Gartner IT Security Summit 2005, Jay Heiser, 6–8 June 2005, Marriott Wardman Park Hotel, Washington, District of Columbia. Computer Scene Investigation: Digital Forensics in the Workplace. These materials can be reproduced only with Gartner's written approval. Such approvals must be requested via e-mail — [email protected].



Page 2: Computer Scene Investigation: Digital Forensics in the

Computer Scene Investigation: Digital Forensics in the Workplace

Page 1, Jay Heiser, A6, SEC11, 6/05, AE

© 2005 Gartner, Inc. and/or its affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Client Issues

• What level of investigative preparation should be in place now?
• What are the latest computer forensic tools and techniques?
• When should forensic investigations be carried out by company staff and when should a specialist be brought in?

“Computer forensics” refers to the systematic investigation of historic activity on workstations and servers. It is typically performed when inappropriate, and especially when illegal, activity is suspected.

Networked computers are the space in which business communications and transactions are carried out. That fact alone ensures that criminals will be actively looking for ways to exploit the unique characteristics of corporate and government enterprises. Three characteristics are particularly useful from the point of view of a criminal:

1. It's easy to hide your tracks when attacking through an enterprise.
2. Remote attacks are especially easy. Even if the perpetrator can be found, a successful prosecution is unlikely.
3. Crime can be automated, greatly increasing efficiency.

Crime happens virtually everywhere there is something to steal. Computer crimes are becoming increasingly appealing, and they are difficult to investigate. These dynamics are driving a growing level of computer forensic investigation.


Choose Investigative Goals Wisely

• Service restore
• Root cause analysis
• Source identification
• Criminal prosecution
• E-document discovery (civil suit)
• Growing emphasis on proactive investigation

When an incident occurs, the victim has a choice in the level of investigative effort. They may choose just to restore service, or they may choose to actually determine what happened or who was responsible. A formal forensic investigation can be understood as a sophisticated form of incident response exercise.

Different forms of incident need to be investigated to different degrees. As soon as an incident has started, the potential exists for useful evidence about the incident to disappear. It is very difficult to make good decisions about the level of rigor that should be used for incident data collection, which is why a carefully made escalation plan is crucial. Organizations that have such a plan, and follow it, are best positioned to make a good decision about investigative rigor, and to make that decision early enough to be useful.

One of the complexities of forensic investigation is that it is never possible to increase the quality of evidence once it has been collected. Information that has been carefully collected using well-accepted forensic evidence handling practices is not only acceptable in a court of law, it is also useful for internal investigations. The opposite is not true.

No organization has the resources, or the need, to respond to every incident with the highest level of forensic rigor. Choose carefully.


Level of Investigation Effort Decision Matrix

[Decision matrix with four options: Keep Incident Internal; Pursue Prosecution; Rebuild Systems, Get Back in Production; Set Up Virtual Crime Scene]

Detailed investigations can take time and resources that an enterprise cannot afford; yet, prosecution will be impossible without meticulous investigation. Involving outside authorities takes additional time, and increases the potential for negative publicity.

The solution pursued must take into account the overall goal, the mission of the team, the consequences for the enterprise and potential external interactions. Options need to be clearly communicated in the response plan so that correct actions can be taken immediately. The additional time loss or continued security exposure of getting management consensus may only increase the damage of the incident.

Enterprises must have a complete set of standing orders in place. Such contingency plans can be established for a variety of incident situations and pre-approved by management. When an incident occurs, the CIRT can operate under these guidelines and take immediate action to defend the enterprise.

Such standing orders are a form of policy sometimes referred to as an escalation plan or a response plan. Often taking the form of a flow chart, such a plan provides clear directions on who to call in what circumstances.

Strategic Imperative: Specific responsibilities must be assigned in advance so that specific people know exactly what to do during an incident.


Acquire, Authenticate, Analyze: Forensic Investigative Process

[Process diagram: Trigger Event → Collect (Find, Seize) → Preserve (Copy, Secure, Verify) → Analyze (Recover, Search, Correlate) → Report (Document, Summarize); Maintain Chain of Custody runs throughout]

Investigations follow a specific sequence. This ensures the best possible results, and it provides transparency, improving the usefulness of the evidence within the legal context.

Collection: Once a decision has been made to conduct an investigation, appropriate evidence must be found and stored for use later.

Preservation: When possible, multiple copies of the data are made simultaneously, so the original electronic media does not need to be accessed again. Each copy is verified against the original through the use of a cryptographically secure hash sum. The original evidence is safely locked away and all further work is conducted on the copy.

Analysis: Before actually looking for specific examples of activity, a thorough investigator first recovers as much information as can be found in unused areas of the disk. This slack space frequently contains useful evidence, including copies of data that the criminal deliberately tried to hide. Disparate bits of evidence are correlated to provide a picture of the suspect's activities. Time frame or timeline analysis provides a chronological sequence of events.
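The preservation step described above, as an added example that is not part of the presentation: the original is read exactly once, two images are written in the same pass, and each image is verified against the original's SHA-256 before any analysis starts. The "device" is a constructed byte string, and the ReadOnlySource wrapper is a software stand-in for the hardware write-blocker discussed later in the deck, so that any attempt to write to the original fails loudly.

```python
"""Dual-copy acquisition with hash verification (added example, not Gartner's)."""
import hashlib
import io

BLOCK_SIZE = 4096

# Constructed stand-in for a seized storage device: a few kilobytes of bytes
# with a recognisable header, instead of a real block device.
SAMPLE_DEVICE = b"EVIDENCE-DISK-0001" + bytes(range(256)) * 40


class ReadOnlySource(io.BytesIO):
    """Software analogue of a write-blocker: any attempt to write to the
    original raises instead of silently altering the evidence."""

    def write(self, data):
        raise PermissionError("write attempted on original evidence")


def sha256_of(stream):
    """Hash a stream from the start in fixed-size blocks."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(BLOCK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, copies=2):
    """Read the original exactly once and fan each block out to every image,
    so several copies are produced in a single pass over the original.
    Returns the original's hash and the list of image streams."""
    source.seek(0)
    h = hashlib.sha256()
    images = [io.BytesIO() for _ in range(copies)]
    for chunk in iter(lambda: source.read(BLOCK_SIZE), b""):
        h.update(chunk)
        for img in images:
            img.write(chunk)
    return h.hexdigest(), images


def verify(original_hash, images):
    """Re-hash every image independently and compare with the original's hash."""
    return [sha256_of(img) == original_hash for img in images]


def acquisition_record(source, copies=2):
    """Produce the values that go into the evidence log: the original's hash
    and the per-copy verification result, plus the images for further work."""
    original_hash, images = acquire(source, copies)
    return {"original_sha256": original_hash,
            "copies_verified": verify(original_hash, images),
            "images": images}


if __name__ == "__main__":
    record = acquisition_record(ReadOnlySource(SAMPLE_DEVICE))
    print(record["original_sha256"], record["copies_verified"])
    # Alter one byte of the second image: its hash no longer matches.
    record["images"][1].seek(32)
    record["images"][1].write(b"\x00")
    print(verify(record["original_sha256"], record["images"]))
```

The hash of the original is computed from the same bytes that are written to the images, so a later mismatch points at the copy, not at a second read of the original.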


Maintaining a Chain of Custody

• Who found it?
• How was it secured in transit?
• Where was it locked up?
• Where did the evidence come from?
• Who has touched the evidence?
• What did they do to it or with it?
• Human signature is always required

The O.J. Simpson trial was a dramatic example of how a skilful defense team can destroy the usefulness of forensic evidence in court. In short, the prosecution was unable to convince the jury that the Los Angeles Police Department had not falsified evidence. The criminal justice field has developed processes to protect evidence, such that it can be utilized by both sides in a case, while being protected from manipulation. The maintenance of a well-documented chain of custody is a form of transparency that is equally applicable to both physical and digital evidence.

If legal action will be taken, a proper, documented chain of evidence is absolutely critical for successful prosecution. If the chain is broken, the case is destroyed. A successful chain of evidence legally documents the history of each piece of evidence, from initial discovery throughout the rest of its life. Documentation includes the state of the evidence at each stage, any modifications made to it, any actions performed to or with it, and every person that comes in contact with it. Standard documents should be used, with signatures and dates/times for every entry. This is a legal document admissible in court, and it should be considered part of the chain.

Evidence includes both data and hardware. A database object moved from system to system needs to be documented just like the hard drive removed from a server.

Tactical Guideline: Start a criminal investigation only if you are prepared to properly maintain the chain of custody.
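The chain-of-custody record the slide asks for, as an added example that is not part of the presentation: each entry answers the slide's questions (who, when, what was done, where, and a signature) and carries the item's hash as received and as released. The check flags the two ways a chain usually breaks: an entry nobody signed, and a custodian receiving an item whose hash differs from what the previous custodian released. The drive contents, names and times are constructed.

```python
"""Chain-of-custody log with an integrity check (added example, not Gartner's)."""
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEntry:
    item_id: str          # evidence tag, e.g. a seized drive
    timestamp: datetime   # when the handling took place (UTC)
    handler: str          # who touched the evidence
    action: str           # what they did to it or with it
    location: str         # where it came from, was kept, or was moved to
    hash_before: str      # SHA-256 of the item's data as received
    hash_after: str       # SHA-256 as handed on
    signature: str        # the human signature; simulated here as initials


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_chain(entries):
    """Return the list of breaks in the chain; an empty list means it is intact.
    A break is an unsigned entry, an entry out of chronological order, or a
    custodian receiving an item whose hash differs from what the previous
    custodian released (somebody touched it without documenting it)."""
    problems, prev = [], None
    for i, e in enumerate(entries):
        if not e.signature.strip():
            problems.append(f"entry {i}: no signature from {e.handler}")
        if prev is not None:
            if e.timestamp < prev.timestamp:
                problems.append(f"entry {i}: out of chronological order")
            if e.item_id == prev.item_id and e.hash_before != prev.hash_after:
                problems.append(f"entry {i}: hash received by {e.handler} "
                                f"differs from hash released by {prev.handler}")
        prev = e
    return problems


# Constructed sample: one drive, three custodians, nothing altered.
DRIVE = b"constructed contents of seized drive HDD-01"
H0 = sha256(DRIVE)


def at(hour, minute):
    return datetime(2005, 6, 6, hour, minute, tzinfo=timezone.utc)


def intact_chain():
    return [
        CustodyEntry("HDD-01", at(9, 15), "A. Examiner", "found and seized",
                     "workstation, room 4F-12", H0, H0, "AE"),
        CustodyEntry("HDD-01", at(9, 40), "A. Examiner", "sealed in evidence bag, locked up",
                     "security office safe", H0, H0, "AE"),
        CustodyEntry("HDD-01", at(13, 5), "B. Courier", "transported in sealed bag",
                     "office to forensic lab", H0, H0, "BC"),
        CustodyEntry("HDD-01", at(14, 30), "C. Analyst", "imaged through write-blocker",
                     "forensic lab", H0, H0, "CA"),
    ]


def broken_chain():
    """The courier forgot to sign, and the analyst receives a drive whose
    hash no longer matches what the courier released."""
    chain = intact_chain()
    altered = sha256(DRIVE + b"!")
    chain[2] = replace(chain[2], signature="")
    chain[3] = replace(chain[3], hash_before=altered, hash_after=altered)
    return chain


if __name__ == "__main__":
    print("intact:", check_chain(intact_chain()))
    print("broken:", check_chain(broken_chain()))
```

A change of hash within one entry (hash_before differing from hash_after) is not flagged, because a documented modification is exactly what the log exists to record; what the check refuses is an undocumented change between two custodians.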


Digital Evidence Has Unique Characteristics

• Compared to physical evidence
  – Much easier to change/manipulate
  – “Perfect” digital copies can be made without harming original
  – Integrity can be proven
• Usually in the form of “the image”
  – Convenient and defensible “clone” of storage device
  – Different information (clues) found at different levels of abstraction

[Nested-layer diagram: PARTITION > FILE > RECORD]

The reality portrayed on television shows such as “CSI” is more than a little misleading, but they do make it obvious that the collection and interpretation of physical evidence causes irreversible alterations to that evidence. Most laboratory tests alter or destroy evidence, as does fingerprint lifting. Such alterations are perfectly acceptable in court if they are well-documented.

In contrast, digital evidence, at least on storage devices, can be collected without making any measurable effect on the original. However, the collected evidence is highly susceptible to manipulation, which must be protected against using cryptographic mechanisms.

Although computer managers are usually aware of the layered nature of network protocols, it isn't always so apparent that computer systems are also composed of nested layers. A hard drive is much like a Russian Matryoshka doll. Each layer has further layers inside of it that are invisible to each other: hard drives contain partitions, which contain file systems, which contain files, which contain data structures such as records, which contain fields.

Within the network and the computer, lower layers contain the most data, and higher levels are used to interpret information. As a general rule, evidential data should be collected at the lowest possible layer and interpreted within the appropriate layers.


Evidence Acquisition Methods

• Dead: Higher assurance of evidence integrity
  – Direct connection to storage device
  – Controlled boot, access storage through:
    • USB or FireWire port
    • Crossover network cable
    • Remotely across LAN/WAN
• Live: Access volatile data
  – Direct physical access
  – Remote over network

[Decision point in diagram: Power off?]

Evidence can be acquired from either a “dead” system, meaning that the operating system isn't actually booted, or from a live system, meaning that the operating system has been booted. A live system is not “quiescent,” meaning that processes are constantly writing to the hard drive. Five years ago, standard practice was to always shut down a target before collecting its data. Pulling the power on a computer not only ensures that the investigator's activities won't be recorded on the hard drive, but it prevents destruction of evidence by any sort of malware bomb that an intruder might have installed.

The forensic community has learned that shutdowns are quite destructive, destroying all sorts of “volatile” information on criminal activity in process. Live investigations are often used when investigating hacking incidents, and they are now being used for the remote investigation of systems across a network. Such investigations would be impossible if the system were not active.

Experienced investigators prefer to capture data by pulling the hard drive out of the target and connecting to it directly, but this is not always practical. A “controlled boot” uses a CD to boot the system into a controlled operating environment that can safely allow investigation or acquisition of file system contents through a USB or FireWire port or across a network.

Tactical Guidelines: Remember: 1. It is impossible to collect evidence from a live system without making changes to that system. 2. It is possible to copy the data from a dead system and leave no detectable changes.


Where to Acquire Evidence

• Computers
  – Workstations and laptops
  – Servers
• Storage and Personal Devices
  – CDs, memory sticks
  – PDAs, mobile phones, MP3 players
• Network
  – Device logs: authentication, access, proxy
  – Security devices: IDS/IPS logs

Evidence can be located anywhere in the enterprise or on the Internet!

Certainly there are many places where a criminal can leave some sort of useful evidence behind. In the digital context, the evidence is limited to that which is stored (this includes volatile system and network information that is captured by an investigative tool and deliberately stored by the investigator).

Five years ago, it was understood that not only were the contents of a computer's hard drive part of the investigation, but that floppy drives and CDs needed to be collected as well. Today, floppies are a quaint anachronism.

Increasingly, information is being moved between computers using the Internet or portable memory devices. Criminals who anticipate that they will be the target of an investigation will often deliberately hide incriminating material either on a Web server or on a memory device.

Most cybercriminals are not that careful, and they typically leave some sort of evidence behind. Mobile phones provide evidence on the calls that a criminal has made, and TiVo devices can provide psychological profilers with useful information on a subject's television viewing habits.

Any activity that takes place over a network is visible on that network during the time it takes place. Data related to the network activity disappears unless it is deliberately or routinely captured.
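The correlation and timeline analysis named on the process slide, applied to the evidence sources this slide lists, as an added example that is not part of the presentation: workstation file system timestamps, a proxy log and an authentication log are normalised to UTC and merged into one chronological sequence. All three inputs are constructed, and the workstation is assumed to record local time (UTC-4) while the network logs record UTC; that assumption has to come from the case notes, and the example also shows what happens to the sequence when it is wrong.

```python
"""Correlating evidence from several sources into one timeline (added example)."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "time source actor detail")

# Constructed sample evidence (not real logs). The workstation's file system
# timestamps are in local time (UTC-4); the proxy and authentication logs are UTC.
WORKSTATION_FS = [
    ("2005-06-06 14:02:11", "jdoe", "created  C:\\Documents and Settings\\jdoe\\customers.xls"),
    ("2005-06-06 14:05:40", "jdoe", "accessed C:\\Documents and Settings\\jdoe\\customers.xls"),
    ("2005-06-06 14:09:03", "jdoe", "deleted  C:\\Documents and Settings\\jdoe\\customers.xls"),
]
PROXY_LOG = """\
2005-06-06T18:06:30Z jdoe http://webmail.example.net/compose
2005-06-06T18:07:12Z jdoe http://webmail.example.net/send?attachment=1
2005-06-06T18:30:00Z asmith http://news.example.org/
"""
AUTH_LOG = """\
2005-06-06T17:58:02Z login jdoe ws-0412
2005-06-06T18:15:45Z logout jdoe ws-0412
"""


def parse_workstation(rows, utc_offset_hours):
    """File system times carry no zone; the offset must come from the case notes."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [Event(datetime.strptime(t, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
                  .astimezone(timezone.utc), "filesystem", user, detail)
            for t, user, detail in rows]


def parse_iso_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_proxy(text):
    out = []
    for line in text.splitlines():
        stamp, user, url = line.split(" ", 2)
        out.append(Event(parse_iso_utc(stamp), "proxy", user, url))
    return out


def parse_auth(text):
    out = []
    for line in text.splitlines():
        stamp, action, user, host = line.split(" ")
        out.append(Event(parse_iso_utc(stamp), "auth", user, f"{action} on {host}"))
    return out


def build_timeline(workstation_offset_hours=-4):
    """Merge every source into one sequence ordered by UTC time."""
    events = (parse_workstation(WORKSTATION_FS, workstation_offset_hours)
              + parse_proxy(PROXY_LOG) + parse_auth(AUTH_LOG))
    return sorted(events, key=lambda e: e.time)


def session_window(timeline, actor):
    """Events attributed to one actor, bounded by their first login and last logout."""
    auth = [e for e in timeline if e.source == "auth" and e.actor == actor]
    start, end = auth[0].time, auth[-1].time
    return [e for e in timeline if e.actor == actor and start <= e.time <= end]


if __name__ == "__main__":
    for e in build_timeline():
        print(e.time.strftime("%H:%M:%S"), e.source.ljust(10), e.actor.ljust(7), e.detail)
```

With the correct offset the file is created, read, webmail is used, and the file is deleted, all inside one login session; with the offset left at zero the file system events land before the login and the sequence no longer makes sense, which is why the zone of every source belongs in the evidence notes.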


What Types of Evidence Can Be Found?

• Using normal OS utilities and applications
  – File content
  – E-mail content
• Using forensic tools
  – Deleted and hidden files
  – Fragments of work in process
  – Clear text of encrypted passwords and files
  – Activity trails
    • File creation, access and deletion time
    • Internet browsing: URL, time, content

The standard operating system utilities, especially the ones provided with Unix/Linux, can provide a great deal of information about what a suspect has been doing on his or her computer.

Purpose-built forensic tools are especially useful in two different areas: 1) Finding hidden or deleted data that isn't available through the normal operating system functions. 2) Turning data into information, making sense out of the unconnected bits of material found in a hard drive.

Remember that operating systems do not actually “delete” a file — they just remove the reference to the file from an index. The original file data is still sitting on the storage device until it is written over by something else. Virtual memory swap space contains all sorts of work-in-progress fragments, some of which end up on unallocated parts of the disk. Data files themselves, especially .doc, can contain historical fragments that aren't accessible through the application. The term “slack space” is often applied to this potentially recoverable and useful information.

Everything that a user does on a computer leaves some sort of trail. Every file creation, access and deletion affects the file system. Web browsing creates huge amounts of cached data that can be researched to provide details of a subject's Internet activity.
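The nested layers from the evidence-characteristics slide (drive, partition, file system, file, record, field) and the recovery of deleted data and slack space described above, worked as one added example that is not part of the presentation. The image is constructed in the code: a real-format MBR partition table, and inside the partition a toy directory format (32-byte entries, first name byte 0xE5 marking a deleted file, in the manner of FAT) chosen for this example. Walking down from the raw bytes shows why the slide recommends collecting at the lowest layer: the "deleted" memo is still readable, an older version of the report survives in the live file's slack, and e-mail addresses can be carved from unallocated sectors without any directory at all.

```python
"""Walking the nested layers of a constructed disk image and recovering what
the file system no longer lists (added example; the file system is a toy)."""
import re
import struct

SECTOR = 512
DELETED = 0xE5                               # first name byte of a deleted entry
DIR_ENTRY = struct.Struct("<16sHI10x")       # name, start sector, length, padding
MBR_ENTRY = struct.Struct("<B3sB3sII")       # status, CHS, type, CHS, LBA start, count
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+")


def _entry(name, start, length, deleted=False):
    raw = name.encode().ljust(16, b"\x00")
    return DIR_ENTRY.pack((bytes([DELETED]) + raw[1:]) if deleted else raw, start, length)


def build_sample_image():
    """Constructed 8-sector image: MBR, then a partition holding a toy directory,
    one live file with slack, one deleted file, and unallocated residue."""
    s = [bytearray(SECTOR) for _ in range(8)]
    s[0][446:462] = MBR_ENTRY.pack(0x80, b"\0\0\0", 0x83, b"\0\0\0", 1, 7)
    s[0][510:512] = b"\x55\xaa"                       # MBR boot signature
    report = b"Quarterly numbers: revenue 1200, cost 900"
    memo = b"Meet at 21:00, bring the backup tapes"
    s[1][0:32] = _entry("report.txt", 1, len(report))             # live entry
    s[1][32:64] = _entry("memo.txt", 2, len(memo), deleted=True)  # deleted entry
    old = b"DRAFT (superseded): revenue was reported as 1500 before correction"
    s[2][:len(old)] = old            # an older, longer version once lived here ...
    s[2][:len(report)] = report      # ... and its tail survives as file slack
    s[3][:len(memo)] = memo          # the deleted file's data is still on disk
    residue = b"contact: j.doe@example.com; backup: ops@example.net"
    s[5][:len(residue)] = residue    # unallocated sector with leftover data
    return bytes(b"".join(s))


def partitions(image):
    """Layer 1, the partition table: [(start_lba, sector_count), ...]."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    found = []
    for i in range(4):
        _, _, ptype, _, start, count = MBR_ENTRY.unpack_from(image, 446 + 16 * i)
        if ptype:
            found.append((start, count))
    return found


def directory(image, part_start):
    """Layer 2, the toy file system's directory; deleted entries are kept."""
    entries = []
    for off in range(0, SECTOR, DIR_ENTRY.size):
        raw, start, length = DIR_ENTRY.unpack_from(image, part_start * SECTOR + off)
        if raw[0] == 0:
            break                                  # end of directory
        deleted = raw[0] == DELETED
        name = (b"?" + raw[1:] if deleted else raw).rstrip(b"\x00").decode()
        entries.append({"name": name, "deleted": deleted, "start": start, "length": length})
    return entries


def file_data(image, part_start, entry):
    """Layer 3, the file's bytes; works for a deleted entry too, as long as
    nothing has overwritten its sector."""
    off = (part_start + entry["start"]) * SECTOR
    return image[off:off + entry["length"]]


def file_slack(image, part_start, entry):
    """Bytes between the file's end and the end of its last sector."""
    off = (part_start + entry["start"]) * SECTOR
    return image[off + entry["length"]:off + SECTOR]


def unallocated(image, part_start, part_count, entries):
    """Every partition sector not referenced by a live entry (or the directory)."""
    used = {e["start"] for e in entries if not e["deleted"]} | {0}
    return b"".join(image[(part_start + n) * SECTOR:(part_start + n + 1) * SECTOR]
                    for n in range(part_count) if n not in used)


def record_fields(data):
    """Layer 4, fields inside a record: '<name> <number>' pairs."""
    return {m.group(1).decode(): int(m.group(2)) for m in re.finditer(rb"(\w+) (\d+)", data)}


def carve_emails(blob):
    """Signature carving over raw bytes, independent of any file system metadata."""
    return [m.group(0).decode() for m in EMAIL.finditer(blob)]


if __name__ == "__main__":
    img = build_sample_image()
    (start, count), = partitions(img)
    entries = directory(img, start)
    for e in entries:
        print(e, file_data(img, start, e))
    print(file_slack(img, start, entries[0]).rstrip(b"\x00"))
    print(carve_emails(unallocated(img, start, count, entries)))
```

The same functions run unchanged over a tampered directory: overwriting the first name byte is all "deleting" did, so the entry, its start sector and its length are still there to be read.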


Hardware Tool Functions

• Specialized Interfaces
  – Write-protect
  – Multi-I/O
  – PDA and phone reading
• Portable Imaging Devices
• Forensic Workstations
  – “Ruggedized” portable or desktop
  – Multiple media interfaces and software
  – Maintain case files and evidence copies

Vendors claiming 3+Gig/minute write speeds

An active investigator is confronted with a wide range of different devices, not all of which have the same interface. A variety of bridging devices are necessary so that an investigator can connect to the target device and create image files on a storage device. Both in the field and lab, data transfer speed makes a big difference in being able to start an important investigation as quickly as possible. Field equipment needs to be sufficiently rugged so that it doesn't fail when it is most needed.

When dealing with the collected images, analysts need a workstation that has large amounts of storage, and the processing capability of quickly indexing and searching through it.

Evidence integrity can best be supported by imaging hard drives using a ‘write-blocker’. This is an interface that fits between the target device and the hard drive or workstation that will create the initial copy of the image. The interface is made such that it is impossible to write onto the storage device that is being copied. Use of such equipment provides a high level of assurance that the investigator did not tamper with the evidence.

Tactical Guideline: For practical and legal reasons, serious forensic work requires specialized hardware.


Hardware Vendors

• ICS: data acquisition devices and forensic workstations
• Paraben: PDA and cell phone adaptor kits
• Logicube: handheld disk duplicators
• Tableau: interface bridges (write blockers)
• Wiebetech: variety of media interfaces
• Forensicpc.com: portable and desktop forensic workstations

www.paraben.com
www.wiebetech.com/products/ComboDock.php
www.tableau.com/products.html
www.logicube.com/
www.icsforensic.com/
www.forensicpc.com/


Software Tool Functions

• Acquisition: Data imaging
  – Bootable CD for controlled field environment
• Case Management
• Mount and read-only access to images
  – Data Recovery
  – Search and Report
    • Text strings
    • File types, date, time, size, etc.
• Activity reconstruction
• Remote investigation of computers
  – Software agents allow surreptitious remote investigation across network
    • Keyword and file attribute search
    • File and image copy across network

Specialized software is available to support all stages in the investigative life cycle. Complete suites of software, including case management functions, are available from Guidance Software (EnCase), AccessData (Forensic Toolkit), Technology Pathways (ProDiscover), Paraben and ASR Data (SMART). Point products that provide specialized recovery and/or search functions are available from New Technologies Inc., GetData, ZyLab, dtSearch, and BlackBag Technologies.

Remote investigation is still relatively immature, but it is appealing for several reasons. First, if there is no need to travel, investigations are less expensive and can be done more often. Second, the huge amount of storage represented by the sum total of the disk drives on every PC represents an impossible collection task. The increasing potential for awareness on the part of investigative targets and their taking active steps to hide their activities complicates the use of remote forensic agents. The potential for manipulation has made it desirable to use a security protocol between the client agent and the forensic workstation. Be aware that such agents may trigger spyware or intrusion prevention software. Increasingly, remote forensic agents need to be carefully tested and integrated into the standard build such that they do not interfere with other security software.

Strategic Planning Assumption: By 2006, remotely collected evidence will be routinely accepted in North American and European courtrooms (0.9 probability).


Growing Forensic Challenges

• Technology becoming more complex
  – Distributed storage
  – Huge storage
  – Portable and inexpensive storage
  – Use of noncorporate hardware
• Criminals becoming more skilful
  – ‘Rootkits’: subversion of operating environment
  – Hiding Internet activity through encryption and proxies
  – Hiding data through steganography
  – Protecting data through crypto and removable storage
  – “Trojan” defense

The more complex technology becomes, the harder it is to deal with in an investigation. The classic forensic technique of taking complete images of hard drives is becoming increasingly less practical. There isn't enough time to collect it all, there isn't enough place to put it, and most of the data is not useful. Multidevice storage, from RAID to SAN, is either impractical or impossible to capture at the device level. Finally, it often is impossible to shut down or isolate corporate systems to conduct an investigation (try to envision shutting down the mainframe). All of this is encouraging different forms of data collection.

Criminals are increasingly aware of the potential that their activities will be investigated. Techniques to evade capture and jail are discussed in underground Internet chat rooms.

Live investigations are decidedly more convenient, and they are the only way to capture “incident in progress” data from within the operating system's data structures. Unfortunately, the potential for inaccurate results is growing. If the data acquisition process is dependent on the target system's operating environment, then the data can be corrupted if the operating environment has been compromised.


Should You Do This Alone?

Outsourcing vs. In-housing
– Investigators need constant experience
– They need hardware, software, supplies

Forensic Service Providers
– Individual consultants
– Boutique firms
– Big 4
– Everybody else
– Specialties: criminal vs. civil cases

Firms with in-house capability still need help

A recent Big 4 job posting for a "senior" forensic analyst requested at least two years of experience. Hopefully they plan to put this new person under a more-experienced analyst. It takes years of experience to become skilful enough to reliably solve cases and to provide evidence that can withstand the opposing expert witnesses in a court case.

As a rule of thumb, firms that do not already have some sort of investigative staff (usually an ex-policeman working in corporate security) should not consider establishing a full-time forensic capability. Outsourcing is the best solution for firms that do not have the means or the activity to support in-house specialists.

However, many organizations that don't expect their own people to actually end up presenting in court are still improving their investigative capabilities in multiple ways:
• Greater sophistication in their incident response
• Conducting "pre-investigations" to determine whether the likelihood of criminal activity is high enough to justify bringing in a full-timer (from HQ or a consultant)
• Collecting forensically useful evidence ahead of time, so that it is available for unanticipated investigations

Strategic Imperative: Choose an incident response/forensic provider before your next incident, not after it.


Implementing Your Response Capability

Plan
1. Create plan
2. Position it in the organizational structure
3. Fund it
4. Recruit team
5. Acquire tools
6. Train team
7. Develop internal/external reporting policy

Do
8. IT and users must know who/when to call

Check
9. Test drives and simulations

Act
10. Go live!

Incident response is a process, and organizations that want to implement and improve such a process should be familiar with the CERT/CC and FIRST.

The CERT Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University (www.cert.org) provides the definitive document on incident response, "Handbook for Computer Security Incident Response Teams" (www.cert.org/archive/pdf/csirt-handbook.pdf).

Organizations that set up their own CIRT should consider joining the Forum of Incident Response and Security Teams (FIRST). It is a nonprofit volunteer group that fosters cooperation and coordination in incident prevention across diverse global sectors (www.first.org). Its annual conference offers anyone involved in incident response a view of emerging issues from those in the CIRT trenches.

Client Issue: How should a computer incident response team (CIRT) be structured?


Keeping Legal

Remember at all times:
– Maintain chain of custody
– Comply with all local regulations
– Involve law enforcement

You are not a lawyer
– Do not make investigation decisions in a legal vacuum
– Investigators must be familiar with legal principles and relevant laws

The legal issues associated with investigations can be very complex, and multinationals must remember that every country has different regulations and different expectations.

While nonlawyers should not be making the ultimate decision on legal issues, investigators must be familiar with the regulations that affect their activities.
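The chain-of-custody point above and the earlier discussion of imaging versus live acquisition both come down to the same requirement: being able to show that the evidence examined is the evidence collected. The following is an added example, not code from the Gartner deck. It is a minimal acquisition routine that hashes the source while copying it, re-hashes the finished image, confirms the two match, and appends a chain-of-custody record. The device it acquires is a constructed temporary file standing in for a disk; the case identifier, examiner name, custody log path and 64 KiB block size are placeholders. It is a dead-acquisition routine: it trusts the bytes it reads, which is exactly what a live acquisition from a compromised operating environment cannot do.

```python
"""Verifiable disk-image acquisition with a chain-of-custody record.

Added example, not part of the Gartner deck.  Hashes the source as it is
read, hashes the finished image, confirms the two match, and appends a
JSON-lines custody entry.  The "device" acquired in demo() is a constructed
file standing in for a block device; the case id, examiner name and log
path are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read/write granularity; a real tool would use a larger block


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a file, streamed so images larger than memory are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner, case_id, chunk=CHUNK):
    """Copy source to image, hashing the source in the same pass.

    The source hash is computed from the bytes actually read, and the image
    is re-read from disk afterwards, so a write error or a later change to
    the image file shows up as a mismatch instead of going unnoticed.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    img_hash = hash_file(image, chunk)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "verified": src_hash.hexdigest() == img_hash,
    }


def record_custody(record, log_path):
    """Append the record as one JSON line; each later handling step appends another."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def verify(record):
    """Re-hash the image (before analysis, before a hand-over, in court)."""
    return hash_file(record["image"]) == record["sha256_image"]


def demo():
    """Acquire a constructed device, verify, flip one byte of the image, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sda")      # constructed stand-in for /dev/sda
        image = os.path.join(tmp, "sda.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(5 * CHUNK + 1234))
        rec = acquire(device, image, examiner="examiner-1", case_id="CASE-0001")
        record_custody(rec, os.path.join(tmp, "custody.jsonl"))  # placeholder log path
        ok_before = rec["verified"] and verify(rec)
        with open(image, "r+b") as f:           # simulate a corrupted or altered image
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        ok_after = verify(rec)
        size = rec["bytes"]
    return ok_before, ok_after, size


if __name__ == "__main__":
    print("verified before / after tampering, bytes:", demo())
```

Run it directly to watch verification succeed and then fail after a single byte of the image is changed. Tools of the deck's era recorded MD5 digests; SHA-256 is used here because MD5 collisions are now practical to construct, so a matching MD5 no longer demonstrates that an image is unaltered.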


What to Do Now

Create detailed policies
– Incident response process (escalation plan)
– Standards of evidence for different incident types
– Data retention (anticipate future investigations)
  • Image workstations of leaving execs, traders, brokers
  • Activity logging, especially IAM and accesses to sensitive data
  • Mail and IM archiving

Determine necessary capabilities
– Retain outside service, hire talent, train existing staff
– Build your digital forensics lab

Implement incrementally as you gain experience

There is no better way to fill up a room with executives than to tell them that there has been a criminal act on a corporate computer and nobody knows what to do about it.

Once an incident has occurred, either an intrusion or an apparent criminal case, it is too late to create plans and to implement a response effort. Trying to do so in the middle of an incident is a complete waste of time and a horribly frustrating exercise for the information security and IT staff. Do not allow this to happen to you. Create a detailed incident response policy right now.
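The data-retention bullets above (activity logging, especially IAM and access to sensitive data) and the "pre-investigation" idea from the outsourcing slide fit together: retained logs only help if someone can quickly turn them into a per-person timeline. The following is an added example, not from the Gartner deck. It takes constructed IAM and file-server log lines in two different timestamp conventions, normalises them to UTC, orders them, and flags events after a cutoff (here an assumed termination date) or touching assumed sensitive paths. The log formats, the file server's fixed UTC-4 offset, the user names, the paths and the cutoff are all assumptions for the example.

```python
"""Pre-investigation timeline from retained activity logs.

Added example, not from the Gartner deck.  The log lines are constructed;
the two formats, the file server's UTC-4 offset, the sensitive-path
prefixes and the termination cutoff are assumptions for the example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples from two retained sources.  The IAM system logs in UTC
# (ISO 8601 with a trailing Z); the file server logs in local time.
SAMPLE_LOGS = [
    "May 30 2005 23:15:27 fileserver access user=jsmith path=/finance/client_list.xls op=copy",
    "May 30 2005 14:50:03 fileserver access user=jsmith path=/finance/q2_forecast.xls op=read",
    "May 30 2005 23:17:01 fileserver access user=jsmith path=/public/holidays.txt op=read",
    "2005-05-30T18:42:10Z iam login user=jsmith src=10.1.4.22 result=success",
    "2005-05-31T03:10:44Z iam login user=jsmith src=203.0.113.9 result=success",
    "2005-05-31T03:30:00Z iam logout user=jsmith src=203.0.113.9 result=success",
    "2005-05-31T08:00:00Z iam login user=asmith src=10.1.4.40 result=success",
    "this line is not in a format we parse",
]

IAM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) iam (?P<action>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
FILE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) fileserver access "
    r"user=(?P<user>\S+) path=(?P<path>\S+) op=(?P<op>\w+)$")

UTC = timezone.utc
FILESERVER_TZ = timezone(timedelta(hours=-4))  # assumption: that server logs in UTC-4
SENSITIVE_PREFIXES = ("/finance/", "/hr/")       # assumption: what counts as sensitive


def parse_line(line):
    """Return one normalised event dict, or None for lines in an unknown format."""
    m = IAM_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        return {"utc": ts, "source": "iam", "user": m["user"], "path": None,
                "detail": f"{m['action']} from {m['src']} ({m['result']})"}
    m = FILE_RE.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=FILESERVER_TZ)
        return {"utc": local.astimezone(UTC), "source": "fileserver", "user": m["user"],
                "path": m["path"], "detail": f"{m['op']} {m['path']}"}
    return None


def build_timeline(lines, user):
    """All events for one user, oldest first, with every timestamp in UTC."""
    events = [e for e in map(parse_line, lines) if e and e["user"] == user]
    events.sort(key=lambda e: e["utc"])
    return events


def flag_events(events, cutoff_utc, sensitive=SENSITIVE_PREFIXES):
    """Mark events after the cutoff (e.g. a termination date) or touching sensitive data."""
    for e in events:
        e["after_cutoff"] = e["utc"] > cutoff_utc
        e["sensitive"] = bool(e["path"]) and e["path"].startswith(sensitive)
    return events


def triage(lines=SAMPLE_LOGS, user="jsmith", cutoff="2005-05-31T00:00:00Z"):
    """Timeline for one user with the two flags applied; cutoff is an ISO 8601 UTC string."""
    cutoff_utc = datetime.strptime(cutoff, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return flag_events(build_timeline(lines, user), cutoff_utc)


if __name__ == "__main__":
    for e in triage():
        marks = ("T" if e["after_cutoff"] else "-") + ("S" if e["sensitive"] else "-")
        print(f"{e['utc'].isoformat()} {marks} {e['source']:10} {e['detail']}")
```

Normalising to one time zone before sorting is the step most often skipped. Sorted as strings, the file server's "May 30 ... 23:15:27" line would land before the IAM login at 2005-05-31T03:10:44Z even though it happened about five minutes later, and the copy of the client list would look like it preceded the login from the outside address instead of following it.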

Strategic Planning Assumption: By 2007, 50 percent of regulated organizations that do not upgrade their response capability will be "forced" to do so by external auditors (0.8 probability).
