Investigations: Merge ahead

In the enterprise setting, there's no such thing as a digital investigation. Or a physical one. Searching for clues and resolutions requires a blend of disciplines governed by a flexible forensic mind-set.

And sometimes, of course, the experts in question will be external investigators from law enforcement agencies. Rules and procedures vary with jurisdiction, but a good operating assumption is that when the investigation uncovers the fact that a crime may have been committed, local law enforcement agencies will need to be informed.

At which point, there's likely to be the need to call the human resources department, and usually the legal department as well. "The 'people' component of an investigation is always the most difficult," warns Schwartau. "People management is the remit of the legal and human resources folk, and they don't fold well into the world of geeks and geekdom."

In short, he sums up, recognize that legal and human resources people are going to show up; train investigators in what they will be looking for and the consequences of noncompliance, such as a countersuit from an employee with a grievance.

Investigations and Law Enforcement

Just as internal investigators from the cyber and physical organizations need to understand each other's procedures and preferences, the same holds true when law enforcement agencies are called in.

While physical security people tend to be familiar with chain-of-custody requirements, IT forensics people don't always pay the attention they should to this, warns Howard Schmidt, a former CSO for Microsoft and eBay with a background in law enforcement, who these days serves on the board of (ISC)2.

In today's wired world, he points out, locking down corporate systems until the law shows up isn't usually a practical proposition. The result, with internal investigators usually gathering evidence while they fix whatever the problem is, calls for schooling in evidence gathering and preservation.

"It's partly about specific training in what to do and what not to do, and it's partly about building a sense of mutual trust between the internal investigators and external law enforcement agencies," says Schmidt. "Physical investigators tend to understand this better: Now the IT people are getting trained, and they need to understand that an image of a file dump isn't as good as evidence with a full chain of custody."
