Computer Forensics <div align="justify">As cybercrime increases, so does the use of digital evidence in courts worldwide. Illena Armstrong looks at the challenges of securing that evidence.
During a five-day stretch in December, government leaders from the Group of Eight industrialized nations met to discuss ironing out any perceived wrinkles in a draft treaty aimed at catching cybercriminals. Created by the Council of Europe’s 43 member nations, the treaty would help police agencies in participating countries investigate and prosecute attackers carrying out their crimes across national borders.
To be sure, the tentatively named Draft Convention on Cybercrime has received its share of criticisms, with concerns ranging from invasion of privacy issues to infringing on companies’ abilities to test their own security systems. Even with these outcries, officials from investigative bodies all over the world maintain that the prevalence of Internet crime demands a global counterattack. In order to fight online miscreants infiltrating networks hither and yon, better coordinated investigations and agreed upon minimum standards must come to pass among the countries where these criminals leave trails of evidence.
“The ease of perpetrating a cybercrime, the relative anonymity afforded the offender, and the difficulty in pursuing and tracking down the offender, all contribute to the rise in the frequency of these types of crimes,” say Dave Schultz and Jeff Lendino, both associate legal counsels for Ontrack Data International, Inc. “In addition, the borderless aspect of this type of crime necessarily involves dealing with jurisdictional issues, often international, and can make enforcement or pursuit problematic.”
The proposed cybercrime treaty is currently being reviewed by experts within the Council of Europe, who are expected to finalize the document by mid-year. After this, the full committee of ministers must approve it, subsequently passing it along to G8 nations and Council of Europe member countries for their final signatures.
With many hurdles to overcome, the treaty may very well be adopted some time this year in such countries as the U.S., Canada, South Africa, Japan or various European nations. With or without it, however, organizations of all sizes are trying desperately to contend with the Internet attacks that prompted such a document’s drafting in the first place. Not only are they wondering how they can stop themselves from becoming cybercrime victims, but they are also wrestling with questions of what they need to do after they’ve been hit.
It Will Happen to You
Numerous companies may be battening down their hatches with this or that security tool, yet more than a few still experience payloads from viruses, breaches from script kiddies and data theft from internal employees. On the face of it, a cybercrime treaty that eases the investigative processes for police agencies around the world may be a move in the right direction, but for countless victims, just understanding what action they can take to determine how an assault on their networks happened at all is of more urgent concern.
Once the crime occurs, analyzing the evidence, closing any holes that have been opened and perhaps even moving forward with civil or criminal litigation is a complex process – one that demands more than just a once-over by an IT administrator. Calling in the big guns to help with a computer forensics investigation is crucial given that “organizations seldom have the technical capabilities to do technical investigations,” says Dave Morrow, leader of incident response and forensics for Fiderus.
When it comes to computer crime there are no happily-ever-after scenarios. Once a company opens its network to the Internet, it is exposed to everyone on it. Security breaches are the cause of $1.6 trillion in damage worldwide, says Morrow. And no one can forget statistics from the CSI/FBI 2000 study, which showed that 70 percent of companies reported breaches.
With these facts in mind, it’s smarter to hope for the best, but plan for the worst, adds Morrow. Organizations should expect to be victims.
“One of the members of the New Scotland Yard Computer Crime Unit recently observed that every technological advance which offers businesses the opportunity to make money also offers criminals the chance to take it off them. I think he’s right,” says Richard Overill, senior lecturer with the department of computer science at King’s College in London and a member of the Information Assurance Advisory Council (IAAC) in the U.K. “All the computer crime surveys from the U.K. and U.S. suggest that although most medium [and] large organizations are now doing something (firewalls, intrusion detection, public key infrastructures, information security management policies, etc.), most do not have defense in depth and most have not got their personnel management sorted out with regard to infosecurity.”
Quite frequently, company executives will not see the need for deploying security mechanisms and implementing sound policies and incident response plans until they have already become victims. Of course this is a huge problem, especially since most criminals are quick to take advantage of vulnerabilities left open by the absence of proper security measures and procedures, says Nigel Jones of the Kent County Constabulary Computer Crime Unit in England and secretary of the Association of Chief Police Officers (ACPO) Computer Crime Working Group.
“The great rush to be first with e-everything means that security is often seen as an add-on extra luxury that cannot be afforded in the race. It should be said though that this is nothing new. You only have to go back to the introduction of the motorcar – the criminals used it first and the police were always playing catch-up. It is no different now,” he says.
Slowly, the corporate world is beginning to comprehend that computers are just another medium for criminals to put to use for their own ends, says Julie Lucas, director of information assurance with GlobalNetwork Technology Services (GNTS). “According to the 1999 CSI/FBI survey, the average bank robbery yields $2,500, where the average computer crime nets $500,000,” she explains. “Computers and the Internet are making targets much more accessible today than ever before, with lower risks associated.”
Given the financial losses and negative reactions from customers and investors that could result from an internal or external breach, organizations need to be doing more in the way of awareness and prevention, say many experts. Corporate policies should cover computer security and incident response/disaster recovery plans.
“One of the most significant security problems is a company’s policies, procedures and enforcement mechanism,” says Larry Kanter, partner in PricewaterhouseCoopers financial advisory services practice (FAS) and leader of the FAS e-business initiative. “Many companies have spent millions of dollars on sophisticated physical security for their facilities and millions more on firewalls and other technical solutions while paying only scant attention to policies, procedures and enforcement.”
For instance, privacy issues are bamboozling corporations that also want to protect against the all-too-likely internal thefts of trade secrets, he says. Monitoring employees too intensely may lead to poor relations and bad press, some managers reason.
Still, these privacy issues can be overcome if the company makes it clear that information shared via corporate email and the data stored on equipment in the office are the property of the employer, says John Patzakis, general counsel for Guidance Software, Inc. These policies are reinforced by employees signing statements acknowledging their understanding of the rules.
“Most importantly, this serves as a deterrent to employees, if they know they’ll get caught,” he adds.
End-user policies such as these and awareness training can be half the battle, agrees GNTS’ Lucas. “The policies need to be supported and enforced by management in order to be fully effective. End-user training to address policies can greatly reinforce the written guidance,” she says. “Having end-user agreements signed by employees can also prove very valuable in enforcement of internal policies when they are violated. … If you spend the money up front, you can repel an attack or respond to it quicker.”
Nobody Panic
Plans prevent panic. If a company’s network is hit with a distributed denial-of-service attack at 3 a.m., collection, preservation and analysis of evidence, in addition to quick remediation efforts, can happen immediately if employees know what they have to do.
“Very often companies put in place fairly sophisticated security measures, but what they assume is that [these] are all that are needed,” says the ACPO’s Jones. “Many companies fail to have a response procedure in place when something goes wrong, leading to loss of confidence in their business when an attack becomes public knowledge. An adequate incident response policy and procedures are absolutely essential for any organization.”
Just as they should have a policy defining the appropriate use of computer equipment or appropriate disposal of magnetic media, organizations should have a plan to react to cybercrime situations, says David Horvath, vice president of CTX Corporation in Maryland.
“Remember, the first to discover a problem is likely to be your company’s lowest paid system administrator on the night shift. If this person cannot get guidance – preferably prior guidance – he or she might decide to call the police or worse, the media,” he says. “The plan should include who to call, who not to call, what to do with the machines, priorities – [for example,] is keeping the data center up a higher priority than preserving evidence? You decide as much as possible what the trade-offs are, based on your understanding of your vulnerabilities or consultation with experts in the field.”
Fiderus’ Morrow reminds his clients to “remember the six ‘Ps’: Proper prior planning prevents poor performance.” A few key items, like a notification list and procedures highlighting what should be done to a network when a problem occurs, should make it into any incident response plan, he further explains.
Ontrack’s Schultz and Lendino say that the employee policy on overall computer security, which may include the company’s position on misuse of systems and prohibited activities, is only strengthened by a response plan for IT. In developing an incident response roadmap, they suggest that companies plan:
How to secure or preserve evidence, whether making an image copy or locking up the original until the computer forensic specialists arrive.
How or where to search for evidence, be it on the local drive, back-up system, home computers or laptops.
A list of topics to consider when preparing a thorough report.
A list of outside agencies and resources to consult or report to given a particular situation (for instance, if child pornography is discovered on workplace computers, contact information for a company’s internal legal staff would come in handy).
A recommended list of software to be used internally for investigations.
A recommended list of experts with whom to consult.
Since evidence from an incident cannot be regained if lost, Morrow maintains that seeking professional assistance from computer forensics specialists is best. While it may seem a natural response to call in IT staff to react to an incident, they are often not trained in evidence handling and can inadvertently cause additional problems for specialists who are later called in. IT employees trying to help with an investigation can actually change evidence and, therefore, its integrity and its validity in court proceedings, adds Peter Yapp, manager of consulting for Vogon’s IS security and investigation department.
Training, say Ontrack’s Schultz and Lendino, is priority one. “Whether it involves basic training, [such as] the types of situations that could befall the company or a detailed response plan, members of the corporate staff need to have a working knowledge of these issues so they can respond appropriately.”
Above and beyond training IT staff to know when an incident requires calling in professional cavalry, implementing awareness programs for end-users, and establishing detailed security and response plans, corporations should also ensure that their incident response strategy addresses more than just the technical aspects of computer evidence recovery. Properly handling all aspects of an incident includes the involvement of the public relations department, corporate attorneys, human resources (if employees are involved), upper management and the IT department, says Morrow.
“An incident in this economy is a business problem,” he warns. “We have to change our mindset on incident response.”
Hot on the Trail
Plans are in place. Staff educated. Security tools properly configured and managed. Problems seem non-existent. Then comes the hit.
While most industry players agree that it is paramount companies call in the investigators to really delve into the evidence, staff will still need to take care of some initial tasks, says John Tan, research scientist with @Stake. As soon as the incident is discovered, staff should begin documenting the chain of custody: note who handled which item, what they did to it, and when. This takes the form of a simple log that helps in maintaining the integrity of the evidence.
They may also have to decide whether to leave the particular piece of equipment running or unplug it from the network. Either choice costs something: powering a machine down discards volatile state such as running processes, open network connections and memory contents, while leaving it running lets an intruder or a scheduled job keep altering the disk. If the system under attack is not critical, it may be best simply to freeze it, disconnected from the network, until help arrives; the trade-off should be settled in the response plan beforehand rather than on the night.
When the victim corporation and its staff have done their part in initially responding to the cyberattack, the time comes for the computer forensic investigators to flex their muscles. In order to amass and correlate the evidence properly, these specialists must know all about the do’s and don’ts of computer investigations, says Guidance’s Bill Tulloss, director of sales and marketing.
“Preservation of the evidence is the first key rule,” he states. In failing to follow this pillar of computer forensics, the entire investigation and knowledge of how the attack was initiated may be lost for good.
“The issues that require the most attention from a corporate perspective are ensuring that their investigations deal appropriately with security, and collecting evidence in a manner that will yield admissible evidence at trial,” Ontrack’s Schultz and Lendino say. “For example, it is not unusual to hear that an investigator, upon being asked to investigate a cybercrime, immediately boots up the suspect computer and begins poking around for evidence. This simple act can destroy potentially key files, alter date and time stamps, access histories and perhaps have a detrimental effect on the overall investigation if timing is an issue. We have seen investigations that have been compromised precisely for this reason. Education topics for internal staff should include, at a minimum:
Making a forensically-sound image of the computers at issue, so that the original can be preserved as best evidence.
Doing all the forensic analysis from a copy.
Maintaining a chain of custody on the computer/media at issue with detailed notes as to processes employed.”
Vogon’s Yapp says law enforcement agencies in the U.K. follow principles set forth in the ACPO’s Good Practice Guide for Computer-based Evidence. These include:
No action taken by law enforcement should change evidence to be relied upon in court.
In exceptional circumstances when investigators must access data on a device, they must be competent and give relevant reasons why they had to take this step.
An audit trail of all processes should be created and preserved.
The ACPO’s Jones explains that these and other commonsense procedures were set out in the guide when it was found that 43 police agencies in England and Wales were using a wide range of steps to sift through computer evidence.
“There has been significant interest in the guide from a number of countries and at the last count it had been circulated to over 50 different jurisdictions,” he says. “These international principles have since been taken forward to the G8 countries’ hi-tech subgroups … As a result, they have been recommended for adoption by the G8 countries, with a further recommendation for outreach to non-G8 countries.”
Ontrack’s Schultz and Lendino say that law enforcement bodies in many parts of the world are becoming better educated on conducting these investigations and are using many off-the-shelf investigative tools, or retaining private computer forensic investigators to make sure the clues they collect remain pristine.
Who to Call
When thinking of turning to computer forensic specialists, companies may find it difficult to differentiate accurate claims from plain noise. With mounting computer crime incidents taking place every day, scores of companies claiming to specialize in computer forensics investigations are popping up.
“There now is a discernable computer forensics profession, whereas a few years ago it didn’t exist,” says Ken Withers, research associate with the Federal Judicial Center in New England. “Now there is a coherent body of professionals that can be identified. That said, this is still somewhat of an amorphous body in that there is no certification or specialized accreditation. This means this is still a situation of ‘buyers beware.’”
He warns that corporations must do their research before contracting with a computer forensic specialist based solely on empty promises and not-so-accurate claims. Review the company web site, take a hard look at resumes, note their qualifications and get recommendations from other people who have used the company in the past.
In What Lawyers and Managers Should Know About Computer Forensics, Veritect, Inc., a Veridian company based in Virginia, notes several attributes that potential clients should look for in a computer forensics examiner, including:
Prior experience in computer forensics examinations.
Specialized training in computer operating systems.
Specialized training in evidence handling and investigation techniques, including information recovery tools.
Documentation of processes used in forensic examinations.
A laboratory stocked with tools for evidence recovery.
Personal integrity: investigators must withstand scrutiny on both technical ability and personal integrity.
Tell It to the Judge
Another suggestion Veritect makes is to hire an investigator who has experience testifying as an expert witness. Specialists with this experience and other expertise previously noted will start and complete investigations with a civil or criminal trial in mind, the document states.
Plodding through a difficult computer-based investigation this way is important since many officials working in court systems everywhere still require a lot more education about computer forensic evidence.
“Training for corporate, legal and law enforcement regarding the advances made in the field is necessary, as is the need for more advanced software tools to aid in the more rapid detection and investigation of these incidents,” maintain Schultz and Lendino.
“Educating the judiciary is crucial in these types of cases. Collecting and preserving the evidence is essential and proper education is what makes or breaks these cases. Lawyers should defer to the experts to help build their case, as well as help them educate all parties involved.”
Although training courses are being offered by a number of computer forensic software providers, such as Vogon and Guidance Software, and a host of professional organizations, more educational courses will need to become available, says Withers of the Federal Judicial Center.
For now, most countries are in the early stages of viewing this kind of evidence in the courtroom. And even as many companies are making moves to engage in civil and criminal prosecution more frequently, such instances are not happening as often as many in the industry would hope. Because fear of bad publicity wins out in many cases, companies don’t often opt to seek out retribution in a courtroom.
While much of a successful prosecution lies in the knowledge of those hearing the evidence, a greater part is affected by the reliability of the evidence.
“The real challenges and developments arise in the area of network and especially Internet crime, where logs and audit trails on many computers in many locations in many time zones have to be correlated in order to perform the kind of trace that will result in forensic evidence with the qualities that would enable it to withstand sustained hostile cross-examination in a court of law,” explains the IAAC’s Overill.
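The correlation Overill describes is mostly clock arithmetic done carefully. The following is an added example, not code from the article or from any of the firms it quotes: it takes constructed log lines from two hosts (a web server whose access log records its own UTC offset, and a file server whose syslog lines carry neither year nor zone), converts each timestamp to UTC using the host's time zone and its measured clock error, and emits one ordered timeline. The hostnames, addresses, log contents, the assumed zone table and the assumed 30-second clock skew are all invented for illustration.

```python
"""Correlate log lines from several hosts into one UTC timeline.

Added example, not from the article: before events on different machines can
be placed in order, every timestamp has to be converted to one reference
clock, which means knowing each host's time zone and its clock error at the
time of acquisition.  Hosts, addresses, log lines, zones and skews below are
constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines.  The web server's access log carries its own UTC
# offset; the syslog lines carry neither a year nor a zone.
APACHE_LINES = [
    '203.0.113.9 - - [10/Dec/2000:23:58:41 -0800] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.0" 200 512',
    '203.0.113.9 - - [11/Dec/2000:00:01:05 -0800] "POST /cgi-bin/upload.cgi HTTP/1.0" 200 77',
]
SYSLOG_LINES = [
    "Dec 11 03:00:12 fileserver sshd[4411]: Accepted password for www from 10.0.0.5 port 41022",
    "Dec 11 02:59:30 fileserver kernel: device eth0 entered promiscuous mode",
]

# Assumed facts recorded at acquisition time (asset inventory plus a comparison
# of each host's clock against a reference clock):
HOST_ZONE = {"fileserver": timezone(timedelta(hours=-5))}  # logs in US Eastern (no DST in Dec)
HOST_SKEW = {"webserver": timedelta(0),                   # webserver clock was accurate
             "fileserver": timedelta(seconds=30)}         # fileserver clock ran 30 s slow
SYSLOG_YEAR = 2000                                        # syslog omits the year; from the case file

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$")


def parse_apache(line, host="webserver"):
    """Access-log line -> (utc_time, host, event).  The offset is in the line."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError("unrecognised access-log line: " + line)
    local = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    utc = local.astimezone(timezone.utc) + HOST_SKEW[host]   # correct measured clock error
    return utc, host, m.group("ip") + " " + m.group("req")


def parse_syslog(line, year=SYSLOG_YEAR):
    """Syslog line -> (utc_time, host, event).  Zone and year come from the case record."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: " + line)
    host = m.group("host")
    naive = datetime.strptime(f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
                              "%Y %b %d %H:%M:%S")
    utc = naive.replace(tzinfo=HOST_ZONE[host]).astimezone(timezone.utc) + HOST_SKEW[host]
    return utc, host, m.group("msg")


def build_timeline(apache_lines=APACHE_LINES, syslog_lines=SYSLOG_LINES):
    """Return (utc_time, host, event) tuples from all sources, oldest first."""
    events = [parse_apache(l) for l in apache_lines] + [parse_syslog(l) for l in syslog_lines]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for when, host, event in build_timeline():
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), host.ljust(10), event)
```

Read in local time the file-server entries appear to happen hours after the web requests; in UTC the sequence is web probe, interface put into promiscuous mode, password login from the web server's address, then the upload. Without the recorded zone and skew for each host that ordering cannot be defended under cross-examination, which is why both are written down when the logs are seized.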
Before the Council of Europe’s cybercrime treaty was ever brought to the fore, informal investigative arrangements among friendly nations were in play. More than this type of cooperation is needed, though, say many experts.
“We need to continue the campaign to ensure that forensic standards are compatible across borders. It is no good me asking a country to provide computer-based evidence if the procedures they use are unacceptable to my court, and vice versa,” says the ACPO’s Jones. “The global nature of this type of criminality requires a response from law enforcement that cuts across international borders while ensuring that sovereignty of countries is respected.”
Alongside these strides to increase cooperation among nations, private industry is trying to educate itself about information security. Awareness of security, privacy and investigative issues is on the rise, but so is computer crime.
“We are in the early stages of a great technical leap to a global communication network which will touch all aspects of human interaction, including criminal interaction,” says CTX’s Horvath. “Safeguards against technology crimes must continue to evolve on a pace with new technology, for the criminal element will continue to use superior knowledge to take advantage of the naive.”
Desperately Seeking Savvy Investigators
by Dave Schultz and Jeff Lendino
When organizations need the help of professionals thoroughly practiced in the computer forensics discipline to properly recover, analyze and preserve evidence, they have a couple of options from which to choose.
Conducting the investigation internally and turning over the results to an outside expert.
This is usually done by making copies of the drives/media at issue using commercially available software.
The caveat regarding the above option is that, if corporate security will be asked to conduct these investigations as a routine part of their duties, the corporation must keep in mind that this individual will be asked to report and testify on a regular basis. With frequent testimony by an insider, opposing counsel at trial will almost certainly raise questions regarding loyalty to the corporation and the thoroughness of a ‘non-neutral’ investigation.
Also, investigators must know their technological limitations. For example, an investigator may not be fluent in working with back-up tapes, or only with certain versions of them.
Asking the outside expert to conduct the entire investigation.
This is probably the best option considering all the specialized knowledge required, as well as the need to provide credible, non-biased testimony regarding the manner in which the investigation was conducted.
Dave Schultz and Jeff Lendino are associate legal counsels with Ontrack Data International, Inc., an international provider of data availability software and service solutions.
Don’t Break the Chain
by Illena Armstrong
Chief among the principles followed by computer forensic investigators is the chain of custody. The accepted blueprint in this field holds that evidence keeps its integrity only when others, whether officials in a courtroom or executives in a company, can establish who did what to the evidence, and when.
Fiderus’ Dave Morrow says the protocol adhered to while analyzing the evidence keeps it safe at the same time. In addition to maintaining a strict chain of custody, investigators should never mishandle evidence, never work on the original evidence, never trust the subject’s operating system (its tools and clock may have been tampered with, so the media should be examined from a trusted boot environment or behind a write blocker) and document everything. Additionally, storage of the evidence should be secured and access to it restricted. Following these basic industry practices should not be difficult for certified examiners, he adds.
Still other basics cannot be neglected, adds Chris Wysopal, director of research and development for @Stake. In delicate incident response situations, specialists should also:
Freeze and image the hard drive before anything else is done, remembering that freezing a system is best done when its workings are not critical to business needs.
Get the intruders out of the network or close the holes so they cannot breach the system through the same vulnerability in the future. Working out how they got in is done by collecting and correlating system, web and other log files.
Determine how bad the breach really is and decide what information should be divulged to the public. This is where legal counsel from an experienced and knowledgeable person can help.
He further explains that often when companies decide to involve law enforcement they believe they will not need their own privately contracted investigators. This is a mistake, he warns. It is important that even in these situations companies have their own image of the compromised hard drive in case they wish to pursue civil litigation or recover losses from insurance providers.
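The three rules that recur above, in Schultz and Lendino’s training list (image the media, analyze only the copy, keep a chain of custody with detailed notes) and in Morrow’s and Wysopal’s lists here (never work on the original, document everything, freeze and image before anything else), come down to a short, repeatable procedure. What follows is an added example, not code from the article or from any vendor it names. It images a source block by block, hashes the source as it is read and the finished image independently, refuses to proceed if the two hashes differ, performs its one piece of analysis on the copy, and records every step in a hash-chained custody log so that a later edit to the log is detectable. The “suspect disk” is an ordinary file of constructed bytes with a planted marker string; the examiner name, exhibit number, locations and the `run_case` driver are invented for the illustration. On a real case the source would be a write-blocked drive and the hashes would also go on the evidence bag and in the examiner’s handwritten notes.

```python
"""Acquire a forensic image, verify it, and keep a chain-of-custody record.

Added example, not from the article or any vendor named in it.  The source
"disk" is a file of constructed bytes; in practice it would be a device node
read through a hardware write blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB blocks so multi-GB images fit in memory


def sha256_file(path):
    """Hash a file from disk in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy source to image_path, hashing the source as it is read.  The image
    is then re-read from disk and hashed separately, so a silent write error
    shows up as a mismatch.  Returns (source_hash, image_hash)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), sha256_file(image_path)


class CustodyLog:
    """Append-only record of who did what to an exhibit, and when.  Each entry
    carries the hash of the previous one, so an edited or removed entry breaks
    the chain when verify() is run."""

    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, handler, action, **details):
        entry = {
            "exhibit": self.exhibit_id,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "details": details,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def find_marker(image_path, needle):
    """Analysis is done on the copy only: locate a byte string in the image."""
    with open(image_path, "rb") as f:
        return f.read().find(needle)


def run_case(workdir=None):
    """Hypothetical driver: seize, image, verify, analyse, seal."""
    workdir = workdir or tempfile.mkdtemp(prefix="case-")
    source = os.path.join(workdir, "suspect_disk.raw")
    image = os.path.join(workdir, "EXH-001.dd")

    # Constructed 2 MiB "disk": deterministic pseudo-random bytes with a
    # marker planted at offset 4096 so the analysis step has something to find.
    disk = bytearray(b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(65536)))
    marker = b"ATTACKER-TOOLKIT"
    disk[4096:4096 + len(marker)] = marker
    with open(source, "wb") as f:
        f.write(disk)

    log = CustodyLog("EXH-001")
    log.record("J. Examiner", "seized", location="server room, rack 3", received_from="night-shift sysadmin")
    src_hash, img_hash = acquire_image(source, image)
    log.record("J. Examiner", "imaged", source_sha256=src_hash, image_sha256=img_hash)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; do not analyse it")
    log.record("J. Examiner", "verified", image_sha256=sha256_file(image))  # re-hash before analysis
    offset = find_marker(image, marker)
    log.record("J. Examiner", "analysed", finding=f"marker at offset {offset}")
    log.record("J. Examiner", "sealed", storage="evidence safe A; original returned untouched")
    return {"source_sha256": src_hash, "image_sha256": img_hash, "marker_offset": offset, "log": log}


if __name__ == "__main__":
    result = run_case()
    print("image verified:", result["source_sha256"] == result["image_sha256"])
    for e in result["log"].entries:
        print(e["time_utc"], e["handler"], e["action"], e["details"])
```

The image hash is recomputed from disk before analysis begins rather than trusted from the acquisition step, and every later examination should start the same way; if the figure ever differs from the one in the log, the copy is no longer evidence of anything. The chained entry hashes do not replace signed paper notes, but they make it easy to show that the electronic log presented in court is the one written at the time.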
Guarding the Core
Corporate security policies are almost always wanting. Yet there are still a slew of other areas with regard to policies, procedures and enforcement that organizations continually neglect.
“All large organizations should have person[s] who are responsible for data protection in a completely different way than exists today,” says Larry Kanter, partner in PricewaterhouseCoopers’ Financial Advisory Services (FAS) practice and leader of the FAS e-business initiative. “For example, leaving aside the computer crime issue, as key employees resign their positions, companies should prepare an image copy of that person’s hard drive and preserve whatever useful information there is on the computer. Prior to the wide use of computers, if a key employee resigned, someone in the organization would go through that person’s paper files. In many cases there was valuable work that could be passed on to the departing employee’s successor.”
He maintains that more often than not, when a resigning employee hands over their laptop or PC, the IT department simply wipes it clean and hands it over to another employee.
Other experts contend that having computer forensic tools on hand, after proper training, can also be helpful for prevention efforts. An imaged hard drive of a departing employee who may have been sharing proprietary information with a competitor before leaving can be critical to civil litigation efforts.
Professor Jesper Johansson of Boston University’s School of Management advises that companies should also undertake a few more simple steps to guard their data:
Deal with hard drives that contain sensitive data in decommissioned computers by either wiping them clean or destroying them altogether.
Don’t lose sight of employees’ desktop modems – these are regularly used to gain access to company networks.
Don’t be satisfied with a firewall and controlled-access ports. Just as hackers routinely test the strength of a corporate security system, so should the company itself.
Test new software patches, ensuring that all vulnerable systems are updated with them as soon as they are proven stable.
Along with these precautions, netForensic’s Ben Campbell, vice president of business development, and Kevin Hanrahan, chief technology officer, suggest that active monitoring and auditing of systems aids in controlling incidents of computer crime.
“The analogy of corporate networks to candy – hard on the outside, soft and chewy on the inside – remains accurate for many, although [this is] changing slowly in the larger companies,” says Hanrahan. “The steps that are being taken, such as internal firewalls between departmental segments and both network and host-based intrusion detection systems on critical LANs and servers, [are] often ineffective due to the failure of these companies to adequately monitor these systems and determine if suspicious activity is taking place.”
Predicting Days to Come
Together with a rising wave of computer crime, issues and concerns related to privacy will only become more important in coming months, says Fiderus’ Dave Morrow, leader of incident response and computer forensics. Along with this, he foresees that:
There will be an increasing use of the Internet to commit everyday crimes.
New forms of cybercrime will continue to occur.
Identity theft and fraud will increase.
Cyberextortion will become a mainstay.
Manipulation of corporate data to meet various ends will become more sophisticated.
Acts of ‘hactivism’ will rise.
The security industry in general, and the computer forensics and incident response arenas specifically, will have to begin dealing with new technologies, such as wireless. The wireless world will bring new challenges to computer forensic investigations.
More legislation and standards related to computer forensics, comparable to other forms of criminal investigation, will come into force.
Information security insurance will become more widely available.
With all this, however, the problem of keeping up with technology and the criminals will maintain a steadfast position in the world of computer security. He adds, “It’ll always be a catch-up ball game.”
Testing the Tools
This month, private computer investigators and professionals from law enforcement agencies around the globe will arrive in Myrtle Beach, South Carolina, to discuss advances in computer forensics. During the Training Company’s Techno-Security Conference, a number of these experts will gather for the Forensic Roundtable being sponsored by SC Magazine.
James Holley from Fiderus, Lee Tydlaska from Computer Conversions, Lee Curtis of Kroll, Mitre’s Bruce Simmons, the FBI’s Mary Horvath and Ken Haynes from the Fairfax County Police Department will come together to compile a list of requirements that investigators need in computer forensic tools. From this Roundtable, participants hope to come away with a refined list of requirements and a standard methodology for testing these tools against the needs cited from those in the field. Keys to impending product tests will be to ensure that they are platform-independent and that they can be replicated.
Armed with this information, products from a host of tool vendors in the field will be tested and rated. Results will be shared at the Regional Computer Forensics Group Conference in August. But before they go public there, SC Magazine will exclusively publish findings from the product tests on SC Online.
Sure to be a valuable guide to help computer forensic specialists and the corporate world alike find the most valuable investigative tools around, the outcome of these tests will be a source to refer to again and again. Stay tuned! </div>