Getting to grips with blended forensics

How to combine forensic IT investigations with physical inquiries and evidence gathering.


Not long ago, the legal department at a financial services company in New York got a phone call from a hospital in London.

The query: Why are you hacking us? With two known IP addresses, it wasn't difficult for the financial firm's information security staff to go back through the logs looking for traffic between the two organizations.

And with the traffic identified, locating the computer from which the hacks were taking place didn't take long, either. The culprit: an individual who, as their human resources records soon confirmed, had formerly worked at that very hospital.

Ah, the good old days. As investigations go, says Winn Schwartau, founder of security awareness certification company SCIPP International and an information security expert who has testified before the US Congress, the hospital hack was an increasingly rare example of a fast-dying breed: a pure infosec forensic investigation, carried out digitally.

Of course, apprehending the suspect in such a case, or seizing physical evidence, requires a whole new dimension. And that's why CSOs and CISOs increasingly report that purely "computer" investigations, like the hospital hack, are a thing of the past, as are purely "physical" investigations.

Pretty much every significant investigation these days includes elements of both, whether the case at hand requires face-to-face interviews, forensic accounting, e-mail discovery and review, computer and network forensics, cell phone records, video surveillance analytics, access-card logs, inventory audits or all that and more.

So in such an environment, how can CSOs and CISOs staff, train and prepare for such "blended" forensic investigations to be effective? What are the areas to concentrate on, and where do the pitfalls lie? And how, in short, can security navigate this blended investigative world?

Blended Investigations: Together Is Better

"No matter how good the forensic investigation is at the IT level, there's always going to be a physical investigation: targeted interviews, building-access logs and so on," says Robert Huff, a former FBI agent and now managing director and global leader for corporate investigative services at Aon Consulting. "Almost always, computer forensics needs to be supplemented by physical inquiries."

Likewise from the other side of the fence, adds Chris Boyd, head of forensic operations at the UK-based Detica Forensics, and a former police specialist. "The physical world is going digital," he asserts. "Access logs aren't sheets of paper but digital records, and even CCTV footage is moving from VHS video tapes to hard drives.

"It used to be that IT forensics supported the physical investigation, and although there's still a place for both types of investigation, it's now the physical investigation supporting the IT one in many cases."

And in this dual "blended" world, says William Pelgrin, director of the New York state office of cyber security and critical infrastructure coordination, one thing is clear: The era of the blended investigation is not without its advantages.

For in reality, he points out, infosec investigators have long had to bear in mind that there might be a physical dimension to the investigation at hand, and likewise physical investigators.

"Trying to look at things one-dimensionally tended to introduce artificial constraints," he argues. "It was always a smart move to ask if there was a physical component to a cyber attack, and vice versa. Yes, there are pure cyber incidents, and there are purely physical incidents, but it's wrong to assume that's what they are without exploring the possibility that they might not be. You have to look at things from different angles to get the complete picture."

And the importance of this recognition, he stresses, isn't just that more bad guys get caught. Instead, it's that with the need to be multidimensional out in the open, investigations can appropriately "tool up" from the start.

"In today's world of investigations, you can't do, or be, everything, so you bring in the skills and competencies that you need, as and when you need them," explains Pelgrin.

But which precise skills and competencies? The first few minutes of an investigation are when it's most critical to get things right, and it's here that appropriate training is often required, says David Brown, managing consultant for security advisory services at consultants Forsythe Solutions Group.

"The first few minutes of the initial reaction tend to set the stage for the rest of the investigation, and it's during those first few minutes that it's vital that the physical guys understand the requirements of the IT team, and vice versa," he emphasizes. "There's a balance to be drawn between incident mitigation and preservation of evidence, and that balance often depends on the organization in question, but each team needs to know which actions will help the other team, and which will hinder them."
