8/14/2019 Computer Forensics in the Age of Compliance

http://slidepdf.com/reader/full/computer-forensics-in-the-age-of-compliance 1/4

Computer Forensics in the Age of Compliance

Dr. Anton Chuvakin

WRITTEN: 2007

DISCLAIMER:Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with suchever-changing reality, one has to evolve with the space as well. Thus, eventhough I hope that this document will be useful for to my readers, please keep inmind that is was possibly written years ago. Also, keep in mind that some of theURL might have gone 404, please Google around.

In previous articles, I have discussed log management and incident response inthe age of compliance. Now, it is time to cover a separate topic that hasconnections to both log analysis and incident response, but is different enough to

 justify its own paper: digital forensics.

Wikipedia defined “digital forensics” as the application of the scientific method todigital media in order to establish factual information for judicial review. Itinvolves the systematic inspection of IT systems (especially data storagedevices) for evidence of a civil wrong or criminal act.

Because of its focus on “facts” and “scientific method,” computer forensicsprocesses must adhere to courtroom standards of admissible evidence, whichseverely complicates some of the otherwise simple data analysis tasks, such aslooking at logs to determine who connected to the system. Thus, forensicinvestigation of computer evidence is different from a routine review of logs andsystem data, which often produces “hunch-quality data” and not facts. For example, if you see a source IP address that resolves to “jsmith.example.com,”you might assume that John Smith is responsible here. It might be good enoughfor an informal investigation, but will certainly not be sufficient in court.

A well-known example of a computer forensic investigation is a search for childpornography, during which an investigator removes a hard drive from acomputer, loads the disk into a forensics tool, and reviews the contents to findillegal image files that a user is hiding or thought he had deleted. However, digitalforensics has a broader reach than this case, and electronic evidence can becollected from a variety of sources, such as network gear, desktops and servers,mobile devices, databases, etc. For example, review of data produced by theseIT components can show investigators of a data breach whether companyemployees have accessed confidential data, what steps they took to obtain the

8/14/2019 Computer Forensics in the Age of Compliance

http://slidepdf.com/reader/full/computer-forensics-in-the-age-of-compliance 2/4

data and what they did with it. This is where the link between log data andcomputer forensics becomes most obvious – logs become the first place to lookduring the investigation. Even though sometimes seen as difficult to analyze, logsare still easier to obtain and review than full disk contents. If logs are generated,they can help to figure out the who’s, what’s, where’s, when’s, and how’s of user 

and system activities. Of course, using logging for forensic ends assumes thatthe log data itself is immutable and its C-I-A (confidentiality, integrity andavailability) are protected; if not, who is to say that the timestamp is truthful or crucial information about the sequence of events hasn’t been altered, injected or removed?

Having control over forensics processes from data gathering to “chain of custody”protection is seen as key by many of the compliance mandates. Thus, we arebrought back to the three regulations we have discussed all along to take a lookat what they say about computer forensics. Much of the regulatory discussion of computer forensics links back to log management and incident response,

because the two concepts are inexorably linked to digital forensics.

The Federal Information Security Management Act of 2002 (FISMA)

Tying incident response to forensic analysis, NIST 800-53 Recommended Security Controls for Federal Information Systems, requires that federal organizations generateand retain immutable audit records that are sufficient to support after-the-factinvestigations of security incidents. This document also describes the need to automatemechanisms to integrate audit monitoring, analysis, and reporting into an overallprocess for investigation of and response to suspicious activities. Further establishingthe link between incident response and computer forensics, 800-53 requires theorganization to provide an incident response support resource to offer assistance,

including access to forensics services in the handling and reporting of security incidents.Additionally, network forensic analysis tools are described as a way to guaranteeintrusion detection and system monitoring capabilities. Thus, even though it is impliedthat forensics will be performed by the outside consultants, evidence data collection andpreservation activities, compatible with the forensic use of such data, are mandated.

NIST SP 800-92, Guide to Computer Security Log Management , describes the need for inalterable log generation, review, protection, and management for performing forensicanalysis. The guide describes the need of organizations to keep digital forensics inmind when setting log storage requirements and designing a log managementinfrastructure due to the potential impact of log data preservation techniques; for 

example, forensic analysis that requires queries of logs across many systems might besignificantly slowed by the chosen log storage media.

The Health Insurance Portability and Accountability Act of 1996 HIPAA

NIST SP 800-66, An Introductory Resource Guide for Implementing the HealthInsurance Portability and Accountability Act (HIPAA) Security Rule, details HIPAA-related computer forensics requirements and suggestions. Section 164.308 discussesinformation system activity review requirements, including the implementation of 

8/14/2019 Computer Forensics in the Age of Compliance

http://slidepdf.com/reader/full/computer-forensics-in-the-age-of-compliance 3/4

procedures to regularly review records of activity such as audit logs, access reports,and security incident tracking. It provides a variety of questions to consider includingwhether the audit trail can support after-the-fact forensic investigations. Additionally,like FISMA, HIPAA discusses the importance of secure auditing and logging activity sothat there are records in event of an investigation. 800-66 also mandates the

development and deployment of specific incident response measures, which arenecessary (even though often not sufficient!) to assure that the evidence data will endup being useful for extracting “factual information.”

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS, which applies to organizations that handle credit card transactions, does notdirectly address forensic requirements for evidence collection and analysis or forensicprocesses. Still, it mandates that all service providers with access to cardholder dataenable processes to provide for timely forensic investigation in the event of acompromise to any hosted merchant or service provider in Appendix A, RequirementA.1 (“Hosting providers protect cardholder data environment”). Additionally,

Requirement 10 (“Track and monitor all access to network resources and cardholder data”) describes a variety of log- and audit-related activities to ensure that trails of authorized and unauthorized user activity are clear in the case that an event must beinvestigated. Also, PCI requirement for log data protection, such as cryptographichashing, clearly have forensic use of log data in mind.

The above review of regulations shows that recent compliance mandates do keepforensics needs in mind. Specifically, they govern taking steps to preserve forensicquality of data as well as to establish incident response and forensics programs. Thekey distinction to keep in mind is that the forensics aims to establish facts and not just“good enough” conclusions from data. And as has been the case with log analysis,incident response, and intrusion detection, the goal of the forensics language in these

mandates is to ensure yet another facet of regulatory compliance and IT security.

ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert inthe field of log management and PCI DSS compliance. He is an author of books"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy

II", "Information Security Management Handbook" and others. Anton haspublished dozens of papers on log management, correlation, data analysis, PCIDSS, security management (see list www.info-secure.org) . His bloghttp://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferencesacross the world; he recently addressed audiences in United States, UK,

8/14/2019 Computer Forensics in the Age of Compliance

http://slidepdf.com/reader/full/computer-forensics-in-the-age-of-compliance 4/4

Singapore, Spain, Russia and other countries. He works on emerging securitystandards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice, focusing onlogging and PCI DSS compliance for security vendors and Fortune 500

organizations. Dr. Anton Chuvakin was formerly a Director of PCI ComplianceSolutions at Qualys. Previously, Anton worked at LogLogic as a Chief LoggingEvangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by asecurity vendor in a strategic product management role. Anton earned his Ph.D.degree from Stony Brook University.