The 2011 (ISC)2 Security Congress
Big Data Forensics: What’s in a Tool?
In today’s ever-expanding world of big data, organizations are not only taking on considerably more responsibility for protecting information assets, but are also facing the likelihood of a continued rise in potential data incidents.
According to Dov Yoran, CEO at New York City-based cyber security company ThreatGRID, security threats have evolved so extensively in recent years that it is inevitable that incidents will occur even at mid-sized businesses. “It’s imperative to have a solid incident response process, which should include data forensics capabilities and recovery methods after the breach,” Yoran says. “Additionally, it is always paramount to have a disaster recovery plan, which normally includes recovery processes, procedures and solutions.”
All tools are not created equal
Fortunately, an array of forensic and recovery tools exists, including data integrity tools provided with the operating system, automated data recovery tools, and specialized forensic data recovery tools. The most advanced tools allow experts to recover data from significant corruption or structural damage, recover partially deleted files, and forensically reassemble short fragments of files into their original form. The tools even allow an expert to document the chain of events that led to the data destruction. All of this depends on the expert using the tool having an intimate knowledge of how media data structures operate and a good working knowledge of the tool itself.
Incident response and data recovery require a solid plan, the right people, and specific tools.
By Peter Fretty
INFOSECURITY PROFESSIONAL, Issue Number 16

However, as Yoran explains, not all data recovery tools are created equal. “Some tools are strictly for data recovery, while others have other incident response practical features such as case management,” he says. “The requirements for recovering your data set should be carefully considered. It is often essential to budget for not just data recovery tools but data extraction and analysis tools. These tools can aid the investigator in determining the root cause of breaches. Technologies such as sandboxing [a security tool for separating running programs] and other malware analysis tools, which can reveal compromises, should be considered as crucial as the physical disk recovery.”
Some tools also fail to function in a forensically sound manner, which is necessary for producing defensible electronically stored information (ESI) in legal matters or regulatory investigations, explains Jeff Fehrman, vice president of forensics and consulting for global IT service provider Integreon. “Defensible collection demonstrates that the appropriate procedures and chain of custody are maintained throughout the process, in order for the ESI to be admissible in court,” he says. “Even the best forensic tools in the hands of untrained users can still present some serious issues for the defensibility.”
Fehrman recommends looking for tools with a track record of successful use in legal and compliance matters and that have respected certification training for users. “There are also expert consultants in the field that have entire toolkits of software available for their use, and the experience to know which ones are best suited for specific types of storage media or environments,” he says. “Some services also allow IT personnel to essentially perform the work under an expert’s remote guidance as a cost-effective approach to ensuring defensibility without the risk of data spoliation.”
Photo by Christopher J. Morris