What Lawyers and Managers Should Know About Computer Forensics

Computer Forensics / June 2001

Copyright 2001 Veritect, Inc. All rights reserved.

Veritect, Inc.
10790 Parkridge Blvd / Suite 300
Reston / VA 20191
Toll Free 866-VERITECT (866-837-4832)
[email protected] / www.veritect.com

Sometimes surprises are ugly. Frank Smith, an information security manager, stumbled on a large encrypted file on his company's network server. It didn't belong there. He suspected it came from an employee who was either running a business out of company computers or storing proprietary information for illicit purposes. Frank identified the employee, a senior manager in the marketing department, but he could not detect what the manager was doing.

The file was too difficult to decrypt, and if there was nothing serious in it, confronting the employee could be awkward. On the other hand, if the file concealed proprietary data, the company would need to act. Frank called in-house counsel. The senior manager's boss reported to the counsel that his employee was involved in high-level operations, including launching a product that could make or break a division. Alarmed, the counsel called a forensic examiner. The company needed to know what the manager was hiding without giving him a chance to destroy evidence.

The examiner advised the company to conduct a forensics examination of the manager's laptop hard drive. Frank scheduled routine maintenance on the laptop to avoid raising the manager's suspicions, then let the examiner covertly make an exact copy of the hard drive. The examiner retrieved and recorded hundreds of active and deleted files on the mirror copy of the hard drive, using the Federal Rules of Evidence (FRE) as a guide. He uncovered deleted e-mails from a competitor which contained terms of a job offer and discussions of the product. Among fragments of other deleted e-mails, he pieced together confidential specifications and code related to the new product. The examiner also found sections of the company's proprietary customer list.

With enough evidence to sue, the corporation confronted the manager, who had just announced his intention to depart. The firm subsequently gained a settlement barring the competitor from using the stolen information and the senior manager from working for the competitor for five years.

This, in brief, is what computer forensics is about. Forensics investigators examine computer hardware and software, using legal procedures to obtain evidence that proves or disproves allegations. It is not complex science, but gathering viable evidence is difficult, and getting results quickly requires trained specialists who know computers, the rules of evidence gathering and how to work with law enforcement authorities.

Computer Forensics

There are compelling reasons for using computer forensics, but before lawyers and managers do, they should know what forensics is and when and how to employ it. Risk management and self-defense are leading reasons for using computer forensics. Any organization that does not have a way to detect and stop malicious behavior may be victimized with no legal recourse. Computer forensics safeguards legal options. Preserving evidence according to the Federal Rules of Evidence gives a company or individual choices that otherwise would not exist. When an intruder attacks or steals from an organization or individual, the ability or threat to get law enforcement involved may be the only way to stop the intrusion or recover assets. Gathering computer evidence is also useful for confirming or dispelling concerns about whether an illegal incident has occurred, and for documenting computer and network vulnerabilities after an incident.

When to Use Forensics

Computer forensics examiners should be called in when a threat to a company's business and reputation is serious. Today, threats almost always involve a computer or network because they contain a company's proprietary information and business processes. Like Willie Sutton, the bank robber who went to the bank because "that's where the money is," those who wish to damage or steal from a business go to computers and networks because that's where strategic assets are located. Computers store client/customer lists, proprietary technology and processes, confidential financial data, personnel records and medical data, contracts and agreements, payroll records, accounting data and much more. A simple and virtually undetectable fraud that posts a few odd cents to a phony account can reap a perpetrator thousands of dollars out of the millions that flow through accounts payable. A malicious change to an individual's personnel records could cost that person a job and a career. Divulging a company's financial records could damage it on Wall Street, in the marketplace and before shareholders. Corporate spies might steal trade secrets. Posting libelous information on the Internet about a company or individual can so damage a reputation that business cannot continue. Employees of a company might be stealing from it by working for themselves and using company resources. Or, they can be using work time to surf inappropriate or prohibited web sites or play games.

Companies employ computer forensics when there is serious risk resulting from compromised information, a potential loss of competitive capability, a threat of lawsuits or potential damage to reputation and brand. Some companies regularly use forensic investigations to check employee computers, with the idea that employees who know they are being watched are less tempted to stray. For example, one corporation randomly selects a percentage of employee computers each month and conducts forensics examinations of their hard drives. Investigations have turned up pornography, private businesses, unauthorized use of proprietary data and other infractions.

When Not to Use Forensics

When the cost of a forensic investigation exceeds the potential gain, there is little reason to use it. However, that is a judgment call. Managers and lawyers can and have used forensics for purposes beyond serious threats. Some companies use legal evidence gathering to drive home points with employees and external intruders, even though the cost of the investigation often exceeds the recovery. Usually, a warning is enough to stop an inappropriate action, such as excessive net-surfing, so that a full-scale investigation is not needed. Computer forensics also may not be needed when computers had only a minor role in an incident or threat, but this role may not always be clear. The relationship between the computer and an event under inquiry is critical, and until a forensics examination has been done, one cannot always know whether a computer was a significant part of an event, or not.

Legal Evidence

A computer forensics examiner starts and completes assignments with a court trial in mind. This means an examiner should always gather and preserve evidence according to the Federal Rules of Evidence. The examiner has three basic tasks: finding, preserving and preparing evidence.

Preserving computer evidence comes first, even before evidence is found, because data can be destroyed so easily. The 1s and 0s that make up data can be hidden in numerous places and vanish instantly with the push of a button. As a result, forensics examiners assume every computer has been rigged to destroy evidence, and they proceed with utmost care in handling computers and storage media.

Finding and isolating evidence which proves or disproves an allegation is just as difficult as preserving it, because with computers there can be too much evidence. Investigators can plow through thousands of active files and fragments of deleted files to find just one that makes a case. Computer forensics has been described as looking for one needle in a mountain of needles.

Preparing evidence requires patient thoroughness and documentation of everything one does so that it can withstand strong judicial scrutiny. This is where lesser-trained specialists can and have failed. For example, a hacking incident at a Web music store was thrown out of court because the examiners who prepared the case failed to follow rules of evidence that properly document where evidence comes from and that it has not been altered.

Illustration 1: What to look for in a computer forensics examiner

• Prior experience in computer forensics examinations.
• Specialized training in computer operating systems.
• Specialized training in evidence handling and investigation techniques, including information recovery tools.
• Documentation of processes used in forensic examinations.
• Personal integrity: Investigators must withstand scrutiny on both technical ability and personal integrity.
• Investigative ability: Investigators need logical thinking, the ability to uncover and understand cause and effect, and an open mind.
• Demonstrated knowledge of the Federal Rules of Evidence.
• Experience testifying as an expert witness.
• A laboratory stocked with tools for evidence recovery.
• Quick reaction time to handle incidents before evidence is destroyed and to report evidence before perpetrators disappear. This also is a compelling reason to keep an examiner on retainer.

What You Should Know

Lawyers and managers involved in events where computer forensics might come into play should follow a simple rule their mothers taught them when they were little and entering a store: Don't touch anything.

Preserving computer evidence requires pre-incident planning and training of employees in incident discovery procedures. System administrators sometimes think they are helping a forensics examiner when they are actually destroying evidence. There should be minimal disturbance of the computer, peripherals and the area surrounding the machine. If a computer is turned on, leave it on, and if turned off, leave it off. Moreover, NEVER run programs on a computer in question. For example, running Windows to examine files destroys evidence in the swap file. Finally, NEVER let a suspect help open or turn on a machine.

Sometimes, forensics examiners will interview a suspect in a friendly way about the procedures for turning a machine on and off, all the while taking close notes. Instead of following the suspect's directions, the investigators will crash the computer by pulling out the power cord, in order to avoid any traps set by the suspect and to preserve all evidence. The notes may then reveal the traps and can be used later in a case against the suspect. At other times, examiners will perform an orderly shutdown of a machine and lock its original media so it cannot be changed. On the other hand, if a machine uses a Unix operating system, crashing it will destroy evidence, so examiners will investigate it in place, as they find it.

Among the tasks that lawyers and managers should expect a computer forensics examiner to perform are:

• Documenting all equipment and software under investigation, including hard disk drives by make and model, the operating system and version, the file catalog and any actions the examiner takes to remove and examine equipment and software.
• Gathering and documenting additional data sources such as backup tapes, firewall logs and intrusion detection logs.
• Securing any items that may be evidence, such as notepads, papers, books, photos and other materials in a suspect's office.
• Starting and building a chain of custody that proves both physical and electronic evidence has been preserved in its original state. This requires logging each individual and/or organization that handles evidence, where and when it was handled, and maintaining records of custody, including shipping numbers.
• Identifying the system's relationship to the event and developing, then refining, an approach to finding evidence.
• Finding and documenting evidence.

Technical Challenges

Lawyers and managers should have an appreciation for the technical challenges of gathering computer evidence, because it goes beyond normal data recovery. Unfortunately, there are no certified procedures for safe evidence gathering, nor is there a single approach for every type of case. To date, skilled forensic examiners have used methodologies that produce hard evidence and have survived court tests. To do this, examiners work on trusted systems to which only they have access, in secure laboratories where they check for viruses in suspect machines and isolate data to avoid contamination.

Examiners will, for example, photograph equipment in place before removing it, and label wires and sockets so that the computers and peripherals can be reassembled exactly in a laboratory. They transport computers, peripherals and media carefully to avoid heat damage or jostling. They never touch original computer hard disks and floppies. They make exact bit-by-bit copies, and they store the copies on a medium that cannot be altered, such as a CD-ROM. When suspects attempt to destroy media, such as cutting up a floppy disk, investigators reassemble the pieces to read the data from it. Nor do examiners trust a computer's internal clock or activity logs. The internal clock might be wrong, a suspect might have tampered with logs, and the mere act of turning on the computer might change a log irrevocably. Before the logs disappear, investigators are trained to capture the time a document was created, the last time it was opened and the last time it was changed. They then calibrate or recalibrate evidence based on a time standard and/or work around log tampering, if possible.
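The chain-of-custody record from the examiner's task list and the bit-for-bit copying and clock recalibration described here are illustrated by the following added example, which is not part of the Veritect paper. It assumes a SHA-256 digest as the proof that a copy still matches the acquired image (the paper names no specific technique), and every handler, date, media content and the shipping-number placeholder is constructed.

```python
# Added example (not from the paper): chain-of-custody log with digest
# re-verification at each handling event, plus clock-offset correction.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest of the evidence; any altered bit yields a different value."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(original: bytes) -> Tuple[bytes, str]:
    """Copy the original media bit for bit and return the copy with its digest.
    The copy's digest must equal the original's before the original is locked away."""
    image = bytes(bytearray(original))  # forced copy; stands in for a sector-level duplicate
    digest = sha256_hex(image)
    if digest != sha256_hex(original):
        raise RuntimeError("image does not match the original media")
    return image, digest


@dataclass
class CustodyEvent:
    when: datetime
    handler: str
    organization: str
    location: str
    action: str
    digest: str                     # digest of the image as handed over
    tracking: Optional[str] = None  # shipping or evidence-bag number, if any


@dataclass
class CustodyLog:
    """Who handled the evidence, where and when, with the digest seen each time."""
    item: str
    reference_digest: str           # digest recorded at acquisition
    events: List[CustodyEvent] = field(default_factory=list)

    def record(self, when: datetime, handler: str, organization: str,
               location: str, action: str, image: bytes,
               tracking: Optional[str] = None) -> bool:
        """Log one handling event; True if the image still matches acquisition."""
        digest = sha256_hex(image)
        self.events.append(CustodyEvent(when, handler, organization, location,
                                        action, digest, tracking))
        return digest == self.reference_digest

    def intact(self) -> bool:
        """True only if no logged event saw an altered image."""
        return all(e.digest == self.reference_digest for e in self.events)


def clock_offset(reference: datetime, suspect_clock: datetime) -> timedelta:
    """Distance of the suspect machine's clock from a trusted time standard read
    at the same instant (positive when the machine's clock runs fast)."""
    return suspect_clock - reference


def normalize(ts: datetime, offset: timedelta) -> datetime:
    """Map a created/opened/changed timestamp from the suspect machine onto the standard."""
    return ts - offset


def demo() -> dict:
    """Constructed walk-through: acquisition, shipment, a tampered arrival, and
    recalibration of a file's creation time against a trusted clock."""
    utc = timezone.utc
    original = b"constructed sector data\x00" * 64  # constructed media contents
    image, digest = acquire_image(original)
    log = CustodyLog("laptop hard drive image (constructed case)", digest)
    ok_acquired = log.record(datetime(2001, 6, 4, 9, 15, tzinfo=utc), "examiner A",
                             "forensics lab", "client site", "acquired image", image)
    ok_shipped = log.record(datetime(2001, 6, 4, 18, 0, tzinfo=utc), "courier",
                            "shipping company", "in transit", "shipped to lab",
                            image, tracking="SHIPPING-NUMBER-PLACEHOLDER")
    tampered = bytearray(image)
    tampered[100] ^= 0x01  # a single flipped bit in the copy that reaches the lab
    ok_received = log.record(datetime(2001, 6, 5, 8, 30, tzinfo=utc), "examiner B",
                             "forensics lab", "lab", "received at lab", bytes(tampered))
    # Suspect clock read 09:12 when the trusted standard read 09:00: 12 minutes fast.
    offset = clock_offset(datetime(2001, 6, 4, 9, 0, tzinfo=utc),
                          datetime(2001, 6, 4, 9, 12, tzinfo=utc))
    created = normalize(datetime(2001, 5, 30, 23, 42, tzinfo=utc), offset)
    return {"acquired": ok_acquired, "shipped": ok_shipped, "received": ok_received,
            "intact": log.intact(), "events": len(log.events),
            "created_utc": created.isoformat()}
```

The log records the altered copy as a distinct event rather than rejecting it, so the record shows exactly which hand-off the image stopped matching at.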

Investigators always assume the worst. It is a rule in computer forensics that only the physical level of the magnetic material, where the 1s and 0s of data are recorded, is real, and everything else is untrustworthy. A suspect might have corrupted all of the software (operating systems, applications and communications) in a computer, or the software itself might erase evidence while operating, so forensic examiners avoid these.

Examiners search at the bit level of 1s and 0s across a wide range of areas inside a computer, including e-mail, temporary files in the Windows operating system and in databases, swap files that hold data temporarily, logical file structures, slack and free space on the hard drive, software settings, script files that perform preset activities, Web browser data caches, bookmarks, history and session logs that record patterns of usage. They then correlate evidence to activities and sources.

Investigators have many tricks of the trade that help them get around the clever perpetrator. For example, they often do not attempt to decode encrypted files. Rather, they look for evidence in a computer that will tell them what is in the encrypted file. Frequently, the bulk of this evidence has been erased, but unencrypted traces remain to make a case. For data concealed within other files, such as buried inside the 1s and 0s of a picture, an investigator can detect that the data is there, even though it is inaccessible. Nearly identical files can be compared to expose minute differences.

Making a Case

When forensic examiners find computer evidence, they must present it in a logically compelling and persuasive manner that a jury will understand and an opposing counsel cannot rebut. This requires step-by-step reconstructions of actions with documented dates and times, charts, and graphs. These exhibits explain what was done and how. The result is testimony that explains simply and clearly what a suspect did or did not do. Case presentation requires experience, and, to date, such experience has been gained through courtroom appearances. This is why lawyers and managers should retain computer forensics examiners who have a record of successful expert testimony on computer evidence. An experienced examiner knows the questions that opposing attorneys will ask and the ways to provide answers that withstand challenges. A skilled litigator can defeat an inexperienced examiner for failing to collect evidence in a proper manner and failing to show that the evidence supports the allegations. Not long ago most attorneys knew little about computers and how they operated, but today they do, and they are increasingly skilled at challenging examiners' methods.

A Growing Service

With the growth of computers and networks comes growth of crime committed through or with computers and networks. Computer forensics is an extension of the forensics examinations used on other physical evidence. It is a fast-growing field because computers and networks have moved to the heart of business and societal operations. However, it is not a service that most corporations will or should establish internally. Because investigations are so specialized, few organizations have the human or technical resources to gather and compile evidence that withstands court challenges. Large multinational corporations have or may develop the capability, but most organizations will purchase computer forensics as needed or keep a computer forensics firm on retainer. The important point for managers and lawyers to remember is that computer evidence is fragile and the best way to handle an incident is to isolate the suspect machine until examiners take over.

Illustration 2: Typical computer forensics cases

Case 1: Denial of Service

A financial institution suffered multiple losses of service from its primary mainframes over an extended period.

Forensic activity: Forensics analysis ruled out external access to the mainframes, while nontraditional computer log analysis pointed to one disgruntled employee. A forensic examination of the employee's personal computer confirmed his illegal actions.

What the employee did: The employee had exploited poor system controls and limited network auditing to sabotage the mainframes.

Case 2: Network Intrusion of Educational, Military, Government and Commercial Organizations

An intruder penetrated systems in several organizations in the southeastern U.S.

Forensic activity: Examiners undertook six weeks of technical and nontechnical tracing to identify three primary suspects in information technology jobs who had compromised an Internet Service Provider.

What the individuals did: The individuals had exploited poor passwords to break into systems.

Case 3: Pornography on Company System

During a forensics examination of problem systems, examiners discovered two systems that contained numerous sexually explicit images.

Forensic activity: Examiners searched the computers' cache files, slack and free space to verify that the users were engaged in active browsing for the images.

What the employees did: Both employees had exploited the company's nearly unrestricted access to the Internet.

Case 4: Corporate Espionage

A large organization loses a CEO to a competitor, in violation of the CEO's anti-compete agreement.

Forensic activity: Examiners analyzed the former CEO's laptop, revealing deleted information regarding the courting and hiring negotiations and job offer, including e-mails which detailed current sales activity at the competing company. However, these incriminating documents had been deleted and overwritten. The examiners developed a new process and tool to allow them to recover the original encoded information, which demonstrated beyond doubt that the CEO was being hired to target current customers of his former employer. The information gathered was instrumental in securing a settlement valued at between 15 and 20 million dollars.

What the CEO did: The CEO had used e-mail to pass along critical information to a competitor, and then attempted to hide evidence of his actions.

Case 5: Outside Attack on a Small Network

A small firm suspected its computer network had been infiltrated by competitors.

Forensic activity: Examiners performed an initial screening of the computers involved and determined that while a thorough forensic examination could possibly yield information as to the method used to attack the network, it was highly unlikely to identify an actual attacker. The company instead received assistance in the engineering of a more secure and scalable network infrastructure, resulting in increased capabilities, information protection, and a significantly reduced operating cost.

What the attacker did: The attacker exploited vulnerabilities in the company's network to extract critical information.

Case 6: Confidential material posted on an industry rumor site

An international manufacturing firm discovered that someone was posting confidential company information on an industry bulletin board and, in addition, making slanderous comments about company executives.

Forensic activity: Examiners covertly obtained image copies of the hard drives of 11 personal computers while posing as information technology consultants. Their analysis of the first five hard drives identified the individual who was posting information to the site. In addition, the examiners discovered several other violations of company policy.

What the employee did: The employee had exploited the fact that the company's network had no monitoring of outbound connections, as well as numerous unprotected modems.

Illustration 3: Computer Intrusion Emergency Response Checklist

Suspected Internal Abuse: If you suspect an inside job, but don't have sufficient evidence to confront the suspect, investigate before tipping off the employee.

Emergency Inside Situation: If you experience an inside job where you judge immediate action must be taken against an individual:

1. Contact organizational decision-makers.
2. Secure the area while the employee is away from the desk.
3. Minimize disturbance of the area. If possible, leave the computer undisturbed for the professional investigators. If the computer is turned on, leave it on, and if it is turned off, leave it off.
4. NEVER run programs on a computer in question.
5. NEVER let the owner/user of the computer help you open or turn on the computer.
6. Gather and document additional data sources such as backup tapes, firewall logs and intrusion detection logs.
7. Secure other items that may be evidence, such as notepads, books and office items.
8. Start chain of custody documentation: Log each piece of evidence and the individual and/or organization that handles the evidence. Include where, when and who discovered the evidence; who has handled and/or examined the evidence; and a record of evidence custody, including shipping numbers, times and dates.

Emergency External Attack: If you experience an external attack:

Option 1: Maintain a low profile and call in the experts. If you have time to assess the risk, keep quiet and contact forensics professionals. Forensics investigators can help you assess the situation and lay traps. This approach can help catch perpetrators in the act, seize evidence before it is altered or destroyed, and better understand how intruders are gaining access.

Option 2: If immediate action must be taken:

1. Contact organizational decision makers.
2. If the computer is turned on, leave it on, and if it is turned off, leave it off.
3. NEVER run programs on a computer in question.
4. Gather and document additional data sources such as backup tapes, firewall logs and intrusion detection logs.

Veritect, Inc. / 703 788 9800