Forensics tools and techniques can help drive so-called “e-discovery” investigations, Dennis (Jaime) Seibert, a lead forensics investigator in the information security incidence response team at Fifth Third Bank, a regional financial institution in Cincinnati, Ohio, told RSA attendees on Wednesday.
E-discovery investigations can look into the alleged wrongdoing of a terminated employee and/or provide electronic records for use in corporate litigation, Seibert noted in his presentation, titled “Electronic Discovery and Forensics in the Corporate Environment.” Forensics tools and techniques, he said, are increasingly being used to provide relevant evidence for e-discovery projects, such as those that investigate fraud or employee misuse of corporate IT resources.
Seibert told SCMagazineUS.com that the typical e-discovery project would entail a narrow search for specific information, including a company name or phrase, such as “loan document.” The goal of such a search, he said, is to uncover “only data relevant to the case.”
The idea is to search data and provide only files with proven relevance, Seibert said. He added that such investigations should search not only for the relevant files themselves, but metadata – time stamps, when the file was created or modified, and the like – as well. The metadata provides critical audit-style information that is highly useful in investigations, he explained.
Too often, IT investigators incorrectly rely on Windows' “copy” function to create backup files for use in investigations, according to Seibert. That command, however, doesn't replicate metadata. Instead, he recommends using Windows' “backup” utility, which preserves metadata.
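The point about preserving metadata lends itself to a small worked example. The script below is an added illustration, not code from the presentation or from Fifth Third Bank: it records a manifest entry (SHA-256, size and stat timestamps) for a file before collection, then checks a collected copy against that entry. It uses Python's standard library, where a plain `shutil.copyfile` stands in for a content-only copy and `shutil.copy2` for a collection method that carries timestamps across; the file name, function names and sample content are constructed for the demonstration.

```python
"""Record file metadata before collection and verify a collected copy (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Fields that a collected copy must reproduce exactly. Access time is deliberately
# excluded: merely reading a file to hash it can update atime, so it is recorded
# for the manifest but never used as a pass/fail criterion.
VERIFIED_FIELDS = ("sha256", "size", "mtime_ns")


def fingerprint(path):
    """Return the manifest entry for one file.

    stat() runs before the file is read so the recorded atime reflects the state
    found on disk, not the read performed by the hashing step.
    """
    p = Path(path)
    st = p.stat()
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    return {
        "path": str(p),
        "sha256": digest,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,   # last content modification
        "atime_ns": st.st_atime_ns,   # last access (recorded, not verified)
        "ctime_ns": st.st_ctime_ns,   # inode/metadata change; cannot be set by a copy
    }


def build_manifest(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest_entry, copied_path):
    """Compare a collected copy with its manifest entry.

    Returns the list of verified fields that differ; an empty list means the
    copy reproduces both content and modification time.
    """
    got = fingerprint(copied_path)
    return [field for field in VERIFIED_FIELDS if got[field] != manifest_entry[field]]


def demo():
    """Collect one constructed sample file two ways and report what each loses."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "loan_document.txt"
        src.write_text("constructed sample: loan document draft\n")

        # Backdate the file by 30 days so a lost timestamp is observable.
        backdated = src.stat().st_mtime_ns - 30 * 24 * 3600 * 10**9
        os.utime(src, ns=(backdated, backdated))

        entry = fingerprint(src)   # manifest entry taken before any collection

        content_only = Path(tmp) / "content_only_copy.txt"
        shutil.copyfile(src, content_only)   # bytes only; mtime becomes "now"

        with_times = Path(tmp) / "copy_with_times.txt"
        shutil.copy2(src, with_times)        # bytes plus mtime/atime

        return {
            "content_only": verify_copy(entry, content_only),
            "with_times": verify_copy(entry, with_times),
        }


if __name__ == "__main__":
    for method, problems in demo().items():
        status = "OK" if not problems else "MISMATCH in " + ", ".join(problems)
        print(f"{method}: {status}")
```

Running it shows the content-only copy failing on `mtime_ns` while its hash still matches, which is exactly the silent loss the talk warns about. Note that `ctime` is recorded but never verified: no user-level copy can set it on the destination, so the manifest captured before collection is the only place that value survives.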
One critical issue in e-discovery is “understanding what data to retain,” he said. “The idea is to keep as little as legally possible – delete what you don't need. The problem is we tend to store more data than necessary.”
The caveat here, of course, is that regulatory mandates, such as the Sarbanes-Oxley Act and others, may require enterprises to store certain types of electronic communications for specified timeframes.
Seibert said that computer forensics investigators very often become the technology liaison for corporate legal counsel, serving “as a source of knowledge for them, so that if they're challenged in court [about a technical issue] they can answer intelligently.”
He noted that forensics investigators and corporate legal departments have a common ground “because we deal with law enforcement and understand evidence preservation.”
For more coverage of the RSA Conference, visit our special RSA Conference 2008 microsite. It contains news and announcements from the show floor, as well as podcasts, video and opinion columns from keynote speakers and industry luminaries, like RSA Conference's Sandra Tom La Pedis and Tim Mather, Symantec's John Thompson and Kevin Haley, IBM's Val Rahmani, and SC Magazine's CSO of the Year Dan Lohrmann, CISO of the State of Michigan.