Computer Forensics Investigations: Body of Evidence

Part art, part science, a computer forensics practice requires more planning and investment than technology vendors would have you believe.

When the body of his wife was discovered, Air Force Sgt. Joseph Snodgrass was stationed at Clark Air Base in the Philippines. Julie Snodgrass was found in the cab of a pickup truck nearby, having been stabbed more than 42 times. The only evidence connecting her husband to the crime were a couple of floppy disks on which were stored two letters: one in which Sgt. Snodgrass asked his mistress to hire three hitmen to murder his wife, and another increasing his wife's life insurance coverage to $450,000. During questioning in his office by the Air Force Office of Special Investigations (OSI), Snodgrass pulled the two 5.25-inch diskettes from his desk and used pinking shears to chop the damning evidence into 2 dozen pieces.

The agents confiscated the disks, but not before significant damage had been done. In checking with law enforcement and the diskette manufacturer, the investigators discovered that no protocol existed for reassembling disks that had been so seriously damaged. That's when an Air Force team headed by Jim Christy, currently the director of operations at the Department of Defense Cyber Crime Center in Linthicum, Md., went to work on the problem. After several failed attempts, the team managed to develop a process to line up the tracks on the disks and then tape the pieces together on a cardboard mounting hub. Spending only $131, Christy and his team were able to reconstruct the disks and retrieve 85 percent of the data.

Snodgrass was convicted of first-degree murder and was sentenced to life in prison.

Tape and cardboard may not be high-tech wizardry, but forensics isn't only about fancy tools and technologies that aid investigators in their work. It's as much about ingenuity and creativity as technology, and requires a unique array of skill: the technical savvy of a science- club geek married with the curiosity that marks a seasoned detective.

Armed with little more than cotton swabs and a handful of plastic baggies, police detectives from TV shows such as Quincy, M.E. or CSI: Crime Scene Investigation are able to reconstruct a crime, describe how it was perpetrated, and finger the person who did the deed. Investigators who specialize in computer forensics may not be as telegenic, but they accomplish the same goals as their Hollywood counterparts with the use of software and hardware. No wonder it has become a hot topic in the security community.

The truth about building and managing a forensic practice won't be found in the glossy pages of a product brochure or in a Hollywood screenplay. In any investigation, the story of what really happened is hidden in the details. Here's what we found when we asked security executives and industry experts to name the elements of a successful forensic practice and the challenges that await CSOs when they venture into this dynamic arena.Liability RedefinedComputer forensics is the use of technology to establish facts for building a case in court. Your board of directors may fervently wish never to need computer forensics, but given the evolution of legislation around security breaches, forensic capabilities are a necessity.

Legislation such as California's SB 1386mandating disclosure to customers who are California residents of any security breach in which their personal information may have been compromisedforces companies to be technologically self-aware. Companies must be able to pinpoint exactly what happened in a breach. "It's essential to build and maintain a forensic capability for the same reason that everybody keeps a Phillips head screwdriver around the house," says Mark Graff, chief cybersecurity officer at Lawrence Livermore National Laboratory. "It's the only way you can do the jobs you need to when you need to do them."

Organizations have historically worried about involving law enforcement in cases of computer crime, fearing it would inevitably lead to longer downtime and a loss of system control. The choice was typically between the long path to prosecution or the rapid restoration of business functions. While that concern is understandableit takes considerable time to capture a snapshot of the network even if you're doing it in-housea company with sound forensic capabilities can retain greater control over its systems and business operations after a breach than it could if it depended on law enforcement to do the investigative legwork. In other words, the company is simply in a better position to retain control over its business operations because it can choose to hand over a replica of the evidence gathered off the network (or a single affected computer) rather than the keys to the server room.

The decision of whether to outsource forensics or train internal staff to perform the function is less about security than it is about cost-benefit and risk-management analyses. The price tag to build a basic in-house forensic capability is high: about $30,000 for one machine and the software to conduct simple exams, according to Jimmy Doyle, former executive officer of the NYPD computer investigations and technology unit and current director of Northeast operations for Guidance Software. And that doesn't include ongoing costs such as salaries, supplies or training. Companies can expect to spend an additional $5,000 to $10,000 per year per person on training (and related travel) alone. Doyle cautions that a larger enterprise would require more than a single machine and might instead consider outsourcing.

For some, deciding to outsource their forensic capability becomes a public-relations decision. If there's dirty laundry to be aired, most would rather keep the investigation internal than risk something ending up on some front page.The Art of the DealIt can be hard to resist the temptation to investigate when something has gone awry on the network, so it's wise to have at least one person on the IS staff who understands the rudiments of forensic investigative techniques. If the IS staff members don't follow proper procedures, they may plow right through the evidence, ultimately making it impossible to accurately reconstruct the event.

The technological component of an investigation usually gets the most attention, but don't kid yourself: Computer forensics is equal parts art and science. "And it will always be that way, no matter what technology you use, because it's still a human at the keyboard [committing the crime]," says Doyle. "You have to get the data, the 1s and 0s, but you also have to look at the motivation. That will point you in the direction where you should look for evidence."

For the most part, the artistry of forensics lies in the skills of the team that you assemble. Graff looks for three different skill sets in his forensic investigators. The first is technical skill, an understanding of how data is stored and retrieved, and a knowledge of the tools that are used. The second is sound training in the legal requirements of evidence-gathering and presentationthe procedures that investigators need to observe to preserve the chain of evidence and remain within the parameters of the law. Finally, he wants his team to have a good understanding of how people use, and misuse, computers.

Add to all that the ability to look beyond the information that technology presents on the surface. "You have to see a computer in a different way than how people usually look at it," says Graff. "As human beings, we generally don't see what is literally in front of us, the pixels on the screen. We make use of the models provided for us by computer designers, the windows, cursors and icons. But forensic investigators need to see beyond those constructs to what's actually there."

Forensic investigators must also be prepared to defend their work on the witness stand. In fact, you can divide the world into two groups of people, says Eric Friedberg, executive vice president and general counsel for Stroz Friedberg: those who have been through a lengthy cross-examination by a high-powered criminal defense attorney and those who haven't. Investigators with that experience "always approach their work with a level of care and double-checking because they never again want to go through the experience of having their head ripped off in front of 12 people and a judge," says Friedberg.

Often, forensic testimony is dismissed on a technicality, like an assumption the investigator made or the way he described something to the jury. Individuals with a law- enforcement background are used to being second-guessed. They come from an environment where their work has always been carefully scrutinized, and the chain of custody aggressively dissected. As a result, they learn to handle investigations with future cross-examination in mind.

Of course, having the nerve to endure the probing questioning of a defense attorney is useless if the investigator lacks the technical knowledge for proper execution of the investigation, so Friedberg notes that cross-pollination is often the best way to ensure the right mix of skills. "It's hard to put the geek into the cop and the cop into the geek, so we try to hire both kinds of people and have them work closely together," he says.

That approach has been successful at PayPal, where Vice President of Risk Management Ken Miller heads up a fraud unit that comprises 20 percent of the PayPal workforce. "We started out hoping to find that right blend of background, but it didn't exist. It was up to us to create it," he says. In fact, in a midsize corporation where a forensic unit is liable to be a very small group with two or three trained individuals at most, cross-pollination can be invaluable.

A forensic team can also benefit from acquiring some of the softer skills that IT staff members traditionally have lacked. An investigator needs to be able to communicate well in order to distill for a jury of forensic neophytes the complexities of various technologies. And often investigators have to coax information about the inner workings of a product out of hardware and software manufacturers reluctant to provide assistance.

Forensic investigators must also dig information out of a broad array of devicesfrom PDAs to video game consolesthat have been turned into inexpensive Linux computers. All of that requires a certain amount of creativity and inquisitiveness to invent processes where none previously existed.

Finally, forensic investigators need the tenacity to stick with an investigation even when the answers are slow in coming. "All the people we've fired in forensics have had the same mantra," says Friedberg. "'There's nothing there.'"

Along with the right skills and temperament, the addition of certifications and training will enhance the investigative skills of your staff and stand them in good stead in court. Unfortunately, no single certification is accepted across the industry as the standard for a forensic investigator. Many of the current offerings aren't broad enough to verify a solid understanding of the basic rules of forensic practice. Training also tends to be product-oriented and focuses far too much on tracking down hackers in a corporate climate where CSOs are rightly more concerned about the dangers posed by insiders that have been granted access to valuable corporate resources. Despite these current limitations on certification and training, product-oriented and niche certifications can help establish an investigator's credentials (see "Forensic Certifications," this page).

"Who do you want on the stand representing your company?" asks Mike Higgins, a professor in the graduate information security management program at the George Washington University and the managing director of the technology risk management practice at Tekmark Global Solutions. "Do you want the 19-year-old systems administrator or the 35-year-old CISSP with 27 other letters after his name?"

Aside from certifications, investigators can also get training in the softer skills necessary for a forensic investigator. Several people within Graff's forensic unit have undergone expert witness training. Industry organizations such as the High Technology Crime Investigation Association (www. htcia .org) offer such courses.Fish or Cut BaitThe decision to sink corporate resources into an investigation or simply fix the problem and move on involves risk management. But it's one in which the security organization should play a critical role. A cursory forensic investigation will determine how much damage has occurred and what an investigation is likely to yield. A quick assessment of the technical sophistication of a person who has hacked the corporate network should tell you if he can be caught and if it's worth catching him. For what good is it to get a multimillion-dollar judgment in court against a couple of kids who hacked into your network and made a mess when you'll never see any money out of it? When you weigh that against the cost of tracking these individuals down, it's a losing proposition. While it might make management feel good to catch hackers, it won't mean much if they miss their quarterly numbers.

It's not always easy to keep such decisions focused on the needs of the business. "As a society, we're fairly testosterone-laden," notes Higgins. "Our first response is often, 'Let's get the bastard! We want to prosecute!' But it's the job of the security people to help get the focus back on the business." CSOs should be the voice of reason in communicating with line of business executives about when a forensic investigation should be pursued and when it doesn't make sense.

The forensic team and its policies and procedures should be tightly woven into the fabric of the corporate contingency planning process. Corporate counsel, human resources, the CIO and CSO, line of business executives and trained forensic professionals (whether internal or external) should all work together to develop a plan that can be executed when a situation arises. The process should include some exercises that consider the different kinds of security breaches that forensics could be called upon to investigate and a discussion of the parameters of those investigations so that everyone has the same expectations from the team. Ongoing communication among these constituencies is also important because information resides within different pockets in the corporate structure, not just on the network. In many situations there's a traditional investigation going on at the same time as a forensic investigation and that information has to be pulled together to get a complete picture of what happened. If an employee is accused of IP theft, information about his rocky relationship with the company may also be found in his HR files and within his business unit.

It's also critical to build a good relationship between your forensic team and any law- enforcement groups with whom it may have to work. At PayPal, Miller and his fraud team have worked to establish good contacts with local police departments around the country and federal agencies. The result: Both sides have a better understanding of the other's needs and are extremely responsive. "Sometimes they come to us requesting information; we're always quick to help out and often we go to them," Miller says. "There's respect there." When Forensics FailsOne of the most difficult aspects of forensics is that much of it is counterintuitive. Graff recalls an incident at a previous company where an employee was suspected of IP theft. He was concerned that if the employee in question was confronted, then he might unleash some sort of malware on the network. One morning Graff came in at 8 a.m. and members of his staff quite proudly revealed that they had surreptitiously recovered the suspect's computer and were in the process of booting it up on the network to take a looka perilous move that endangered the network and could have destroyed the evidentiary chain. "If you want to know what a person was using a computer for, the last thing you want to do is boot it up," says Graff.

Forensic work requires a unique train of thought because, while you want to prove what happened, you can't risk making even the smallest change to the evidence. Otherwise, the company could be vulnerable to the charge of evidence tampering.

That problem also occurs when IT staffers who don't understand chain of custody and basic forensic procedures decide to investigate for themselves. Keith Jones, computer forensics manager at Foundstone, notes a situation his team often sees when they go into a company where a system administrator or other IS staffer has neglected to apply a patch and a hacker got in. Rather than admit to his boss up front that he is at fault, the staffer will go in to investigate and, without thinking, overwrite all information pertaining to the breach and inadvertently change the date stamps.

Evidence can also deteriorate when companies wait too long to look into it. "When an incident occurs, it basically creates a computer document," says Jones. "That document is not deleted from the hard drive but, as time goes on, what with people surfing and regular network activity, the chances of that document being overwritten is greater and greater." Logging facilities have a finite amount of space, and as new activity takes place the old stuff dwindles off.

Although there are no industrywide forensic standards at present, companies that don't establish their own internal standards may find their methods called into question. At the Department of Defense Computer Forensics Laboratory, or DCFL (see "Searching for the Truth," Page 43), forensic examiners were originally allowed to customize their own workstations with the tools and systems they preferred to use.

"If you allow examiners to go down the road of customization: How do you know if they don't have the exact same tools and setup, that what examiner A finds in his investigation will be the same as what examiner B would find?" asks Lt. Col. Ken Zatyko, director and special agent with the DCFL. In the absence of set standards, many companies choose to standardize their forensic units using the tools and procedures used by law enforcement.

Another mistake that companies fall prey to is picking the wrong forensic partner. At a recent security conference, Doyle noted that it was difficult to find a booth on the trade-show floor that didn't have the word forensics plastered on it. But when vendors tout a tool as being "forensically sound," you'll want to make sure that they're giving you more than marketing spin. In order for a tool to be considered forensically sound, it has to withstand the scrutiny of the Daubert standards of acceptability in the federal rules of evidence. These standards require testing the product, conducting peer review, determining error rates and having the product generally accepted within the scientific community. You should also be sure that vendors of any forensic product are willing to go to court with you to testify to these factors and establish the soundness of their product.

While no standards currently exist to inform a forensic practice, several organizations have issued guidelines that may be the rough drafts of future standards. The Information Systems Audit and Control Association and The National Institute of Standards and Technology have both put out guidelines that are relevant to forensic examination.

The final challenge facing CSOs and their forensic teams is the proliferation of technology in the corporate sphere that stores information and evidenceeverything from printers to PDAs and laptops. Maintaining a knowledge of the inner workings of these various tools and accessories is going to be an educational challenge and a significant training expense for years to come.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies