On Building a Corporate Computer Investigation Team

13 12 2011

by Christian Roylo


Large law enforcement agencies have incorporated computer investigation teams for decades; however, in the corporate world, businesses often rely on untrained IT staff or third-party service providers to carry out computer investigative tasks such as computer forensics, eDiscovery, and incident response.  With the increase in computer attacks and the compliance requirements mandated by regulations, there is a benefit for companies in building an in-house computer investigative team.

In this article, I would like to share some pointers for anyone who is in the process of building a corporate computer investigative team.  This is based on my past experiences as a former Federal Agent investigating computer crimes, running a computer investigations team for a large tier-one bank, and working for CERT consulting Federal Law Enforcement.  Although this article focuses on building teams for large, Fortune-100 sized companies, many of these principles can be applied to smaller companies as well.

Depending on the organizational structure of the corporation, a computer investigative team could have a very focused capability (computer forensics only) or could have a wide range of capabilities covering different information security, investigation, eDiscovery, and response disciplines.  For the purpose of this article, I am using the term “computer investigation team” in a general sense to cover any of these sub-disciplines.

To Succeed, You Need Power and Position

Your ability to influence people is critical for the success of your team.  As important as it is to influence people through building relationships and trust, you will oftentimes need to rely on your power and position. Business executives traditionally see computer investigations (and information security in general) as a burden and are likely to place it at a lower priority since it is not a revenue generator.  IT staff members will likely see your team as a nuisance.  Line managers may see your team as a hindrance to the productivity of their teams.

In order to be most effective, the leader of a computer investigation team should be positioned at around Director level in the organizational chart and should have strong support from someone at C-level.  At this level you will be in a better position to influence the money, manpower, and policy decisions made by executives, as well as to deal with non-executives such as IT staff and line managers.

The intention of this point is not to offend anyone by stating the obvious (“power and position equal influence”), but to highlight how critical this is, especially given the nature of the work you will be doing and how different it is from the traditional operational models of other business areas.  The work will be dynamic and responsive.  You will be asking for unplanned, last-minute deliverables that require immediate attention from people who may be unfamiliar with you and your team.  This is where “pulling rank” is most effective.

Make Quality Friends, and Do it Quickly

The Legal Counsel and Human Resources departments should be the easiest friends to make, and should become your “best friends for life”.  If you aren’t being used much by either department, then it’s time to start building a relationship with them.  Your team will need them both, and it is your task to make them realize how much they will need your team.

Your team will benefit because Legal Counsel will provide you with the internal authority to carry out many of your tasks, and will help ensure that you are not breaking any regulations or laws in the process of doing so.  This not only helps you carry out your mission, since it gives you muscle when dealing with non-compliant business teams, but it also removes from the investigative team the risk of making legal decisions that it may not be qualified to make.  (In other words: C.Y.A.)

It’s important to understand that Legal Counsel is likely paying a lot of money to third parties for services such as forensics and eDiscovery.  One study shows that the average $25 billion company spends an average of $10 million a year on eDiscovery services, and in some cases as much as $60 million a year, where most of the cost is for unnecessary “bad” eDiscovery services. [1]

These are services that your team should be able to provide to the company while showing a cost saving.  Furthermore, I have always argued that an internal team will work harder and better, as its members have a vested interest in the company, and will reduce the risk of “bad” services.  However, this brings up a very important rule: in order to gain the trust of Legal Counsel, your team must be honest, impartial, and not influenced by unethical motivations.

One thing to keep in mind is that Legal Counsel may already have established a close relationship with a third-party service provider and may be reluctant to switch to your team.  This is okay.  One strategy is to convince Legal Counsel that third-party services still have a place for certain tasks (those that require less investigative strategy and analysis and more resource-intensive work, such as large data collections or backup tape restores).

Human Resources will benefit from your team because you will be able to provide them with concrete evidence to use in misconduct investigations.  For example, instead of relying only on a staff member’s word that he saw a fellow office mate stealing company confidential data, recovering the actual emails in which the data was sent to a competitor will be stronger evidence for termination.  This evidence is also more likely to stand up in court if the staff member decides to sue for wrongful termination, or may convince the staff member that it is not even worth taking to court.

Another group you will have a regular relationship with is the IT department; however, prepare for a love/hate relationship with them.  You will need IT more than you may realize, and yet they will give you the most headaches.  Your team will never have the collective knowledge or capability that the IT department has.  You will have to rely on them for very crucial tasks such as data collection, deploying security applications, and perhaps even approval for large hardware or infrastructure purchases.

It is important to put the IT department into perspective.  They likely don’t view your team as beneficial to their job.  In fact, they will likely see your team as a hindrance.  The IT teams are probably understaffed and overworked, and your team’s requests to reallocate their resources in order to carry out data collections take them away from their own work.  Furthermore, in your team’s day-to-day investigations, IT system problems will likely be discovered.  When these problems are related to poor security or non-compliance, it does little to help senior management’s view of the IT department’s competency.

One strategy for building a good relationship with the IT department is letting senior management know how critical a part IT plays in the missions of the investigative and information security teams.  Letters of commendation and recommendations for awards can go a long way.  One can imagine how IT staff members perceive the security of their jobs when considering the trend of IT outsourcing and the current state of economic woes.

Follow High Standards by Incorporating Established Policies, Procedures, and Guidelines

While working in the private sector, I have had debates with colleagues from other information security teams who could not understand why our team followed such stringent chain-of-custody practices.  A few times, I have heard “This incident will never go to court”.  My counter-argument was “How do you know?”, which I followed up with “If it does not get to court, what about a civil or regulatory hearing, or an internal tribunal?”  I finally end with “It’s good practice to always do it the right way, in order to eliminate mistakes, regardless of whether it ends up in a court, hearing, or tribunal.”

In my career, I have seen my share of mistakes that could easily have been prevented if proper policies, procedures, and guidelines had been established.  A few of these I found while taking part in a criminal investigation where I reanalyzed data collected by a corporate incident response team.  I wonder if those incident responders thought the same way: “This will never go to court”.

I am a firm believer that being in the private sector should not be an excuse for poor practices.  Not only should you be prepared for the “what ifs” and worst-case scenarios, it also just makes sense to follow set policies, procedures, and guidelines for the sake of efficiency and organization.

Two industry-accepted guidelines, which are very good starting points, are the Scientific Working Group on Digital Evidence’s “Best Practices for Computer Forensics” [2] and the Association of Chief Police Officers’ “Good Practice Guide for Computer-Based Electronic Evidence” [3].

It is important to note that some guidelines may not be up to date with the fast-changing pace of computer crime trends.  For example, some do not cover dealing with encrypted hard drives or non-persistent artifacts stored in memory, and often recommend shutting computers down without first checking for the presence of encryption or taking a memory capture.  This could be detrimental to a forensic response on the computers of a highly skilled digital criminal, or to an investigation of a compromised system.

Have a Holistic Understanding of the Architecture and the Relevant Contacts

Another important task you and your team should be focused on is identifying all the different IT areas and domains and who the points of contact are.  It will save you grief if you do this before an incident or investigation, and not during one.

A large organization that has been through acquisitions, mergers, and divisions will likely have a large, complex hodgepodge of infrastructure managed by different and often segregated groups unaware of each other’s existence.  Couple this with overseas offices, legacy systems, and partial IT roll-outs and you have a potential nightmare for a computer investigative team.

In order to collect the data required to conduct an investigation, I routinely had to coordinate with three to four different groups, and sometimes as many as six or seven.  Separate groups were responsible for administering the different elements: web gateway infrastructure, domain and Active Directory, Exchange servers, legacy Lotus Notes backups, data leakage monitoring, antivirus alerts, full disk encryption, and data backup archives, not to mention separate groups for managing overseas networks and subsidiary divisions.

I kept a list of about 15 “regular go-to contacts” with whom I worked on establishing and maintaining a good working relationship.  I made sure these contacts understood our team’s mission and requirements, as well as the ramifications of failing to deliver.  Having this list saved me time and allowed our group to respond and collect data quickly, which resulted in getting mitigation and recommendation reports into the hands of executives quickly.  An unintended benefit of having good contacts was that I would regularly hear from one group about IT issues that another group was experiencing but did not want to share with our group.  Some of these issues would have affected the integrity of the data we collected had we not known about them.

At the end of the day, it’s about the bottom line.

One of the biggest hurdles I had to leap over after moving from federal law enforcement to the corporate world was that I no longer worked for the general public, but instead for the shareholders.  This meant that the expectations set for my team and me were different.

As the leader of a computer forensic investigations team, your main goal is not to “catch the bad guy” or to “see that justice is done” but to protect the financial interests of the company.  If you can show this, then you have succeeded.  However, I am not suggesting that one should lose one’s sense of moral obligation towards society as a whole; that is actually a good thing to have.  Your challenge will be finding a way to satisfy your moral obligations while contributing to your company’s bottom line.


[1] “Bad eDiscovery Costs 60 Million Per Year”, http://www.lawdable.com/2011/05/articles/e-discovery/bad-ediscovery-costs-60-million-per-year/

[2] “SWGDE Best Practices for Computer Forensics v 2.1”, http://www.swgde.org/documents/current-documents/2006-07-19 SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v2.1.pdf

[3] Association of Chief Police Officers, “Good Practice Guide for Computer-Based Electronic Evidence”, http://www.dataclinic.co.uk/ACPO%20Guide%20v3.0.pdf
