles of the International Organization on Computer Evidence (IOCE) in order to preserve evidence. The IT manager made images of the suspect hard drives and shipped them to Extreme Logic for analysis.

The first pass showed little, but when deleted files were examined the trail began to be uncovered. Evidence was found of personal and business files, including email messages, taken from other workstations, and of confidential documents that had been sent outside the organization. Two suspects were eventually identified, both system administrators.

When interviews were conducted, the suspects first denied doing anything wrong. Later it became evident that the suspects acted independently of one another, in separate acts of cyber crime. The suspects were fired as a result of the investigation.

Schreider recommends that companies do the following to preserve cyber forensic evidence:

  • Create a forensics readiness procedure and develop a plan to identify, collect, preserve, analyze and present digital information.
  • Make an exact copy of a computer system immediately after an intrusion, using a bit-for-bit imaging tool that does not update file system metadata (such as access times) on the source.
  • Establish policies for how to respond to a threat and whether to prosecute.
  • Be aware that your company may face legal liabilities if you are not able to respond in an appropriate way to an information security incident.
  • Use background checks when hiring.
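The second recommendation, imaging a machine without disturbing the original, is the step in the case above that the IT manager performed before shipping drives for analysis. The script below is an added example, not code from the article or from Extreme Logic, of how that acquisition is usually done from a shell: copy the source bit for bit with dd, hash the source and the image, record both hashes in an acquisition log, and provide a function that re-checks the image against the log later. The function names (image_and_verify, verify_image, hash_file) and the log format are this example's own; it assumes a POSIX shell with dd, awk and either sha256sum (GNU coreutils) or shasum (BSD/macOS).

```bash
#!/bin/sh
# Added example (not from the original article): forensic acquisition of a
# source device or file with dd, plus hash logging and later verification.
# Against a real device run as root with the source attached read-only and
# NOT mounted; the source is only ever opened for reading here.

# hash_file PATH -> prints the SHA-256 of PATH.
# Uses GNU sha256sum when present, otherwise shasum (BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_and_verify SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector. conv=noerror keeps going past
# unreadable sectors and conv=sync pads each such sector with zeros, so every
# byte in the image stays at the same offset as on the source. bs=512 is used
# deliberately: with a larger block size the zero padding of a short final
# read would change the image size and break the hash comparison.
# Appends a timestamped record of both hashes to LOG and returns 0 only if
# the source and image hashes match.
image_and_verify() {
    src="$1"; img="$2"; log="$3"

    # Hash the source before anything else touches it.
    src_hash=$(hash_file "$src") || return 1

    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1

    img_hash=$(hash_file "$img") || return 1

    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src  sha256=$src_hash"
        echo "image:  $img  sha256=$img_hash"
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the most recent hash recorded for it in
# LOG; returns 0 if they match, 1 if the image changed or was never logged.
verify_image() {
    img="$1"; log="$2"

    recorded=$(awk -v p="$img" '$1 == "image:" && $2 == p { h = $3 } END { print h }' "$log" \
               | sed 's/^sha256=//')
    [ -n "$recorded" ] || return 1

    [ "$(hash_file "$img")" = "$recorded" ]
}

# Usage (on a real case, as root):
#   image_and_verify /dev/sdb /evidence/case42-sdb.dd /evidence/case42-acquisition.log
#   verify_image /evidence/case42-sdb.dd /evidence/case42-acquisition.log
```

Two caveats worth knowing before relying on this. First, if the source is a plain file rather than a whole device and its length is not a multiple of 512 bytes, conv=sync pads the final partial sector, so the image is longer than the source and image_and_verify reports a mismatch even though nothing went wrong; for whole devices the size is always a whole number of sectors. Second, a hardware write blocker (or at minimum a read-only mount of nothing and a read-only block device) is what keeps the first bullet honest in practice: dd itself never writes to if=, but an operating system that auto-mounts the evidence drive will.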