Computer Crime Research Center


Forensics: Under investigation

Date: April 14, 2008
By: Derek Parkinson

Whether you've been hacked or suspect an employee of wrongdoing, knowing how to preserve evidence is crucial. Derek Parkinson reports.

The closest thing the world of computer forensics has to the Ten Commandments is the guidance set down in the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence. These guidelines, built around four main principles, are used as the basis for all criminal computer investigations. They are quite broad in scope, making recommendations regarding the correct handling of forensic data.

First, no action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Second, in circumstances where a person finds it necessary to access original data held on a computer or storage media, that individual must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Third, an audit trail or other record of all processes applied to computer-based electronic evidence is essential. An independent third party should be able to examine those processes and achieve the same result.

Finally, there should be someone in charge of the investigation with overall responsibility for ensuring that the law and these principles are adhered to.

"Principle one is solved by using software tools to make forensic image copies of the hard disk and other digital evidence," says Dr Sam Type, co-founder of computer forensics company Geek Ltd. "There are products designed for the purpose, such as FTK Imager, Encase and Helix utilities. Other system utilities, such as Linux DD will perform the same task," she explains. "It is important to capture the digital signature of the copied data so that it can be checked over time, and after processing, to confirm that you're still working on an exact copy of the original. MD5 hash-sums are commonly used."
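The imaging and hashing routine Type describes, and the audit trail that principle three requires, can be illustrated together in a short script. The following is an added example written for this page; it is not code from the article, from Geek Ltd or from any of the products named. It assumes a constructed byte string standing in for a seized disk, records both MD5 (as the article mentions) and SHA-256 (added here, since MD5 collisions are practical today), and writes the audit trail as JSON lines; the function names are hypothetical.

```python
"""Added example: read-only image acquisition, hash verification and an audit
record. All file names and the sample 'disk' contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a real image is never loaded whole


def hash_file(path):
    """Return {'md5': ..., 'sha256': ...} for the file at path, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def _audit(audit_path, record):
    """Append one timestamped line to the audit trail (principle three)."""
    record["timestamp"] = datetime.now(timezone.utc).isoformat()
    with open(audit_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def acquire_image(source_path, image_path, audit_path, examiner):
    """Copy source to image byte for byte, hash both, and log the result.
    The source is only ever opened read-only (principle one). Returns the
    audit record; raises if the copy does not match the original."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    record = {
        "action": "acquire_image",
        "examiner": examiner,
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "source_hashes": hash_file(source_path),
        "image_hashes": hash_file(image_path),
    }
    record["verified"] = record["source_hashes"] == record["image_hashes"]
    _audit(audit_path, record)
    if not record["verified"]:
        raise RuntimeError("image hashes do not match the source; stop here")
    return record


def verify_image(image_path, expected_hashes, audit_path, examiner):
    """Re-hash the image later (after analysis, before court) and log whether
    it still matches the hashes taken at acquisition. Returns True/False."""
    current = hash_file(image_path)
    ok = current == expected_hashes
    _audit(audit_path, {"action": "verify_image", "examiner": examiner,
                        "image": os.path.basename(image_path),
                        "expected": expected_hashes, "current": current,
                        "verified": ok})
    return ok


def demo():
    """Constructed walkthrough: make a fake disk, image it, verify, then flip
    one byte of the image to show that contamination is detected."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    source = os.path.join(workdir, "suspect_disk.bin")   # constructed evidence
    image = os.path.join(workdir, "suspect_disk.img")
    audit = os.path.join(workdir, "audit.jsonl")
    with open(source, "wb") as f:
        f.write(b"constructed evidence block " * 50000)   # about 1.3 MB
    record = acquire_image(source, image, audit, "examiner-1")
    ok_before = verify_image(image, record["image_hashes"], audit, "examiner-1")
    with open(image, "r+b") as f:                         # simulate contamination
        f.seek(10)
        byte = f.read(1)[0]
        f.seek(10)
        f.write(bytes([byte ^ 0xFF]))
    ok_after = verify_image(image, record["image_hashes"], audit, "examiner-1")
    with open(audit, encoding="utf-8") as log:
        entries = sum(1 for _ in log)
    return {"acquired_ok": record["verified"], "after_tamper_ok": ok_after,
            "before_tamper_ok": ok_before, "audit_entries": entries}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping both the acquisition hashes and every later verification in the same append-only log is that an independent examiner can repeat each step and reach the same values, which is exactly what principle three asks for; in practice the hashes of the original should also be written down on the exhibit label, not only in a file that lives beside the image.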

In practice, well-thought-out procedures for handling forensic data are every bit as important as the tools needed to copy and analyse it, suggests Andy Harbison, a senior manager in Deloitte's IT forensics and litigation support team. "In my experience, a lot of people obsess about the technology, but mess up on the procedure," he says. "In a court case, there are generally two ways a barrister can go in questioning an expert witness on computer forensics: their expertise and the integrity of the procedure. The evidence can be destroyed before a case even gets to court," he adds.

Another compelling reason for having procedures in place is the need to avoid acting hastily when an incident occurs. "Taking an image of a disk is something IT staff can do on their own. But I've heard horror stories of people copying the wrong way round, and wiping out all the data," says Harbison.

Organisations need to be prepared for an incident where forensic analysis of computer data is necessary, warns Geoff Donson, group security manager at TelecityGroup. Donson draws on more than 27 years of experience in the police, including the Serious Organised Crime Agency, the National Hi-Tech Crime Unit and the Metropolitan Police Computer Crime Unit. "You should have appropriately trained people because you have to be ready in advance. They need a basic awareness of computer forensics and what it can achieve," he says.

The enemy within
It is important for employers to recognise that forensic data may be needed as part of an investigation into the activities of people inside an organisation, as well as outside. "Hacking is just one of the threats a company's computer system may be exposed to," says Type. "Most large corporations will have systems administration staff tasked with ensuring it doesn't occur, but the majority of companies are more at risk from employee behaviour," she suggests.

"As best practice, a corporate should generate a set of computer response procedures and documents outlining the threats they might be vulnerable to and the actions they would take in each situation, similar to a risk assessment. This will help ensure that the best possible evidence is collected, that the evidence will be admissible should the situation require legal action, and that the company will be protected from any loss of revenue that may result from evidence not being produced," Type adds.

As well as helping internal staff to protect forensically valuable data from contamination, such a policy will set down guidance on when to bring in external professionals. "The documents can form part of a crisis-response strategy," Type continues. "They must consider the need to gather data from all computerised equipment within the organisation, from servers to PDAs.

"Companies often aren't aware that their policies are failing to protect them from the biggest threat - their employees. Businesses may disable DVD or CD writers in staff PCs, but then allow employees to plug in their iPods - which are basically portable hard-drives."

As the amount of data we store, and the ways in which we can store it, continue to grow, so do the means to find and analyse information. Recent advances in computer forensics are led by the need to extract information from data sources more effectively, and to keep pace with innovations in technology.

Tools for collecting network data are a good example. The network administration products found in most organisations produce data from all TCP/IP layers. Firewalls, intrusion detection systems, routers, packet sniffers and protocol analysers can all be of value to a forensic investigation, but this is usually not their primary purpose, so each is likely to provide only a partial view of what investigators need.

Purpose-built network forensic products combine the functions of IT security management systems with those of specific tools such as packet sniffers and protocol analysers. While they may be useful for capturing data, they are best used by experienced forensic experts who know how to analyse the results.

The massive increase in the availability of devices that can store, process and transmit data - such as mobile phones, PDAs, MP3 players and USB devices - delivers opportunities and challenges for digital forensics. A wireless-enabled device may store location data, and so provide powerful evidence of the whereabouts of a person at a particular time. Mobile phones and PDAs have forensic value precisely because they are personal communication devices and therefore may contain revealing information.

From a technical point of view, these devices are forensically important because they typically store personal data as flash-EEPROM (electrically erasable programmable read-only memory), which is relatively stable. Unless the user is an expert, they are unlikely to be aware of how much data is actually stored in this form, and will almost certainly not have direct access to all of it. However, there are difficulties in accessing such data without contaminating it, primarily because a phone will begin searching for, and exchanging, data with any nearby masts, transmitters or satellites as soon as it is switched on.

The first commercially available forensic tool for mobile phones and PDAs was released in 2004. The .XRY product from iCardForensics provided access to names and numbers in address books; SMS messages sent, received and archived; pictures; calendar information; sound files; call logs and multimedia messages.

In 2006, Forensic Telecommunication Services launched FTS Hex services, which are used primarily by police forces. The company claims to be able to extract similar information from phones even if the handset has been damaged by fire or water or the SIM card is missing, damaged or locked. In 2007, Guidance Software unveiled Neutrino, a suite of mobile phone tools that integrate with its Encase products. Other developers are expected to follow, bringing mobile phone analysis into the forensic mainstream.

Flash memory devices such as USB sticks are a growing source of concern to IT security professionals. Their growing capacity allows sophisticated software to be stored on them, raising the possibility that applications could be run on a computer without having to be installed. Such developments also mean that conventional techniques for creating an image of the data held on passive memory devices may no longer be an option.

Leaving aside the various considerations about technology, there is also the problem of getting access to such devices in a way that is both unobtrusive and lawful. All these issues mean that portable and mobile devices will give headaches to IT security professionals for some time to come.

A volatile combination
Access to data held in volatile memory is another area of innovation worth watching. If evidence from a PC is stored in password-protected containers, when it has been transmitted across a network or when encrypted applications have been used, data in volatile memory could be crucial to the investigator, providing evidence that might otherwise be unavailable. Such data will be lost if the machine is shut down.

But in order to capture volatile data, the machine will have to be accessed, which risks violating principle one of ACPO's guidance. Specialist tools must be used, and it is essential that they are applied only by trained personnel, who should be able to explain and justify the processes they have used, thus complying with principle two. This is a new area for the forensics industry and a limited set of tools are available (see box page 28).

It seems technological advancement is both helping and hindering digital forensics, but one thing is for certain: with cyber crime and insider threats on the rise, more and more organisations will need to make use of it.


Copyright © 2001-2013 Computer Crime Research Center