Security incidents and cyber crimes often call for in-depth investigation which most companies do not pursue (mostly due to lack of capabilities). This is where Syntel, a leading IT and knowledge process outsourcing company, has recently acquired disk forensic capabilities to get an extra edge for incident investigation.
Disk forensics can be seen as a small subsection of computer forensic capabilities, which allows the analysis of all parts of a disk for gathering digital evidence to help in investigating an incident. Sandeep Godbole, the senior manager of information security for Syntel, explains that disk forensics provides the ability to gather digital evidence (from storage devices and disks) that can be presented in a court of law. These can be hard disks, CD-ROMs or external hard disks. Syntel serves many sensitive industries, including BFSI and healthcare. Hence information security assumes the utmost priority for the company.
The main reason behind acquiring disk forensic capabilities was to develop a scientific approach for investigating security incidents. "We have tried to be more proactive in developing disk forensic capabilities so as to build additional confidence among customers. They will be aware that the company is geared with the requisite tools for investigation in case of a security incident," says Godbole. Although Syntel could have opted for disk forensic capabilities as a service, it didn't want to depend on external parties, primarily for reasons of flexibility and privacy.
Enterprises often feel that expertise in disk forensics is only required by law enforcing agencies or in the case of very serious crimes, but Godbole says that this tool can offer much more than criminal investigation. It can also help enterprises to maintain compliance levels. Such disk forensics tools can actually give evidence that corroborate non-compliance. For example, there's a mandate on the kind of content a user can access on the Internet, so certain pointers like proxy logs can help indicate non-compliance, if any. The strongest evidence in such cases appears when one is able to trace certain activity on the client hard disks of the person (to whom the asset has been assigned).
Syntel's process of acquiring the competence began around the end of 2008, when the company started looking for a disk forensics solution. The main criteria involved accuracy in collecting credible evidence, a simple user interface, availability of a macro tool which to help log monitoring, and ability to take a hash value of images. After evaluating some free as well as proprietary solutions, Syntel decided to go in for Guidance Software's EnCase application. This tool also helps to recover deleted content from the disk in the event of fraud or a security incident.
A disk stores a lot of data that users are not actually aware of. For instance, a disk will have the file system, boot information and other temporary storage, which will not be apparent on the application layer. Disk forensics helps the IT team to analyze all sectors of the disk for investigating an incident.
The content is recovered by a process called imaging, which creates an exact duplicate of the original evidential media. This is usually done at the sector level, making a bit-stream copy (rather than duplicating the file system) of every part of the user-accessible areas of the hard drive which can physically store data. A hardware write-block device is also used to prevent tampering and damage of a drive's content; this device fits between a computer and a hard drive.
Godbole has trained five of his team members in usage of the disk forensics tool. The core skills required to operate such tools include knowledge of the OS, file system and registry. The person must have thorough understanding of disk geometry, that is, the knowledge of different sectors of the disk. According to Godbole, the only challenge they faced in deploying the disk forensic tool was that the solution was ahead of its time. Not many organizations have developed such abilities.
After developing its disk forensic capabilities, Syntel's security team feels more confident and capable of investigating security and fraud incidents. Use of disk forensics has also helped Syntel develop new skillsets among employees, as well as increase customer confidence.