Understanding Network Forensics Makes Security Smarter

Sunday, June 05, 2011

Kelly Colgan


By Ondrej Krehel, Identity Theft 911

When I tell people I work in forensics they always mention CSI: Geeks in white lab coats standing over test tubes of blood, or slides of hair, running computer programs with GUIs that look more like Avatar than Windows 7, Ubuntu, or Mac OS.

Then I explain that it’s digital forensics—that I collect information in computer chips instead of tissue samples—and they get that look like I just let them down.

OK, hard drives aren’t as cool as handgun ballistics, I get that, but the process of data collection and case-building is remarkably similar whether the subject matter is Western Digital or Smith & Wesson.

Recently I wrote an article for Forensic Focus, a leading network forensics website, on open source toolkits for analysts.

These are computer programs that help me do my job.

As I mention in the article, it’s important to plan for digital-evidence-gathering when building security systems. In hundreds of cases, network forensics has stood up to legal scrutiny as primary evidence and has put more than one black hat in jail.

Network forensics as a security layer is like adding a closed-circuit camera system to your regular home security.

Your IT department has probably already installed the alarm—enabled a firewall, set alerts on suspicious activity—but a forensic appliance can record all data traffic, essentially saving a mirror image of who did what and where.

The benefits of this data in the event of a breach should be obvious.

Full-content network monitoring tools are just one component of digital forensics. I could write blog posts all day on the dozens of other strategies I put to work on a regular basis.

But what’s important to take away today is this: If you’re in the market for a security solution, or evaluating an incident response team, make sure you ask about forensic capabilities.

Recovering successfully from a breach is definitely something to shoot for. But nothing makes executives smile, or helps build back customer confidence, more than putting the bad guys behind bars. It makes for good news headlines. Plan for it.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911. Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
