You can imagine the first indication: the phone call from the employee who misplaced their laptop or left a CD on an airplane, or the first discovery of a keystroke logger on a critical system. Those are the triggers that kick off a forensic investigation. It is an arcane art that involves freezing IT assets, recovering data, and extensive sleuth work.
I interviewed Dennis Portney with Security Forensics, Inc. yesterday for the IT-Harvest Threatcast. This inaugural podcast is the first time I have weaned myself from CNET’s recording studio in
Forensics is the back side of security. It is what you do when your security has failed. According to Dennis, 99% of the time that forensics experts have to be called in, it is because existing policies were not enforced. Downloading hacking tools, disk erasure, and the use of thumb drives to walk off with critical data are all things that can be protected against.
My take is that it would be extremely valuable for IT security practitioners to get up to speed on forensics, even walk through a dummy scenario. By doing this you can identify holes in your record keeping, policy enforcement, and emergency response methodologies. When there is a real breach you will be much better prepared for it.