SUMMARY




The United States Department of Justice categorizes computers involved in crimes in three ways: contraband, instrumentality, and “mere” evidence. If a network manager discovers contraband (illegal or illegally acquired equipment), he or she should simply turn the matter over to law enforcement.

Computer instrumentality implies that hardware played a significant role in a crime. Within network-related crimes, "innocent" computers are often used as instrumentalities: they are used to commit further crime, either by launching denial of service attacks or by serving as a pass-through (a relay) for the criminal. Law enforcement will often seize computers used as instrumentalities; they must seize them if the crime falls under certain federal statutes.

Computers classified as “mere” evidence are usually not seized. The goal is to acquire the data of evidentiary value from the computer while adhering to computer forensic principles. Before getting into specifics on how this is actually done, let us first examine some policies that should be in place before the need for forensics arises.

Haste Makes Waste

Every business should have a computer security plan, part of which must include collection and preservation of evidence before, during, and after the incident. When formulating all policies regarding computer forensics, a balance must be struck between expediency and following a proper chain of command. It is neither feasible nor desirable for the CIO of a large corporation to be called every time a computer is attacked; at the same time, some oversight is important. Each organization needs to decide how far to proceed up the hierarchy when responding to different levels of attacks.

Because laws affect corporations differently, and because desktop forensics is extremely important for internal offenses, it is wise to have separate policies for internal attacks and external attacks. A study performed jointly by CSI and the National Infrastructure Protection Center arm of the FBI found that a significant share of attacks (81%) came from disgruntled employees (Figure 20.1).[iii]

Figure 20.1: A joint CSI/FBI study determined that an overwhelming number of desktop attacks (81%) came from disgruntled employees. (©Copyright 2002. Computer Security Institute. All rights reserved).

This is not only the case in university-type settings, where public labs are plentiful and security is often lax; it remains true for all types of organizations. When dealing with internal policies, desktop examination is a crucial element, whether the matter is simple misuse or corporate espionage. Regardless of the reasons, following proper forensic procedures will help establish a legal case.

Note 

Certain laws exist to provide some privacy to the end user.[iv]

The one privacy law most important for this chapter and book is the Electronic Communications Privacy Act (ECPA); the part of it that governs stored e-mail and provider records (the Stored Communications Act) begins in the United States Code at Title 18, section 2701. The law contains certain provisions that should be incorporated into every policy. For the purposes of this chapter, assume you are dealing with an e-mail system that employs user authentication to verify active employee status. Policy rules for an open Internet service provider (wherein anyone can pay and join) are significantly more stringent, because the statute's strongest restrictions on disclosure attach to services offered to the public.

Note 

One provision of the law, Title 18 USC 2703(f), applies equally to all e-mail providers: "A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process."

Law enforcement commonly refers to a Title 18 USC 2703(f) request as sending an "F-letter" to a provider (the name refers to subsection (f) of the statute). Usually such a request is communicated by telephone first, followed by a letter; a company should immediately take the steps requested by phone without waiting for the letter to arrive. Note what the request does and does not do: it obliges the provider to preserve the records (copy them and set them aside, intact), not to hand them over; disclosure still requires the subpoena, court order, or warrant that the rest of section 2703 describes. Under the second part of this subsection, the records must be preserved for 90 days, which the government may extend for another 90 days on renewed request. There should be appropriate policies in place to handle this possibility, from the administrative receiving end all the way to placement of the backed-up records. These policies should be created in a partnership among management, computer services personnel, and legal counsel.

How does a manager know whether the staff possesses the requisite knowledge to create sound corporate policies on evidence recovery? This is an extremely difficult question to answer, but one approach might be to determine who, typically, would not be qualified. The average system administrator usually does not have the required knowledge; the Microsoft Certified Systems Engineer (MCSE) examination does not cover it either. A dedicated network security specialist may or may not have the appropriate knowledge, but this is probably the best place to start looking. That individual, who might hold a CISSP or a SANS (GIAC) certification, will have a fundamental understanding of security issues that a normal system administrator probably would not.

Mapping the Labyrinth

Even though the corporate computer forensics specialist is not a law enforcement officer, he or she will still find merit in following the same forensic procedures. This includes limiting access to the machine, photographing the screen if information is visible, and, most important, documenting every step. From the moment a computer is recognized as compromised, documentation should begin.

Documentation should hold to a general standard: if someone with comparable knowledge picks up the first examiner's notes, he or she should be able to follow each step and reach the same conclusion. Documentation should include the basic who, what, when, and where, and also how long each individual spent diagnosing and repairing any problems, which is used to determine damages. The amount of damage may influence not only the involvement of federal investigators but also any resulting federal trial; under the U.S. Federal Sentencing Guidelines, the loss amount is a primary factor in the sentence.

It is essential for companies to keep track of their damages when responding to an intrusion, for purposes of criminal prosecution. In determining the sentence for an intruder, the courts use the costs a company incurred to detect the intrusion, repair the damage, and deter future intrusions, including labor costs. Companies are therefore asked to keep track of their costs so that intruders can be effectively prosecuted.

One of the most critical aspects of proper evidence collection is proper shutdown and the creation of a bit stream image of the violated computer. If the computer in question is a Microsoft DOS/Windows computer, the procedure this chapter recommends is to pull the plug from the rear of the computer, because a normal shutdown writes to the disk and may overwrite or alter important evidence. Be aware of what that choice discards: everything held only in memory, including running processes, open network connections, and the state tables discussed later in this chapter, is lost the instant power is removed. If that volatile state matters to the case, capture and document it first, as described below for Unix, and record in the notes why the machine was powered off the way it was.

Note 

For laptops or machines with an internal uninterruptible power supply, disconnect the internal UPS or battery before the power cord is pulled. Afterward, the hard drive is usually removed and installed in another machine. That system is booted from a floppy (or other examiner-controlled media) that disallows any attempt to write to the hard drive, and a bit stream image is created with one of a variety of products. A hardware write blocker between the suspect drive and the imaging machine gives the same protection regardless of what the operating system tries to do.

What imaging software you choose to use is largely a personal preference, provided that it satisfies the criterion of providing complete bit-by-bit imaging. The person performing the imaging procedure must verify the software’s ability and accuracy every time a new update is released. Some popular choices (although this author and publisher are not endorsing any) are Byte Back (http://www.toolsthatwork.com/byte.shtml), SafeBack (http://www.forensics-intl.com/safeback.html), Fred (http://www.digitalintel.com/), and Encase (http://www.encase.com/html/index.html ).

General-purpose disk-cloning or backup software may or may not produce a forensic image: a product that copies only allocated files, or the live file system, silently leaves out unallocated space, slack space, and deleted data, and a sector-by-sector mode, where one exists, may be an option that must be selected explicitly. Just remember that before any software is used, the individual performing the image must verify it. This is done by proper hash testing, discussed later on.

Sealing off the Unix Crime Scene

Unix can be more problematic in response to a forced shutdown due to power loss. There are several options and opinions within the field regarding how best to handle a Unix box; how the shutdown should be handled will depend on how critical the data on the victimized computer is, among other criteria. Regardless, the first step is, as always, to document the state of the system before touching it. This may include photographing the monitor and the computer. The next step is to collect volatile evidence from memory, beginning with the process list: ps aux on BSD-derived systems or ps -ef on System V-derived ones (ps -aux with a leading dash is accepted by many versions, with a warning on some). Save the output to the examiner's own media, never to the suspect disk.

The individual should look for and be able to recognize any unauthorized programs. If any are found, the memory image of the process should be saved; the method varies with the Unix version, but one example is the gcore command, which writes a core image of a running process given its process ID. A computer forensics specialist should also be familiar with lsof (list open files), which shows which files, sockets, and devices each process has open and is beneficial in isolating trouble spots. It is important to make sure all programs are authentic and updated: intruders may replace commands such as ps, ls, netstat, and lsof with their own "trapped" (trojaned) versions that hide the intruder's processes, so run these tools from a known-good, statically linked copy on read-only media and compare their output against each other rather than trusting the binaries on the compromised host.

After the volatile state is documented, there are several options. One is to sync, halt, reboot, and mount the drives from a CD. One danger is that the sync command may have been altered, thus damaging evidence; this procedure also changes the state of the hard drive, which is a possible concern. Another option is simply to pull the power and leave the file system in a dirty (unclean) state. Afterward, the drive can be attached to a trusted system and, if it must be mounted at all, mounted read-only (and preferably not until after imaging) so that the operating system does not replay a journal or run a file system check that alters it, and bit stream copies can be created from the original.

A third option is to make a bit stream copy with the dd command. Despite the folklore, dd is not a "data definition" tool: it copies raw blocks from an input (the if= operand) to an output (of=) in a chosen block size (bs=), without regard to file systems, which is exactly what a bit stream image requires. The operands matter: conv=noerror,sync tells dd to keep going past a read error and to pad the unreadable block with zeros so that every later offset in the image still lines up with the original, and the input must be the whole device, opened read-only, never a mounted file system. Transposing if= and of= overwrites the evidence drive, so it is important that any person using this command is trained to do so, and that the copy is verified by hashing afterward.

Truth Serum

No matter what operating system (or copying program) is used, some type of verification software should be part of the forensics equation. Its purpose is to ensure that the bit stream image of the violated computer is identical to the original. This is accomplished with mathematical algorithms called hash functions, which compute a fixed-length hash value (also called a checksum, message digest, or "fingerprint") from the original file or image; change a single bit of the input and the hash value changes. To be fit for this purpose a hash function must meet two requirements: it must be preimage resistant (the original data cannot be recovered or reconstructed from the hash value), and it must be collision resistant. Because the hash is fixed in length while inputs are not, two different inputs producing the same value cannot be ruled out in principle; the requirement is that finding such a pair be computationally infeasible.

A file-hashing utility should always be used to verify the copying of all files or images. This chapter recommends SHA-1; since it was written, practical SHA-1 collisions have been demonstrated, so record a SHA-256 value as well (a second hash over the same read costs almost nothing, and keeping the SHA-1 value preserves comparability with earlier case files). The hash values should be recorded, along with when the program was run, who ran it, and what program and version was used; this is the information needed for the event reconstruction typical of court cases.
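The dd-style acquisition and the hash verification described above, combined into one script. This is an added example for this page, not code from the book or from any of the products named. The sample disk contents, the block size, the examiner name, and the fault-injecting reader are constructed for illustration. The script copies the source block by block, zero-fills and logs any block that cannot be read (dd's conv=noerror,sync behaviour), hashes original and image with SHA-1 and SHA-256, and emits the chain-of-custody record the text calls for.

```python
"""Forensic bit-stream copy with dd-style conv=noerror,sync behaviour, hash
verification, and a chain-of-custody record. Added example, not from the book.
On a real case the source is the raw device (opened read-only or behind a
hardware write blocker) and the image is written to separate evidence media."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumed block size; real acquisitions use the sector size or a multiple


def hash_file(path, algorithms=("sha1", "sha256")):
    """Hash a file in a single pass with every algorithm requested."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def forensic_copy(src_path, dst_path, block_size=BLOCK_SIZE, read_block=None):
    """Copy src to dst block by block.

    Like dd conv=noerror,sync: a block that cannot be read is logged, replaced
    by zeros of the same size (so every later offset in the image still lines
    up with the original) and the copy continues. Returns the bad offsets.
    read_block(fh, n) is injectable so the error path can be exercised offline.
    """
    if read_block is None:
        read_block = lambda fh, n: fh.read(n)
    bad_offsets = []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        offset = 0
        while True:
            try:
                chunk = read_block(src, block_size)
            except OSError:
                bad_offsets.append(offset)
                src.seek(offset + block_size)      # step over the unreadable block
                chunk = b"\x00" * block_size
            if not chunk:
                break
            dst.write(chunk)
            offset += block_size
    return bad_offsets


def acquire(src_path, dst_path, examiner, block_size=BLOCK_SIZE, read_block=None):
    """Image, verify, and document. Returns (verified, custody_record)."""
    bad = forensic_copy(src_path, dst_path, block_size, read_block)
    src_hashes, img_hashes = hash_file(src_path), hash_file(dst_path)
    ok = src_hashes == img_hashes and not bad
    record = {
        "image": dst_path,
        "source": src_path,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "tool": "forensic_copy (dd conv=noerror,sync equivalent)",
        "block_size": block_size,
        "source_hashes": src_hashes,
        "image_hashes": img_hashes,
        "unreadable_offsets": bad,
        "result": "verified" if ok else "NOT verified: see unreadable_offsets",
    }
    return ok, record


def failing_reader(bad_offsets):
    """Constructed fault injector: a read at any of these offsets fails like a bad sector."""
    def read_block(fh, n):
        if fh.tell() in bad_offsets:
            raise OSError("simulated unreadable sector")
        return fh.read(n)
    return read_block


def constructed_sample_paths(blocks=4, block_size=BLOCK_SIZE):
    """Write a constructed 'disk' of recognisable bytes; return (source, image) paths."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(workdir, "disk.bin")
    with open(src, "wb") as fh:
        fh.write((bytes(range(256)) * (block_size // 256)) * blocks)
    return src, os.path.join(workdir, "disk.img")


def read_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    src, img = constructed_sample_paths()
    ok, rec = acquire(src, img, "A. Examiner", read_block=failing_reader({2 * BLOCK_SIZE}))
    print(rec["result"], rec["unreadable_offsets"], rec["image_hashes"]["sha256"])
```

When the source reads cleanly the two hash sets agree and the record says "verified"; when a block is unreadable the hashes cannot agree (the image holds zeros where the original holds data the drive would not give up), and the record says so and lists the offsets, which is the honest result to put in the notes.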

Security Officer’s Log: Mission-Critical

Logs become evidence when they capture the actions of an illegal act. What logs an organization chooses to keep, and how long it keeps them, depends largely on available space and the average number of entries received. An organization might see frequent probes, anything from port scans to DNS version requests against an open system. Although such probes are annoyances that are not necessarily illegal, it may be important to keep logs of them: if the organization goes to court, such logs provide a complete picture for a jury.

To keep logs from being destroyed by malicious intrusions, system operators will often output some logs to a printer or a CD-ROM device; this can be an expensive route, but it frequently offers greater security. If utilized, this option should be noted in an organization’s policies and procedures, as law enforcement may not automatically think to ask for logs copied in this fashion.

Note 

Different versions of Unix have their logs in different areas. Most of the older versions keep logs in /usr/adm, whereas most newer versions use /var/adm or /var/log for storage.

One of the primary logs used in computer forensics is syslog, the main system log containing a variety of important messages. This is no secret to hackers, and, hence, is often one of the first logs to be modified. In addition, routers and firewalls can be configured to add messages to the syslog.

Note 

A high degree of redundancy exists between syslog’s contents and other logs, so they should be checked against each other; log inconsistencies may indicate security breaches.

Some popular logs that may prove useful include acct, aculog, lastlog, loginlog, sulog, utmp(x), wtmp(x), vold.log, and xferlog. Remember that when any of these logs are copied, a hashing program should be used to verify that the copy matches the original.
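The cross-check suggested in the note above (syslog against the other logs), as an added example for this page rather than code from the book: it parses constructed sshd "Accepted" lines of the kind syslog records and compares them with constructed wtmp-style session records, pairing each login by user, source host, and time, and reports whatever is left unpaired on either side. Hostnames, users, addresses, and times are invented, the year is assumed because classic syslog lines carry none, and the five-second pairing window is an assumption.

```python
"""Cross-check sshd logins recorded by syslog against wtmp-style session
records. Added example for this page, not code from the book; all data below
is constructed. On a real host the syslog lines come from /var/log/messages,
/var/log/auth.log or /var/log/secure, and the wtmp records from `last -F`
or a wtmp parser."""
import re
from datetime import datetime, timedelta

YEAR = 2002  # assumed: classic syslog timestamps carry no year

# Constructed syslog excerpt: two ordinary logins, then a failed root attempt
# followed by a successful one from an outside address.
SYSLOG = """\
Mar 14 02:11:07 mailhost sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar 14 02:40:51 mailhost sshd[1300]: Accepted publickey for bob from 10.0.0.7 port 40022 ssh2
Mar 14 03:05:19 mailhost sshd[1402]: Failed password for root from 192.0.2.77 port 33012 ssh2
Mar 14 03:05:23 mailhost sshd[1402]: Accepted password for root from 192.0.2.77 port 33012 ssh2
"""

# Constructed wtmp-style records: (user, tty, host, login time). The root
# session is absent (as if wtmp had been scrubbed) and carol's session has no
# syslog counterpart (as if syslog had been scrubbed).
WTMP = [
    ("alice", "pts/0", "10.0.0.5", datetime(2002, 3, 14, 2, 11, 8)),
    ("bob",   "pts/1", "10.0.0.7", datetime(2002, 3, 14, 2, 40, 52)),
    ("carol", "pts/2", "10.0.0.9", datetime(2002, 3, 14, 4, 12, 0)),
]

LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_syslog_logins(text, year=YEAR):
    """Return (user, host, time) for every successful sshd login in the text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:            # failures and unrelated messages are not sessions
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        logins.append((m["user"], m["host"], when))
    return logins


def cross_check(syslog_logins, wtmp_records, window=timedelta(seconds=5)):
    """Pair each syslog login with one wtmp record for the same user and host
    whose login time falls within `window` (wtmp is written a moment after
    sshd logs the acceptance). Whatever remains unpaired is reported: a
    syslog-only login suggests wtmp was edited; a wtmp-only session suggests
    syslog was."""
    unpaired_wtmp = list(wtmp_records)
    syslog_only = []
    for user, host, when in syslog_logins:
        match = next((r for r in unpaired_wtmp
                      if r[0] == user and r[2] == host and abs(r[3] - when) <= window),
                     None)
        if match is None:
            syslog_only.append((user, host, when))
        else:
            unpaired_wtmp.remove(match)
    return {"syslog_only": syslog_only, "wtmp_only": unpaired_wtmp}


if __name__ == "__main__":
    report = cross_check(parse_syslog_logins(SYSLOG), WTMP)
    for user, host, when in report["syslog_only"]:
        print(f"in syslog but not wtmp: {user} from {host} at {when}")
    for user, tty, host, when in report["wtmp_only"]:
        print(f"in wtmp but not syslog: {user} on {tty} from {host} at {when}")
```

On the constructed data the root login from 192.0.2.77 appears only in syslog and carol's session only in wtmp; either discrepancy is the kind of inconsistency the note above says to treat as a possible breach, and the same pairing logic extends to sulog against syslog su messages or xferlog against the FTP daemon's syslog lines.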

Windows NT's three main log files (appevent.evt, secevent.evt, and sysevent.evt) are kept in the %SystemRoot%\system32\config directory and are normally viewed with Microsoft's built-in Event Viewer. Web and FTP servers will also have their own logs, which should be preserved as well. It is important to have a current list of installed programs and services to serve as a checklist for log preservation.

Ghosts from the Immediate Past

State tables are another potentially important source of evidence, although their temporary nature makes them difficult to acquire. State tables show actions that take place either in real time or in the immediate past. One of the most popular and powerful is the netstat command, which exists in both Unix and Windows NT environments, with different options for each. The netstat command “displays network connections, routing tables, interface statistics, masquerade connections, netlink messages, and multicast memberships.”

Another temporary source that can sometimes be useful is a system's Address Resolution Protocol (ARP) cache. ARP discovers the MAC (hardware) addresses of hosts on an Ethernet segment, and MAC addresses do not cross routers: a packet that arrives over the Internet carries not the sender's MAC address but that of the last router it traversed, and the remote sender's own MAC address is visible only on the sender's local segment. The ARP cache therefore identifies local machines, including a local attacker's, and if the routers along the way keep the right logs and the path is short, the hop-by-hop record may still be recoverable. Both NT and Unix keep a temporary cache of IP-to-MAC mappings, viewable with the arp -a command.

There are special steps for state table preservation. The command output should be redirected to a text file on the examiner's own media (not cut and pasted from a window, where long tables are truncated), and printing a screen shot as well is advisable. Each file should then be hashed and preserved with the other evidence, with a note of the command, the time it was run, and who ran it, since the same command a minute later will show different results.
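A small capture routine for the state tables and process listings discussed in this and the preceding sections, added here as an example and not taken from the book or any tool it names. It runs each command, writes the output to a file, hashes it, and records the command, time, host, examiner, and exit status in a manifest. The toolkit path, the command list, and the examiner name are assumptions; the two commands in constructed_demo_commands exist only so the routine can be exercised offline.

```python
"""Capture volatile state (network connections, ARP cache, process list,
open files) to files, hash each capture, and write a manifest. Added example
for this page, not from the book or any tool it names.

Assumptions: TOOLKIT is a directory of known-good, statically linked copies
of the commands carried on read-only media, because the binaries on a
compromised host may be trojaned; output goes to the examiner's own media,
never to the suspect disk."""
import hashlib
import json
import os
import platform
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

TOOLKIT = "/mnt/cdrom/bin"      # assumed location of the trusted binaries

DEFAULT_COMMANDS = {             # the state tables discussed in the chapter
    "netstat": ["netstat", "-an"],
    "arp":     ["arp", "-a"],
    "ps":      ["ps", "-ef"],
    "lsof":    ["lsof", "-n", "-P"],
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def capture_volatile(commands, outdir=None, examiner="unknown", toolkit=TOOLKIT, timeout=60):
    """Run each command, save its output, and return the manifest (also written
    to outdir/manifest.json). A command that is missing, fails, or hangs is
    recorded as such rather than silently skipped: the gap is itself evidence."""
    outdir = outdir or tempfile.mkdtemp(prefix="volatile-")
    manifest = []
    for name, argv in commands.items():
        if toolkit:             # force the trusted copy, not whatever is in PATH
            argv = [os.path.join(toolkit, argv[0]), *argv[1:]]
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output, status = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            output, status = b"", f"error: {exc}"
        path = os.path.join(outdir, f"{name}.txt")
        with open(path, "wb") as fh:
            fh.write(output)
        manifest.append({
            "item": name, "command": argv, "file": path,
            "started_utc": started, "host": platform.node(),
            "examiner": examiner, "exit_status": status,
            "bytes": len(output), "sha256": sha256_hex(output),
        })
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def constructed_demo_commands():
    """Constructed stand-ins so the routine can be exercised offline: one
    command that works and one that is missing, to show a failure is recorded."""
    return {
        "hello":   [sys.executable, "-c", "print('hi')"],
        "missing": ["/nonexistent/netstat", "-an"],
    }


if __name__ == "__main__":
    for entry in capture_volatile(constructed_demo_commands(), examiner="A. Examiner", toolkit=None):
        print(entry["item"], entry["exit_status"], entry["bytes"], entry["sha256"][:16])
```

On a live response the call is capture_volatile(DEFAULT_COMMANDS, "/mnt/evidence/host01", "A. Examiner") with the trusted toolkit mounted; the order of the commands is deliberate, most volatile (connections, ARP) first, and the manifest is what goes into the notes alongside the printed screen shots.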

Protecting the Evidence

Generally speaking, two separate back-ups of every relevant file and/or image should be made. These files should be hashed along with the original. The media a company chooses to use will depend on size, speed, and cost issues (tapes versus DVD-RAM versus identical hard disk drives, and so on). More important still is the method by which the media are handled. The forensic chain of evidence requires that the person creating the back-ups, along with anyone who touches the media prior to presentation in court, be clearly documented. Obviously, care must also be taken to protect the media from various environmental elements: Preferably, it should be placed in an appropriate container, taped shut, then initialed and dated. This ensures media authenticity after completion of the back-up. Some type of standard tracking method should be used with every piece of evidence.

Costs of Precaution

No summary chapter on computer forensics would be complete without an examination of the costs involved. There are two kinds: the cost of doing nothing about data-evidence recovery, and the cost of doing something about it. The 2000 CSI/FBI study reported that total losses from data loss, fraud, or abuse for 273 respondents came to $265,589,940 (see Figure 20.2 for a breakdown).[v]

Figure 20.2: The 2000 CSI/FBI study totals losses incurred from data loss, fraud, or abuse for 273 respondents at $265,589,940. (©Copyright 2002. Computer Security Institute. All rights reserved).

Personnel costs associated with computer forensics are dependent on several factors, including the number of different operating systems the person is expected to know. Each additional operating system requires additional training. Costs are fluid, and should be taken only as ballpark figures. Training a staffer with preexisting knowledge to be the rough equivalent of an individual in a forensic laboratory may cost around $25,000 for one platform. Costs for materials examination may run from $10 to $400 for one case. The salary level of the examiner will fluctuate with location and experience. It is possible, of course, to hire an outside forensics specialist. The cost for this type of service varies greatly.

There is a wide range of options when it comes to the software itself. The cost of forensic tools may range from no cost for older, basic tools to over $1,500 for one software package alone. There are also costs for password cracking, both for software and the time necessary on a computer (cost per CPU cycle). It is important to reiterate that every company should keep track of all costs related to the attack, including the amount of time each person spends responding to any damage. Tracking all of these costs is extremely helpful if any court proceedings occur.

Homegrown Salvage Team

Computer forensics is an important part of a larger picture. Every organization should consider forming a Computer Security Incident Response Team (CSIRT, sometimes referred to as a Computer Emergency Response Team, or CERT), if one hasn’t already been established.

Incorporating computer forensics into the responsibilities of any CSIRT bolsters organizational security and makes court actions more successful. This can only help create a safer environment for an organization’s employees, customers, and business partners.

Computer Forensics to Play Central Role in Terrorist Fight

Computer Forensics begins at home. And for the IT manager, that means the server room, where the Internet has brought not only the promise of a worldwide audience but also the threat of worms, hackers, and cyberterrorism. As the United States mobilizes to shore up security at airports and public gathering spaces and in the country’s infrastructure, the IT industry has a central role to play—a role that not only makes business sense but also is important in the unfolding war on terror.

In the same week that the terrorist destruction of the World Trade Center took place, the Nimda worm ran rampant through the Internet. Although there may not be any overt connection between the two events, the continued marauding of worms and viruses across the Net only reinforces a general anxiety about living in an insecure world and a specific feeling that the Net will never be a place where real business can be conducted.

In the past, much of enterprise IT security has been built around firewalls or monitoring products meant to keep the bad guys out. Although that is fine for providing a sense of relief that you avoided the virus that halted the company down the hall, it doesn't do much to solve the problem. That is one of the reasons there was so much to like in LaBrea 2.0, the worm "tarpit": rather than merely keeping a worm off your own network, it answers connection attempts to unused addresses and holds those connections open, so an infected host's scanning threads stall and the worm's propagation slows. Of course, the other thing everyone liked was the price, which was free for the download.

The role of computer forensics in the current rush to security cannot be overstated. Before the government rushes to mandate face scanners, fingerprint identification systems, or simply networks to signal when a bad guy might be applying for a crop duster license, there has to be some consideration of the systems that will be required to run these programs. Developing systems that have what appears to be an effective front end, but in reality are porous, is at least partly to blame in the lax airport security programs that had such a horrific result and still do.

Scanning-in lots of data, tapping lots of phones, or opening lots of encrypted e-mail can drown you in data if you don’t have some way to collect, sort, and analyze it and alert the security official who needs to know of a breach in process. Too much data is often more dangerous than too little, as overwhelming data can give you a false sense of security.

Where does that system expertise reside? It resides in systems that manage credit-card transactions, phone connection and billing system, and data-management systems. The war on terror will be marked by huge amounts of data, gathered electronically and in person, which will be analyzed to focus on a small group of fanatics. It is telling that President Bush used an attack on financial information as the first salvo in the terror war. The IT sector through computer forensics has a crucial role to play in stopping the terrorists before they can strike again.

[iii] Grant Gottfried, "Emerging Technology: Taking A Byte Out Of Crime," Computer Security Institute, 600 Harrison St., San Francisco, CA 94107, 2002. (©Copyright 2002. Computer Security Institute. All rights reserved).

[iv] John R. Vacca, Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill, 2001.

[v] Grant Gottfried, "Emerging Technology: Taking A Byte Out Of Crime," Computer Security Institute, 600 Harrison St., San Francisco, CA 94107, 2002. (©Copyright 2002. Computer Security Institute. All rights reserved).






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Author: John R. Vacca
