
InfraGard eyes cyber crime and the forensic debate

By Louis Chunovic, Senior Editor

Published April 21st, 2008


Last week, a group of high-powered corporate lawyers, security geeks and FBI agents met to ponder how to secure sensitive corporate data. It was part of an ongoing series of conferences mounted by InfraGard, the national collaboration between the FBI and the private sector. Presentations examined protection of intellectual property, the use of forensics in determining and controlling network intrusions and data theft, and an overview of emerging issues in e-discovery.

Cyber forensics is the technique of examining how an event occurred; like detectives, computer forensic experts search for cyber fingerprints to reconstruct how an intrusion may have taken place, and how much data could have been altered or stolen.

Dry stuff, on the surface. But the once-sedate meeting was enlivened when a clever lawyer began asking thorny questions that revealed the weaknesses of both proprietary rights, often a key issue in data theft cases, and criminal prosecutions in the cyber world. The issue came to a head during a presentation on intellectual property investigations by Michael McGowan, director of digital forensics for the corporate investigators Stroz Friedberg, LLC, of Washington, New York and Minneapolis.

The lawyer, who declined to be quoted by name, asked McGowan how the results of a forensic investigation could be introduced as evidence in court.

McGowan and his associate, Eoghan Casey (director of training at Stroz), suggested that the main purpose of forensic investigations was to point out the probable cause of a data breach, not to serve as unimpeachable evidence in court. Thus the strength of forensics to reconstruct an event is offset by its seeming lack of exactness. A forensic investigation might point to the probable chain of events behind a data breach, without naming an exact culprit or a specific volume of information altered or stolen.

"Well," the lawyer asked, "at what point could I use forensics to take legal action?"

Casey suggested four levels of conclusions, based on a forensic investigation: very unlikely, somewhat likely, probable, and very probable. In a cyber data breach investigation, if a particular corporate employee is found to be "very probably" the cause of the breach, he or she would face dismissal.

"But that is not going to court," the lawyer observed.

"Forensics isn’t evidentiary," replied Casey. "It is about probable cause."

Casey pointed out that computer forensics is most helpful in reconstructing a cyber crime (forensics experts in this field can often spot a digital "trail" left by hackers), to determine whether the scale of a data breach mandates informing government authorities or the general public.

It can also help programmers develop firewalls and other protections to prevent future breaches.

"It is a game of digital cat and mouse," said Casey. "The growth of malware is amazing; customized attacks take advantage of customized defenses."

And no court, he might have added, has successfully stopped that.

