Manager Offers Primer On Computer Forensics

Vince's company is loath to prosecute attackers, but gathering computer evidence is still part of the job

Mention the word forensics, and I imagine rubber gloves and Dana Scully conducting autopsies in The X-Files. Thankfully, when applied to computers in general, forensics is less smelly and less likely to involve extraterrestrial life.

An increasing number of criminal investigations these days include evidence extracted from computers. However, because of the impermanence of digital data and the ease with which evidence can be manufactured, evidence has to be obtained with great care.

1pixclear.gif
GLOSSARY
Computer forensics:
The investigation of computer crime, including the collection, analysis and presentation in court of electronic evidence.


Black-bag job:
Slang for the surreptitious entry into an office to obtain files or materials.

LINKS
This Web page, "Federal Guidelines for Searching and Seizing Computers," includes the U.S. government's policy for collecting computer evidence. Designed for federal agencies, it's also a useful resource to learn the correct procedures to follow when gathering evidence.


Guidance Software's Web site includes information on its EnCase digital forensic software, hardware and training services.


This paper by Dorothy A. Lunn, at the Web site of Bethesda, Md.-based SANS Institute, offers an excellent introduction to computer forensics, including references to an array of products, training resources and additional reading.

We have many thousands of computers in our company that are potential targets for criminal activity. Hackers may try to gain access to confidential data over the Internet. Insiders may try to modify expense claims after they've been approved.
Most of our efforts are spent trying to stop this from succeeding, but sometimes attacks slip past our defenses. Also, computers can be used as tools of crime, as when staffers download pornography from the Web or send our customer lists to their new employer by e-mail just before they quit.
Gathering the Evidence
When our computers become the targets of a crime, we must gain access to the systems to verify that a crime has been committed. Once we know it isn't a false alarm, we collect digital evidence to determine the scope of the crime. An accurate record of what has happened allows us to recover, repair and learn from the past. And if we collect evidence carefully, we can use it in court. If we handle the data without following the correct procedures, however, there's nothing we can ever do to produce admissible evidence.
Practically speaking, we're unlikely to present such evidence in court. Like most financial services organizations, we prefer not to drag our security problems through the justice system. But when we start investigating, we can't be sure that we won't uncover something that requires prosecution or that we could use to defend ourselves from a liability suit.
Courts require the highest standards of computer evidence. Increasingly, the tribunals used to resolve disputes between staff and company, such as wrongful dismissal cases, require the same level of evidence.
When a member of our staff uses one of our computers to commit a crime, digital forensics are the only way we can prove wrongdoing.
Our main forensic tool is EnCase software from Guidance Software Inc. in Pasadena, Calif. It allows us to boot up off of a floppy disk and copy a hard disk byte by byte. The methodology it uses is admissible in court. Guidance Software also offers several tools for searching and extracting evidence.
In today's world of very large local disk drives, network storage, personal digital assistants and mobile devices, trying to find data can seem like hunting for a needle in a haystack. User behavior helps narrow this down. Most users seem to feel that their local drives are safer than the network. They seem to believe that we have enough time and resources to check only the network drives for questionable material.
This belief makes our investigations simpler. A simple local disk search usually uncovers all the evidence we need. And since local drives are less busy than network drives, deleted files are less likely to have been overwritten.
Cheap and available encryption may be a brief hindrance for the feds, but for us, it draws an impenetrable veil across the data, unless our users have chosen easy-to-crack WinZip compression or Microsoft Office encryption. Luckily, our policy prohibits staff from using encryption without providing a key, so disciplinary charges can be brought without us having to break the code.
I'll bet a good many readers are jumping up and down about free speech and the right to privacy. I assure you that our staffers can afford home systems with Internet access, and that's the place for them to exercise those rights. We explain clearly to all staff that they should have no expectation of privacy when using work systems.
Wrongfully Accused
While forensics evidence can implicate users, it can also clear them from suspicion. Recently, a disgruntled worker was suspected of hacking our internal systems. Management called us in to provide the digital evidence to sack him with no danger of a wrongful dismissal suit.
We carried out a 3 a.m. black-bag job on his machine, carefully taking digital photos of his desk and machine so that we could restore everything without alerting suspicion. We quickly took his machine to our lab. Within a few hours, we had dismantled the machine, taking care not to disturb the dust on the outside. We added a second disk to hold the evidence and booted the machine from the EnCase floppy disk. We carefully made an exact copy of the disk, returned the machine and retired to the lab to examine the results.
When we return from such a mission, we always check all the tools we used, like surgeons in an operation, to make sure we haven't left anything in the patient. This time, we couldn't find the boot floppy. A swift return to the alleged crime scene recovered the offending disk. How foolish would we have looked when the suspect booted his machine the next morning, only to be greeted by a "Welcome to EnCase forensic solutions" screen? Fortunately, attention to detail averted that disaster.
Sometimes, even we jackbooted privacy invaders can actually help someone clear his name. With careful analysis, we were able to show that this particular user's machine and the use of software on it were legitimate. We went through it so closely that we could see the pornographic images downloaded three users back. Our forensic evidence was enough to overturn the circumstantial evidence against him.
Some readers may disagree with our methods, but the results speak for themselves. I welcome your comments in the Security Manager's Journal forum.
This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or head to the Security Manager's Journal forum.

Special Report

Security Risk and Reward

Stories in this report:

Related:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon