SAN JOSE, Calif. -- Computer security experts should start watching CSI. It's one way they can learn how to employ the methodology of the popular TV drama's real-world forensics counterparts when investigating cyber break-ins -- including leaving systems alone until proper authorities arrive on the scene.
That's the advice from Jon Orbeton, senior security analyst with Check Point Software Technologies Ltd.'s Zone Labs division, who sometimes assists with digital crime scene investigations. Orbeton said catching digital intruders isn't as easy as it often looks on the small screen.
"Cybersecurity professionals usually use what I call the 'follow the bread crumb approach,' going from log to log, trying to follow the hacker," said Orbeton, who has worked with the FBI, the UK's Scotland Yard and the U.S. Secret Service. "But how can they be sure that the intruder is still not in your system?"
When an enterprise suspects a crime's been committed against its network or data stores, it's important that the feds get the first crack at solving the crime. However, there are certain things information security personnel should do to assist the real crime fighters.
"They should make sure that they do not limit it to one or two servers but look at the whole network as a crime scene," Orbeton advised official investigators during a session at the recent 2006 RSA Security Conference. Similarly, just as police collect fingerprints, digital forensics experts should collect checksum data (a numerical identifier). And while CSIs look for behavior patterns, such as the use of lock picks, corporate security officers can analyze digital patterns, such as the use of stack overflows.
Likewise, an autopsy can be likened to a "digitopsy," a network area search for the equivalent of fingerprints, footprints or tire marks -- only in this case it's checksums, IP addresses and unique strings.
The profile can include strings found in suspicious binaries, byte sequences from the stolen data, checksums of attacker tools and even dates and times.
"You need to create a string long enough to not produce too many false positives but not so long as to not produce any hits," said Orbeton. "I've gotten results by putting the strings into Google because sometimes profile data can be posted on news groups."
Once the profile string is complete, Orbeton creates a floppy disk that will collect a MAC time snapshot of the machine, searches for the profile string, encrypts the results and sends them to a database so that the information can be catalogued and searched.
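As an added illustration (not Orbeton's floppy-disk tool and not code from the article), the following Python script shows the search step of that approach: it takes an attacker profile of checksums, unique strings and IP addresses (all values constructed for the example), walks a directory tree, reports every file that matches, and records each hit's MAC times so the results can be catalogued across hosts. The profile values, file names and function names are assumptions; the encryption and upload step is left out.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
# Constructed attacker profile (hypothetical values, not real indicators): checksums
# of attacker tools, unique strings tied to the intrusion, and the intruder's IPs.
PROFILE = {
    "checksums": {hashlib.sha256(b"fake attacker tool binary").hexdigest()},
    "strings": [b"rootkit-marker-v2", b"dump_cards.sql"],
    "ips": ["10.0.0.99"],
}

def mac_times(path):
    """MAC time snapshot: modification, access and metadata-change times, UTC."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"mtime": iso(st.st_mtime), "atime": iso(st.st_atime), "ctime": iso(st.st_ctime)}

def scan_file(path, profile):
    """Return the profile indicators one file matches (checksum, strings, IPs)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = ["checksum"] if hashlib.sha256(data).hexdigest() in profile["checksums"] else []
    hits += ["string:" + s.decode() for s in profile["strings"] if s in data]
    # \b stops 10.0.0.99 from also matching inside 110.0.0.99 (a common false positive)
    ip_pat = rb"\b(?:" + b"|".join(re.escape(ip.encode()) for ip in profile["ips"]) + rb")\b"
    hits += ["ip:" + m.decode() for m in sorted(set(re.findall(ip_pat, data)))]
    return hits

def scan_tree(root, profile=PROFILE):
    """Walk a tree; report each matching file, keyed by relative path, with its MAC times."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, profile)
            if hits:
                findings[os.path.relpath(path, root)] = {"hits": hits, **mac_times(path)}
    return findings

def build_sample_tree():
    """Constructed sample host: a tool copy, a note with the attacker's IP, a clean file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    samples = {"tool.bin": b"fake attacker tool binary", "clean.txt": b"110.0.0.99 is another host",
               "sub/notes.txt": b"connect back to 10.0.0.99 then run dump_cards.sql"}
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(body)
    return root
```

Running `scan_tree(build_sample_tree())` flags the tool copy by checksum and the note by string and IP, while the file mentioning 110.0.0.99 stays clean.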
These methods have served Orbeton well in the past. Once he was called in to find an intruder during an investigation of the theft of millions of credit cards.
"We used conventional forensics, created an attacker profile, searched all the systems in the network and found three previously unknown systems that had been compromised," Orbeton said. That is how his team learned how the network had been penetrated, and later apprehended the perpetrator. Orbeton, though, declined to identify the thief or the organization involved.
Niall McKay is a freelance technology writer based in Oakland, Calif.