In Depth

Investigations: Merge Ahead

In the enterprise setting, there's no such thing as a digital investigation. Or a physical one. Searching for clues and resolutions requires a blend of disciplines governed by a flexible forensic mind-set.

By Malcolm Wheatley

And in this dual "blended" world, says William Pelgrin, director of the New York state office of cyber security and critical infrastructure coordination, one thing is clear: The era of the blended investigation is not without its advantages. For in reality, he points out, infosec investigators have long had to bear in mind that there might be a physical dimension to the investigation at hand—and likewise physical investigators. "Trying to look at things one-dimensionally tended to introduce artificial constraints," he argues. "It was always a smart move to ask if there was a physical component to a cyberattack, and vice versa. Yes, there are pure cyber incidents, and there are purely physical incidents—but it's wrong to assume that's what they are without exploring the possibility that they might not be. You have to look at things from different angles to get the complete picture."

And the importance of this recognition, he stresses, isn't just that more bad guys get caught. Instead, it's that with the need to be multidimensional out in the open, investigations can appropriately "tool up" from the start.

"In today's world of investigations, you can't do—or be—everything, so you bring in the skills and competencies that you need, as and when you need them," explains Pelgrin.

But which precise skills and competencies? The first few minutes of an investigation are when it's most critical to get things right, and it's here that appropriate training is often required, says David Brown, managing consultant for security advisory services at Skokie, Ill.-based consultants Forsythe Solutions Group.

"The first few minutes of the initial reaction tend to set the stage for the rest of the investigation, and it's during those first few minutes that it's vital that the physical guys understand the requirements of the IT team, and vice versa," he emphasizes. "There's a balance to be drawn between incident mitigation and preservation of evidence—and that balance often depends on the organization in question—but each team needs to know which actions will help the other team, and which will hinder them."

On a related point, understanding each other's preferred modus operandi is also useful, adds Adrian Davis, a London-based senior research consultant at the Information Security Forum, a not-for-profit international association of some 300 leading international organizations. "Physical security people tend to approach investigations in a particular way, and that might seem strange to IT people," warns Davis. "It's important they understand each other's approaches, so that they reinforce, rather than conflict [with], the other party's investigative work."
