Six top computer forensics experts testify to their craft
A bloggers' banquet, collated by Sarah Hilley
Forensics is one of the top three areas in demand for training
by information security professionals, according to the latest (ISC)2
Global Information Security Workforce Study, carried out by IDC.
But what do expert digital forensics professionals do? And what
do they think about the latest developments in the field? Here we provide
a round-up, based on material blogged to a research project carried
out by Sarah Hilley at Dublin City University. We have a line-up
of six leaders in the field:
Paul Henry, vice president of strategic
accounts at Secure Computing
NT Evidence, senior investigator at a
major software company
Phillip Sealey, Director, Forensic and
Dispute Services at Deloitte and Touche
Dario Forte, Founder and CEO at DFLabs
Brian Karney, Chief Strategy Officer
at Guidance Software
Geoff Sweeney, CTO, at Tier 3.

Paul Henry
VA hard disk was not accessed - FBI
The claim by the FBI that the recovered stolen hard disk containing data on up to 26.5 million veterans and military personnel was not accessed is simply false and misleading.
The first step in any forensic investigation is to make a bit-by-bit duplicate of the hard disk to prevent the evidence from being altered or tampered with.
Firstly, why has the FBI foolishly assumed that the bad guys in this case would not have followed the same procedure that it does: make a bit-by-bit duplicate and then work only on the duplicate, so there would be no trace of their activities on the original hard drive?
Lastly, the freely downloadable anti-forensics tools available on today's Internet allow easy and undetectable alteration of a file's timestamps, hence rendering file systems no longer an accurate or reliable log of activity.
Timestomp is a utility available within the Metasploit Anti-Forensics Toolkit that allows a user to alter a file's timestamps at will. Timestomp uses Windows system calls instead of the traditional approach of using SetFileTime(). Timestomp allows the user to overwrite the last written time (M), last accessed time (A), created time (C), MFT entry modified time (E) or all four values (MACE).
Most commercially available forensic tools do not provide any methodology to determine if the timestamps were altered.
Further, to the embarrassment of most commercial forensic tools, Timestomp includes a "-b" option that, when run against a file or group of files, can cause the forensic tool to return a blank timestamp in its file history display.
Another interesting feature of Timestomp is its "-r" option, also referred to as the Craig option, which will recursively alter the timestamps within a given directory.
Effectively, the Timestomp tool renders the use of file histories in a forensic investigation obsolete.
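An added example, not part of Paul Henry's post: when a tool's displayed timestamps cannot be trusted, one check analysts fall back on is to compare the $STANDARD_INFORMATION timestamps in an MFT record, which Timestomp rewrites, against the $FILE_NAME timestamps in the same record, which are written by the kernel on create and rename and are not reachable through the user-mode time-setting APIs. The Python below builds two constructed attribute bodies (the NTFS on-disk layouts are real; the file name, parent reference and timestamps are made up), one untouched and one with all four MACE values set to a single whole-second time, and flags the stomped one on two grounds: zeroed sub-second fields and a $SI created time that predates the $FN created time.

```python
"""Timestomp check: compare NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps.

Added example; the attribute bodies below are constructed, not read from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100-nanosecond intervals
ORDER = ("created", "modified", "mft_modified", "accessed")  # on-disk order in both attributes


def to_filetime(dt, extra_ticks=0):
    """UTC datetime -> FILETIME; extra_ticks adds 100 ns units below microsecond precision."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10 + extra_ticks


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_standard_information(body):
    """$STANDARD_INFORMATION (type 0x10) content: four FILETIMEs at offsets 0..31."""
    return dict(zip(ORDER, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body):
    """$FILE_NAME (type 0x30) content: parent ref (8), four FILETIMEs, sizes, flags, name."""
    times = dict(zip(ORDER, struct.unpack_from("<4Q", body, 8)))
    name_len, = struct.unpack_from("<B", body, 64)
    name = body[66:66 + 2 * name_len].decode("utf-16-le")
    return name, times


def timestomp_indicators(si, fn):
    """Reasons the $SI timestamps look altered; an empty list means nothing was flagged."""
    reasons = []
    # Kernel-written times carry 100 ns precision. Setting times through the user-mode API
    # normally writes whole seconds, so an all-zero sub-second field stands out (an all-zero
    # FILETIME, as a "blanked" value, trips the same check).
    for name in ORDER:
        if si[name] % TICKS_PER_SECOND == 0:
            reasons.append(f"$SI {name} has a zero sub-second component")
    # $FN created is set when the name attribute is written. Timestomp only rewrites $SI, so a
    # $SI created time older than the $FN created time is a classic stomping artefact. Caveat:
    # cross-volume moves and some installers can produce the same pattern legitimately.
    if si["created"] < fn["created"]:
        reasons.append("$SI created predates $FN created")
    return reasons


# --- constructed sample data (hypothetical file, not from any real case) ---
def build_standard_information(times):
    body = struct.pack("<4Q", *(times[n] for n in ORDER))
    return body + bytes(16)               # DOS attrs, max versions, version, class id: unused here


def build_file_name(times, name, parent_ref=5):
    return (struct.pack("<Q4Q", parent_ref, *(times[n] for n in ORDER))
            + struct.pack("<QQII", 0, 0, 0, 0)     # allocated size, real size, flags, reparse
            + struct.pack("<BB", len(name), 3)     # name length (chars), namespace 3 = Win32+DOS
            + name.encode("utf-16-le"))


REAL_CREATED = to_filetime(datetime(2006, 5, 3, 14, 22, 17, tzinfo=timezone.utc), 1234567)
REAL_MODIFIED = to_filetime(datetime(2006, 5, 4, 9, 5, 41, tzinfo=timezone.utc), 7654321)
STOMPED = to_filetime(datetime(2004, 1, 1, tzinfo=timezone.utc))  # whole second, as a tool would set

FN_TIMES = {n: REAL_CREATED for n in ORDER}                       # $FN written once, at creation
CLEAN_SI = dict(FN_TIMES, modified=REAL_MODIFIED, mft_modified=REAL_MODIFIED)
STOMPED_SI = {n: STOMPED for n in ORDER}                          # all four MACE values rewritten


def analyze(si_body, fn_body):
    si = parse_standard_information(si_body)
    name, fn = parse_file_name(fn_body)
    return name, timestomp_indicators(si, fn)


def demo():
    """Run the check over the clean and the stomped record; returns {label: reasons}."""
    fn_body = build_file_name(FN_TIMES, "ledger.xls")
    return {label: analyze(build_standard_information(si), fn_body)[1]
            for label, si in (("clean", CLEAN_SI), ("stomped", STOMPED_SI))}


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {reasons or 'no indicators'}")
    print("stomped $SI created shows as", from_filetime(STOMPED).isoformat())
```

Treat hits as leads rather than proof: files copied from FAT volumes or extracted from archives carry coarse timestamps, cross-volume moves can leave $SI created older than $FN created, and an attacker who knows the check can set $SI to match $FN exactly. The check is cheap to run over a whole $MFT export, which is why it belongs in the triage pass rather than the report.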
Anti-forensic tools are easy as pie for script kiddies
Gone are the days of anti-forensic tools being too difficult to
use for a script kiddie.
While anti-forensics tools like Burneye, the Defiler's Toolkit
and perhaps the Metasploit Anti-forensics Project are interesting
from a historical perspective, they pale in comparison to the ease
of use in today's most popular "evidence elimination"
software.
Sold under the guise of privacy protection, today's evidence elimination tools can effectively eliminate any trace whatsoever of illegal or malicious activity on a user's PC, literally with the click of a mouse.
Early implementations did a fair job of scrubbing a hard drive to securely erase deleted files. However, traces of evidence could still be found in file slack, swap files and in the Master File Table (MFT).
The current generation of these anti-forensics tools, like Evidence Eliminator and CyberScrub, can be configured with a few mouse clicks to effectively render it impossible to find any trace of malicious activity on a user's PC.
Everything is clean: recycle bin, swap file, MFT, email stores and data on encrypted drives are erased and overwritten with random data in multiple passes, which renders the erasure non-recoverable, and in many cases the randomness of the overwrite makes it impossible to determine that the program was ever used on the PC.

NT Evidence: How to save the world, amigos
80% is no better than 0%
Here I sit, surrounded by powerful computer systems. It seems nothing
works this morning, however. No A/C at night, the computers have
overheated. The worst yet is the laptop I use for email. Let’s
reboot everything and turn up the A/C.
The dirty little secret of forensics is how much time is spent just
trying to get everything, or at least the necessary things, to work.
How many other jobs lose as much productivity because things mysteriously
don't work? ("Sorry, the mop doesn't work, so I can't clean the floor."
"I can't make you breakfast, because the stove doesn't work this morning.")
The inexplicable breakdown is typical: Set up a search on a few
terms across a couple of hard drive images and let it run. The progress
bar says it will finish in 14 hours. What is the likelihood that
by tomorrow my search will have frozen somewhere along the way to
having almost been done? I wouldn’t bet against it.
Worse are the indexing jobs that die somewhere around 80%. In our
business, 80% is usually no better than 0%. You just have to start
over and try to divine the mysterious piece of code or data that
has confounded your tools. Oh well.
Respect for others
All the computers are spinning on their cases. There are few things
a forensics grunt appreciates more than everything working as it
should: It gives you some time to reflect and there is no shortage
of things to think about regarding digital forensics, particularly
if you have a philosophical bent. For me, one of those areas is
ethics. Attorneys have codes of ethics, and purportedly, so do accountants.
Digital investigators ought to also.
What qualities make for an ethical digital investigator? I am sure
everyone would agree that a primary quality has to be scrupulous
honesty. Other qualities might be more debatable.
I would prefer to work with, and train, investigators who are a
bit uncomfortable about going through someone else’s email,
for example. Respect for others is paramount, especially for the
corporate investigator who has access to other people’s computers
and data. An investigator who has no qualms at all about going through
someone else’s email, chat logs, or files is not someone I
would trust. Regardless of who owns the data or computer, there
is still an element of invasion of privacy, and an investigator
should never forget that.
Methodology
I frequently think about methodology. My focus is on the Microsoft
platforms, and despite the wide spread use of Windows and Office,
it seems there is a paucity of good forensic methodology concerning
them. Worse, despite the slew of recent books and articles, there
is quite a weakness overall with respect to methodology, outside
of litigation support. How does one investigate a computer intrusion?
How about guidelines for investigating theft of source code? There
is no shortage of work to be done.
Many writers I have read specify that to be good at digital forensics,
you have to be very detail oriented. This is true. There are, however,
many people one might describe as detailed, but who nonetheless
just don’t “get it” with respect to forensics.
An eye for detail is good, but to be good enough to stand on your
own—to figure out your methodology—you have to be able
to put the details together and know how they should interact. Moreover,
it isn’t enough to be proficient with your tools. You have
to understand how the bytes should look and work.
An intruder appears to have compromised a server. Where to begin?
...

A day in the life: multinational forensics. From Phillip Sealey's casebook
Keeping in with Germany
Into the office early to catch up on emails and paperwork.
A law firm calls to discuss an investigation they are dealing with.
They need to review material for a client as part of an accounting
fraud. Spend a couple of hours with them talking through their requirements
and strategy.
We have narrowed the initial focus to half a dozen individuals
so co-ordinate with the local IT staff to take images of their hard
disks and commence the restoration of network information from the
key dates.
One of the images has to be taken in the US and one in Germany,
so contact our local computer forensic teams to do the work. Confirm
with the German team the process and paperwork we must put in place
to ensure that we are not overstepping the German data protection
laws.
Don't disrupt the business
The team are starting to image hard drives for the key members of
staff. Part of the on-site team is reviewing material on the client’s
network servers.
We use network forensics to look at the servers whilst they are
live but without disrupting the business. The law firm provides
key words to identify material and we use these to sift the server
data.
Once files containing the key words have been highlighted, we extract
them into a secured format. We have identified several deleted files
on a server that could be useful to the investigation team.
This is an advantage over using just backup tapes, which would
not include deleted material.
In amongst the server information is the user profile data. From
this we have identified the last files worked on by the users. By
looking at the locations of the last files worked on we can confirm
that we have identified the correct servers and locations within
them.
Using network forensics to search the live servers for key material
greatly reduces the amount of data that needs to be reviewed
by the team. Our forensic investigators visit the client to interview
staff and start collation of paperwork. This information will be
used to further refine key word searches and provide new avenues
for electronic review.
Collected 500 GB
The computer image from Germany has arrived and processing of the
information has started.
Email de-duplication continues apace and we have managed to cut down
the amount of material for review to 20% of the original. Some of
the email files collected contain computer viruses, so we advise
the law firm of this.
Work has begun on identifying any encrypted material taken from
the network and bypassing the passwords where possible.
Collation of the responsive material has begun with a view to importing
it into our document management system. The law firm can then review
the responsive material from their offices using our hosted document
database.
We have collected over 500 GB of data so far, and the sifting and
de-duplication processes have greatly reduced the number of computer
files that the law firm will have to review. In time-critical cases,
this is crucial in meeting the deadlines.

Forensics and Politicians. By Dario Forte.
I am not from the UK, nor the US. I'm Italian. But I was pretty
interested in a recent article I saw in the press. It seems that
in the UK and the US, forensic software is being used to search
for illegal goings-on within the government.
Scotland Yard has begun a comprehensive Whitehall trawl for deleted
emails held on government computers as part of its investigation
into the "cash for peerages" scandal, the Guardian
has learned.
According to the press, the Metropolitan police in charge of the
investigation is hoping the search will help to establish if there
is an electronic paper trail linking the offer of loans to honours.
Scotland Yard has discreetly bought specialist software for the
task. The program, which has already been used for a major corruption
inquiry in the US, scans computer hard drives and will flag exchanges
between civil servants across Whitehall, including Downing Street,
that have been deleted.
So the question is: what is the software? EnCase Enterprise,
of course. And it seems that it is working pretty well. Now
I know what some of you readers are thinking: why don't you
use it also for the Italian football scandal? The answer is simple: there is no scandal!
Meanwhile, I think that we are facing a new era of forensic and
digital investigation.
Somebody could call it "forensics on demand"; I would like
to call it "extended digital investigation". Tools such
as EnCase Enterprise, ProDiscover and so on are very powerful and
can be very useful in these cases, but the question is: how ready
is the investigation community for the model?
We had a workshop in my country a couple of weeks ago about this.
People were very impressed by the power of these tools.
Most of them declared that they are planning a budget for this;
others are not, because of (potential) privacy problems. But actually
I think that it is just a matter of culture, and if this kind of
tool can help in finding the truth, especially for catching out
governments, then why not?

The Future is now: by Brian Karney
The increase in Joe Public's computer literacy means the dirt is
harder to find
Very few people used to understand what information was stored on
their computer.
As a result of all the hype surrounding viruses, Trojans and eBay-related
attacks, people are getting wiser. More and more non-technical users
are very keen to know what information is stored on their computer
hard drives.
People are starting to be more cautious about what they do on computers.
In some cases, this has made it much harder to find the necessary
evidence to confirm or deny whether a person has done something
wrong.
Not just bobbies
The types of people using computer forensics tools are not
only from the law enforcement field.
There is a growing trend within the security industry, whereby
computer investigations play a much larger part in dealing with
routine information security-related threats.
It used to be that computer forensics was only used during incident
response, when something disastrous had happened. It's clear that
many IT security professionals are now using computer forensics
to address security compromises such as rootkits and Trojans.
Corporations are doing it for themselves
When it comes to computer forensics, many things have changed yet
a number of things have stayed the same over the last few years.
The most interesting thing that has changed is how computer investigations
are increasingly being applied to solve business problems and reduce
risk in ways that were never thought of years ago.
In reality, corporations are applying the same law enforcement-grade
forensics solutions to help address a range of challenges such as
corporate espionage, intellectual property theft, fraud and various
regulatory requirements.
None of those very real threats have anything to do with the 'traditional'
perception of computer forensics, but they underline the growing
relevance of this technology for the corporate market.

Keep an eye on the audit. By Geoff Sweeney
Timestamping
Clock synchronisation in an enterprise environment can be challenging
to implement with the existence of many different operating environments
ranging from workstations, through to mainframe systems and even
control systems.
Whilst several industry standard solutions exist to manage clock
synchronisation issues, invariably some systems will slip through
the net.
Previously this has not been a major issue for organisations; however,
with the arrival of corporate governance legislation it is now mandatory
to record and audit business systems. One of the key objectives
is to ensure that a chronology of events can be established with
some level of assurance and demonstrability; otherwise a usable
forensic audit trail cannot be established, which may directly undermine
your governance implementation.
Audit trail management
An essential component of any evidence management system is the
ability to preserve and prevent modification as well as unauthorised
access to the evidence itself.
There are several strategies that exist with regard to evidence
management, which range from WORM drives (write once, read many) through
to secure enterprise storage systems which utilise digital signature
checks that can alert an administrator if the file contents have
changed.
There is, however, a common threat that runs through most evidence
management systems, and that is how you guarantee that the files you have
stored, regardless of whether they have been digitally signed or stored
on a WORM drive, have not been modified by a hacker before they've
been collected.
This issue raises the concept of real-time forensics, whereby organisations
must be in a position to immediately create, capture, transfer and
analyse audit information as soon as it is created, to minimise the
risk of modification.
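An added example, not from Geoff Sweeney's post, of the "capture and protect it as soon as it is created" idea: the collector hashes each audit record together with the previous record's hash on arrival, so any later edit, insertion or deletion breaks the chain at a locatable record, and the verifier also flags a host whose clock runs backwards between consecutive records, which is the symptom of the synchronisation gap described above. Record fields, host names and timestamps are constructed for the demo; the chain says nothing about what happened to a record before it reached the collector, which is exactly the window the post is worried about.

```python
"""Tamper-evident audit trail: hash-chain records on receipt, verify on collection.

Added example; the audit records below are constructed, not from any real system.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64   # well-known starting link so the first record can be verified too


def _digest(prev_hash, record):
    """SHA-256 over the previous link and a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def chain_records(records, genesis=GENESIS):
    """Attach prev/hash fields so every entry commits to everything received before it."""
    chained, prev = [], genesis
    for rec in records:
        entry = dict(rec, prev=prev)
        entry["hash"] = _digest(prev, entry)
        chained.append(entry)
        prev = entry["hash"]
    return chained


def verify_chain(chained, genesis=GENESIS):
    """Return problems found: broken links (edit/insert/delete) and per-host clock regressions."""
    problems, prev = [], genesis
    last_seen = {}  # host -> timestamp of the previous record from that host
    for i, entry in enumerate(chained):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(prev, body) != entry["hash"]:
            problems.append(f"record {i}: hash chain broken")
        prev = entry["hash"]   # re-sync so one break is reported once, not for every later record
        ts = datetime.fromisoformat(entry["ts"])
        if entry["host"] in last_seen and ts < last_seen[entry["host"]]:
            problems.append(f"record {i}: clock on {entry['host']} went backwards")
        last_seen[entry["host"]] = ts
    return problems


# --- constructed sample records (hypothetical hosts and users) ---
SAMPLE = [
    {"ts": "2006-05-03T14:22:17+00:00", "host": "fileserver01", "event": "logon", "user": "jsmith"},
    {"ts": "2006-05-03T14:23:02+00:00", "host": "fileserver01", "event": "file_read", "path": "\\\\share\\ledger.xls"},
    {"ts": "2006-05-03T14:19:40+00:00", "host": "mainframe02", "event": "job_submit", "user": "jsmith"},
    {"ts": "2006-05-03T14:25:11+00:00", "host": "fileserver01", "event": "file_delete", "path": "\\\\share\\ledger.xls"},
]
SKEWED = [  # same host, second record carries an earlier time: an unsynchronised clock
    {"ts": "2006-05-03T14:22:17+00:00", "host": "fileserver01", "event": "logon", "user": "jsmith"},
    {"ts": "2006-05-03T13:58:05+00:00", "host": "fileserver01", "event": "logoff", "user": "jsmith"},
]


def demo():
    """Chain the sample, then verify it intact, with one record edited, and with one deleted."""
    chained = chain_records(SAMPLE)
    edited = [dict(e) for e in chained]
    edited[3]["event"] = "file_read"            # attacker rewrites the delete into a read
    deleted = chained[:1] + chained[2:]         # attacker removes the file_read record
    return {
        "clean": verify_chain(chained),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "skew": verify_chain(chain_records(SKEWED)),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'ok'}")
```

In practice the collector also needs to publish or sign the latest hash somewhere the monitored hosts cannot write, otherwise an attacker who reaches the collector can simply re-chain the edited log. The clock check is deliberately per host: records from different hosts arrive in collector order and legitimately carry out-of-order timestamps, as the mainframe record in the sample does, so only a single host's clock moving backwards is reported.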