
By Will Sturgeon
Posted on ZDNet News: Sep 19, 2006 3:16:00 PM

Businesses must gain an understanding of computer forensics if they are to keep pace with the growing level of internal security threats, experts say.

Bruce Nikkel, head of the IT investigation and forensics department at UBS, said areas such as the military and law enforcement have been using forensics for some time, but he urged big business to get up to speed and understand the challenges.

Nikkel's advice, offered at a Gartner security summit in London this week, coincides with a strong warning from the analyst house about the growing threat from within organizations.

"We are going to see a dramatic increase in the number of information security breaches where insider collaboration or involvement was a major factor, whether intentional or accidental," said Tom Scholtz, research vice president at Gartner.

Scholtz said preventing security breaches may in part come down to keeping the "bad guys" from getting through a company's security perimeter. But he noted that bad guys also might use social engineering techniques to dupe insiders into betraying information or breaching security.

Earlier this year the FBI reported that 44 percent of all computer-related crimes are carried out by people within organizations.

One of the most common mistakes made by companies in the wake of an incident is to get affected systems up and running again without giving thought to doing forensic work on the systems, said Nikkel. In layman's terms that's the equivalent of cleaning up a crime scene before evidence has been taken.

Nikkel said it's very easy to destroy digital evidence, especially on live systems. "All the information may be stored in memory, so even if you power down that machine you may lose that information," he added.

Similarly, any number of activities, such as plugging in a suspect USB key or rebooting a PC, can destroy the timeline of events and should be left for experienced investigators to uncover.

Other challenges faced in establishing forensics best practices include understanding the scale of the task. It isn't just collecting evidence but also preserving it, analyzing it and being able to present it in a format that is admissible in court, if necessary. That means a thorough understanding of regional regulatory requirements as well as local data protection laws.

Nikkel said showing the board of directors how forensics can save a company money can help shore up the board's support for forensics work.

Password recovery, data recovery and data retention policies are all issues that could be addressed by a forensics team and, potentially, deliver a return on investment.

Similarly, human resources and legal departments could benefit from working with forensics teams if digital evidence needs to be gathered and analyzed. The same is true for companies trying to comply with tightening regulations.

"Preventing even one high-cost court case could justify the costs of that forensics team," Nikkel said.

Will Sturgeon of Silicon.com reported from London.
