
COMPUTER FORENSICS NEWS   

Page last updated on Thursday, January 6 2005 at 1927 UK

Investigation Planning and Execution

Preparing for an incident and responding efficiently and proportionately


The attraction of computer crime is clear. Not long ago, a thief would need to steal drawers full of paperwork to get their hands on valuable company information. Now, the same can be achieved at the click of a mouse, by copying data or a disc or e-mailing it out of the organisation.

Despite huge spending on ICT security, computer crime is still growing. In 2005, 89% of all UK businesses were targeted by e-criminals, according to research by the National Hi-Tech Crime Unit.

e-Crime comes in a variety of flavours: data theft, email abuse and computer misuse are three common examples. Yet around 94% of all computer-based crime goes unreported because companies fear adverse publicity and further disruption to their operations during an ensuing investigation.

As computer connectivity grows, exposure to security threats will rise. Just as in the real world, computer criminals leave their electronic fingerprints all over a digital crime scene and proper investigation is the surest way to ensure business continuity in the mid to long-term.

There are some practical steps a business can take to mitigate risk. These should form part of a practical incident response procedure, which every business ought to have.

Planning Your Response

Your incident response plan will depend partly on the size, nature and geographical dispersal of your business, but there are some general principles to follow in all cases.

Legislative compliance – your response to an incident must comply with appropriate legislation. In the United Kingdom, for example, you will need to consider the Data Protection Act 1998 and the Computer Misuse Act 1990, as well as the European Convention on Human Rights, which applies across Europe. Legislative compliance protects you from claims of unfairness, harassment and invasion of privacy.

Who will respond? – Who will take the lead when an incident is discovered? Will you need to form an internal investigation team? Which external companies will you call upon for assistance and on what terms would you involve the Police?

Involvement of decision makers – which members of your company will you involve when an incident is discovered? Human resources, legal and corporate security departments may all need to take part and having a senior management representative involved will help when key business decisions need to be made quickly.

What to do When an Incident Occurs

Before doing anything else, stop and think about the nature of the incident. Some situations – for example, those thought to involve paedophilia or organised crime – must be reported to the Police immediately. In other circumstances, it might not be appropriate to call in the authorities so soon.

Preserve the evidence – this means sealing the crime scene. Computers are just as much a part of the crime scene as physical locations. Don’t be tempted to ‘take a quick look’; computer-based evidence is volatile and can be easily destroyed or tainted through improper handling. It is vital that proper forensic techniques are used from the outset, otherwise any evidence you find is unlikely to be admissible. Don’t switch computers on or off and don’t interact with them in any way.

Make notes about the scene – record the details of any potential witnesses and suspects, including the dates and times of their known movements. Gather together details which might help the investigation later on: usernames and passwords, for example. Also think about other equipment to which the suspects might have access. Do they use company mobile phones, laptop computers or PDAs?

Start collecting evidence – most of what has happened so far should have taken place within an hour or so of discovering an incident. Now is the time to call in a specialist computer forensics team to assist in securing potential sources of evidence.

How we Proceed with a Forensic Investigation

The first job is to identify computers and storage media which might contain evidence. In a company environment, the most obvious source is the computer on the suspect’s desk as well as nearby disks and CD-ROMs.

Our forensic specialist will record the details of the suspect’s computer, including its make, model and serial number. He will record what, if anything, is displayed on the screen and he will note the details of removable storage media.

Depending on the operating system running on the suspect’s computer, he will either pull the plug or carry out a safe shutdown in the most evidentially secure manner. Ideally, the computer will then be packaged and moved to our laboratories for analysis. In situations where this is not viable, the computer will be moved to a secure area on-site.

In either case, the next stage is imaging. This is the process of taking an identical copy of the computer’s hard drives and the contents of any removable storage media. At this early stage, important evidence could be stored in any number of places and so all available data should be imaged. In most cases, two images are made – one for backup purposes and one for use as a working copy.

To ensure the integrity of the imaging process, our specialists follow some important guidelines…

All of our specialists are thoroughly trained and experienced in the use of specialist forensic hardware and software. This level of training and experience is important in demonstrating competency should the veracity of the imaging process be challenged later on.
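One integrity check of the kind such guidelines cover, added here as an illustration rather than taken from the article or the firm's own procedure: it assumes each image is hashed with SHA-256 at acquisition and that the backup and working copies are verified against that digest before analysis starts. The case identifier, examiner name, item label and the sample image bytes are all constructed.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # stream images in 1 MiB blocks so whole drives never sit in memory


def image_digest(stream) -> str:
    """SHA-256 of a disk image read from a binary stream, block by block."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_copies(acquisition_digest: str, copies: dict) -> dict:
    """Hash each named copy; a copy is acceptable only if it matches the digest taken at acquisition."""
    report = {}
    for name, stream in copies.items():
        d = image_digest(stream)
        report[name] = {"digest": d, "match": d == acquisition_digest}
    return {"all_match": all(c["match"] for c in report.values()), "copies": report}


def custody_entry(case_id: str, examiner: str, item: str, result: dict) -> dict:
    """One chain-of-custody record: who verified which item, when (UTC), and the outcome."""
    return {
        "case": case_id,
        "item": item,
        "examiner": examiner,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "result": "VERIFIED" if result["all_match"] else "MISMATCH",
        "digests": {n: c["digest"] for n, c in result["copies"].items()},
    }


def demo() -> tuple:
    """Constructed sample bytes stand in for a drive image; no real acquisition is read."""
    original = b"\x55\xaa" + b"sample sector data " * 4096
    acquisition_digest = image_digest(io.BytesIO(original))
    clean = verify_copies(acquisition_digest,
                          {"backup": io.BytesIO(original), "working": io.BytesIO(original)})
    # A working copy with a single flipped bit must be rejected even though its size is unchanged.
    altered = original[:-1] + bytes([original[-1] ^ 0x01])
    tainted = verify_copies(acquisition_digest,
                            {"backup": io.BytesIO(original), "working": io.BytesIO(altered)})
    return clean, tainted
```

A mismatch on the working copy means analysis must not begin until a fresh copy is taken from the verified backup and the discrepancy is recorded.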

Having completed the imaging process, the next phase is analysis of the data collected. Depending on the nature of the investigation, this is carried out most quickly and efficiently in our laboratories, although we do provide on-site facilities should circumstances dictate that this is the most appropriate approach.

Successful analysis of the evidence relies upon us talking to you to gain a thorough understanding of the incident. Based on their discussions with you, our specialists will use sophisticated search techniques to extract important evidence from the potentially vast amounts of imaged data.

Reaching a Conclusion

Drawing conclusions from the distilled evidence is the final stage of an investigation. Any conclusions must be objective and well-substantiated. In cases where there appears to be evidence of a significant issue, we advise you to seek legal advice on how to proceed.

Should you choose to pursue legal action, our rigorous chain of evidence procedures, thorough documentation and robust Expert Witness testimony will provide you with a firm foundation for your case.
