Forensics In-House or Out-Sourced?

Wednesday, October 1st, 2008

I often get asked the following questions:

“How important is it for organizations today to have some level of computer forensics capabilities to conduct digital investigations in house?  Is it better to leave it to the professionals and just call them in the event of an incident?  Are companies (aside from the very large corporations which might have their own in-house computer forensics lab) training IT staff to perform computer forensics related tasks such as electronic discovery?”

In my experience, it depends on the volume of incidents you expect to investigate each year.  You need to have a significant number of them to justify bringing the skills and infrastructure in house.  Some considerations are:

  • Whether your staff can absorb a couple of week-long investigations themselves, dropping everything else they are doing
  • The cost to train staff, and to keep their skills current during the stretches when no incidents are occurring
  • The cost of travel to remote sites versus using a local third party
  • The cost of specialized equipment (write blockers, imaging hardware, analysis workstations) without which investigations are slower and harder to defend
  • The benefits of using an established third party who is experienced in testifying and has strong law enforcement and other industry relationships

Many large financial institutions deal with fraud cases almost daily, so having this capability in house makes sense for them.  As a former forensic service provider (could you tell?), we talked about offering free first responder training to our customers to ensure the first few hours of an incident are handled correctly, so that our investigation isn't compromised before it starts, and to minimize the false positives that get escalated to us.

These days I don't think it is essential to have fully trained forensic staff in every case, but I do think it is critical to have incident responders who have undergone some level of digital forensics training.  Your incident handlers and coordinators need to be aware of the logistics of an investigation and should be conscious of how their decisions (whether a suspect host is powered off, re-imaged, or preserved for imaging, for example) could affect future investigative steps.

My current employer out-sources our forensic services to a third-party provider who has a team of experts around the world and around the clock.  There is no way we could effectively scale to this service level ourselves.  However, I still play an important role as an incident coordinator in vetting incidents before the outside team is called in.  It would be easy to exhaust our retainer on little incidents, so we really have to be diligent about running down the everyday issues ourselves.  Having a formal approach to qualifying incidents against an established set of risk criteria is essential to making this relationship work.
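One way to make that qualification step concrete, as an added example that is not from the original post: a small Python rubric that scores an incident against fixed risk criteria, treats legal or HR exposure as an automatic escalation (that is where the third party's testimony experience earns its keep), and refuses to book hours the retainer cannot cover. The criteria, weights, threshold, retainer size and sample incidents are all assumptions constructed for illustration, not anyone's actual policy.

```python
"""Qualify incidents against fixed risk criteria before spending retainer hours.

Added example; the criteria, weights and numbers are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    ident: str
    confirmed: bool             # confirmed compromise rather than a suspicion
    regulated_data: bool        # cardholder, health or other regulated data in scope
    legal_or_hr_exposure: bool  # litigation, law-enforcement referral or HR action likely
    business_critical: bool     # a revenue- or safety-critical system is involved
    hosts_affected: int
    estimated_hours: int        # hours the external team would bill against the retainer


# Assumed weights and threshold; tune these to your own risk appetite.
WEIGHTS = {
    "confirmed": 3,
    "regulated_data": 4,
    "business_critical": 2,
}
ESCALATE_AT = 6


def risk_score(inc: Incident) -> int:
    """Sum the weights of the criteria the incident meets, plus a scope bonus."""
    score = sum(w for name, w in WEIGHTS.items() if getattr(inc, name))
    if inc.hosts_affected >= 10:
        score += 3
    elif inc.hosts_affected >= 3:
        score += 1
    return score


@dataclass
class Retainer:
    hours_total: int
    hours_used: int = 0
    decisions: list = field(default_factory=list)  # (ident, score, decision) audit trail

    def hours_left(self) -> int:
        return self.hours_total - self.hours_used


def qualify(inc: Incident, retainer: Retainer) -> str:
    """Return 'in-house', 'escalate' or 'escalate-overage' and record the decision."""
    score = risk_score(inc)
    if not (inc.legal_or_hr_exposure or score >= ESCALATE_AT):
        decision = "in-house"
    elif inc.estimated_hours <= retainer.hours_left():
        decision = "escalate"
        retainer.hours_used += inc.estimated_hours
    else:
        # Serious enough to escalate, but the retainer cannot absorb it: flag it
        # for a separately funded engagement rather than draining the retainer
        # on a job it cannot finish.
        decision = "escalate-overage"
    retainer.decisions.append((inc.ident, score, decision))
    return decision


# Constructed sample incidents for one quarter against an assumed 100-hour retainer.
SAMPLE = [
    Incident("INC-1", confirmed=False, regulated_data=False, legal_or_hr_exposure=False,
             business_critical=False, hosts_affected=1, estimated_hours=8),    # unconfirmed phishing click
    Incident("INC-2", confirmed=True, regulated_data=True, legal_or_hr_exposure=False,
             business_critical=True, hosts_affected=4, estimated_hours=40),    # malware on a payment segment
    Incident("INC-3", confirmed=True, regulated_data=True, legal_or_hr_exposure=True,
             business_critical=False, hosts_affected=12, estimated_hours=80),  # insider theft, litigation likely
]


def run_sample(hours_total: int = 100) -> Retainer:
    """Qualify every sample incident in order and return the retainer with its audit trail."""
    retainer = Retainer(hours_total)
    for inc in SAMPLE:
        qualify(inc, retainer)
    return retainer


if __name__ == "__main__":
    r = run_sample()
    for ident, score, decision in r.decisions:
        print(f"{ident}: score={score} -> {decision}")
    print(f"retainer hours used: {r.hours_used}/{r.hours_total}")
```

With the assumed numbers, the phishing click stays in house, the payment-segment malware is escalated and books 40 of the 100 hours, and the insider case is flagged as an overage because its 80 estimated hours exceed the 60 remaining, even though its score and legal exposure clearly warrant outside help. The point of the audit trail is that every call to the third party can later be justified against the same written criteria.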

I found the following resources to be interesting commentary on this topic:

http://all.net/journal/newsletter/2008-02.pdf
http://www.cio.co.uk/concern/security/features/index.cfm?articleid=625&pn=1