VARs Must Weigh Implications Of Data Forensics

The challenges solution providers will face in these markets include political concerns and liability issues. Political elements run the gamut from perception of participating in a "witch hunt" to becoming entrenched in departmental turf battles. Common liability concerns include accountability for misinterpreted data, unevenly applied policies and overlooked evidence.

FRANK J. OHLHORST
Senior Technical Editor

Regardless of these challenges, forensics and intrusion management technologies are in high demand. The need is driven especially by the fact that confidential data stored on systems is a potential liability, which makes both protecting and tracking that data an element of ever-increasing importance to best business practices. It also drives companies to rely on specialized solution providers to perform investigative functions.

Solution providers that want to get involved in forensics can do so in a variety of ways, ranging from partnering with private investigation firms to soliciting government contracts. But before making the leap, solution providers must develop some basic tenets.

First off, solution providers will want to define their capabilities, services and platforms. Forensics can include a wide breadth of services, so care should be taken when selecting which particular elements to focus on.


Test Center engineers predict that the largest potential for solution providers exists with sniffer technology. The roots of packet sniffers are clearly linked to network diagnostics, but the technology, when it employs packet capture and recording, offers one of the best ways to identify intruders or isolate inappropriate activity. Simply put, captured packets can be reassembled into the original data streams to create an auditable trail of network activity. Network packets, including wireless traffic, make it possible to track electronic conversations between pieces of computer equipment. Reassembled packets often provide pertinent evidence that helps identify wrongdoers.

The disadvantage of packet sniffing is that it records only traffic that passes while the capture is running; it cannot reconstruct activity that took place before it was deployed. To be effective, the technology must be in place before an unauthorized incident occurs.
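The reassembly step described above, as an added example that is not code from the article or from any product it names: it orders the captured segments of each conversation by TCP sequence number, discards duplicate retransmissions, refuses to overwrite conflicting data, and reports any gap so the resulting record is auditable rather than silently incomplete. The capture, the flow addresses and the "needles" used to flag inappropriate activity are all constructed for the example.

```python
"""Reassemble captured TCP segments into per-flow byte streams.

Added example for this article, not code from it or from any product it
names. CAPTURE below is constructed sample data, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, first_seq):
    """Rebuild one direction of a connection starting at first_seq.

    Returns (runs, gaps): runs is a list of (start_seq, bytes) for each
    contiguous stretch of recovered data; gaps lists (start, end)
    sequence ranges that no captured segment covers, so a lost or
    uncaptured segment is recorded instead of being glued over.
    """
    covered = {}
    for seg in sorted(segments, key=lambda s: s.seq):
        for i, byte in enumerate(seg.payload):
            pos = seg.seq + i
            if pos < first_seq:
                continue
            # A genuine retransmission repeats the same bytes. Different
            # bytes at the same sequence number is itself evidence (or a
            # capture error) and must not be silently overwritten.
            if pos in covered and covered[pos] != byte:
                raise ValueError(f"conflicting payload at seq {pos}")
            covered[pos] = byte

    runs, gaps = [], []
    pos = first_seq
    last = max(covered, default=first_seq - 1)
    while pos <= last:
        start = pos
        if pos in covered:
            chunk = bytearray()
            while pos <= last and pos in covered:
                chunk.append(covered[pos])
                pos += 1
            runs.append((start, bytes(chunk)))
        else:
            while pos <= last and pos not in covered:
                pos += 1
            gaps.append((start, pos))
    return runs, gaps


def conversations(capture):
    """Group a capture by (src, dst) and reassemble each direction.

    Assumption (this example's, not the article's): the lowest sequence
    number seen in a direction is taken as the start of its data, since
    the handshake may predate the start of the capture.
    """
    by_flow = defaultdict(list)
    for seg in capture:
        by_flow[(seg.src, seg.dst)].append(seg)
    return {flow: reassemble(segs, min(s.seq for s in segs))
            for flow, segs in by_flow.items()}


def flag(convs, needles=(b"/admin", b"passwd")):
    """Return (flow, start_seq) for each recovered run containing a needle.

    The needles are illustrative; an investigation substitutes the hosts,
    paths or strings its scope defines as inappropriate.
    """
    return [(flow, start)
            for flow, (runs, _gaps) in convs.items()
            for start, data in runs
            if any(n in data for n in needles)]


REQ_HEAD = b"GET /admin "
RESP_HEAD = b"HTTP/1.0 200 OK\r\n\r\n"
CLIENT, SERVER = "10.0.0.5:40211", "10.0.0.9:80"

# Constructed capture: the client's request arrives out of order and its
# first segment is retransmitted once; the server's reply is in order.
CAPTURE = [
    Segment(CLIENT, SERVER, 1001 + len(REQ_HEAD), b"HTTP/1.0\r\nHost: intranet\r\n\r\n"),
    Segment(CLIENT, SERVER, 1001, REQ_HEAD),
    Segment(CLIENT, SERVER, 1001, REQ_HEAD),                 # retransmission
    Segment(SERVER, CLIENT, 5000, RESP_HEAD),
    Segment(SERVER, CLIENT, 5000 + len(RESP_HEAD), b"<html>payroll</html>"),
]


if __name__ == "__main__":
    convs = conversations(CAPTURE)
    for flow, (runs, gaps) in convs.items():
        print(flow, "gaps:", gaps)
        for start, data in runs:
            print(f"  seq {start}: {data!r}")
    print("flagged:", flag(convs))
```

Running the block prints both directions of the constructed conversation with the duplicate segment collapsed, and flags the client flow because its reassembled request contains "/admin". Gaps are returned as sequence ranges rather than papered over, which is what makes the resulting trail defensible when it is later questioned.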

For historical investigative purposes, several tools are available, ranging from file recovery products to imaging products.

One of the best ways to proceed with an investigation is to image the entire hard-disk drive onto a remote storage device and then examine the data files at a later date on that copy, never on the original.

Success with this type of technology can depend on many factors. Those performing investigations must have access to the systems during off-hours and must employ a technology that leaves no trace of the capture on the subject system, which means writing nothing to the subject drive. Usually the best way to accomplish this is with a combination of external hardware and software that lets the system boot from external media, so the subject's own operating system never runs, and image the contents of the subject disk drive to an external device.
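The imaging procedure above, as an added example that is not code from the article or from any imaging product it names: the source is opened read-only (on a real drive a hardware write blocker enforces this; here a constructed file in a temporary directory stands in for the subject drive), the image is compared with the source by SHA-256 before the acquisition is trusted, and the hashes are appended to a custody log that can later prove the image is unchanged. The paths, the examiner name and the log format are this example's own choices.

```python
"""Image a drive, verify the image, and keep a custody record.

Added example, not code from the article or any product it names. The
"drive" used by demo() is a constructed file in a temp directory.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096  # read/write granularity; real tools work at sector size


def image_device(src_path, dst_path, block=BLOCK):
    """Copy src_path to dst_path block by block, opening the source
    read-only and hashing the bytes as they are read, so the digest
    describes exactly what the source delivered. Returns (hex, count)."""
    digest = hashlib.sha256()
    count = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            digest.update(chunk)
            dst.write(chunk)
            count += len(chunk)
    return digest.hexdigest(), count


def hash_file(path, block=BLOCK):
    """SHA-256 of a file as read back from storage."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(src_path, dst_path, log_path, examiner):
    """Image src_path, verify the image against the source, and append a
    custody record. Raises if the image read back differs from what was
    read from the source: an unverified image must not become evidence."""
    source_sha256, nbytes = image_device(src_path, dst_path)
    image_sha256 = hash_file(dst_path)
    if image_sha256 != source_sha256:
        raise RuntimeError("image does not match source; discard and re-image")
    record = {
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": src_path,
        "image": dst_path,
        "bytes": nbytes,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
    }
    with open(log_path, "a") as log:          # append-only custody log
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(dst_path, log_path):
    """Re-hash the image and compare with its recorded acquisition hash.
    True if unchanged since acquisition, False if it differs."""
    with open(log_path) as log:
        records = [json.loads(line) for line in log if line.strip()]
    matching = [r for r in records if r["image"] == dst_path]
    if not matching:
        raise LookupError(f"no custody record for {dst_path}")
    return hash_file(dst_path) == matching[-1]["image_sha256"]


def demo():
    """Run the procedure on a constructed 'drive'. Returns (record,
    intact, tampered): the custody record, the verification result for
    the fresh image, and the result after one byte of the image is
    altered to simulate post-acquisition tampering."""
    work = tempfile.mkdtemp(prefix="forensics-demo-")
    drive = os.path.join(work, "subject-drive.bin")
    image = os.path.join(work, "subject-drive.dd")
    log = os.path.join(work, "custody.log")
    with open(drive, "wb") as f:
        f.write(bytes(range(256)) * 40)       # constructed: 10240 bytes
    record = acquire(drive, image, log, examiner="J. Doe")
    intact = verify_image(image, log)
    with open(image, "r+b") as f:             # simulate tampering
        f.seek(100)
        f.write(b"\xff")
    tampered = verify_image(image, log)
    return record, intact, tampered


if __name__ == "__main__":
    rec, ok, bad = demo()
    print(json.dumps(rec, indent=2))
    print("intact after acquisition:", ok)
    print("intact after tampering:", bad)
```

The two hashes in the record are the mechanism that later answers a tampering accusation: anyone can re-hash the image and compare it with the value logged at acquisition, and a mismatch shows exactly that the copy, not the finding, changed. The same check should be repeated before any examination session begins.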

In some cases, an investigation dictates that a subject's activity should be observed constantly, which requires monitoring software. That software is installed on a system using stealth technology, and once installed it can capture every keystroke and displayed image and forward them to another system charged with gathering the activity. Monitoring software also can leverage Web cameras and other devices to positively identify who is using the system. The gathered data then can be played back to completely recreate a subject's session, offering a strong base of evidence.

Regardless of the technology employed, solution providers must make sure that the surveillance or investigative practices are legal and permitted. Elements ranging from a company's IT and computer-use policies to local and federal laws determine what are deemed appropriate investigative practices. Once the legalities are addressed, solution providers must document all investigative practices completely and offer mechanisms, such as a recorded chain of custody and cryptographic hashes of every image taken at acquisition, to dispel any evidence-tampering accusations.

All things considered, data forensic services offer an enticing revenue opportunity, but solution providers will need to consider the implications of performing those services more than any other service they have offered in the past.

TOOLS OF THE TRADE: NOTABLE FORENSICS APPLICATIONS

> IMAGING AND ANALYSIS APPLICATIONS
  What they do: capture data from hard drives and examine it at a later time.
  Examples: EnCase from Guidance Software, GenTree from Vogon International

> PC ACTIVITY MONITORING APPLICATIONS
  What they do: capture all of the activity on a specific PC, usually without informing the user.
  Examples: Spector Pro 4.0 from SpectorSoft, WinWhatWhere Investigator 4.0 from TrueActive Software

> NETWORK PACKET SNIFFERS
  What they do: track activity over the network backbone and re-create data streams for investigation.
  Examples: EtherPeek from WildPackets, InfiniStream from Network Associates