A remote forensic solution has many benefits, as long as it does not compromise security or business operations, says Andrew Sheldon.
The number of investigations requiring a digital forensic responsecontinues to grow, driven by a dramatic rise in the number of internaland external threats.
The key to successful forensic intervention is a combination ofspecialist skills and speed of response. No matter if the incident isdesktop abuse, eDisclosure, theft of intellectual property or hacking,you need to protect the evidence and get forensic investigation skillson site quickly.
In organisations with multiple geographic risk locations, thetraditional approach has been to send a specialist from a centralforensic team - a time-consuming and costly process. Alternatively, theevidential items are shipped to a forensic facility - a process fraughtwith security and evidential continuity issues.
Existing solutions tend to access targeted systems via the corporatenetwork. This means there must be connectivity to the suspect machines,which usually involves installing a "client" application on everymachine first. Alternatively, some systems allow a server to push aclient to the suspect machine remotely.
Imaging a remote disk over a network can be done - but at what cost tonetwork performance? It is for this reason that most large-scaleenterprises still prefer to mobilise a forensics team to the site of anincident, even though this is a costly and time-consuming procedure. Aviable remote forensics solution should avoid this.
In order for organisations with a dispersed IT population to reactfaster and smarter to digital incidents within a forensically soundenvironment, the skills and technologies need to be located where therisks are. This means each risk site needs to either have the skills andequipment on-site or they need the ability for the central forensicskills to reach and use forensic tools via a network.
Remote forensic solutions should therefore obey a number of basicprinciples:
1. You shouldn't need to learn a new forensic package to respondremotely. An ideal solution should allow you to remotely deploy any ofthe tools your forensic specialists are familiar with.
2. A viable solution should enable response to both networked andnon-networked digital media - an urgent forensic response might beneeded when your critical system has gone offline or has beendamaged.
3. Remote response should not impact the normal operation of thenetworks. If you need to take a forensic image of a remote workstationhard disk, pulling that volume of data over a corporate network couldhave a significant impact.
4. Security and confidentiality of business data should be maintained atall times - and creating a forensic image over a transnational networkmay not be permitted from some legal jurisdictions.
5. The presence of the remote forensics solution should never allowbusiness security to be compromised.
6. The incident response team should be able to gain secure access atany time from anywhere via a secure, authenticated-access network - evenwireless.
By meeting all the above principles, an economic remote forensicsolution can be deployed quickly with maximum security, efficiency andflexibility while producing minimal impact on business operations.
Likewise, organisations facing geographically dispersed risk or thosewishing to offer a global forensic service to their customers cansignificantly reduce setup and ongoing response costs while providing afaster and more flexible service.