Government Subpoena Sidelines PKI Project

A court order sentences our security manager to two weeks of hard labor creating forensic images of employee hard drives.

Now that my company's wireless LAN project is under control and ready for deployment, I thought I could start my research project on public-key infrastructure (PKI). That was before the feds dropped by this week with a subpoena. But more on that in a moment.

With regard to PKI, I have a feeling that once my company sees the costs involved, it will more than likely find some way of postponing or even killing the project. Until that decision is made, however, I'm pressing on with the feasibility study and will provide some pricing options to the executive staff. As part of the study, I plan to assemble a list of areas within the company that I feel could benefit from PKI.

The obvious areas include e-mail, disk and file encryption, and virtual private network (VPN) access. To further assist me in determining other areas that would benefit, I've scheduled meetings with representatives from different departments. I need to understand all the enterprise applications being used within the company and get a feel as to how receptive key managers and employees will be to a PKI implementation.

One of the traditional problems with PKI is that most people don't really understand the technology and how it could benefit them and their companies. Most of the time, each employee has his own idea or interpretation of what PKI is and what it can offer. By meeting with key individuals from each department, I can determine whether PKI might benefit each area.

For example, in talking with a representative from the professional services group, I learned that we have a Web-based professional services automation (PSA) tool, which is currently accessed via a VPN connection from employee laptops. There is some frustration within the team, as some of our company engagements are in government facilities that don't allow us to use our laptops. They do, however, let our consultants use the government computer systems to access the Internet (go figure). PKI would allow our employees to obtain a short-term certificate that they could use to access the PSA tool.

I've spent a considerable amount of time on wireless connectivity within the company. By using PKI, I can control wireless access by issuing certificates to those individuals who should be allowed access. The certificates can be stored in a Universal Serial Bus-type device that's small enough to fit on a key chain, or the certificates can be stored on the user's laptop. Once I get a handle on which departments and applications can benefit, I can formulate a request for information and submit it to a few PKI integrators. We hope to find one company that can handle all of our requirements. A PKI implementation will require a substantial amount of money, however, so at this point, I suspect that we will back off.

Full-Court Press

Just when I felt I was gaining some momentum on the PKI project, however, I got sidetracked. My boss called me to his office to inform me that a federal investigation is under way, and our company has been asked to provide information. We're not the subject of the inquiry, but several of our employees might have information or have entered into business transactions with the company under investigation. So we got slapped with a subpoena that says we must create and forward to investigators hard-drive images of PCs belonging to dozens of our employees. Two-thirds of them are located at our corporate headquarters; the others are at many of our other locations in the U.S.

Fortunately, our responsibility is to provide only the mirror images, not any analysis of those images. To conduct a forensic analysis of that magnitude would take weeks, if not months, to accomplish. And with my current workload, I definitely don't have the resources to do that.

Although a forensic investigation sounds cool, it's actually very boring work. Searching through dozens of DVD media for a specific file isn't my idea of fun. Therefore, I'm more than happy to outsource that work whenever possible. In this case, to save time and money, we decided to outsource imaging of all remote systems and handle only the local drive images in-house. We have had success in the past with one forensics firm, so we'll use it again.

For the in-house work, we'll use Pasadena, Calif.-based Guidance Software Inc.'s EnCase Forensic software. We'll save the results to DVD media and give that to our general counsel. Although we have EnCase, the decision to use this tool wasn't ours. Rather, the investigating agency has specifically requested that the image files be created using this tool.

I've already started work on the mirror images and figure it will take about two weeks to complete. Fortunately, I have to be present only to connect the suspect drives to one of my forensics-dedicated computer systems. Once the imaging process is under way, I can go back to work. One word of advice: If you have to image a laptop, don't forget to plug in the external power adapter, because there is no Resume function if an image-processing operation is interrupted. I learned that the hard way.

What Do You Think?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at, or join the discussion in our forum: QuickLink a1590
To find a complete archive of our Security Manager's Journals, go online to

Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon