Historic Justification for Forensics
Forensics is not a new science, nor is it a new discipline within the information security continuum. Though it is not new, we are experiencing an exciting and long overdue renaissance of this science. Forensics as a science has its roots in Rome (like so many amazing things, including the author of this blog). The word forensic derives from the Latin adjective forensis, which means "of or before the forum". The forum was a small rectangular open space surrounded by government buildings in the heart of the city of Rome. In Rome, if a person or the state brought charges against another for criminal or civil violations, each party was required to prepare its case and present it before a group of peers (Roman citizens) assembled in the forum. The plaintiff and defendant would provide statements and plead their respective cases, and the party with the most compelling (complete) argument and delivery would win the case. Today we see the word forensic associated with a legal form of evidence (and evidence handling) and as a taxonomy for public presentation. It was crucial in building a case in Rome and remains crucial in building cases, civil or criminal, today. We in the information security space promote its application in order to establish root cause when conducting incident response and to gain greater degrees of visibility. Often this occurs only after an event of interest has taken place; however, many information security professionals (myself included) advocate a much more aggressive, bold application of the theory, techniques and technologies which comprise this discipline.
A New Era in Application and Use
Back in June of 2000 the fine folks at Raytheon, Inc. formed a subsidiary organization called SilentRunner (Raytheon's SilentRunner). SilentRunner was a first of its kind network discovery and analysis tool which provided those who leveraged it a voluminous amount of intelligence about the organizations in which it was deployed. It focused on identifying security risks and network vulnerabilities while alerting management to the potential loss of data. After the launch of SilentRunner, several comparable technologies emerged over the years, brought to market by organizations such as Niksun, Solera Networks, NetWitness and, ironically, AccessData, who, after establishing an extremely strong reputation in host based forensic analysis alongside competitors at Guidance Software, purchased SilentRunner from Computer Associates and revitalized the brand, giving AccessData a compelling host and network based forensic solution. Fast forward to 2011 and today we have a plethora of options at our disposal, some more sophisticated than others, but all of which strive to narrow the gaps between host and network based visibility. The hope and promise presented by these solutions is that through their implementation an enterprise can and will gain a greater degree of insight into its environment and the actions which take place within it, regardless of whether those actions are known, unknown, authorized or unauthorized. The bottom line is that a robust tapestry is woven which unequivocally depicts the activity associated with a given enterprise environment, thus producing a corpus of forensically sound data which can be used in pursuing internal or external investigations. Every enterprise, regardless of size, business sector or vertical, should take the time to evaluate (if it has not done so already) one if not all of these solutions for fit and completeness.
This is imperative, as the volume of data which warrants scrutiny is increasing at an exponential clip while the use and presence of unique protocols and transmission techniques is not. Too often enterprises ignore surges in HTTP web traffic at their own peril, due to a lack of understanding, knowledge or visibility. Were it a formalized element in all security programs, the ROI/ROSI of forensics could easily be demonstrated. Though results may vary along with the needs and desires voiced by the potential buyer, the net effect should be the same:
· A highly calibrated, inclusive depiction of the enterprise in question which provides actionable detail and thus enables operations staff and decision makers alike to make time sensitive decisions
For more information on the subject of network forensics and visibility, check out the following sites:
· Incident Response and Forensics Expert Harlan Carvey's blog
· TaoSecurity, Richard Bejtlich's blog
· Network Forensics, NetWitness's blog
