What Is the Connection between Computer Security and Forensics?

Computer security and forensics are connected because they can complement each other. A network whose security procedures and protocols are designed with the awareness that information could be tampered with, stolen or otherwise compromised can follow guidelines that help a computer forensics investigator retrieve reliable information that could be used for legal prosecution of the intruder. In the same way, a computer forensics investigator who has a working knowledge of computer security will be better able to assess a system that is using defensive programs in an attempt to block access or hide information. Both computer security and forensics involve protecting data, access logs, hardware and other elements of a computer system or network and, when used in tandem and built on common concepts, they can help create a system that is difficult to hack into and nearly impossible to manipulate invisibly.

Certain aspects of computer security can be used in digital forensics. Suspect computer systems that are used by inexperienced or only moderately experienced users could be employing simple, standard protective software that is built into the operating system or that is commercially available. A familiarity with these systems and how they work can reduce the amount of time it takes to gain access to a system and also help to narrow the areas of a search for information on a hard drive or other device. Knowledge of how network security systems such as firewalls and proxy servers operate can enable an investigator to draw out information, such as browsing habits or failed network connections, that otherwise might have taken much longer to find.

Similarly, there are techniques used in digital forensics that can help to protect data inside a computer system or network while also laying a foundation that could assist an investigator attempting to find evidence to prosecute an intruder. Administrators can save disk images of employees' hard drives instead of simply backing up information. Local hard drives can be eliminated completely, forcing computers to access a central networked drive that can be tightly controlled and made tamper-resistant, providing a clean forensic environment. Extensive log files could be kept, detailing the actions of users during the course of a day. Another tactic that could be employed is to take physical backups of the data in the system and keep them in a verified and secure storage location so the times and dates of information can be validated if a legal proceeding is needed.
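One way to make stored disk images and backups verifiable later is to record each one's digest and timestamp in a hash-chained manifest, so that any later change to an entry is detectable. The sketch below is an added example, not taken from the original article; the function names, manifest fields and sample image names are assumptions, and the image contents are constructed stand-ins.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value used by the first manifest entry

def entry_digest(entry):
    """SHA-256 over the entry's fields (excluding its own hash) as canonical JSON."""
    body = {k: entry[k] for k in ("name", "sha256", "recorded_at", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(manifest, name, data, recorded_at):
    """Record the digest of a backup or disk image and chain it to the previous entry."""
    entry = {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "recorded_at": recorded_at,
        "prev": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    manifest.append(entry)
    return entry

def first_broken_entry(manifest):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(manifest):
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1

def image_matches(manifest, name, data):
    """True if `data` hashes to a digest recorded under `name`."""
    digest = hashlib.sha256(data).hexdigest()
    return any(e["name"] == name and e["sha256"] == digest for e in manifest)

def demo():
    # Constructed sample data standing in for real disk images.
    manifest = []
    append_entry(manifest, "ws-01.img", b"image bytes A", "2024-01-10T02:00:00Z")
    append_entry(manifest, "ws-02.img", b"image bytes B", "2024-01-10T02:05:00Z")
    append_entry(manifest, "ws-01.img", b"image bytes C", "2024-01-11T02:00:00Z")
    intact = first_broken_entry(manifest)
    manifest[1]["recorded_at"] = "2024-01-09T02:05:00Z"  # simulated backdating
    return intact, first_broken_entry(manifest)

if __name__ == "__main__":
    print(demo())
```

The chain only proves integrity if the most recent `entry_hash` is also kept somewhere the manifest's writer cannot alter, which is the role of the verified and secure storage location described above.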

The most important connection between computer security and forensics is that, ultimately, both fields share some common goals. Both seek to secure a system in a way that preserves data, prevents and tracks unauthorized access and hidden files or actions, and stops future illegal activities on the computer system. The two fields are slowly moving closer to one another, as evidenced by the appearance of computer security and forensics training courses that combine the two disciplines.