I add that bit of wisdom to my collection of axioms. It goes right in there with "there are only two kinds of people: those who back up, and those who wish they had." In the case of recalling the past, however, there are reasons this applies to us infosec professionals.
I saw the new enCase Enterprise Edition 4.16 recently and I must say, it brought back that old feeling I get when occasionally someone steps outside of accepted paradigms and does something really right. For those of you who do not follow digital forensics, enCase is a computer forensic tool from Guidance Software (www.enCase.com). Guidance introduced the latest release that does a bit more than just look at hard disks over a network. It also looks at things such as port activity. This is stuff I really am interested in if I want to know if/how a computer has been compromised.
The term "forensic" seems to cause everything from confusion to disdain in the minions of corporate America. "We don' need no steeenkin' cops" is the usual response to mentions of investigations, forensics, etc. Well, I guess I reluctantly agree. But you still need to know what happened, why it happened, and what can be done to prevent it in the future. And, it turns out, the best way to do that is by examining the crime scene forensically. Trouble is, there are not a lot of tools that do the whole job for you.
Most incidents make their first appearances at some monitoring console (or they should, anyway, if the monitoring is complete enough). However, intrusion detection systems, anti-virus systems and the like are there to detect and report, not to preserve evidence that allows a detailed root cause analysis. That's where the forensic stuff comes in.
Once you piece together what happened on the network and what happened at the computer, you can build a forensic picture of the event, clean up completely, plug the holes and get on with life. And because this type of forensic analysis follows certain procedural rules, if you later decide that there really is a bad guy you want to catch and hang, you've already got what you need to do that too.
Learn from the past? Of course. We look at the recent past forensically through an incident post mortem to respond to an immediate incident, and then use the past to help us shore up our defenses for the future.
Peter Stephenson is the executive director of the International Institute for Digital Forensic Studies. ([email protected])