In enterprises, the cost of computer forensics may be a limiting factor as to what can be investigated. "The supply of computer forensics experts is limited, so their time is expensive," says Chow. "It's standard practice to examine hard disks, which may hold a few hundred gigabytes, so it takes a long time to examine them. We have software tools but a lot of data needs to be examined and analysed. If there are thousands of e-mails, for example, it could take days to analyse them. You need to know exactly what you are looking for, and your search keys must be as focused as possible."
If we consider the three main drivers of computer forensics activity: incident investigation, intrusion documentation and e-discovery, it is obvious that the difficulty of these tasks has an inverse relationship to the quality of management of enterprise data. If network security is more thorough, there will be fewer security breaches to investigate. Likewise, if corporate data is stored for easy retrieval, e-discovery will require less forensics effort.
Better data management and retrieval is a profitable strategy. Unsurprisingly, compliance with regulations and legislation has raised the whole issue of how enterprises manage their data, and especially how they can guarantee to retrieve it on demand.
For many enterprises, the most relevant data for e-discovery is e-mail, and it's also the hardest to archive and retrieve well. Gartner does not recommend a standalone e-mail archiving solution, but "we do recognise that e-mail is the most voluminous and problematic content type for many enterprises," says Logan.
"Companies that are required to keep e-mail for regulatory reasons absolutely need archiving solutions," says Logan. "E-mail archiving can reduce e-mail volume, make search easier and generally aid the efficiency of searching for e-mail as part of the discovery process." Gartner recommends specific e-mail archiving vendors.
It's a sad reflection, but one driver for enterprise forensics is the increasing need to investigate employees as security risks. In 2007, employees past and present have taken over from hackers as the most likely source of an information security event, according to a worldwide study by CIO, CSO magazines and PricewaterhouseCoopers, entitled Global State of Information Security 2007 (Flaws in Asia's Maturing IT Security Approach, Ross O. Storey, CIO Asia, November 2007). In fact, Singapore respondents believe that external hackers constitute only 38 per cent of their security risk.
"Like it or not, the trend is for IT managers to monitor staff activities to find out how and when they use their computers," says Chew. "There is no privacy issue when employees are using company computers in company time. The same applies to students."