Investigations: Merge Ahead

In the enterprise setting, there's no such thing as a digital investigation. Or a physical one. Searching for clues and resolutions requires a blend of disciplines governed by a flexible forensic mind-set.

September 10, 2008 — CSO — Not long ago, the legal department at a financial services company in New York got a phone call from a hospital in London. The query: Why are you hacking us? With two known IP addresses, it wasn't difficult for the financial firm's information security staff to go back through the logs looking for traffic between the two organizations. And with the traffic identified, locating the computer from which the hacks were taking place didn't take long, either. The culprit: an individual who—as their human resources records soon confirmed—had formerly worked at that very hospital.

Ah, the good old days. As investigations go, says Winn Schwartau, founder of security awareness certification company SCIPP International and an information security expert who has testified before Congress, the hospital hack was an increasingly rare example of a fast-dying breed: a pure infosec forensic investigation, carried out digitally.

Of course, apprehending the suspect in such a case, or seizing physical evidence, requires a whole new dimension. And that's why CSOs and CISOs increasingly report that purely "computer" investigations, like the hospital hack, are a thing of the past—as are purely "physical" investigations. Pretty much every significant investigation these days now includes elements of both, whether the case at hand requires face-to-face interviews, forensic accounting, e-mail discovery and review, computer and network forensics, cell phone records, video surveillance analytics, access-card logs, inventory audits or all that and more. So in such an environment, how can CSOs and CISOs staff, train and prepare for such "blended" forensic investigations to be effective? What are the areas to concentrate on, and where do the pitfalls lie? And how, in short, can security navigate this blended investigative world?

Blended Investigations: Together Is Better
"No matter how good the forensic investigation is at the IT level, there's always going to be a physical investigation—targeted interviews, building-access logs and so on," says Robert Huff, a former FBI agent and now managing director and global leader for corporate investigative services at Aon Consulting, headquartered in Chicago. "Almost always, computer forensics need to be supplemented by physical inquiries."

Likewise from the other side of the fence, adds Chris Boyd, head of forensic operations at Horley, U.K.-based Detica Forensics, and a former police specialist. "The physical world is going digital," he asserts. "Access logs aren't sheets of paper, but digital records and even CCTV footage are moving from VHS video tapes to hard drives. It used to be that IT forensics supported the physical investigation—and although there's still a place for both types of investigation, it's now the physical investigation supporting the IT one in many cases."