February 7, 2008

To Catch A Thief: Forensics and Tools of The Trade

by Shon Harris

February 28, 2005 — Juju Jiang was sentenced to 27 months in prison for installing key loggers on computers at various Kinko’s locations throughout Manhattan. He collected confidential information that gave him access to individuals’ bank accounts.

July 14, 2005 — Allan Eric Carlson was convicted of 79 counts of computer and identity fraud and sentenced to 48 months in jail. An unhappy baseball fan, he spoofed e-mails complaining about the poor performance of the Philadelphia Phillies from writers at area newspapers, Fox Sports, ESPN and other media.

August 12, 2005 — Scott Levine was found guilty of 120 counts of unauthorized access of a protected computer, two counts of access device fraud and one count of obstruction of justice. He and some of his coworkers at e-mail distributor Snipermail stole more than one billion records containing personal information from business partner and data management firm Acxiom.

Headline-grabbing crimes like these are helping make computer forensics one of information security’s fastest-growing markets. While forensics tools are used to help track down perpetrators in high-profiles cases, they are also being used in everyday civil and criminal cases to prepare for potential lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.

One of the requirements in SOX, SB 1386, GLBA and HIPAA is the ability to detect fraudulent activity, which is where forensics usually comes into the picture. Coupled with increased cybercrime, regulatory compliance is yet another business driver that is making more organizations bring forensics capabilities in-house and look to tools to help them.

But before you make your IT staff detectives, forensics requirements must be truly understood.

Defining Process

While forensics is sometimes confused with incident response, their objectives are quite different. Every company should have an incident-response team to deploy when something suspicious takes place and stop malicious activity, but a forensics team has different requirements.

Your forensics team needs technical know-how and a sound understanding of all legal requirements. The team must also know how to gather and preserve the evidence, and have the ability to present the information. Forensic investigators must be prepared to defend their activities in court because, on the witness stand, their work and reputation will be scrutinized and attacked. If they don’t properly collect and analyze the evidence and present their results well in court, their evidence can be thrown out–which could cost the company the case. Therefore, it’s important to set up an internal forensics team to perform the following tasks:


  • CHOOSE team members from security, IT, management, legal, human resources and public relations, and assign necessary responsibilities to those roles.
  • OUTLINE the forensics methodology that will be used. Include steps such as incident verification, bit-image creation, evidence collection procedures, timeline creation and review, media and operating system analysis, data recovery processes, and report generation.
  • IDENTIFY critical systems and how they should be handled if breached. Some systems cannot be brought down for investigative purposes because of the negative business impact.
  • DETERMINE the chain-of-custody steps for collected evidence.
  • SELECT the various documentation types that will be used for gathering evidence.
  • DETAIL recovery procedures by creating standardized steps for rebuilding affected systems and recovered data.
  • DEFINE the team’s forensics toolkit.

A hybrid approach combining internal forensics capabilities with external consultants is often best. The internal team carries out the investigation and collects evidence, and is responsible for the crux of the case; the external team verifies that the investigation was carried out properly, ensuring the evidence is admissible in court. While the in-house team has more intimate knowledge of the company, its systems and business needs, the outside team has seen many more types of crimes. Together, these groups can provide more effective results.

There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software’s EnCase, AccessData’s Ultimate Toolkit, and Paraben’s NetAnalysis are some of the most widely used forensics tools in the industry. e-fense’s Helix is a strong open-source alternative.

Tools

Guidance Software’s EnCase

Guidance Software has long been the leader in forensics software with EnCase, the most-used forensics acquisition and analysis tool by law enforcement and the private sector.

EnCase has ample court history to support its usability, and it supports the acquisition of evidence from just about every operating system, file system and media type, including live systems. Through what Guidance calls a passive agent, it performs over-the-network acquisition of evidence from live systems to a remote analysis station. EnCase then creates well-organized, detailed reports that are understood by experts and attorneys alike.

EnCase images hard drives and partitions via a proprietary format in which equal-sized chunks of information are read from the source media and then written to the destination, along with an accompanying hash for data integrity. This serves as an integrity check–the benefit being the rapid reacquisition of data should any chunk’s hash fail the check.
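The chunk-and-hash scheme just described is easy to see in miniature. The following is an added example written for this article, not EnCase's own code or format: it reads constructed sample media in equal-sized chunks, records a SHA-256 per chunk and over the whole stream, and shows how a failed per-chunk check lets the examiner re-read only that chunk instead of re-imaging the whole drive. The chunk size, the hash algorithm and the sample media are assumptions for the illustration.

```python
import hashlib
import io

# Chunk size is an assumption for this example; EnCase's own block size and
# container format are not described in the article.
CHUNK_SIZE = 4096


def acquire(src, chunk_size=CHUNK_SIZE):
    """Read the source media sequentially in equal-sized chunks.

    Returns (chunks, chunk_hashes, image_hash): the chunk data as written to
    the destination, one SHA-256 per chunk, and a SHA-256 over the whole
    stream for a later end-to-end comparison against the original media.
    """
    src.seek(0)
    chunks, chunk_hashes = [], []
    whole = hashlib.sha256()
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            break
        chunks.append(chunk)
        chunk_hashes.append(hashlib.sha256(chunk).hexdigest())
        whole.update(chunk)
    return chunks, chunk_hashes, whole.hexdigest()


def verify(chunks, chunk_hashes):
    """Return the indices of chunks whose data no longer matches the hash recorded at acquisition."""
    return [i for i, (chunk, digest) in enumerate(zip(chunks, chunk_hashes))
            if hashlib.sha256(chunk).hexdigest() != digest]


def reacquire(src, chunks, chunk_hashes, bad, chunk_size=CHUNK_SIZE):
    """Re-read only the failed chunks from the source media.

    A chunk that matches its recorded hash after re-reading was a storage or
    copy error in the image and is repaired in place. One that still fails
    means the source itself no longer matches what was acquired; it is left
    untouched and reported, because silently overwriting the recorded hash
    would destroy the integrity record. Returns the indices that still fail.
    """
    still_bad = []
    for i in bad:
        src.seek(i * chunk_size)
        fresh = src.read(chunk_size)
        if hashlib.sha256(fresh).hexdigest() == chunk_hashes[i]:
            chunks[i] = fresh
        else:
            still_bad.append(i)
    return still_bad


def demo():
    """Acquire constructed media, corrupt one chunk of the image, then detect and repair it."""
    # Constructed sample media: 10 full chunks of a repeating byte pattern plus a
    # short tail, so the final chunk is smaller than CHUNK_SIZE, as on real media.
    media = io.BytesIO(bytes(range(256)) * 160 + b"end-of-media")
    chunks, chunk_hashes, image_hash = acquire(media)

    # Simulate a bad sector on the evidence drive: chunk 3 of the image is zeroed.
    chunks[3] = b"\x00" * len(chunks[3])
    bad = verify(chunks, chunk_hashes)
    still_bad = reacquire(media, chunks, chunk_hashes, bad)

    # After repair the reassembled image again hashes identically to the source stream.
    rebuilt = hashlib.sha256(b"".join(chunks)).hexdigest()
    return {
        "chunks": len(chunks),
        "bad": bad,
        "still_bad": still_bad,
        "matches_source": rebuilt == image_hash,
    }


def demo_source_changed():
    """The same check when the source media itself has changed since acquisition."""
    original = io.BytesIO(b"A" * (2 * CHUNK_SIZE))
    chunks, chunk_hashes, _ = acquire(original)
    chunks[1] = b"\x00" * CHUNK_SIZE                              # image damaged
    altered = io.BytesIO(b"A" * CHUNK_SIZE + b"B" * CHUNK_SIZE)   # source modified since
    return reacquire(altered, chunks, chunk_hashes, verify(chunks, chunk_hashes))


if __name__ == "__main__":
    print(demo())
    print(demo_source_changed())
```

The design point is that the per-chunk hash is written at acquisition time and never updated afterwards: a later mismatch is either a defect in the copy (repairable by re-reading that chunk) or a change in the source (which must be reported, not papered over).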

For searching, EnCase employs an extremely flexible Unix grep-like facility. These searches, which take time but yield valuable results, parse evidence byte by byte and can uncover deleted files and other non-file data.

Though its enterprise edition is more expensive than the other tools listed here, EnCase Enterprise also offers additional features such as network-based acquisition.

AccessData’s Ultimate Toolkit

AccessData’s Ultimate Toolkit (UTK) incorporates a password recovery tool capable of decrypting just about any file, an enhanced registry viewer designed to illuminate evidence hidden in registry keys accessible only to the system, a disk wiper and a distributed-computing encryption breaker.

UTK’s edge is its database-driven architecture. As evidence is imported (typically drive and partition images), it’s scanned and indexed into a case database. This allows for quick ad hoc string queries and organization of extracted files and data without the need to rescan. This same type of search performed by other products can take considerable time; UTK returns instantaneous results.

In addition, all ASCII and Unicode strings are indexed and exportable. This ties in seamlessly with the password recovery tool as all text strings found within the evidence can be ported into a dictionary for password-cracking purposes. UTK’s password recovery tool is capable of decrypting Microsoft NTFS-EFS and Office, .zip, NTLM and PDF files–just about any type of encrypted file that could be used as evidence.
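The scan-once, query-many model behind UTK's case database, shown as an added example (this is illustration code written for this article, not AccessData's implementation or file format). It extracts printable ASCII and UTF-16LE strings with their byte offsets from a constructed sample image, builds a word index in memory, and answers ad hoc lookups and regex queries against the index without touching the image bytes again; `export` returns the unique strings as a tool would hand them to later analysis steps. The four-character minimum run length, the sample image and the index structure are assumptions.

```python
import re
from collections import defaultdict

# Printable runs of at least four characters, as a strings(1)-style scan finds them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # Windows "wide" strings


def extract_strings(image):
    """Yield (offset, encoding, text) for every printable ASCII and UTF-16LE run in raw image bytes."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


class StringIndex:
    """Case database stand-in: the image is scanned once, then queried any number of times."""

    def __init__(self, image):
        self.entries = sorted(extract_strings(image))    # ordered by offset
        self.by_token = defaultdict(set)                 # lowercase word -> entry indices
        for idx, (_, _, text) in enumerate(self.entries):
            for token in re.findall(r"\w+", text.lower()):
                self.by_token[token].add(idx)

    def query(self, word):
        """Exact word lookup through the token index; no rescan of the image."""
        return [self.entries[i] for i in sorted(self.by_token.get(word.lower(), ()))]

    def grep(self, pattern):
        """Ad hoc regex over the indexed strings only, far cheaper than a byte-level pass."""
        rx = re.compile(pattern, re.IGNORECASE)
        return [entry for entry in self.entries if rx.search(entry[2])]

    def export(self):
        """Unique strings in order of first appearance, as a tool would export them."""
        seen, out = set(), []
        for _, _, text in self.entries:
            if text not in seen:
                seen.add(text)
                out.append(text)
        return out


# Constructed sample "image": slack bytes around an ASCII filename, a UTF-16LE name
# as Windows stores it, an ASCII fragment of browser traffic, and another wide string.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"invoice_2005.xls"
    + b"\x00\xff\x10"
    + "Acxiom".encode("utf-16le")
    + b"\x00\x00"
    + b"GET /search?q=phillies HTTP/1.1"
    + b"\x07" * 5
    + "readme.txt".encode("utf-16le")
    + b"\x00"
)


def build_index(image=SAMPLE_IMAGE):
    """Scan the image once and return the queryable index."""
    return StringIndex(image)


if __name__ == "__main__":
    index = build_index()
    for entry in index.entries:
        print(entry)
    print(index.query("phillies"))
    print(index.grep(r"\.(xls|txt)$"))
```

Keeping the byte offset with each string is what makes the index useful as evidence: a hit can always be traced back to its exact location on the original media and re-verified there.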

Included with UTK is AccessData’s Forensic Toolkit (FTK), which has been around since 1998 and has gained quite a bit of popularity among law enforcement officials and the private sector. Its capability for dealing with e-mail–more and more becoming the silver bullet of evidence–is second to none.

FTK’s ability to quickly catalog e-mail on an evidence image in just about any stored format–and further extract embedded images and elements in a highly searchable fashion–makes it the premier forensic tool for such analysis. FTK is also adept at handling graphics and creating reports that display them in an easy-to-understand and organized manner.

Typical of a commercial tool, FTK can manage a case from acquisition to completion, and includes polished and flexible reporting capabilities that can be easily installed onto an auto-play CD-ROM for distribution.

e-fense’s Helix

e-fense’s Helix, created by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution designed specifically for digital forensics and based on the popular Knoppix distribution. It contains many forensics- and security-related tools designed to aid in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems. As it’s Linux-based, it has the ability to analyze Linux file systems like Ext2/Ext3, and even the less common ones like ReiserFS, JFS and XFS.

What makes Helix different from other Linux LiveCDs are the measures it takes to preserve all of the drives and partitions present on a system. A common problem with other LiveCDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any auto-mounted partitions are read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other such file metadata. This allows Helix to acquire evidence without the use of a hardware write-block device.

Helix will also auto-play on live Windows systems, on which its self-contained binaries and executables can be used for acquisition of both volatile data, like RAM, and stored data on a variety of media.

Many of its tools, like the venerable dd (a binary data dumper used for imaging of any device or data stream), are open source, and their source code has been scrutinized by the UNIX/Linux community for many years. Helix tools can be run from the command line or in an X session on live Linux systems, and from a self-contained Cygwin environment or the native GUI on live Windows systems.

Among the tools Helix employs are its feature-packed Sleuth Kit and graphical interface Autopsy Browser. Used in tandem, these give the digital investigator a very capable graphical analysis platform similar in functionality to many commercial products.

Since Helix is a shareware tool, it’s inexpensive but lacks technical support and timely bug fixes when they are needed. Also, its youth is a drawback; there is little if any court case history in which Helix has been used.

Paraben’s NetAnalysis

Paraben has an extensive suite of tools that can be used to examine e-mail, recover passwords, analyze chat logs and perform powerful Web surfing analysis.

Paraben’s NetAnalysis tool can examine AOL history files, reconstruct a cache for viewing, recover deleted Internet history files, identify Google searches, and provide a cookie and URL decoder. Its ability to capture evidence from most cell phones and PDAs is more comprehensive than similar capabilities in other tools.

Although Paraben has an extensive toolset, it has not caught on in the industry as well as the EnCase and AccessData products.

Post Mortem

After your internal forensics team has carried out an incident or crime investigation with the appropriate toolkit, it’s important to understand what went right and what went wrong so the process can be improved.

Some questions the team should address include whether additional training or tools are needed for future incidents, and whether any recovery activities introduced vulnerabilities or affected the company’s regulatory status. Based on the forensics team’s discoveries and its assessment of damages from a particular incident, a company can decide whether to take the case to court.

The team should be able to determine the technical sophistication of the criminal and the likelihood of being able to catch him. It’s also important to determine what type of individual did this type of crime. Was it a competitor or just some kids hacking for fun?

Choose your battles wisely: It would not be a good business decision to win a multimillion-dollar lawsuit against a few teenagers who have no money.

Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your business catch a thief before he escapes into cyberspace.
