Information Security

Defending the digital infrastructure



To Catch a Thief

Forensics tools aren't only used in high-profile cases.

February 28, 2005 -- Juju Jiang was sentenced to 27 months in prison for installing key loggers on computers at various Kinko's locations throughout Manhattan. He collected confidential information that gave him access to individuals' bank accounts.

July 14, 2005 -- Allan Eric Carlson was convicted of 79 counts of computer and identity fraud and sentenced to 48 months in jail. An unhappy baseball fan, he spoofed e-mails complaining about the poor performance of the Philadelphia Phillies from writers at area newspapers, Fox Sports, ESPN and other media.

August 12, 2005 -- Scott Levine was found guilty of 120 counts of unauthorized access of a protected computer, two counts of access device fraud and one count of obstruction of justice. He and some of his coworkers at e-mail distributor Snipermail stole more than one billion records containing personal information from business partner and data management firm Acxiom.

Headline-grabbing crimes like these are helping make computer forensics one of information security's fastest-growing markets. While forensics tools are used to help track down perpetrators in high-profile cases, they are also being used in everyday civil and criminal cases to prepare for potential lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.

One of the requirements in SOX, SB 1386, GLBA and HIPAA is the ability to detect fraudulent activity, which is where forensics usually comes into the picture. Coupled with increased cybercrime, regulatory compliance is yet another business driver that is making more organizations bring forensics capabilities in-house and look to tools to help them.

But before you make your IT staff detectives, forensics requirements must be truly understood.

Defining Process
While forensics is sometimes confused with incident response, their objectives are quite different. Every company should have an incident-response team to deploy when something suspicious takes place and stop malicious activity, but a forensics team has different requirements.

Your forensics team needs technical know-how and a sound understanding of all legal requirements. The team must also know how to gather and preserve the evidence, and have the ability to present the information. Forensic investigators must be prepared to defend their activities in court because, on the witness stand, their work and reputation will be scrutinized and attacked. If they don't properly collect and analyze the evidence and present their results well in court, their evidence can be thrown out--which could cost the company the case. Therefore, it's important to set up an internal forensics team to perform the following tasks:
  • CHOOSE team members from security, IT, management, legal, human resources and public relations, and assign necessary responsibilities to those roles.
  • OUTLINE the forensics methodology that will be used. Include steps such as incident verification, bit-image creation, evidence collection procedures, timeline creation and review, media and operating system analysis, data recovery processes, and report generation.
  • IDENTIFY critical systems and how they should be handled if breached. Some systems cannot be brought down for investigative purposes because of the negative business impact.
  • DETERMINE the chain-of-custody steps for collected evidence.
  • SELECT the various documentation types that will be used for gathering evidence.
  • DETAIL recovery procedures by creating standardized steps for rebuilding affected systems and recovered data.
  • DEFINE the team's forensics toolkit.
A hybrid approach combining internal forensics capabilities with external consultants is often the best approach.

The internal team carries out the investigation and collects evidence, and is responsible for the crux of the case; the external team verifies that the investigation was carried out properly, ensuring the evidence is admissible in court.

While the in-house team has more intimate knowledge of the company, its systems and business needs, the outside team has seen many more types of crimes. Together, these groups can provide more effective results.

There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software's EnCase, AccessData's Ultimate Toolkit, and Paraben's NetAnalysis are some of the most widely used forensics tools in the industry. e-fense's Helix is a strong open-source alternative.


Guidance Software's EnCase
Guidance Software has long been the leader in forensics software with EnCase, the most-used forensics acquisition and analysis tool by law enforcement and the private sector.

EnCase has ample court history to support its usability, and it supports the acquisition of evidence from just about every operating system, file system and media type, including live systems. Through what Guidance calls a passive agent, it performs over-the-network acquisition of evidence from live systems to a remote analysis station. EnCase then creates well-organized, detailed reports that are understood by experts and attorneys alike.

EnCase images hard drives and partitions via a proprietary format in which equal-sized chunks of information are read from the source media and then written to the destination, along with an accompanying hash for data integrity. This serves as an integrity check--the benefit being the rapid reacquisition of data should any chunk's hash fail the check.
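The chunk-and-hash scheme just described, as an added example (not Guidance Software's code, and not EnCase's actual on-disk format): each fixed-size chunk carries its own SHA-256, so a failed check names the one chunk to re-read instead of forcing a whole-drive reacquisition. The chunk size and the in-memory sample "media" are assumptions.

```python
import hashlib
import os

CHUNK_SIZE = 4096  # assumed chunk size; the article does not give EnCase's value


def acquire(source: bytes, chunk_size: int = CHUNK_SIZE):
    """Read the source media in equal-sized chunks and record each chunk's hash.

    Returns (chunks, hashes); the final chunk may be shorter than chunk_size.
    """
    chunks = [source[i:i + chunk_size] for i in range(0, len(source), chunk_size)]
    hashes = [hashlib.sha256(c).hexdigest() for c in chunks]
    return chunks, hashes


def verify(chunks, hashes):
    """Return the indices of chunks whose content no longer matches its stored hash."""
    return [i for i, (c, h) in enumerate(zip(chunks, hashes))
            if hashlib.sha256(c).hexdigest() != h]


def reacquire(source: bytes, chunks, hashes, bad, chunk_size: int = CHUNK_SIZE):
    """Re-read only the failed chunks from the source media, then re-verify."""
    for i in bad:
        chunks[i] = source[i * chunk_size:(i + 1) * chunk_size]
    return verify(chunks, hashes)


def demo():
    # Constructed sample "media": ten full chunks of random bytes plus a short tail.
    source = os.urandom(10 * CHUNK_SIZE + 123)
    chunks, hashes = acquire(source)
    whole = hashlib.sha256(source).hexdigest()  # the single dd-style whole-image hash

    # Simulate a damaged destination image: flip the first byte of chunk 7.
    chunks[7] = bytes([chunks[7][0] ^ 0xFF]) + chunks[7][1:]
    bad = verify(chunks, hashes)                                        # -> [7]
    # The whole-image hash only reports that something differs, not where.
    whole_ok = hashlib.sha256(b"".join(chunks)).hexdigest() == whole    # -> False

    remaining = reacquire(source, chunks, hashes, bad)                  # -> []
    restored = hashlib.sha256(b"".join(chunks)).hexdigest() == whole    # -> True
    return bad, whole_ok, remaining, restored
```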

For searching, EnCase employs an extremely flexible Unix grep-like facility. These searches, which take time but yield valuable results, parse evidence byte by byte and can uncover deleted files and other non-file data.

Though its enterprise edition is more expensive than the other tools listed here, EnCase Enterprise also offers additional features such as network-based acquisition.

AccessData's Ultimate Toolkit
AccessData's Ultimate Toolkit (UTK) incorporates a password recovery tool capable of decrypting just about any file, an enhanced registry viewer designed to illuminate evidence hidden in system-only accessible registry keys, a disk wiper and a distributed-computing encryption breaker.

UTK's edge is its database-driven architecture. As evidence is imported (typically drive and partition images), it's scanned and indexed into a case database. This allows for quick ad hoc string queries and organization of extracted files and data without the need to rescan. This same type of search performed by other products can take considerable time; UTK returns instantaneous results.

Armed with computer forensics tools, Oregon State Police detective Stephen Payne helped uncover an Internet crime ring. The culprits, a group of teen-agers and adults, sent thousands of e-mails spoofing Citibank and other financial institutions asking customers for banking and other personal information.

Several recipients responded; the thieves created fake ATM cards embedded with the victims' data, withdrew cash and bought iPods over the Internet. A company shipping the devices notified police, who tracked down some of the criminals. Payne's investigation into their computers led to more suspects.

Using Guidance Software's EnCase, Payne cracked files on six computers protected by the Windows XP Professional Encrypting File System. He uncovered chat room sessions in which the group's 15-year-old ringleader instructed the others.

"He had the computer smarts and was teaching the others, who were recording their chat room sessions, I assume only to be able to go over what they learned," Payne says. Payne used keyword-search capabilities in EnCase and AccessData's Forensic Toolkit to ferret out online delivery confirmation pages from a shipping company. EnCase also allowed him to construct a chronology of events, which helped lead to two convictions in the case.

"Without that keyword search ability, you're really not able to see the silver needle in the golden haystack," he says.

Another Oregon law enforcement official, Jeff Snyder, computer forensics examiner and manager of the Multnomah County central parole office, relies on New Technologies' Stealth Suite to thwart sex offenders' illicit online activity. One such offender reformatted his hard drive, figuring it would eliminate any trace of his illegal behavior, but Snyder found several hundred child and adult pornography images and a couple hundred e-mails to children buried inside.

Stealth Suite allows Snyder's team to make a mirror image of a drive before they examine it so as to not taint the evidence--an important step, he says.

"If you do anything that changes even one byte on that drive, then you have to explain in court how whatever procedure you used either didn't damage the evidence or change it," he says. In some cases, though, an examiner may not be able to duplicate the drive and needs to work on a live system: "You may be in an environment where it's not practical to shut down a business when you're looking at a machine."

The Stealth Suite also gives Snyder's team the ability to search sector by sector on a drive or disk, which helps them dig into a computer's "slack space," where they can find a treasure trove of information.

"That's the essence of computer forensics work--to go into places where the operating system makes notes to itself that a user doesn't have any control over," he says.

--Marcia Savage
In addition, all ASCII and Unicode strings are indexed and exportable. This ties in seamlessly with the password recovery tool, as all text strings found within the evidence can be ported into a dictionary for password-cracking purposes. UTK's password recovery tool is capable of decrypting Microsoft NTFS-EFS and Office, .zip, NTLM and PDF files--just about any type of encrypted file that could be used as evidence.

Included with UTK is AccessData's Forensic Toolkit (FTK), which has been around since 1998 and has gained quite a bit of popularity among law enforcement officials and the private sector. Its capability for dealing with e-mail--more and more becoming the silver bullet of evidence--is second to none.

FTK's ability to quickly catalog e-mail on an evidence image in just about any stored format--and further extract embedded images and elements in a highly searchable fashion--makes it the premier forensic tool for such analysis. FTK is also adept at handling graphics and creating reports that display them in an easy-to-understand and organized manner.

Typical of a commercial tool, FTK can manage a case from acquisition to completion, and includes polished and flexible reporting capabilities that can be easily installed onto an auto-play CD-ROM for distribution.

e-fense's Helix
e-fense's Helix, created by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution designed specifically for digital forensics and based on the popular Knoppix distribution. It contains many forensics- and security-related tools designed to aid in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems. As it's Linux-based, it has the ability to analyze Linux file systems like Ext2/Ext3, and even the less common ones like ReiserFS, JFS and XFS.

What makes Helix different from other Linux LiveCDs are the measures it takes to preserve all of the drives and partitions present on a system. A common problem with other LiveCDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any auto-mounted partitions are read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other such file metadata. This allows Helix to acquire evidence without the use of a hardware write-block device.

Helix will also auto-play on live Windows systems, on which its self-contained binaries and executables can be used for acquisition of both volatile data, like RAM, and stored data on a variety of media.

Forensics is becoming an integral part of ensuring compliance with the top regulations affecting organizations: SOX, SB 1386, GLBA and HIPAA.

SOX section 404 outlines management's responsibility pertaining to financial controls and requires that any shortcomings in these controls be reported; section 802 forbids intentional destruction or modification of financial or operational records; section 301 covers how organizations must handle fraud complaints and investigations. Case law has established that forensics is an important component of investigating this type of fraud because it provides a reliable method to determine if digital records have been modified or deleted.

GLBA's Financial Privacy Rule, which addresses the collection and dissemination of non-public customer information, and its Safeguards Rule, which outlines how controls should be governed to protect this type of information, also fall under forensics' umbrella. Forensics is becoming more of an integral piece of auditing and investigating compliance with the Safeguards Rule.

HIPAA has similar requirements pertaining to medical information, requiring thorough analysis and reporting of security incidents.

SB 1386 requires that companies doing business in California must report the unauthorized disclosure of sensitive information, which can be a driver's license number, Social Security number or financial account number.

--Shon Harris
Many of its tools, like the venerable dd (a binary data dumper used for imaging of any device or data stream), are open source, and their source code has been scrutinized by the UNIX/Linux community for many years. Helix tools can be run from the command line or in an X session on live Linux systems, and from a self-contained Cygwin environment or the native GUI on live Windows systems.

Among the tools Helix employs are its feature-packed Sleuth Kit and graphical interface Autopsy Browser. Used in tandem, these give the digital investigator a very capable graphical analysis platform similar in functionality to many commercial products.

Since Helix is a shareware tool, it's inexpensive but lacks technical support and timely bug fixes when they are needed. Also, its youth is a drawback; there is little if any court case history in which Helix has been used.

Paraben's NetAnalysis
Paraben has an extensive suite of tools that can be used to examine e-mail, recover passwords, analyze chat logs and perform powerful Web surfing analysis.

Paraben's NetAnalysis tool can examine AOL history files, reconstruct a cache for viewing, recover deleted Internet history files, identify Google searches, and provide a cookie and URL decoder. Its ability to capture evidence from most cell phones and PDAs is more comprehensive than similar capabilities in other tools.

Although Paraben has an extensive toolset, it has not caught on in the industry as well as the EnCase and AccessData products.

Post Mortem
After your internal forensics team has carried out an incident or crime investigation with the appropriate toolkit, it's important to understand what went right and what went wrong so the process can be improved.

Some questions the team should address include whether additional training or tools are needed for future incidents, and whether any recovery activities introduced vulnerabilities or affected the company's regulatory status. Based on the forensics team's discoveries and its assessment of damages from a particular incident, a company can decide whether to take the case to court.

The team should be able to determine the technical sophistication of the criminal and the likelihood of being able to catch him. It's also important to determine what type of individual committed the crime. Was it a competitor or just some kids hacking for fun?

Choose your battles wisely: It would not be a good business decision to win a multimillion-dollar lawsuit against a few teenagers who have no money.

Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your business catch a thief before he escapes into cyberspace.
