    Forensic specialists of the IT world
    Author: Mark Edmead
    [ 2004-06-17 18:23 ]

    My favorite TV shows and books are detective mysteries. When I started in the information security business, I was immediately exposed to the "investigative" side of IT security. In my last article, I wrote about incident handling -- what you should do if there's a security breach. In many instances, part of that process involves collecting and preserving the evidence found during an incident. But the exciting part (at least for me) is when I'm asked to investigate the incident to try to determine the extent of the damage and trace the incident back to the source.

    A computer forensic investigation is the term used to describe the detailed examination of the event. If the security incident in question is, for instance, a hacker attack (and subsequent unauthorized access to your network), it might be part of your incident handling response to collect all of the evidence possible on this break-in so that it can be used to prosecute the intruder. Many organizations use a data forensics specialist. That person's job is to review the case by first identifying, processing, analyzing and finally reporting the findings to management or the authorities.

    The following steps are involved in the data forensics investigation process:

    1. Acquiring the evidence -- The first step is to determine the appropriate evidence to collect, which could be in the form of data on hard drives or perhaps hard-copy evidence. Because evidence can be subject to modification, it must be handled and controlled carefully. The term "chain of evidence" is used to describe the steps taken when handling evidence. You must document the following:

      a. The location of the evidence
      b. The time it was obtained
      c. The names of those who discovered the evidence
      d. The names of those who secured the evidence
      e. The names of those who controlled or possessed the evidence
    2. Examining the evidence -- This involves examining the computer media. One important point is that the integrity of the media must be maintained at all times. Any output generated from the examination must be clearly marked and controlled.
    3. Presenting evidence -- Present the relevant findings to be used by prosecutors.

    When using evidence in a prosecution, the evidence must meet the following requirements:

    • It must be relevant -- The evidence must clearly show that it is related to the crime committed.
    • It must be permissible by law -- The evidence was obtained in a lawful manner.
    • The evidence must be reliable -- The evidence must not have been tampered with or altered in any way. (That's why we need the chain of evidence.)
    • The evidence must be identified without changing or damaging it.
    • The evidence must be preserved without possibility of damage or destruction.
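    The chain-of-evidence items (a) to (e) from step 1 and the reliability requirement above, as an added Python example that is not part of the original article: each custody entry records location, time and the people involved together with a SHA-256 fingerprint of the evidence image, and every hand-off re-hashes the media so that any alteration is detected and logged. The case identifier, names and image bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence image; any alteration changes this value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One chain-of-evidence record: items (a) to (e) above, plus the media hash."""
    location: str
    time_utc: str
    discovered_by: str
    secured_by: str
    controlled_by: str
    sha256: str
    note: str = ""


@dataclass
class ChainOfEvidence:
    case_id: str  # hypothetical case identifier assigned by the investigator
    entries: list = field(default_factory=list)

    def acquire(self, image, location, discovered_by, secured_by, controlled_by):
        """Step 1: record where, when and by whom the evidence was taken."""
        entry = CustodyEntry(location, datetime.now(timezone.utc).isoformat(),
                             discovered_by, secured_by, controlled_by,
                             sha256_hex(image), "acquired")
        self.entries.append(entry)
        return entry

    def verify(self, image):
        """Reliability: the media must still hash to the value recorded at acquisition."""
        return bool(self.entries) and sha256_hex(image) == self.entries[0].sha256

    def transfer(self, image, new_controller):
        """Hand over to a new custodian, re-hashing so tampering is caught and logged."""
        first, ok = self.entries[0], self.verify(image)
        self.entries.append(CustodyEntry(
            first.location, datetime.now(timezone.utc).isoformat(), first.discovered_by,
            first.secured_by, new_controller, sha256_hex(image),
            "transfer ok" if ok else "HASH MISMATCH"))
        return ok
```

A mismatch entry is deliberately appended rather than discarded, since the log must also record that the integrity check failed and under whose control it did.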

    The bottom line when conducting a forensic investigation: document, document, document. And be sure to follow the legal procedures for collecting evidence. If the proper steps aren't followed, it is possible for the attacker to go free on a legal technicality. Before conducting an investigation, consult with management and/or legal authorities to make sure you are in compliance with the rules and regulations.

    About the author
    Mark Edmead CISSP, SSCP, is president of MTE Software, Inc. and has more than 22 years of experience in software development, product development and network systems security. He is also co-author of the book Windows NT: Performance, Monitoring and Tuning published by McMillan Press. In addition, he has written numerous articles for technical publications and is currently writing a book on Internet security certifications.
