Security Laboratory


The Changing Face of Digital Forensics


By Stephen Northcutt
Rob Lee[1] recently sent us a tool review article[2] describing something he has discussed in his class, SEC 508, System Forensics, Investigation and Response,[3] for several years now: the cutting-edge digital forensic tools are no longer being created and driven by law enforcement, but by private companies that need them for regulatory compliance and incident management. According to Peter Stephenson[4] of SC Magazine,[5] "We also found that law enforcement no longer is the force behind forensic tool development. Rather, corporate needs driven by regulatory necessity and incident management are beginning to call the shots in the forensic arena."

The rules and case precedent that apply when computer forensics is performed for regulatory reasons differ from those that apply to a purely law enforcement investigation. In Rob's opinion, this trend will continue, because organizations that must comply with HIPAA, SOX, and even state breach reporting laws now need to perform forensics to follow through on those regulatory demands. Although it is starting to show its age, the CAIS article Electronic Evidence and Computer Forensics[6] helps lay out these issues. Another fine article that illustrates the changes in the field of forensics is Digital Forensics Tools: The Next Generation.[7]

This also explains why so many private companies send their employees to the SANS SEC 508, System Forensics, Investigation and Response[8] training course: we teach a neutral approach to running an investigation. In a nutshell, the course covers file system structures, MAC times, and forensic auditing, and its content and difficulty advance rapidly. Students learn more than how to use a tool; they learn to show how the tool recovers data, to find the smoking gun, and to present their findings in a format that others can readily understand. Students learn how and when to use tools such as The Sleuth Kit, the Autopsy Forensic Browser, and the Windows Forensic Toolchest (WFT), and then move quickly on to advanced digital forensic and incident response topics and techniques. They also spend time discussing and contrasting the constraints of a law enforcement investigation with those of a corporate investigation.
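As an added illustration of the MAC-time work mentioned above (this is example code written for this page, not material from the SANS course or from The Sleuth Kit itself), the following script builds a mactime-style timeline from Sleuth Kit "body file" lines. It assumes the TSK 3.x body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 meaning "not set"); the four sample lines are constructed for the example and do not come from any real image.

```python
"""Build a MAC-time timeline from Sleuth Kit "body file" lines.

Added example, not code from the SANS course or from The Sleuth Kit.
Body format assumed here is the TSK 3.x mactime format:
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds; 0 means "not set".
"""
from datetime import datetime, timezone

# Constructed sample body lines (not from a real case). Assumption: what
# `fls -r -m / image.dd` might emit for a small Linux image; values are made up.
SAMPLE_BODY = """\
0|/etc/passwd|131|r/rrw-r--r--|0|0|1832|1700000100|1699990000|1699990000|1699990000
0|/tmp/.x|4711|r/rrwxr-xr-x|1000|1000|8192|1700000500|1700000400|1700000400|1700000400
0|/var/log/auth.log|2048|r/rrw-r-----|0|4|65536|1700000600|1700000550|1700000550|1699000000
0|/home/bob/.bash_history|3099|r/rrw-------|1000|1000|0|1700000700|1700000650|1700000650|1699500000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# Letters used in the mactime-style "macb" flag column, in column order.
FLAG_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """Parse body-file text into dicts; skip blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        row["size"] = int(row["size"])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Return (epoch, macb_flags, name, size) tuples sorted by time.

    As mactime does, emit one event per distinct timestamp per file; when
    several of a file's timestamps coincide they collapse into one event
    carrying several flag letters (e.g. "m.cb" for a freshly created file).
    """
    events = []
    for row in rows:
        by_time = {}
        for field, letter in FLAG_ORDER:
            ts = row[field]
            if ts == 0:  # unset timestamp (e.g. no crtime on ext3)
                continue
            by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            flags = "".join(l if l in letters else "." for _, l in FLAG_ORDER)
            events.append((ts, flags, row["name"], row["size"]))
    # Sort by time, then name, so the output order is deterministic.
    events.sort(key=lambda e: (e[0], e[2]))
    return events


def format_timeline(events):
    """Render events as UTC lines in the spirit of mactime output."""
    lines = []
    for ts, flags, name, size in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {flags} {size:>8} {name}")
    return "\n".join(lines)


def files_modified_between(events, start, end):
    """Names of files whose content was modified ('m' flag) in [start, end]."""
    return sorted({name for ts, flags, name, _ in events
                   if start <= ts <= end and "m" in flags})


if __name__ == "__main__":
    timeline = build_timeline(parse_body(SAMPLE_BODY))
    print(format_timeline(timeline))
    print("modified in window:", files_modified_between(timeline, 1700000300, 1700000700))
```

The timeline is where the "smoking gun" usually surfaces: sorting every file's m/a/c/b events onto one clock makes it obvious that, in the constructed sample, /tmp/.x was created, then auth.log and bob's shell history were modified minutes later. Note the caveat a practitioner would add: atime is easily disturbed (by backups, antivirus, or the examiner) and ctime cannot be set from user space, so each column deserves a different level of trust.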

Finally, this serves as another example of the increase in role-based tasking, training, and certification. Since computer forensics is changing rapidly, for the reasons discussed above, a basic understanding of EnCase is no longer enough. Medium-to-large organizations now have a forensics role with significant responsibility for both compliance and incident response. This is a specialist position, so it is small wonder that companies do not simply send employees to training but also require them to earn a technical certification such as the GIAC GCFA[9] to prove they can really do system forensics; the stakes are too high to get it wrong.

1. http://www.sans.org/training/instructors.php#Lee
2. http://www.scmagazine.com/uk/grouptest/details/e7d1bb8e-fc93-2f33-0bb1-49fb952f6f78/forensic-tools-2007/
3. http://www.sans.org/training/description.php?tid=677
4. http://www.peltierassociates.com/peters.htm
5. http://www.scmagazine.com/uk/
6. http://cais.isworld.org/articles/12-27/article.pdf
7. http://www.cs.uno.edu/~golden/Stuff/ideagroup2006.pdf
8. See Reference 3 above
9. http://www.giac.org/certifications/security/gcfa.php