DIGITAL INSIGHT EDITION 4
IN THIS EDITION > Forensic first response > Thoughts for the month > DPAs: Cutting down on corporate crime in a ‘Peculiarly British’ way > Information security governance > Q&A with Kinetic Partners > The Real CSI > First response course > About CCL
FORENSIC FIRST RESPONSE
In 2011, the UK Cabinet Office published a paper (The Cost of Cyber Crime), which quantified the cost to UK businesses of intellectual property theft as £9.2bn, and industrial espionage as £7.6bn. Whilst these figures have since been challenged and the true cost of cybercrime in 2014 is difficult to estimate, its impact on UK industry cannot be ignored.

CCL is increasingly being asked to help investigate cyber-based crime on behalf of UK private companies and public sector organisations. Incidents range from ‘simple’ misuse of computer resources to more complex computer-based intellectual property theft and organised fraud. When cybercrime is first suspected, its seriousness and full extent are often unknown. It is also difficult to judge how the suspect is going to react when confronted. Will they admit to their misdemeanour and take their punishment, or will they protest their innocence and seek legal representation in court? The great majority of computer security incidents will never be taken to court, but the possibility still exists that they might, and so proper precautions should be taken to collect and preserve digital evidence from the outset.

In contrast with typical crime scene evidence, digital evidence can be very fragile, and its very existence may not be obvious on initial examination. Analysis is a slow and difficult process that begins with seizing the computer as evidence. On seizure, however, the computer is usually turned off and taken back to a laboratory, and at that moment all of the data on the computer that has not been saved to the hard drive can be lost forever. In modern systems that can be a substantial amount of data, made up of several parts. Even without the power being turned off, evidence can still be destroyed: if the computer is still connected to a network, evidence such as log files could be accidentally or deliberately deleted or overwritten by other network users. In addition, the programmable nature of computers allows an individual to instruct the computer to erase information without any human interaction. For example, an intruder could use a compromised machine to launch another attack and then automatically erase all evidence of the attack and initial intrusion upon completion.

Beyond outright destruction, an investigator must also be careful that digital evidence is not tainted before it can be secured. Most often tainting occurs because of the good intentions of a first responder: the first people to discover the crime look around to determine what happened and, unwittingly, alter data on the system.

For these reasons, CCL recommends its clients put in place First Response processes and procedures that allow them to find out whether an incident has occurred, determine the nature of the incident, and follow the correct steps to ensure evidence is sound enough to be taken to court if necessary. Leaving it until after the event may result in the loss of vital evidence and an unsuccessful, yet costly, outcome.

01789 261200 | WWW.CCLGROUPLTD.COM | INFO@CCLGROUPLTD.COM
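One way to make the tainting described above detectable, as an added example that is not CCL's own procedure or tooling: the Python below records a hashed custody manifest of the files collected at first response and re-checks it later, flagging items that were altered or deleted in the meantime. The directory layout, responder name and log lines are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so large evidence items never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def capture_manifest(evidence_dir: Path, manifest_path: Path, responder: str) -> dict:
    """Record name/size/mtime/SHA-256 of each file; the record is hashed so manifest edits show too."""
    items = [{"name": p.relative_to(evidence_dir).as_posix(), "size": p.stat().st_size,
              "mtime": p.stat().st_mtime, "sha256": sha256_file(p)}
             for p in sorted(evidence_dir.rglob("*")) if p.is_file()]
    record = {"collected_by": responder, "items": items}
    body = json.dumps(record, sort_keys=True).encode()
    manifest = {"record": record, "record_sha256": hashlib.sha256(body).hexdigest()}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir: Path, manifest_path: Path) -> dict:
    """Re-hash each item -> {name: 'ok' | 'altered' | 'missing'}; flag a tampered manifest."""
    manifest = json.loads(manifest_path.read_text())
    body = json.dumps(manifest["record"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["record_sha256"]:
        return {"__manifest__": "tampered"}
    result = {}
    for item in manifest["record"]["items"]:
        p = evidence_dir / item["name"]
        result[item["name"]] = ("missing" if not p.is_file()
                                else "ok" if sha256_file(p) == item["sha256"] else "altered")
    return result

def demo() -> tuple:
    """Constructed scenario: two log files captured, then one 'tidied' by a well-meaning responder."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        ev.mkdir()
        (ev / "auth.log").write_text("Jan 10 09:12:01 host sshd[412]: Accepted password for alice\n")
        (ev / "access.log").write_text('10.0.0.5 - - [10/Jan/2014:09:15:22] "GET /export HTTP/1.1" 200\n')
        manifest = Path(tmp) / "manifest.json"
        capture_manifest(ev, manifest, "responder-1")
        before = verify_manifest(ev, manifest)
        with open(ev / "auth.log", "a") as f:
            f.write("# reviewed, nothing unusual\n")  # the unwitting alteration
        return before, verify_manifest(ev, manifest)
```

Storing the manifest (and ideally a copy of its hash) away from the seized system is what lets a later examiner show that an item is unchanged since collection.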