The 2011 (ISC)2 Security Congress

Big Data
Forensics:
What’s in a Tool?
In today’s ever-expanding world of big data, organizations are
not only taking on considerably more responsibility for protecting information assets, but
are also facing the likelihood of a continued rise in potential data incidents.
According to Dov Yoran, CEO at New York City-based
cyber security company ThreatGRID, security threats have
evolved so extensively in recent years that it is inevitable
that incidents will occur even at mid-sized businesses. “It’s
imperative to have a solid incident response process, which
should include data forensics capabilities and recovery methods
after the breach,” Yoran says. “Additionally, it is always
paramount to have a disaster recovery plan, which normally
includes recovery processes, procedures and solutions.”
All tools are not created equal
Fortunately, an array of forensic and recovery tools exists,
including data integrity tools provided with the operating
system, automated data recovery tools, and specialized
forensic data recovery tools. The most advanced tools allow
experts to recover significantly corrupted data or structural
damage, partially deleted files, and forensically reassemble
short fragments of files into their original form. The tools
even allow an expert to document the chain of events that
led to the data destruction. This all depends on the expert
using the tool having an intimate knowledge of how media
data structures operate, and good working knowledge of the
tool itself.
However, as Yoran explains, not all data recovery tools
are created equal. “Some tools are strictly for data recovery,
while others have other incident response practical features
such as case management,” he says. “The requirements for
recovering your data set should be carefully considered. It
8 INFOSECuRITY PROFESSIONAl ISSUE NUMBER 16
Incident response
and data recovery
require a solid
plan, the right
people, and
specific tools
by Peter Fretty
is often essential to budget for not just data recovery tools
but data extraction and analysis tools. These tools can aid the
investigator in determining the root cause of breaches. Technologies
such as sandboxing [a security tool for separating
running programs] and other malware analysis tools, which
can reveal compromises, should be considered as crucial as
the physical disk recovery.”
Some tools also fail to function in a forensically sound
manner, which is necessary for producing defensible electronically
stored information (ESI) in legal matters or regulatory
investigations, explains Jeff Fehrman, vice president
of forensics and consulting for global IT service provider,
Integreon. “Defensible collection demonstrates that the
appropriate procedures and chain of custody are maintained
throughout the process, in order for the ESI to be admissible
in court,” he says. “Even the best forensic tools in the hands of
untrained users can still present some serious issues for the
defensibility.”
Fehrman recommends looking for tools with a track
record of successful use in legal and compliance matters
and that have respected certification training for users.
“There are also expert consultants in the field that have
entire toolkits of software available for their use, and the
experience to know which ones are best suited for specific
types of storage media or environments,” he says. “Some
services also allow IT personnel to essentially perform the
work under an expert’s remote guidance as a cost-effective
approach to ensuring defensibility without the risk of data
spoliation.”
photo By ChRIStophER J. MoRRIS