New York's Pelgrin, for example, organizes annual training sessions for New York's infosec employees, where precisely such topics are covered. The issue isn't just about not impeding the investigation, or inadvertently destroying potentially valuable evidence, he stresses; it's also about promulgating clear-cut guidelines for establishing the chain of custody.
"When you take possession of a machine, or possession of a hard-drive image, which could then go on to feature on a disciplinary or court case, it's important to be able to prove in a tribunal or a court just who has had control since that possession was taken," he says. "Evidence must be presented in its original state, and with proof that tampering has not been possible."
But in the era of the blended investigation, and with physical and IT forensic investigators working more closely together, is there actually a need anymore to differentiate between the two skill sets? In short, does the era of the blended investigation bring forth the blended investigator?
The jury, it seems, is out. "Do you take people with a strong investigative background, and train them in computer forensics – or take people who have strengths in computer forensics, and try to train them in investigative skills?" asks Amit Gavish, managing director of corporate intelligence at Shelton, Conn.-headquartered security consultants SSC. "It's something we wrestle with all the time – and typically, we find that the people with the best IT forensic skills don't have the right investigative mind-set."
With some caveats, Peter Yapp agrees. Now the London-based head of network forensics at business risk consultants Control Risks, Yapp actually set up such a team when working for the United Kingdom's customs service in the 1990s.
"In establishing our computer forensic team, what we did was to take existing customs investigators and teach them IT forensics, rather than attempting to do it the other way round," he explains. "It worked, but we were probably lucky in having people with a reasonable IT background already. I'm not sure you could take any investigator and get them up to speed in forensics – just as you can't take any IT technician and turn them into an investigator."
The Investigative Mind
Indeed, Yapp argues, the "forensic" part of the job description probably obscures the essential aspect of the role that is common to both physical and IT forensic investigators: solid investigative skills.
"What I look for is someone who can speak both languages: the language of computers and the language of the real world," he says. "More importantly, though, I want people who don't give up, who look around them and observe what's going on, and who see and then act upon anomalies. It's not just about looking for keywords on a disk – it's about picking up signs that something isn't right."
SSC's Gavish concurs. The mind-set is important, he stresses – and ultimately determines whether an investigation is staffed by two specialist skill sets or one person with both. "The physical investigator will want to stay close to his comfort zone of traditional investigative approaches, while the IT forensic person is going to feel most at home with the IT tools and techniques he or she is most familiar with," he says. "If you can't break that, then it's best to double-staff and task people to do individual parts of the overall investigation."