Computer Forensics Investigations: Body of Evidence

Part art, part science, a computer forensics practice requires more planning and investment than technology vendors would have you believe.

When the body of his wife was discovered, Air Force Sgt. Joseph Snodgrass was stationed at Clark Air Base in the Philippines. Julie Snodgrass was found in the cab of a pickup truck nearby, having been stabbed more than 42 times. The only evidence connecting her husband to the crime was a couple of floppy disks on which were stored two letters: one in which Sgt. Snodgrass asked his mistress to hire three hitmen to murder his wife, and another increasing his wife's life insurance coverage to $450,000. During questioning in his office by the Air Force Office of Special Investigations (OSI), Snodgrass pulled the two 5.25-inch diskettes from his desk and used pinking shears to chop the damning evidence into two dozen pieces.

The agents confiscated the disks, but not before significant damage had been done. In checking with law enforcement and the diskette manufacturer, the investigators discovered that no protocol existed for reassembling disks that had been so seriously damaged. That's when an Air Force team headed by Jim Christy, currently the director of operations at the Department of Defense Cyber Crime Center in Linthicum, Md., went to work on the problem. After several failed attempts, the team managed to develop a process to line up the tracks on the disks and then tape the pieces together on a cardboard mounting hub. Spending only $131, Christy and his team were able to reconstruct the disks and retrieve 85 percent of the data.

Snodgrass was convicted of first-degree murder and was sentenced to life in prison.

Tape and cardboard may not be high-tech wizardry, but forensics isn't only about fancy tools and technologies that aid investigators in their work. It's as much about ingenuity and creativity as technology, and requires a unique array of skills: the technical savvy of a science-club geek married with the curiosity that marks a seasoned detective.

Armed with little more than cotton swabs and a handful of plastic baggies, the investigators on TV shows such as Quincy, M.E. or CSI: Crime Scene Investigation are able to reconstruct a crime, describe how it was perpetrated, and finger the person who did the deed. Investigators who specialize in computer forensics may not be as telegenic, but they accomplish the same goals as their Hollywood counterparts with the use of software and hardware. No wonder it has become a hot topic in the security community.

The truth about building and managing a forensic practice won't be found in the glossy pages of a product brochure or in a Hollywood screenplay. In any investigation, the story of what really happened is hidden in the details. Here's what we found when we asked security executives and industry experts to name the elements of a successful forensic practice and the challenges that await CSOs when they venture into this dynamic arena.

Liability Redefined

Computer forensics is the use of technology to collect, preserve and analyze digital evidence in order to establish facts that will hold up in court. Your board of directors may fervently wish never to need computer forensics, but given the evolution of legislation around security breaches, forensic capabilities are a necessity.

Legislation such as California's SB 1386, which mandates disclosure to customers who are California residents of any security breach in which their personal information may have been compromised, forces companies to be technologically self-aware. Companies must be able to pinpoint exactly what happened in a breach. "It's essential to build and maintain a forensic capability for the same reason that everybody keeps a Phillips head screwdriver around the house," says Mark Graff, chief cybersecurity officer at Lawrence Livermore National Laboratory. "It's the only way you can do the jobs you need to when you need to do them."

Organizations have historically worried about involving law enforcement in cases of computer crime, fearing it would inevitably lead to longer downtime and a loss of system control. The choice was typically between the long path to prosecution and the rapid restoration of business functions. That concern is understandable; it takes considerable time to capture a snapshot of the network even if you're doing it in-house. But a company with sound forensic capabilities can retain greater control over its systems and business operations after a breach than it could if it depended on law enforcement to do the investigative legwork. It can choose to hand over a replica of the evidence gathered off the network (or an image of a single affected computer) rather than the keys to the server room.

The decision of whether to outsource forensics or train internal staff to perform the function is less about security than it is about cost-benefit and risk-management analyses. The price tag to build a basic in-house forensic capability is high: about $30,000 for one machine and the software to conduct simple exams, according to Jimmy Doyle, former executive officer of the NYPD computer investigations and technology unit and current director of Northeast operations for Guidance Software. And that doesn't include ongoing costs such as salaries, supplies or training. Companies can expect to spend an additional $5,000 to $10,000 per year per person on training (and related travel) alone. Doyle cautions that a larger enterprise would require more than a single machine and might instead consider outsourcing.

For some, deciding to outsource their forensic capability becomes a public-relations decision. If there's dirty laundry to be aired, most would rather keep the investigation internal than risk something ending up on some front page.

The Art of the Deal

It can be hard to resist the temptation to investigate when something has gone awry on the network, so it's wise to have at least one person on the IS staff who understands the rudiments of forensic investigative techniques. If the IS staff members don't follow proper procedures, they may plow right through the evidence, altering timestamps and overwriting the very data that would have shown what happened, and ultimately making it impossible to accurately reconstruct the event.

The technological component of an investigation usually gets the most attention, but don't kid yourself: Computer forensics is equal parts art and science. "And it will always be that way, no matter what technology you use, because it's still a human at the keyboard [committing the crime]," says Doyle. "You have to get the data, the 1s and 0s, but you also have to look at the motivation. That will point you in the direction where you should look for evidence."

For the most part, the artistry of forensics lies in the skills of the team that you assemble. Graff looks for three different skill sets in his forensic investigators. The first is technical skill: an understanding of how data is stored and retrieved, and a knowledge of the tools that are used. The second is sound training in the legal requirements of evidence-gathering and presentation, that is, the procedures that investigators need to observe to preserve the chain of evidence and remain within the parameters of the law. Finally, he wants his team to have a good understanding of how people use, and misuse, computers.
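The two procedures that keep staff from "plowing right through the evidence" and that let an investigator defend the chain of evidence on the stand are mechanical enough to show in code. The following is an added example written for this page, not code from the article or from any organization it quotes: it hashes an acquired image at acquisition time and re-verifies the copy before examination, and it keeps a custody log in which each entry's hash covers the previous entry, so a retroactive edit to any hand-off record is detectable. The image bytes, case ID, device path and names are constructed for the demonstration.

```python
"""Acquisition hashing and a tamper-evident chain-of-custody log.

Added example; the image bytes and identifiers below are constructed,
not real evidence.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a large image never has to fit in memory
GENESIS = "0" * 64    # prev_hash of the first custody entry

# Constructed stand-in for a raw disk image; a real acquisition would hash
# the image file or the block device itself (behind a write blocker).
CONSTRUCTED_IMAGE = b"constructed image bytes, not real evidence\x00" * 4096


def hash_stream(stream):
    """SHA-256 and MD5 hex digests of a binary stream, read in chunks.

    MD5 is recorded only because older tools and court records carry it;
    SHA-256 is the digest the verification below actually relies on.
    """
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def acquisition_record(stream, case_id, source, examiner, acquired_at=None):
    """Entry written at acquisition: who took what, from where, when, and its hashes."""
    return {
        "case_id": case_id,
        "source": source,
        "examiner": examiner,
        "acquired_at": acquired_at or datetime.now(timezone.utc).isoformat(),
        "hashes": hash_stream(stream),
    }


def verify_evidence(stream, record):
    """Re-hash the copy in hand and compare with the acquisition record.

    Returns (matches, current_hashes). A mismatch means this is not the
    evidence that was acquired: stop, document the discrepancy, do not examine.
    """
    current = hash_stream(stream)
    return current["sha256"] == record["hashes"]["sha256"], current


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_custody_entry(log, action, person, note="", timestamp=None):
    """Append a hand-off or access. The entry hash covers prev_hash, so editing
    or deleting an earlier entry invalidates every entry after it."""
    entry = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "person": person,
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def custody_log_intact(log):
    """True if every entry hashes correctly and chains to its predecessor."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Walk the constructed image through acquisition, verification and custody."""
    record = acquisition_record(io.BytesIO(CONSTRUCTED_IMAGE), "CASE-0001",
                                "/dev/sdb (constructed)", "J. Examiner",
                                acquired_at="2004-01-01T00:00:00+00:00")
    log = []
    append_custody_entry(log, "acquired", "J. Examiner", "imaged behind write blocker")
    append_custody_entry(log, "transferred", "Evidence locker", "sealed bag #17")

    intact_ok, _ = verify_evidence(io.BytesIO(CONSTRUCTED_IMAGE), record)

    tampered = bytearray(CONSTRUCTED_IMAGE)   # one flipped bit anywhere fails verification
    tampered[1234] ^= 0x01
    tampered_ok, _ = verify_evidence(io.BytesIO(bytes(tampered)), record)

    log_ok_before = custody_log_intact(log)
    log[0]["note"] = "imaged without write blocker"  # retroactive edit to the first entry
    log_ok_after = custody_log_intact(log)

    return {
        "sha256": record["hashes"]["sha256"],
        "intact_verifies": intact_ok,
        "tampered_verifies": tampered_ok,
        "log_intact_before_edit": log_ok_before,
        "log_intact_after_edit": log_ok_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition record and the custody log are what get printed and signed into the case file; on the stand, the examiner shows that the hash of the examined copy matches the one recorded at acquisition and that no custody entry was altered after the fact.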

Add to all that the ability to look beyond the information that technology presents on the surface. "You have to see a computer in a different way than how people usually look at it," says Graff. "As human beings, we generally don't see what is literally in front of us, the pixels on the screen. We make use of the models provided for us by computer designers, the windows, cursors and icons. But forensic investigators need to see beyond those constructs to what's actually there."

Forensic investigators must also be prepared to defend their work on the witness stand. In fact, you can divide the world into two groups of people, says Eric Friedberg, executive vice president and general counsel for Stroz Friedberg: those who have been through a lengthy cross-examination by a high-powered criminal defense attorney and those who haven't. Investigators with that experience "always approach their work with a level of care and double-checking because they never again want to go through the experience of having their head ripped off in front of 12 people and a judge," says Friedberg.

Often, forensic testimony is dismissed on a technicality, like an assumption the investigator made or the way he described something to the jury. Individuals with a law-enforcement background are used to being second-guessed. They come from an environment where their work has always been carefully scrutinized, and the chain of custody aggressively dissected. As a result, they learn to handle investigations with future cross-examination in mind.

Of course, having the nerve to endure the probing questioning of a defense attorney is useless if the investigator lacks the technical knowledge for proper execution of the investigation, so Friedberg notes that cross-pollination is often the best way to ensure the right mix of skills. "It's hard to put the geek into the cop and the cop into the geek, so we try to hire both kinds of people and have them work closely together," he says.

That approach has been successful at PayPal, where Vice President of Risk Management Ken Miller heads up a fraud unit that comprises 20 percent of the PayPal workforce. "We started out hoping to find that right blend of background, but it didn't exist. It was up to us to create it," he says. In fact, in a midsize corporation where a forensic unit is liable to be a very small group with two or three trained individuals at most, cross-pollination can be invaluable.

A forensic team can also benefit from acquiring some of the softer skills that IT staff members traditionally have lacked. An investigator needs to be able to communicate well in order to distill for a jury of forensic neophytes the complexities of various technologies. And often investigators have to coax information about the inner workings of a product out of hardware and software manufacturers reluctant to provide assistance.

Forensic investigators must also dig information out of a broad array of devices, from PDAs to video game consoles, that have been turned into inexpensive Linux computers. All of that requires a certain amount of creativity and inquisitiveness to invent processes where none previously existed.

Finally, forensic investigators need the tenacity to stick with an investigation even when the answers are slow in coming. "All the people we've fired in forensics have had the same mantra," says Friedberg. "'There's nothing there.'"

Along with the right skills and temperament, certifications and training will enhance the investigative skills of your staff and stand them in good stead in court. Unfortunately, no single certification is accepted across the industry as the standard for a forensic investigator. Many of the current offerings aren't broad enough to verify a solid understanding of the basic rules of forensic practice. Training also tends to be product-oriented and focuses far too much on tracking down outside hackers in a corporate climate where CSOs are rightly more concerned about the dangers posed by insiders who have been granted access to valuable corporate resources. Despite these current limitations on certification and training, product-oriented and niche certifications can help establish an investigator's credentials (see "Forensic Certifications," this page).

"Who do you want on the stand representing your company?" asks Mike Higgins, a professor in the graduate information security management program at the George Washington University and the managing director of the technology risk management practice at Tekmark Global Solutions. "Do you want the 19-year-old systems administrator or the 35-year-old CISSP with 27 other letters after his name?"

Aside from certifications, investigators can also get training in the softer skills necessary for a forensic investigator. Several people within Graff's forensic unit have undergone expert witness training. Industry organizations such as the High Technology Crime Investigation Association (www.htcia.org) offer such courses.

Fish or Cut Bait

The decision to sink corporate resources into an investigation or simply fix the problem and move on is a risk-management decision, but one in which the security organization should play a critical role. A cursory forensic investigation will determine how much damage has occurred and what a full investigation is likely to yield. A quick assessment of the technical sophistication of a person who has hacked the corporate network should tell you whether he can be caught and whether it's worth catching him. What good is a multimillion-dollar judgment in court against a couple of kids who hacked into your network and made a mess when you'll never see any money out of it? Weighed against the cost of tracking those individuals down, it's a losing proposition. While it might make management feel good to catch hackers, it won't mean much if they miss their quarterly numbers.
