At a conference held recently in Mumbai, Andy Miller, Business Support Manager, Asia Pacific, spoke about the importance of being prepared for security breaches, and the ways in which enterprises can respond when a security compromise does occur.
"Computer evidence is fragile and can be easily modified, but there are very good forensics programs which make the process of collecting evidence easier. It is important to document the steps taken throughout the investigation, no matter how minuscule the action may seem," said Miller.
Computer forensics is the process of extracting information from computer storage media in a way that preserves its accuracy and reliability, and that can later demonstrate both to a court or an auditor. It involves deductive reasoning, investigative skills, and common sense.
Forensic software can make a bit-stream (sector-by-sector) copy of the suspect drive, which captures slack and unallocated space that an ordinary file copy would miss, and compute a hash of both the suspect hard drive and the backup so that the two can be shown to match, which helps prove the evidence has not been altered. It can also record the system date and time, search the image for keywords that point to suspect data, and examine free (unallocated) and slack space for the remnants of deleted files. Examples of forensic tools are Guidance Software's Encase Professional, Sydex Corporation's Safeback, tape drives, and CD-ROM burners.
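The following is an added example, not code from the article or from any of the tools it names, showing the workflow the paragraph describes on a constructed drive image: a bit-stream copy, hashes of the original and the copy compared to prove the image is faithful, a timestamped log of every step, and a keyword search that reports whether each hit lies in allocated space, in a file's slack, or in unallocated space. The sector size, the "allocation table", and the drive contents are all hypothetical stand-ins for what a real file system and a real acquisition tool would provide; SHA-256 is used where period tools typically used MD5.

```python
import hashlib
import io
import re
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector in the constructed image (assumption)

# Hypothetical allocation table standing in for real file system metadata:
# (file name, first sector, sectors in its cluster, logical size in bytes).
ALLOCATIONS = [("notes.txt", 1, 2, 600)]


def build_suspect_drive() -> bytes:
    """Constructed sample drive: 8 sectors, one live file, and leftovers
    in that file's slack space and in unallocated sectors (all made up)."""
    drive = bytearray(SECTOR * 8)
    drive[0:16] = b"TOYFS-IMAGE-V1\x00\x00"               # sector 0: system area
    live = (b"meeting notes for q3 review\n" * 30)[:600]  # allocated, 600 bytes
    drive[SECTOR:SECTOR + 600] = live
    drive[1152:1152 + 24] = b"old password: tulip-1234"   # slack of notes.txt
    drive[2000:2000 + 41] = b"memo: payment to falcon account on friday"  # unallocated
    return bytes(drive)


def acquire_image(drive: bytes, block: int = SECTOR) -> bytes:
    """Bit-stream copy: every sector is read, so slack and unallocated
    space come along; a file-level copy would capture only notes.txt."""
    src, dst = io.BytesIO(drive), io.BytesIO()
    while chunk := src.read(block):
        dst.write(chunk)
    return dst.getvalue()


def hashes(data: bytes) -> dict:
    """Digest used to show the image matches the original bit for bit."""
    return {"sha256": hashlib.sha256(data).hexdigest()}


class CustodyLog:
    """Timestamped record of every step, however small."""
    def __init__(self):
        self.entries = []

    def record(self, action: str, detail: str) -> None:
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": action, "detail": detail})


def regions(image_len: int, allocations=ALLOCATIONS):
    """Slack ranges (from each file's logical end to its cluster end) and
    unallocated sector ranges, derived from the allocation table."""
    slack, used = [], set()
    for name, start, nsect, size in allocations:
        lo, hi = start * SECTOR, (start + nsect) * SECTOR
        slack.append((name, lo + size, hi))
        used.update(range(start, start + nsect))
    unalloc = [(s * SECTOR, (s + 1) * SECTOR)
               for s in range(1, image_len // SECTOR) if s not in used]
    return slack, unalloc


def keyword_search(image: bytes, keywords, allocations=ALLOCATIONS):
    """Find each keyword anywhere in the image and say which kind of
    space the hit lies in: allocated, a file's slack, or unallocated."""
    slack, unalloc = regions(len(image), allocations)

    def classify(off: int) -> str:
        for name, lo, hi in slack:
            if lo <= off < hi:
                return f"slack of {name}"
        for lo, hi in unalloc:
            if lo <= off < hi:
                return "unallocated"
        return "allocated"

    return [(m.start(), kw, classify(m.start()))
            for kw in keywords
            for m in re.finditer(re.escape(kw.encode()), image)]


def investigate(drive: bytes, keywords) -> dict:
    """Image, hash, verify, search, and log every step as it happens."""
    log = CustodyLog()
    log.record("clock", "examiner workstation time recorded in UTC")
    src_hash = hashes(drive)
    log.record("hash suspect drive", src_hash["sha256"])
    image = acquire_image(drive)
    log.record("bit-stream image", f"{len(image)} bytes acquired")
    img_hash = hashes(image)
    log.record("hash image", img_hash["sha256"])
    verified = src_hash == img_hash
    log.record("verify", "image matches drive" if verified else "MISMATCH")
    hits = keyword_search(image, keywords)
    for off, kw, where in hits:
        log.record("keyword hit", f"{kw!r} at offset {off} ({where})")
    return {"verified": verified, "sha256": img_hash["sha256"],
            "hits": hits, "log": log.entries}
```

Running `investigate(build_suspect_drive(), ["password", "falcon"])` returns a verified image and two hits that no file listing would show: the password string in the slack of notes.txt and the memo in unallocated space, each entry in the returned log carrying the time it was made. Hashing the drive before imaging, and again after, is what lets the examiner show that nothing changed between the two.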
Intrusion detection systems complement forensic tools: they detect attacks as they occur, raise alerts, collect reports from sensors spread across a distributed environment, and analyze that information centrally. Examples are Enterasys Dragon, ISS RealSecure, and Cisco Secure IDS (Netranger).
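As an added example (not code from the article or from any product it names), the block below shows the two layers the paragraph mentions: signature matching that each sensor can do on its own, and central analysis that only becomes possible once reports from several sensors are collected in one place. The report format, the sensor names, the addresses and the signatures are all constructed for the example; a real IDS console would receive its events from the sensors rather than from a list.

```python
import re
from collections import defaultdict

# Constructed reports from two sensors in a hypothetical key=value format,
# as a central console might collect them from separate network segments.
SENSOR_REPORTS = [
    "sensor=dmz-ids ts=1000 src=203.0.113.7 dst=192.0.2.10 dport=80 req=GET /index.html",
    "sensor=dmz-ids ts=1001 src=203.0.113.7 dst=192.0.2.10 dport=80 req=GET /cgi-bin/../../../../etc/passwd",
    "sensor=dmz-ids ts=1002 src=203.0.113.7 dst=192.0.2.11 dport=22 req=-",
    "sensor=lan-ids ts=1003 src=203.0.113.7 dst=10.1.1.20 dport=22 req=-",
    "sensor=lan-ids ts=1004 src=203.0.113.7 dst=10.1.1.21 dport=22 req=-",
    "sensor=lan-ids ts=1005 src=198.51.100.4 dst=10.1.1.20 dport=80 req=GET /about.html",
]

# Signatures a sensor applies on its own to each event's request field.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("unix password file access", re.compile(r"/etc/passwd")),
]

FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one report into a field dict; the last field may contain spaces."""
    return dict(FIELD.findall(line))


def signature_alerts(event: dict) -> list:
    """Per-event alerts: (signature, sensor, source, matched request)."""
    req = event.get("req", "")
    return [(name, event["sensor"], event["src"], req)
            for name, pat in SIGNATURES if pat.search(req)]


def correlate_scans(events: list, min_targets: int = 3, window: int = 60) -> list:
    """Central analysis across sensors: one source contacting at least
    min_targets distinct hosts within window seconds of its first event.
    Each sensor alone sees too few targets to raise this alert."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((int(e["ts"]), e["dst"], e["sensor"]))
    alerts = []
    for src, seen in by_src.items():
        seen.sort()
        first = seen[0][0]
        targets = {dst for ts, dst, _ in seen if ts - first <= window}
        if len(targets) >= min_targets:
            sensors = sorted({s for _, _, s in seen})
            alerts.append(("horizontal scan", src, sorted(targets), sensors))
    return alerts


def analyze(lines: list) -> dict:
    """What the central console does with everything the sensors report."""
    events = [parse_event(line) for line in lines]
    return {"signature": [a for e in events for a in signature_alerts(e)],
            "correlated": correlate_scans(events)}
```

On the sample reports, `analyze(SENSOR_REPORTS)` yields two signature alerts from the DMZ sensor for the traversal request, and one correlated alert that names both sensors: the same source touched four hosts across the two segments, while each sensor by itself saw only two and would have stayed silent. That is the case for collecting reports centrally rather than reading each sensor's alerts in isolation.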