8/6/2019 Comp Forensics 1/12

What Lawyers and Managers Should Know About Computer Forensics

Computer Forensics / June 2001
Copyright 2001 Veritect, Inc. All rights reserved.
10790 Parkridge Blvd / Suite 300 / Reston / VA 20191
Toll Free 866-VERITECT (866-837-4832)
[email protected] / www.veritect.com
Computer Forensics

Sometimes surprises are ugly. Frank Smith, an information security manager, stumbled on a large encrypted file on his company's network server. It didn't belong there. He suspected it came from an employee who was either running a business out of company computers or storing proprietary information for illicit purposes. Frank identified the employee, a senior manager in the marketing department, but he could not detect what the manager was doing.

The file was too difficult to decrypt, and if there was nothing serious in it, confronting the employee could be awkward. On the other hand, if the file concealed proprietary data, the company would need to act. Frank called in-house counsel. The senior manager's boss reported to the counsel that his employee was involved in high-level operations, including launching a product that could make or break a division. Alarmed, the counsel called a forensic examiner. The company needed to know what the manager was hiding without giving him a chance to destroy evidence.

The examiner advised the company to conduct a forensics examination of the manager's laptop hard drive. Frank scheduled routine maintenance on the laptop to avoid raising the manager's suspicions, then let the examiner covertly make an exact copy of the hard drive. The examiner retrieved and recorded hundreds of active and deleted files on the mirror copy of the hard drive, using the Federal Rules of Evidence (FRE) as a guide. He uncovered deleted e-mails from a competitor which contained terms of a job offer and discussions of the product. Among fragments of other deleted e-mails, he pieced together confidential specifications and code related to the new product. The examiner also found sections of the company's proprietary customer list.

With enough evidence to sue, the corporation confronted the manager, who had just announced his intention to depart. The firm subsequently gained a settlement barring the competitor from using the stolen information and the senior manager from working for the competitor for five years.

This, in brief, is what computer forensics is about. Forensics investigators examine computer hardware and software, using legal procedures to obtain evidence that proves or disproves allegations. It is not complex science, but gathering viable evidence is difficult, and getting results quickly requires trained specialists who know computers, the rules of evidence gathering and how to work with law enforcement authorities.
When to Use Forensics

There are compelling reasons for using computer forensics, but before lawyers and managers do, they should know what forensics is and when and how to employ it. Risk management and self-defense are leading reasons for using computer forensics. Any organization that does not have a way to detect and stop malicious behavior may be victimized with no legal recourse. Computer forensics safeguards legal options. Preserving evidence according to the Federal Rules of Evidence gives a company or individual choices that otherwise would not exist. When an intruder attacks or steals from an organization or individual, the ability or threat to get law enforcement involved may be the only way to stop the intrusion or recover assets. Gathering computer evidence is also useful for confirming or dispelling concerns about whether an illegal incident has occurred, and for documenting computer and network vulnerabilities after an incident.

Computer forensics examiners should be called in when a threat to a company's business and reputation is serious. Today, threats almost always involve a computer or network because they contain a company's proprietary information and business processes. Like Willie Sutton, the bank robber who went to the bank because that's where the money is, those who wish to damage or steal from a business go to computers and networks because that's where strategic assets are located. Computers store client/customer lists, proprietary technology and processes, confidential financial data, personnel records and medical data, contracts and agreements, payroll records, accounting data and much more. A simple and virtually undetectable fraud that posts a few odd cents to a phony account can reap a perpetrator thousands of dollars out of the millions that flow through accounts payable. A malicious change to an individual's personnel records could cost that person a job and a career. Divulging a company's financial records could damage it on Wall Street, in the marketplace and before shareholders. Corporate spies might steal trade secrets. Posting libelous information on the Internet about a company or individual can so damage a reputation that business cannot continue. Employees of a company might be stealing from it by working for themselves and using company resources. Or they can be using work time to surf inappropriate or prohibited web sites or play games.

Companies employ computer forensics when there is serious risk resulting from compromised information, a potential loss of competitive capability, a threat of lawsuits or potential damage to reputation and brand. Some companies regularly use forensic investigations to check employee computers, with the idea that employees who know they are being watched are less tempted to stray. For example, one corporation randomly selects a percentage of employee computers each month and conducts forensics examinations of their hard drives. Investigations have turned up pornography, private businesses, unauthorized use of proprietary data and other infractions.
When Not to Use Forensics

When the cost of a forensic investigation exceeds the potential gain, there is little reason to use it. However, that is a judgment call. Managers and lawyers can and have used forensics for purposes beyond serious threats. Some companies use legal evidence gathering to drive home points with employees and external intruders, even though the cost of the investigation often exceeds the recovery. Usually, a warning is enough to stop an inappropriate action, such as excessive net-surfing, so that a full-scale investigation is not needed. Computer forensics also may not be needed when computers had only a minor role in an incident or threat, but this role may not always be clear. The relationship between the computer and an event under inquiry is critical, and until a forensics examination has been done, one cannot always know whether a computer was a significant part of an event or not.
Legal Evidence

A computer forensics examiner starts and completes assignments with a court trial in mind. This means an examiner should always gather and preserve evidence according to the Federal Rules of Evidence. The examiner has three basic tasks: finding, preserving and preparing evidence.

Preserving computer evidence comes first, even before evidence is found, because data can be destroyed so easily. The 1s and 0s that make up data can be hidden in numerous places and vanish instantly with the push of a button. As a result, forensics examiners assume every computer has been rigged to destroy evidence, and they proceed with the utmost care in handling computers and storage media.

Finding and isolating evidence which proves or disproves an allegation is just as difficult as preserving it, because with computers there can be too much evidence. Investigators can plow through thousands of active files and fragments of deleted files to find just one that makes a case. Computer forensics has been described as looking for one needle in a mountain of needles.

Preparing evidence requires patient thoroughness and documentation of everything one does so that it can withstand strong judicial scrutiny. This is where lesser-trained specialists can and have failed. For example, a hacking incident at a Web music store was thrown out of court because the examiners who prepared the case failed to follow rules of evidence that properly document where evidence comes from and that it has not been altered.
Illustration 1: What to look for in a computer forensics examiner

- Prior experience in computer forensics examinations.
- Specialized training in computer operating systems.
- Specialized training in evidence handling and investigation techniques, including information recovery tools.
- Documentation of processes used in forensic examinations.
- Personal integrity: investigators must withstand scrutiny on both technical ability and personal integrity.
- Investigative ability: investigators need logical thinking, the ability to uncover and understand cause and effect, and an open mind.
- Demonstrated knowledge of the Federal Rules of Evidence.
- Experience testifying as an expert witness.
- A laboratory stocked with tools for evidence recovery.
- Quick reaction time to handle incidents before evidence is destroyed and to report evidence before perpetrators disappear. This also is a compelling reason to keep an examiner on retainer.
What You Should Know

Lawyers and managers involved in events where computer forensics might come into play should follow a simple rule their mothers taught them when they were little and entering a store: Don't touch anything.

Preserving computer evidence requires pre-incident planning and training of employees in incident discovery procedures. System administrators sometimes think they are helping a forensics examiner when they are actually destroying evidence. There should be minimal disturbance of the computer, peripherals and area surrounding the machine. If a computer is turned on, leave it on, and if turned off, leave it off. Moreover, NEVER run programs on a computer in question. For example, running Windows to examine files destroys evidence in the swap file. Finally, NEVER let a suspect help open or turn on a machine.
Sometimes, forensics examiners will interview a suspect in a friendly way about the procedures for turning a machine on and off, all the while taking close notes. Instead of following the suspect's directions, the investigators will crash the computer by pulling out the power cord, in order to avoid any traps set by the suspect and to preserve all evidence. The notes may then reveal the traps and can be used later in a case against the suspect. At other times, examiners will perform an orderly shutdown of a machine and lock its original media so it cannot be changed. On the other hand, if a machine uses a Unix operating system, crashing it will destroy evidence, so examiners will investigate it in place, as they find it.

Among the tasks that lawyers and managers should expect a computer forensics examiner to perform are:

- Documenting all equipment and software under investigation, including hard disk drives by make and model, the operating system and version, the file catalog and any actions the examiner takes to remove and examine equipment and software.
- Gathering and documenting additional data sources such as backup tapes, firewall logs and intrusion detection logs.
- Securing any items that may be evidence, such as notepads, papers, books, photos and other materials in a suspect's office.
- Starting and building a chain of custody that proves both physical and electronic evidence has been preserved in its original state. This requires logging each individual and/or organization that handles evidence, where and when it was handled, and maintaining records of custody, including shipping numbers.
- Identifying the system's relationship to the event and developing, then refining, an approach to finding evidence.
- Finding and documenting evidence.
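The exact-copy and chain-of-custody tasks above, as an added Python example that is not Veritect's code or part of the original paper: it images a constructed sample "drive", proves the copy is exact with a SHA-256 hash (the paper names no method; hashing is the assumption made here), and keeps an append-only custody log of who handled the item, where and when. The handler name, organization and shipping number are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive never sits in memory

def sha256_of(path: str) -> str:
    """Fingerprint a file or block device by hashing it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_device(source: str, dest: str) -> dict:
    """Copy every byte of source to dest, then prove the copy is exact."""
    # The original is only opened read-only; the image is made read-only so later examination uses an unalterable copy.
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    os.chmod(dest, 0o444)
    digest = sha256_of(dest)
    if digest != sha256_of(source):
        raise RuntimeError("image differs from original; stop and re-image")
    return {"source": source, "image": dest, "sha256": digest,
            "bytes": os.path.getsize(dest)}

class CustodyLog:
    """Append-only record of who handled which item, where and when."""

    def __init__(self, path: str):
        self.path = path

    def record(self, item: str, handler: str, organization: str,
               location: str, action: str, sha256: str = "",
               shipping_number: str = "") -> dict:
        entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
                 "item": item, "handler": handler,
                 "organization": organization, "location": location,
                 "action": action, "sha256": sha256,
                 "shipping_number": shipping_number}
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")  # one line per event, never edited
        return entry

    def entries(self) -> list:
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def hash_is_unbroken(self, item: str) -> bool:
        """True when every hash recorded for the item agrees: no step changed a bit."""
        hashes = {e["sha256"] for e in self.entries()
                  if e["item"] == item and e["sha256"]}
        return len(hashes) == 1

def demo() -> dict:
    """Image a constructed 1 MiB sample 'drive' and log two custody steps.
    Drive contents, names and the shipping number are placeholders."""
    workdir = tempfile.mkdtemp(prefix="custody-demo-")
    drive = os.path.join(workdir, "laptop-hdd.bin")
    with open(drive, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    log.record("laptop-hdd", "A. Examiner", "Example Forensics LLC",
               "client site, suspect's desk", "seized; photographed in place",
               sha256=sha256_of(drive))
    info = image_device(drive, os.path.join(workdir, "laptop-hdd.img"))
    log.record("laptop-hdd", "A. Examiner", "Example Forensics LLC",
               "forensics lab, bench 2", "bit-for-bit image made and verified",
               sha256=info["sha256"], shipping_number="SHIP-0000 (placeholder)")
    return {"log": log, "image": info}
```

Every later custody step records the same hash; if any entry ever shows a different value, hash_is_unbroken() flags the break in the chain.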
Technical Challenges

Lawyers and managers should have an appreciation for the technical challenges of gathering computer evidence, because it goes beyond normal data recovery. Unfortunately, there are no certified procedures for safe evidence gathering, nor is there a single approach for every type of case. To date, skilled forensic examiners have used methodologies that produce hard evidence and have survived court tests. To do this, examiners work on trusted systems to which only they have access, in secure laboratories where they check for viruses in suspect machines and isolate data to avoid contamination.

Examiners will, for example, photograph equipment in place before removing it, and label wires and sockets so that the computers and peripherals can be reassembled exactly in a laboratory. They transport computers, peripherals and media carefully to avoid heat damage or jostling. They never touch original computer hard disks and floppies. They make exact bit-by-bit copies, and they store the copies on a medium that cannot be altered, such as a CD-ROM. When suspects attempt to destroy media, such as by cutting up a floppy disk, investigators reassemble the pieces to read the data from it. Nor do examiners trust a computer's internal clock or activity logs. The internal clock might be wrong, a suspect might have tampered with logs, and the mere act of turning on the computer might change a log irrevocably. Before the logs disappear, investigators are trained to capture the time a document was created, the last time it was opened and the last time it was changed. They then calibrate or recalibrate evidence based on a time standard and/or work around log tampering, if possible.

Investigators always assume the worst. It is a rule in computer forensics that only the physical level of the magnetic material, where the 1s and 0s of data are recorded, is real, and everything else is untrustworthy. A suspect might have corrupted all of the software (operating systems, applications and communications) in a computer, or the software itself might erase evidence while operating, so forensic examiners avoid these.

Examiners search at the bit level of 1s and 0s across a wide range of areas inside a computer, including e-mail, temporary files in the Windows operating system and in databases, swap files that hold data temporarily, logical file structures, slack and free space on the hard drive, software settings, script files that perform preset activities, Web browser data caches, bookmarks, history and session logs that record patterns of usage. They then correlate evidence to activities and sources.
Investigators have many tricks of the trade that help them get around the clever perpetrator. For example, they often do not attempt to decode encrypted files. Rather, they look for evidence in a computer that will tell them what is in the encrypted file. Frequently, the bulk of this evidence has been erased, but unencrypted traces remain to make a case. For data concealed within other files, such as buried inside the 1s and 0s of a picture, an investigator can detect that the data is there, even though it is inaccessible. Nearly identical files can be compared to expose minute differences.
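An added Python example, not from the paper, of the bit-level search for unencrypted traces in slack and free space that the two passages above describe: it carves deleted e-mail header blocks and the body text that follows them out of a constructed free-space image, ignoring file-system structure entirely, and pieces fragments of the same message back together in disk order. The image contents, addresses and message text are all constructed for the example.

```python
import re
from collections import defaultdict

# A deleted e-mail leaves its header block on disk. Match two or more common
# header lines followed by the blank line that ends every header block.
HEADER_BLOCK = re.compile(
    rb"(?:(?:From|To|Subject|Date|Message-ID): [^\r\n]+\r?\n){2,}\r?\n")
HEADER_LINE = re.compile(rb"^(From|To|Subject|Date|Message-ID): (.+?)\r?$", re.M)

def carve_email_fragments(image: bytes, body_limit: int = 512) -> list:
    """Find every e-mail header block anywhere in the image and keep the body
    bytes after it, up to body_limit or the first run of NUL padding (which
    marks the end of the data that was actually written to disk)."""
    fragments = []
    for m in HEADER_BLOCK.finditer(image):
        headers = {k.decode(): v.decode("latin-1")
                   for k, v in HEADER_LINE.findall(m.group(0))}
        body = image[m.end():m.end() + body_limit].split(b"\x00\x00", 1)[0]
        fragments.append({"offset": m.start(), "headers": headers,
                          "body": body.decode("latin-1")})
    return fragments

def piece_together(fragments: list) -> dict:
    """Group fragments by Subject and join them in disk order. Mail clients
    write several copies (draft, sent, cache), so one message often survives
    as separate fragments; read together they reconstruct the text."""
    by_subject = defaultdict(list)
    for frag in sorted(fragments, key=lambda f: f["offset"]):
        by_subject[frag["headers"].get("Subject", "(no subject)")].append(frag)
    return {subject: "".join(f["body"] for f in frags)
            for subject, frags in by_subject.items()}

def build_sample_image() -> bytes:
    """Constructed free-space region: two deleted e-mails and one unrelated
    live file, separated by NUL padding. None of it comes from a real case."""
    nul = b"\x00" * 512
    offer = (b"From: recruiter@competitor.example\r\n"
             b"To: manager@corp.example\r\n"
             b"Subject: offer terms\r\n"
             b"Date: Mon, 4 Jun 2001 09:12:00 -0400\r\n"
             b"\r\n"
             b"Base salary as discussed. Bring the spec to the meeting.\r\n")
    spec_part1 = (b"From: manager@corp.example\r\n"
                  b"Subject: product spec\r\n"
                  b"\r\n"
                  b"Part 1 of 2: interface timing 12.5 ns, bus width 64.\r\n")
    spec_part2 = (b"From: manager@corp.example\r\n"
                  b"Subject: product spec\r\n"
                  b"\r\n"
                  b"Part 2 of 2: firmware entry point 0x1F00, CRC-32 checksum.\r\n")
    invoice = b"Invoice 4471: paid in full. Thank you for your order.\r\n"
    return nul + invoice + nul + offer + nul * 3 + spec_part1 + nul + spec_part2 + nul
```

Run the carver over a real image only after it has been verified against the original's hash; the carver reads the bytes and never writes to them.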
Making a Case

When forensic examiners find computer evidence, they must present it in a logically compelling and persuasive manner that a jury will understand and an opposing counsel cannot rebut. This requires step-by-step reconstructions of actions with documented dates and times, charts, and graphs. These exhibits explain what was done and how. The result is testimony that explains simply and clearly what a suspect did or did not do. Case presentation requires experience, and, to date, such experience has been gained through courtroom appearances. This is why lawyers and managers should retain computer forensics examiners who have a record of successful expert testimony on computer evidence. An experienced examiner knows the questions that opposing attorneys will ask and the ways to provide answers that withstand challenges. A skilled litigator can defeat an inexperienced examiner for failing to collect evidence in a proper manner and failing to show that the evidence supports the allegations. Not long ago most attorneys knew little about computers and how they operated, but today they do, and they are increasingly skilled at challenging examiners' methods.

A Growing Service

With the growth of computers and networks comes growth of crime committed through or with computers and networks. Computer forensics is an extension of the forensics examinations used on other physical evidence. It is a fast-growing field because computers and networks have moved to the heart of business and societal operations. However, it is not a service that most corporations will or should establish internally. Because investigations are so specialized, few organizations have the human or technical resources to gather and compile evidence that withstands court challenges. Large multinational corporations have or may develop the capability, but most organizations will purchase computer forensics as needed or keep a computer forensics firm on retainer. The important point for managers and lawyers to remember is that computer evidence is fragile, and the best way to handle an incident is to isolate the suspect machine until examiners take over.
Illustration 2: Typical computer forensics cases

Case 1: Denial of Service
A financial institution suffered multiple losses of service from its primary mainframes over an extended period.
Forensic activity: Forensics analysis ruled out external access to the mainframes, while nontraditional computer log analysis pointed to one disgruntled employee. A forensic examination of the employee's personal computer confirmed his illegal actions.
What the employee did: The employee had exploited poor system controls and limited network auditing to sabotage the mainframes.

Case 2: Network Intrusion of Educational, Military, Government and Commercial Organizations
An intruder penetrated systems in several organizations in the southeastern U.S.
Forensic activity: Examiners undertook six weeks of technical and nontechnical tracing to identify three primary suspects in information technology jobs who had compromised an Internet Service Provider.
What the individuals did: The individuals had exploited poor passwords to break into systems.
Case 3: Pornography on Company System
During a forensics examination of problem systems, examiners discovered two systems that contained numerous sexually explicit images.
Forensic activity: Examiners searched the computers' cache files, slack and free space to verify that the users were engaged in active browsing for the images.
What the employees did: Both employees had exploited the company's nearly unrestricted access to the Internet.

Case 4: Corporate Espionage
A large organization loses a CEO to a competitor, in violation of the CEO's anti-compete agreement.
Forensic activity: Examiners analyzed the former CEO's laptop, revealing deleted information regarding the courting and hiring negotiations and job offer, including e-mails which detailed current sales activity at the competing company. However, these incriminating documents had been deleted and overwritten. The examiners developed a new process and tool to allow them to recover the original encoded information, which demonstrated beyond doubt that the CEO was being hired to target current customers of his former employer. The information gathered was instrumental in securing a settlement valued between 15 and 20 million dollars.
What the CEO did: The CEO had used e-mail to pass along critical information to a competitor, and then attempted to hide evidence of his actions.
Case 5: Outside Attack on a Small Network
A small firm suspected its computer network had been infiltrated by competitors.
Forensic activity: Examiners performed an initial screening of the computers involved and determined that while a thorough forensic examination could possibly yield information as to the method used to attack the network, it was highly unlikely to identify an actual attacker. The company instead received assistance in the engineering of a more secure and scalable network infrastructure, resulting in increased capabilities, information protection, and a significantly reduced operating cost.
What the attacker did: The attacker exploited vulnerabilities in the company's network to extract critical information.

Case 6: Confidential material posted on an industry rumor site
An international manufacturing firm discovered that someone was posting confidential company information on an industry bulletin board and, in addition, making slanderous comments about company executives.
Forensic activity: Examiners covertly obtained image copies of the hard drives of 11 personal computers while posing as information technology consultants. Their analysis of the first five hard drives identified the individual who was posting information to the site. In addition, the examiners discovered several other violations of company policy.
What the employee did: The employee had exploited the fact that the company's network had no monitoring of outbound connections, as well as numerous unprotected modems.
Illustration 3: Computer Intrusion Emergency Response Checklist

Suspected Internal Abuse: If you suspect an inside job, but don't have sufficient evidence to confront the suspect, investigate before tipping off the employee.

Emergency Inside Situation: If you experience an inside job where you judge immediate action must be taken against an individual:
1. Contact organizational decision-makers.
2. Secure the area while the employee is away from the desk.
3. Minimize disturbance of the area. If possible, leave the computer undisturbed for the professional investigators. If the computer is turned on, leave it on, and if it is turned off, leave it off.
4. NEVER run programs on a computer in question.
5. NEVER let the owner/user of the computer help you open or turn on the computer.
6. Gather and document additional data sources such as backup tapes, firewall logs and intrusion detection logs.
7. Secure other items that may be evidence such as notepads, books and office items.
8. Start a chain of custody documentation: Log each piece of evidence and the individual and/or organization that handles the evidence. Include where, when and who discovered evidence; who has handled and/or examined the evidence; and a record of evidence custody, including shipping numbers, times and dates.

Emergency External Attack: If you experience an external attack:
Option 1: Maintain a low profile and call in the experts. If you have time to assess the risk, keep quiet and contact forensics professionals. Forensics investigators can help you assess the situation and lay traps. This approach can help catch perpetrators in the act, seize evidence before it is altered or destroyed and better understand how intruders are gaining access.
Option 2: If immediate action must be taken:
1. Contact organizational decision makers.
2. If the computer is turned on, leave it on, and if it is turned off, leave it off.
3. NEVER run programs on a computer in question.
4. Gather and document additional data sources such as backup tapes, firewall logs and intrusion detection logs.

Veritect, Inc. / Toll Free 866-VERITECT (866-837-4832) / 703 788 9800