Leaving a trace

Very often a civil or employee investigation can turn into a criminal one.
Geoff Sweeney, Tier-3


Like the PC industry itself, IT forensics is a relatively young discipline in the technology industry but, as with all matters of an IT security nature, the technology is moving along at an incredible pace.


The rapidly evolving technology behind IT forensics is actually only part of the discipline, since it forms part of the audit chain and therefore arguably pre-dates the introduction of the PC in the 1980s.


According to Andy Clark, Head of Forensics with Detica, information intelligence consultants, IT forensics is actually a highly structured form of auditing an organisation's systems.


IT forensics, he argues, is about a particular audit mindset and involves taking a highly logical and evidence-gathering approach to the auditing of a given IT resource.


"It all starts with intelligence gathering," he tells Infosecurity, adding that this particular element of the audit procedure really does pre-date the introduction of the PC.


Before the PC, he explains, the process of audit intelligence gathering was paperwork-based and, by its very nature, labour-intensive.


"The arrival of computers made the process of auditing more complex but, thanks to the development of specific applications, it also made the process of collating the data - and investigating the systems concerned - a lot easier," he says.


"We also have our ACPO (Association of Chief Police Officers) guidelines to assist in the investigation process, which, of course, helps anyone in the field of IT forensics," he adds.




Although PC technology makes the lives of IT forensics professionals a little easier, he continues, it also places more than a few obstacles in their way.


An example of this, he says, is Vista Professional's hard disk encryption, which has made data encryption more mainstream, making the task of analysing what is on a user's hard disk a lot more difficult.


"That having been said, the modern IT environment now stores data on many more devices than a simple hard disk. There's usually a tape or back-up server store involved, portable devices like Blackberry handsets for email, and, of course, online storage services," he says.


"All of this means that, even though the data stored on the hard drive is collated as part of the IT forensics team's evidence gathering exercise, it only forms part of the overall picture," he adds.


Keeping it simple


Many of Detica's investigations, Clark explains, involve the collation of data running into several terabytes. As a result, the indexing of that data becomes critical to the success of a case.


And, whilst Clark is a great believer in using packages such as EnCase and FTK (see box outs) to make the task of the IT forensics professional a lot easier, he says that there is a definite need not to be too clever on the technical front.


It's easy, he says, to use the technology and forget that in a court of law or an industrial tribunal, there is a need to make the evidential report as simple as possible so that the decision makers (the jury in the case of a court prosecution) can understand what has happened.


"This is where, even with the best forensics software in the world, you still need the expert interpretation. This aspect is critical to the success of any investigation," he says.


Having said this, Clark adds, good forensics applications software can avoid an investigation failing at the initial hurdle of evidence gathering and analysis.


"Let's take a theoretical investigation into the IT processes of a major multi-national with systems and computers in several locations in multiple countries. There will be multiple copies of the same data in many different locations, but each of those copies may differ slightly from the other because of the way data is incrementally backed up," he says.


This, notes Clark, is where the subtle difference between a forensics technician and a forensics professional comes into play.


The former, he advised, can complete the labour-intensive process of using the relevant software to collate all the terabytes of data required. But it takes the skill of the latter to decide which data to put forward, and which to summarise, as part of the overall report on an investigation.


Where it gets really interesting, he says, is where live forensics on a user's computer is required, as access time to the user's live computer environment may be limited.


Despite the need for fast-thinking analysis, Clark says that effective IT forensics is all about good teamwork. It is not, he says, as it appears in TV dramas.


Most investigations are conducted on what appears to be a mundane basis, but investigators still need to apply the same degree of accuracy to all investigations, as you never know when a case will escalate and involve the Police and the Courts.


Because of these issues, says Clark, there is a definite need to implement evidential auditing logs at a fundamental level in the IT development process.


"This doesn't always happen in the software development process, so it's important that the audit function explains this need to everyone else in the IT department. If they can do this, they can make the task of IT forensics a lot easier," he says.


Planning ahead


Professor Peter Sommer of the London School of Economics, who specialises in IT security matters and has acted as an expert witness in a number of cases over the last few decades, agrees with Clark's analysis on the relevance of forensics in the IT security arena, but notes that there is also a need for audit professionals to understand the need for rapid thinking in a first response situation.


Many companies that employ IT forensics as a means of auditing what has happened after the event, Sommer says, can often plan ahead by including a forensics readiness program in their risk analysis procedures.


IT forensics, he says, is often viewed as a tool to be used in what he calls a low frequency, high impact investigation when, in fact, it can also be used in a higher frequency, lower impact investigation such as an employment dispute or assessing what went wrong in a given financial transaction.


IT forensics can also be used for mundane investigations, perhaps involving a dispute between a manager and an employee, he told Infosecurity. There is still, Sommer insists, the need for highly accurate collection of the evidence concerned.


"A good application that can assist in this regard is Forensic Case Notes, a package that allows audit staff to enter their contemporaneous notes in the same manner as a policeman's notebook. Once a note has been entered and closed, that record cannot be altered. The data cannot be changed," he explains.


The problem facing the IT forensics professional, he cautions, is that no investigation is ever perfect from an audit perspective, in that there will always be parts of the information picture that are missing.


"Providing accurate and authentication logs, such as the investigative notes, does, however, make life a lot easier," he says.


Professor Sommer has distilled his knowledge into an Open University course (M889) on Computer Evidence and Investigations that is designed for auditors and computer security professionals to improve their qualifications and understanding of how auditing procedures - and forensic investigations - should be carried out.


Central to the topics discussed in the course, he says, is the need to produce data - of all types - that will stand up in court.


"We have a standing joke in the computer forensics industry: ‘where can one find the evidence button on a PC keyboard?’," he says, adding that, whilst there is no such button, there is still a need for the industry professional to know where the evidence is stored.


"One of the professional skills you develop when conducting IT forensic investigations is to understand the general architecture of the system(s) you are investigating and see where the audit logs and other relevant data are stored," he explains.


The evidence jigsaw


In a theoretical case that Professor Sommer discussed with Infosecurity, he spoke about a company employee who had been downloading child porn, which he had deleted from his PC directory.


"What the employee tends to overlook in these cases is the fact that the data s/he has downloaded is usually backed up in several places," he says, adding that the ISP, for example, often has a log of what is downloaded, and the server has copies of the data stored as back-ups.


According to Professor Sommer, there are also Web-logs, anti-virus logs, intrusion detection logs, etc., all of which have date/time stamps and that can be married together to form a chronology of events - even if a suspect has tried to delete stuff on his own machine.


"And, of course, the company servers often have substantial back-ups," he notes.


The process of putting the pieces of the IT jigsaw together and producing logs to back up the analysis is called inference in legal circles, and is central to any IT forensics investigation.


What a lot of IT professionals overlook, he continues, is that evidence gathering in a civil case needs to be every bit as thorough and in-depth as in a criminal investigation.


"Very often a civil or employee investigation can turn into a criminal one. As a result, the evidence gathering procedures need to be every bit as professional and watertight on every case, no matter how mundane it seems to the investigator," he says.


According to Sommer, one of the complaints he hears from colleagues being trained in IT forensics is that you are often taught how to use the tool (software application) and not the actual technique.


Against this backdrop, Professor Sommer says that vendor training - which is widely available in the industry - has its place, but it will never replace professional training.


Besides, he says, since much of the IT forensics software is developed by US vendors, their training often reflects the fact that the evidence gathering procedures apply only to US legal jurisdictions.


"They often overlook the fact that the world has many other legal jurisdictions that apply. The world is a very large place," he says.


Dual time


Geoff Sweeney, chief technology officer with behavioural analysis IT security vendor Tier-3, says his firm's Huntsman software is often cited in a number of employment disputes and other cases.


"In addition, prior to my involvement with Tier-3, I was also involved in the IT forensics industry," he says, agreeing with Professor Sommer's assertion that the evidence-gathering needs to be equally accurate, regardless of whether the case is civil or criminal.


According to Sweeney, the critical factor in all the cases he has been professionally involved with has been the time markers on the audit logs concerned and the speed with which a malicious or accidental threat can be detected.


"No matter how good the auditing package, there are always going to be problems with logging the time of a transaction or when an event took place particularly when the event is considered relative to other enterprise devices," he says.


"System clocks often run fast or slow, and this can make the forensic analysis process time consuming and therefore evidence less conclusive than it could be," he adds.


Because of this issue, he says, Tier-3's software technology maintains its audit logs but with the useful twist of having a dual time recording system.


This means that the original time of the source system is preserved and an additional reliable timestamp is added that ensures the chronology of events across the enterprise is intact.
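
The chronology-building Professor Sommer describes and the dual time recording Sweeney describes can be sketched as follows. This is an added example, not code from Tier-3's Huntsman or any product named in this article; the record layout, function names and sample log lines are constructed for illustration.

```python
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (hypothetical hosts and events, not from a real case).
# Fields: source, source_time (the device's own clock, preserved untouched),
# collector_time (stamped on receipt by one trusted, synchronised clock), event.
RECORDS = [
    ("fileserver", "2020-01-04 01:58:10", "2020-01-04 02:01:10", "admin opened payroll.xls"),
    ("proxy",      "2020-01-04 02:02:30", "2020-01-04 02:02:31", "upload from 10.0.0.5"),
    ("vpn",        "2020-01-04 02:07:05", "2020-01-04 02:00:05", "VPN login as admin"),
    ("fileserver", "2020-01-04 01:59:50", "2020-01-04 02:02:50", "admin deleted payroll.xls"),
    ("vpn",        "2020-01-04 02:10:00", "2020-01-04 02:03:00", "VPN logout admin"),
]

def load(records):
    """Parse both timestamps; neither replaces the other."""
    return [{"source": s,
             "source_time": datetime.strptime(st, FMT),
             "collector_time": datetime.strptime(ct, FMT),
             "event": ev} for s, st, ct, ev in records]

def clock_skew(rows):
    """Median seconds each source clock runs ahead (+) or behind (-) the collector."""
    deltas = {}
    for r in rows:
        diff = (r["source_time"] - r["collector_time"]).total_seconds()
        deltas.setdefault(r["source"], []).append(diff)
    return {src: median(vals) for src, vals in deltas.items()}

def chronology(rows, clock="collector_time"):
    """Event order according to the chosen clock."""
    return [r["event"] for r in sorted(rows, key=lambda r: r[clock])]

if __name__ == "__main__":
    rows = load(RECORDS)
    print("skew (s):", clock_skew(rows))
    print("by device clocks:  ", chronology(rows, "source_time"))
    print("by collector clock:", chronology(rows))
```

Ordered by the device clocks, the file access appears to precede the VPN login; ordered by the collector clock, the login comes first, and the original stamps stay on each record so the per-device drift can be reported alongside the timeline.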


"In one case I was involved with, an employee had been accessing the company systems via a VPN and, because he'd been using the system at the weekend and other unusual hours, it was extraordinarily difficult to pin it down to which person was acting as the administrator at what time," he says.


"But, even in these circumstances where there was account sharing taking place, as well as a number of other techniques being used to hide the audit trail, thanks to dual time recording, we were able to provide the evidence required to say - with a high degree of accuracy - that it was the employee carrying out the operations he was accused of," he adds.


The evidence, said Sweeney, was presented to the investigation team.


"Of course, he disputed it, but the evidence was accepted," he concludes.


Guidance Software's EnCase in profile
Guidance Software's EnCase is pitched at the IT security departments of major enterprises who need to respond to security incidents, internal HR investigations and litigation requiring e-discovery.
The latest major update of the software, released last year, includes a full-text indexing engine, a native file viewer, expanded e-mail support and enhanced client-server features.
The package features three major components: the SAFE (Secure Authentication for EnCase), Examiner and servlet.
The SAFE component handles authentication, logging and licensing, as well as acting as a license server so that investigators don't need to use a dongle to run the software.
Examiner, meanwhile, is a networked version of the EnCase Forensics package that can log into the SAFE component, as well as access hosts running the servlet component.
For security, communications between the three components are authenticated and encrypted using standard PKI certificates.




AccessData's Forensic ToolKit (FTK) in profile
Available in several different editions, including a mobile phone interrogation version, FTK is billed as supporting powerful file filtering and search facilities.
In use, a set of customisable filters allows users to sift through thousands of files to find the evidence
Along with analysis, decryption and password cracking features available within a customisable user interface, the software has a back-end database to handle large data sets.
In use, the software is said to recover passwords from over 80 applications, harness idle CPUs across the network to decrypt files and perform robust dictionary attacks.
The package features an integrated Oracle database plus enhanced searching facility and an easy export feature set to extract relevant artefacts without affecting the source, metadata and pathway




