Disk forensics can be seen as a small subsection of computer forensic capabilities, which allows the analysis of all parts of a disk for gathering digital evidence to help in investigating an incident. Sandeep Godbole, the senior manager of information security for Syntel, explains that disk forensics provides the ability to gather digital evidence (from storage devices and disks) that can be presented in a court of law. These can be hard disks, CD-ROMs or external hard disks. Syntel serves many sensitive industries, including BFSI and healthcare. Hence information security assumes the utmost priority for the company.
The main reason behind acquiring disk forensic capabilities was to develop a scientific approach for investigating security incidents. "We have tried to be more proactive in developing disk forensic capabilities so as to build additional confidence among customers. They will be aware that the company is geared with the requisite tools for investigation in case of a security incident," says Godbole. Although Syntel could have opted for disk forensic capabilities as a service, it didn't want to depend on external parties, primarily for reasons of flexibility and privacy.
Syntel's process of acquiring the competence began around the end of 2008, when the company started looking for a disk forensics solution. The main criteria were accuracy in collecting credible evidence, a simple user interface, availability of a macro tool to help with log monitoring, and the ability to take a hash value of images. After evaluating some free as well as proprietary solutions, Syntel decided to go in for Guidance Software's EnCase application. This tool also helps to recover deleted content from the disk in the event of fraud or a security incident.
A disk stores a lot of data that users are not actually aware of. For instance, a disk will have the file system, boot information and other temporary storage, which will not be apparent on the application layer. Disk forensics helps the IT team to analyze all sectors of the disk for investigating an incident.
The content is recovered by a process called imaging, which creates an exact duplicate of the original evidential media. This is usually done at the sector level, making a bit-stream copy (rather than duplicating the file system) of every part of the user-accessible areas of the hard drive that can physically store data. A hardware write-block device is also used to prevent tampering with or damage to a drive's contents; this device sits between the computer and the hard drive so that the drive can be read but never written.
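The following script is an added illustration of the imaging workflow described above, not code from the article or from EnCase: it bit-stream copies a disk sector by sector, hashes the source stream and the finished image so the two can be compared (the "hash value of images" criterion), and then shows that a remnant in an unallocated sector, which no file system listing would reveal, survives in the image. The sample disk is constructed in a temporary file, and opening the source read-only stands in for the hardware write-blocker.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # most legacy hard drives expose 512-byte sectors


def build_sample_disk(path: str) -> bytes:
    """Write a small constructed disk (assumption: fake sample data, 8 sectors).

    Sector 0 mimics a boot sector, sector 1 holds a 'live' file and sector 5
    holds a remnant of a deleted file that the file system no longer lists.
    """
    sectors = [bytearray(SECTOR_SIZE) for _ in range(8)]
    boot = b"BOOTSECT"
    sectors[0][:len(boot)] = boot
    sectors[0][510:512] = b"\x55\xaa"  # classic boot-sector signature
    live = b"live-file: quarterly.xls"
    sectors[1][:len(live)] = live
    deleted = b"DELETED: invoice-evidence.txt"  # unallocated, invisible at the application layer
    sectors[5][:len(deleted)] = deleted
    data = b"".join(bytes(s) for s in sectors)
    with open(path, "wb") as f:
        f.write(data)
    return data


def image_disk(source: str, image: str, sector_size: int = SECTOR_SIZE) -> dict:
    """Bit-stream copy every sector of `source` into `image` and verify by hash.

    The source is opened read-only (software stand-in for a write-blocker).
    Hashes are taken over the bytes as they are read from the source and again
    over the written image; the image is only trusted when both agree.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    img_hash = hashlib.sha256()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            img_hash.update(chunk)
    return {
        "bytes": total,
        "sectors": total // sector_size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def find_marker(image: str, marker: bytes, sector_size: int = SECTOR_SIZE) -> int:
    """Return the index of the first sector containing `marker`, or -1.

    This scans raw sectors, so it finds content that the file system no
    longer references (deleted files, slack, unallocated space).
    """
    with open(image, "rb") as f:
        for index, chunk in enumerate(iter(lambda: f.read(sector_size), b"")):
            if marker in chunk:
                return index
    return -1


def demo() -> dict:
    """Build the sample disk, image it, verify it, and locate the deleted remnant."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.raw")
        image = os.path.join(tmp, "evidence.dd")
        data = build_sample_disk(source)
        report = image_disk(source, image)
        report["expected_sha256"] = hashlib.sha256(data).hexdigest()
        report["deleted_sector"] = find_marker(image, b"DELETED:")
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real acquisition the source would be the block device behind a hardware write-blocker and the hashes (typically MD5 and SHA-256 together) would be recorded with the image as part of the chain-of-custody record; the verification step is what lets the image stand in for the original drive during analysis.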
Godbole has trained five of his team members in the use of the disk forensics tool. The core skills required to operate such tools include knowledge of the OS, file system and registry. The person must have a thorough understanding of disk geometry, that is, knowledge of the different sectors of the disk. According to Godbole, the only challenge they faced in deploying the disk forensic tool was that the solution was ahead of its time. Not many organizations have developed such abilities.
After developing its disk forensic capabilities, Syntel's security team feels more confident and capable of investigating security and fraud incidents. Use of disk forensics has also helped Syntel develop new skillsets among employees, as well as increase customer confidence.