Messaging News - October 2008 - (Page 28)

EMAIL FORENSICS

it. Contoural states that email often provides the most valuable insight into mindset surrounding actions and decisions. Further, litigators and regulators are well aware of the importance of email, often making it the first and most significant target of discovery efforts.

Email Forensics

Email is also the main platform for a variety of business-related crime, including proprietary information theft, data leakage, harassment, and intellectual property violations. Few organizations, however, employ their own forensic investigators. When it comes to training existing IT staff to handle email investigations, limited funding, personnel, and perceived need dictate whether or not they will attend forensics training.

With the wide availability of eDiscovery and email archiving solutions, organizations are better equipped to handle their internal investigations, but better equipped does not necessarily mean better prepared.

“Companies are definitely more aware of eDiscovery requirements because there’s been so much discussion, press, and large sanctions [imposed by the courts] for not doing it well. But awareness doesn’t necessarily translate to doing it better,” says Peter Garza, who worked on both the Enron and Arthur Andersen cases and is an independent expert forensics investigator and former special agent with the Naval Criminal Investigative Service (NCIS). “Companies still have practices like collecting the data themselves and having users decide what is relevant. That’s dangerous because early in the case, if you self-collect, the perception of a user may be different than the perception of a lawyer on what he needs collected.”

Mike Fowler, CISSP, EnCE, senior director of training, partner development for Guidance Software, adds that proper tools and training are extremely important, but that understanding the methodology behind forensic investigations is even more important. “I’d go toe to toe with anyone that thought they could purchase a bargain forensic toolkit and do a decent job of it. It’s just not comprehensive enough.”

Then again, he points out, what is enough? There are many determinants to deciding on appropriate investigative tools: How secure do you want to be? What exactly are you looking for? Do you need to monitor crucial business functions? Is leaked information a cause of concern? Are laptops properly investigated for signs of abuse when an employee has left or been terminated? These are questions Fowler believes beg consideration. “The threat to corporate security isn’t waiting around outside in the parking lot day after day,” he says. “Sometimes, yes. But more frequently it’s internal.”

Fowler adds that IT professionals present challenges and says that although they have years of knowledge dealing with computers and networked systems, frequently the methods of protecting evidence and utilizing best practices for gathering evidence have not been part of their training. “I have always said, Give me a [police] investigator and I can train him in the technical issues. Taking an IT professional and giving him the investigative mindset is not something that can be covered in a four- to five-day class.”

Garza says that the most common “gotcha” happens when organizations try to handle email forensics in house, which, he feels, is done to save money. “Normally, IT people are very technically savvy, but they’ll make different decisions than their inside house counsel or outside attorney will make in regards to how evidence is identified, preserved or collected. In house technical people just don’t have the training and experience,” says Garza. “But for very large corporations that are serial litigants, it makes sense to have internal resources because they’re in better control of their data. However, I think from time to time they still need somebody that doesn’t have a horse in the race to review procedures with them, validate what they’re doing, and how they’re making decisions on preserving data or interpreting the data.”

I Spy With My Little Eye

Fowler contends that it is important for organizations to understand what email forensics is and is not capable of doing. “Computer forensics do not follow you home in your car. Enterprise forensics is installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The Sys Admin does not monitor all systems on the entire network all day long. It isn’t really possible and it would