More than 70% of UK homes have a computer, with over 93% connected to always-on broadband. In the majority of criminal and corporate cases, somewhere in the background a computer, PDA or cell phone may be lurking - hence the case for computer forensics, writes Prof John Walker, member of ISACA Security Advisory Group and CTO of Secure-Bastion.
No matter whether SME or corporate, there is no doubt that, with the array of free and at-cost systems capabilities and tools available, organisations with internal technological capabilities can maintain a computer forensics capability to respond to incidents and to any requirement for the collection and analysis of artefacts. This complex capability is in two parts, of which the technological aspect amounts to the lesser of the evils. The question is: if the results of a case, the artefact(s) or the applied processes were subjected to test or challenge, seeking to validate the scientific approach, would they meet the expectations of evidentiary reliability? Where analysis has been conducted, would the processes meet the necessary quality expectations of ISO/IEC 17025:2005 and ISO 9000? And would the processes, procedures and associated disciplines be robust enough to satisfactorily counter any challenge?
By its nature, computer forensics depends heavily on technical capabilities, tools and snazzy technological prowess. But this is a game of two halves, with the most critical components being the applied rigour of process, the applied disciplines, and the documentation used to underpin such activity. Any weakness, gap or break in the chain could result in those impressive skills employed to react to an incident being entirely wasted. A disc image obtained outside of a rigorous process may not be a completely wasted effort, because it may still serve as a high-cost backup; but would it represent a reliable, robust forensic artefact? Possibly not.
Based on experience and case history, it has been demonstrated continually that it is absolutely essential for a computer forensics policy that an operational first responder documentation set exists. Agreed, having in-house forensic tools and applications is a must, but the most important part is to apply rigour, then process, finishing off with, yes, you guessed it, process.
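What "rigour, then process" looks like at the level of the artefact itself is easy to show in code. The block below is an added example written for this page, not code from the article or from Secure-Bastion: it records a SHA-256 of the acquired image, keeps a chain-of-custody log in which every entry commits to the digest of the entry before it, and then demonstrates the two breaks the article warns about, an image altered after acquisition and a log entry rewritten after the fact. The image is a constructed byte string written to a temporary file, examiners are plain names, and the JSON log format is an assumption; the article prescribes none of these.

```python
"""Integrity and chain-of-custody record for a disc image.

Added example, not the article's or Secure-Bastion's code. Assumes the image
is a regular file and examiners are free-text names; the log format below is
this example's own choice.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # the first entry links to an all-zero "previous" digest


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so images larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_digest(entry):
    """SHA-256 over the canonical JSON of the entry, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append_event(log, action, examiner, image_hash, note=""):
    """Append a custody event whose digest covers the previous entry's digest,
    so editing or removing any earlier entry breaks every later link."""
    prev = log[-1]["entry_digest"] if log else GENESIS
    entry = {
        "seq": len(log),
        "action": action,
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image_sha256": image_hash,
        "note": note,
        "prev_digest": prev,
    }
    entry["entry_digest"] = _entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return (ok, first_bad_seq). Checks each entry's own digest and its link
    to the previous entry; a clean log returns (True, None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev_digest"] != prev
                or entry["entry_digest"] != _entry_digest(entry)):
            return False, i
        prev = entry["entry_digest"]
    return True, None


def verify_image(path, log):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    acquisition = next(e for e in log if e["action"] == "acquire")
    return sha256_file(path) == acquisition["image_sha256"]


def demo():
    """Constructed walk-through: acquire, transfer, verify, then break things."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:  # constructed sample image, not real evidence
            f.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
        log = []
        h = sha256_file(img)
        append_event(log, "acquire", "Examiner A", h, "write-blocked copy")
        append_event(log, "transfer", "Examiner B", h, "handed to lab")
        results = {"log_ok": verify_log(log)[0], "image_ok": verify_image(img, log)}

        # Failure mode 1: the image is modified after acquisition.
        with open(img, "ab") as f:
            f.write(b"!")
        results["image_after_change"] = verify_image(img, log)

        # Failure mode 2: an earlier log entry is rewritten after the fact.
        log[0]["note"] = "no write blocker used"
        results["log_after_tamper"] = verify_log(log)
        return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The linked digests do not replace signed or externally witnessed records; they only make an unrecorded edit to the log detectable by anyone re-running `verify_log`, which is the kind of check a challenge to the process would ask for.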