Computer Forensics Investigations: Body of Evidence

Part art, part science, a computer forensics practice requires more planning and investment than technology vendors would have you believe.

Page 2 of 2

It's not always easy to keep such decisions focused on the needs of the business. "As a society, we're fairly testosterone-laden," notes Higgins. "Our first response is often, 'Let's get the bastard! We want to prosecute!' But it's the job of the security people to help get the focus back on the business." CSOs should be the voice of reason in communicating with line of business executives about when a forensic investigation should be pursued and when it doesn't make sense.

The forensic team and its policies and procedures should be tightly woven into the fabric of the corporate contingency planning process. Corporate counsel, human resources, the CIO and CSO, line of business executives and trained forensic professionals (whether internal or external) should all work together to develop a plan that can be executed when a situation arises. The process should include some exercises that consider the different kinds of security breaches that forensics could be called upon to investigate and a discussion of the parameters of those investigations so that everyone has the same expectations from the team. Ongoing communication among these constituencies is also important because information resides within different pockets in the corporate structure, not just on the network. In many situations there's a traditional investigation going on at the same time as a forensic investigation and that information has to be pulled together to get a complete picture of what happened. If an employee is accused of IP theft, information about his rocky relationship with the company may also be found in his HR files and within his business unit.

It's also critical to build a good relationship between your forensic team and any law-enforcement groups with whom it may have to work. At PayPal, Miller and his fraud team have worked to establish good contacts with local police departments around the country and federal agencies. The result: Both sides have a better understanding of the other's needs and are extremely responsive. "Sometimes they come to us requesting information; we're always quick to help out and often we go to them," Miller says. "There's respect there."

When Forensics Fails

One of the most difficult aspects of forensics is that much of it is counterintuitive. Graff recalls an incident at a previous company where an employee was suspected of IP theft. He was concerned that if the employee in question was confronted, he might unleash some sort of malware on the network. One morning Graff came in at 8 a.m. and members of his staff quite proudly revealed that they had surreptitiously recovered the suspect's computer and were in the process of booting it up on the network to take a look, a perilous move that endangered the network and could have destroyed the evidentiary chain. "If you want to know what a person was using a computer for, the last thing you want to do is boot it up," says Graff.

Forensic work requires a unique train of thought because, while you want to prove what happened, you can't risk making even the smallest change to the evidence. Otherwise, the company could be vulnerable to the charge of evidence tampering.

That problem also occurs when IT staffers who don't understand chain of custody and basic forensic procedures decide to investigate for themselves. Keith Jones, computer forensics manager at Foundstone, notes a situation his team often sees when they go into a company where a system administrator or other IS staffer has neglected to apply a patch and a hacker got in. Rather than admit to his boss up front that he is at fault, the staffer will go in to investigate and, without thinking, overwrite all information pertaining to the breach and inadvertently change the date stamps.
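To make the "never change the evidence" rule concrete, here is an added example (not from the article or any of the practitioners quoted in it): a hash and date-stamp baseline recorded at acquisition lets an examiner prove the evidence is untouched, and a careless "take a look" that opens the evidence writable breaks that proof. The file name and contents are constructed for the demonstration.

```python
"""Added example, not from the article: acquisition baseline vs. careless
examination. Evidence file name and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the evidence bit-for-bit; a read-only pass does not rewrite it."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path: Path) -> dict:
    """Record the acquisition baseline: content hash, size and date stamp."""
    st = path.stat()
    return {"sha256": sha256_file(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def verify(path: Path, baseline: dict) -> tuple[bool, str]:
    """Re-hash and compare; any drift means the evidence can be challenged."""
    current = acquire(path)
    if current["sha256"] != baseline["sha256"]:
        return False, "content differs from acquisition baseline"
    if current["mtime_ns"] != baseline["mtime_ns"]:
        return False, "date stamp differs from acquisition baseline"
    return True, "evidence matches acquisition baseline"


def careless_look(path: Path) -> None:
    """Simulates a staffer opening the evidence writable 'to take a look':
    even one appended byte changes the hash and the date stamp."""
    with path.open("ab") as f:
        f.write(b"\n")


def demo() -> dict:
    """Run the whole sequence on a constructed evidence file."""
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "suspect_disk.img"  # constructed sample image
        evidence.write_bytes(b"constructed evidence bytes\n" * 64)
        baseline = acquire(evidence)
        sha256_file(evidence)  # proper read-only examination leaves it intact
        after_read = verify(evidence, baseline)
        careless_look(evidence)
        after_write = verify(evidence, baseline)
    return {"after_read_ok": after_read[0], "after_write_ok": after_write[0],
            "after_write_reason": after_write[1]}
```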

Evidence can also deteriorate when companies wait too long to look into it. "When an incident occurs, it basically creates a computer document," says Jones. "That document is not deleted from the hard drive but, as time goes on, what with people surfing and regular network activity, the chances of that document being overwritten are greater and greater." Logging facilities have a finite amount of space, and as new activity takes place the old stuff dwindles off.

Although there are no industrywide forensic standards at present, companies that don't establish their own internal standards may find their methods called into question. At the Department of Defense Computer Forensics Laboratory, or DCFL (see "Searching for the Truth," Page 43), forensic examiners were originally allowed to customize their own workstations with the tools and systems they preferred to use.

"If you allow examiners to go down the road of customization: How do you know if they don't have the exact same tools and setup, that what examiner A finds in his investigation will be the same as what examiner B would find?" asks Lt. Col. Ken Zatyko, director and special agent with the DCFL. In the absence of set standards, many companies choose to standardize their forensic units using the tools and procedures used by law enforcement.

Another mistake that companies fall prey to is picking the wrong forensic partner. At a recent security conference, Doyle noted that it was difficult to find a booth on the trade-show floor that didn't have the word forensics plastered on it. But when vendors tout a tool as being "forensically sound," you'll want to make sure that they're giving you more than marketing spin. In order for a tool to be considered forensically sound, it has to withstand the scrutiny of the Daubert standards of acceptability in the federal rules of evidence. These standards require testing the product, conducting peer review, determining error rates and having the product generally accepted within the scientific community. You should also be sure that vendors of any forensic product are willing to go to court with you to testify to these factors and establish the soundness of their product.

While no standards currently exist to inform a forensic practice, several organizations have issued guidelines that may be the rough drafts of future standards. The Information Systems Audit and Control Association and The National Institute of Standards and Technology have both put out guidelines that are relevant to forensic examination.

The final challenge facing CSOs and their forensic teams is the proliferation of technology in the corporate sphere that stores information and evidence: everything from printers to PDAs and laptops. Maintaining a knowledge of the inner workings of these various tools and accessories is going to be an educational challenge and a significant training expense for years to come.

Copyright © 2004 IDG Communications, Inc.
