Managing Digital Evidence - Essay Example
Interoffice Memo
Date: 04/08/2008
To: Mary Lastrade, Director of Facilities Security
From: YOU as CISO
RE: Chain of Custody Question

Question 1: Managing Digital Evidence

Good morning. You have requested that my team participate with the information security group in the investigation of computer incidents that may involve company computers. You mention "chain of custody". Most of my team comes from law enforcement backgrounds and, of course, we're familiar with the concept of chain of custody as providing the assurance that evidence could not have been tampered with from the time it was collected until the time it is used in court. However, that is for physical evidence. How do you suggest that we manage bits and bytes flowing through cyberspace or trapped on a computer disk? Do we just bag and tag the disk or something like that? Thanks for your prompt (and clear) reply. We're always glad to help, but my team is not computer-trained.

Ms. Mary Lastrade,

Involvement of Law Enforcement Team

We do not undermine the importance of your team in the investigation at hand. I do believe that law enforcement agents can be an asset in this field of investigation, where digital evidence needs to be handled with as much care as any physical evidence, so that we can be assured the evidence has not been tampered with from the time it is collected until the time it is used in court. As you have informed me, your team is not computer-trained. This should not stop your team from broadening the scope of their responsibility. It used to be that only people who were highly trained in computers were able to assist in crimes involving computers or data objects found in computer files. However, due to the proliferation of computer crimes in recent years, it has become quite impractical to employ only the "experts", as this slows down the investigation process.
It is not only impractical; it becomes quite unreasonable to have a few experts perform these duties by themselves (O'Shea, n.d.). Thus it has become necessary that law enforcement agents also be involved in the "chain of custody" at a crime scene where computers are directly involved. In this connection it would be a good thing to come together and discuss vital issues in the management of digital evidence. Your law enforcement team could undergo basic training on how to recognize, seize, transport and store original evidence in order to preserve it for forensic examination. Details of this training will be discussed in a meeting that I hope to have with your team soon. But in a nutshell, let me lay out what I hope will give you an overview of how your law enforcement team could participate in the investigation of the case at hand.

Seizure Methodology

Let us discuss seizure methodology. Traditionally, the first thing that must be done is to secure the physical scene, followed by securing the digital scene. In such a scenario, "all hardware and media are seized, documented, labeled and packaged for delivery to the lab" (O'Shea, n.d.). In the lab, all seized data is analyzed. This is the simplest chain of duties, and it works well if there is only a single computer or a few computers involved. In our case, where a number of computers are involved, the methodology becomes more detailed because seizing all the computers would be quite impractical. Where many computers are involved, the following steps are taken: digital media identification, prioritizing the physical media so as to minimize the crime scene, and then the seizure of storage devices and media. In digital media identification we simply try to find the digital media that has the highest probability of holding the much sought-after evidence.
After the identification of all possible media involved, it must be determined which among these contain information leading to the crime. It would be impractical to take all the devices at the crime scene. Pains must be taken to identify the correct sources of vital evidence. Finally, all items that are tagged to be seized are labeled properly and thoroughly documented (O'Shea, n.d.). This, at a glance, is what we hope to attain by the training. By this we can look forward to working side by side with your team in our effort to eradicate the computer incidents that were reported to us recently. Thank you.

Interoffice Memo
Date: 04/08/2008
To: James Harrison Ford, CFO
From: YOU as CISO
RE: Purchasing forensic tools

Question 2: Your Request for Forensic Tools

I have received your request for several computers and software packages that you say are to be used for "computer forensics". All I know about forensics is what I see on CSI, and I don't believe that we are investigating murders here at Three-Prong Blivits, Inc. You have asked for a specialized PC, a copy of something called EnCase Forensics, training for your team and several other items. How are you going to use these? Are we conducting post mortems of dead computers? Why do we need all this stuff? It's pretty expensive. If I can get your justification by the end of the week, I'll take it up with the CEO and get back to you.

Mr. Ford,

Computer Forensics

What you have written in your memo was once true in my case as well. Long ago, all I knew about forensics was what I had seen on CSI. However, I have learned that not all forensics is used for investigating murders and physical criminal activities. There is also such a thing as computer forensics. CSI-type forensics takes the physical evidence, examines it and relates it to the crime. Computer forensics, on the other hand, first has to look for that evidence.
Basically, the difference between the two is the following: CSI-type forensics focuses on identifying and individualizing evidence. Computer forensics, on the other hand, focuses on locating evidence in digital sources and analyzing that data. For example, if red liquid is found at the crime scene, physical forensics seeks to find out whether the red liquid is fruit juice or blood, what source it came from and how it relates to the crime. In computer forensics, an example would be unearthing the evidence in a deleted email message and relating it to the crime. Computer forensics is as important as physical forensics. Why? Because in this present age, computers are used by almost every sector of society. We communicate with computers, we keep records on our computers and we can do a host of tasks using computers. Thus, with this advancement comes also a new set of criminals using the computer as their crime scene. No, we don't investigate dead computers; computer forensics investigates crimes committed using the computer or within the computer. Furthermore, computer forensic experts do not merely try to locate evidence on computer media; they also make sure that the evidence they recover is protected, maintaining a strict chain of custody so that the evidence is presented in its original form.

EnCase Forensics

To answer your inquiry about the specialized PC and the EnCase Forensics software that I have requested for the training of my computer forensic team, let me say that the amount we will spend on these items is worth the service they can render to Three Prong Blivits, Inc. To give you an idea of what this software can accomplish, let me say, first of all, that it provides computer forensic investigators with a single tool that can handle large-scale investigations from start to finish. It has an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine.
Data acquisition is very reliable, and it is being used in courts around the world (Guidance Software, 2007). This single tool can investigate and analyze multiple platforms such as Windows, Linux, AIX, OS X, Solaris and the like. It also works in the shortest time possible in terms of analysis because it automates complex and routine work with built-in EnScript modules. More importantly, information that criminals seek to hide or delete is found by this program. It can view and manage volumes and volumes of files and is able to transfer evidence files directly to the proper authorities. Thus reviewing and reporting are done with ease (Guidance Software, 2007). Need I say more? Your computer information systems are thus protected, and incidents of computer crime become manageable. In which case, the amount that you might spend on forensic investigations is diminished with the use of this single tool.

PC Requirements

Finally, on the need for a specialized PC, this is what I have to say. If you are convinced by the EnCase software, then it becomes necessary that we satisfy the system requirements to run the program. In which case, we shall be needing PCs that have the following: Windows 2000, XP, or 2003 Server; a single 3 GHz Intel or AMD processor or better; 1 GB of RAM (2 GB or more recommended); 1 USB port; and ample data storage to support evidence file acquisition (Guidance Software, 2007). I hope that this has given sufficient justification for my request for the computers and the special software for our forensic team. We look forward to your positive response regarding this matter. Thank you very much.

Interoffice Memo
Date: 04/08/2008
To: Deliberto Incapax, CIO
From: YOU, CISO
RE: Hacking Incident Investigation

Question 3: We Bin Hacked!!!!

I have been notified by the senior network administrator that we have experienced an intrusion from a Middle Eastern country.
She suspects that the attacker has placed a bot in our network for the purpose of stealing intellectual property. She says that you and your team are real forensics wizards and that I need to get you on this at once. The incident happened about four weeks ago and it involved two of our main servers. Can you get me an investigation plan ASAP, please? I would like to get on this within the next month if possible.

Mr. Incapax,

Importance

First of all, if you delay looking into this for a month, you might just find all your computers infiltrated by the bot that is in your network. You cannot imagine the damage that it can do to our company, because at the rate a bot network works to steal intellectual property you might just wake up one day having lost all the vital documents stored on your computers. Let us imagine a real theft committed in your home. Once you realize that a thief is lurking in the surroundings, your first reaction should be to put up a wall to protect your premises, if you haven't put one up already. This might at least prevent the thief from entering your home in the future. Another device that you could put up is a burglar alarm system to further protect your premises.

Firewall and IDS

I would liken a fence to the software called a "firewall": it is a security application which controls the network traffic that goes in and out, and denies or permits passage based on a set of rules (Wikipedia). In like manner, the burglar alarm system is like an IDS (intrusion detection system), which generally detects unwanted manipulations of computer systems, mainly through the Internet (Wikipedia). This, I would suggest, is what we should look into immediately, and then an investigation process will follow, in which planning, gathering of evidence and apprehending the perpetrator take place.
In the event that firewall or IDS systems fail because of the sophistication of modern intrusion techniques, the company has to develop a proper and quick response plan in order to meet future security incidents. In this regard our forensic team would follow a clear-cut set of steps in our post-incident investigation.

Post-Incident Investigation Plan

The basic procedure here is the documentation and collection of all relevant data that can be gathered from the digital crime scene. This should be done before the company initiates a change of system or a reinstallation of affected components of the system. Changes or reinstallations may greatly affect the original data needed in the furtherance of the investigation. Simply restoring a system might be an easy solution to the problem, but digital investigation, while not easy to perform, has more considerable benefits (Rekhis, 2007). The following is the post-incident investigation plan (Rekhis, 2007) our forensic team hopes to follow:

1. Try to find out how the hacker was able to infiltrate the system, and how it was performed. Knowledge of this solves a big chunk of the problem, because through this we can identify the weaknesses of our security system and its design. Where was the hacker's point of entry? What method did he use?
2. Try to find out the source of the bot network. This can help us trace the identity of the intrusion perpetrator.
3. Collect digital information from the secured digital scene. These data are analyzed using special software like EnCase. From the results of the analysis we can have ample proof to bring the hackers who committed the crime to prosecution.
4. Study further the hacker's movements, his trends, motives and operating behavior. This is beneficial for future use. With this we can take better security measures so that the same incident will not happen in the future.
5. Study the results with methods and techniques that are well-tested and proven.
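The chain-of-custody question in the first memo (how to "bag and tag" bits rather than a disk) and step 3 of this plan both come down to proving that the data collected from the scene is unchanged from acquisition to presentation. The following Python example is added here and is not part of the essay or its sources; it shows the standard approach of hashing the evidence at acquisition and keeping a tamper-evident custody log, with a constructed evidence fragment and constructed item ids and custodian names.

```python
"""Hash-verified chain of custody for one digital evidence item.

Added example (not from the essay or its sources). Every name, id and
evidence fragment used with it is constructed for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw evidence bytes; the digest taken at acquisition is
    the reference value every later custodian must reproduce."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int
    timestamp: str
    action: str            # acquired / transferred / examined
    custodian: str
    observed_hash: str     # digest of the evidence bytes as seen at this step
    prev_entry_hash: str   # digest of the previous entry: links the log into a chain
    entry_hash: str = ""   # digest over this entry's own fields, set by seal()

    @staticmethod
    def digest(fields: dict) -> str:
        body = {k: v for k, v in fields.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def seal(self) -> "CustodyEvent":
        self.entry_hash = self.digest(asdict(self))
        return self


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def log(self, action: str, custodian: str, data: bytes,
            when: Optional[str] = None) -> CustodyEvent:
        """Record a custody step, re-hashing the bytes the custodian actually holds."""
        prev = self.events[-1].entry_hash if self.events else "GENESIS"
        ev = CustodyEvent(len(self.events),
                          when or datetime.now(timezone.utc).isoformat(),
                          action, custodian, sha256_hex(data), prev).seal()
        self.events.append(ev)
        return ev


def acquire(item_id: str, description: str, data: bytes, custodian: str,
            when: Optional[str] = None) -> EvidenceItem:
    """Bag-and-tag for bytes: fix the reference digest and open the log."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.log("acquired", custodian, data, when)
    return item


def evidence_intact(item: EvidenceItem, data: bytes) -> bool:
    """True only if the bytes still match the digest recorded at acquisition."""
    return sha256_hex(data) == item.acquisition_hash


def first_mismatch(item: EvidenceItem) -> Optional[int]:
    """Sequence number of the first step whose observed digest differs from
    the acquisition digest (the step at which custody failed), or None."""
    for ev in item.events:
        if ev.observed_hash != item.acquisition_hash:
            return ev.seq
    return None


def log_intact(item: EvidenceItem) -> bool:
    """True only if every entry re-hashes to its stored value and links to its
    predecessor, i.e. nobody edited the custody log after the fact."""
    prev = "GENESIS"
    for ev in item.events:
        if ev.prev_entry_hash != prev or CustodyEvent.digest(asdict(ev)) != ev.entry_hash:
            return False
        prev = ev.entry_hash
    return True
```

The log answers two separate questions a court will ask: whether the evidence bytes match what was acquired (evidence_intact, first_mismatch) and whether the custody record itself was altered (log_intact).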
This investigation plan should prove beneficial to the company. Our computer forensic team is looking forward to helping bring the perpetrators to prosecution.

Interoffice Memo
Date: 04/08/2008
To: Sherri West, Network Administrator
From: YOU, CISO
RE: Incident handling procedures

Question 4: Incident Response

Following our recent incident with a bot inside the network as the result of a breach of our firewall, the CIO has asked me to put together an incident response plan. Part of that plan needs to address a serious problem we both know that we have. My job is to keep the systems online and in production as efficiently as possible. Your job is to investigate incidents. That means that you have to take down our computers for forensic testing. How can we both do our jobs if our two goals are in conflict like this? I really think that we need to resolve this in the incident response plan. Could you drop me an email with your thoughts about this in the next day or so, please? You know Deliberto; he got a pretty stern talking-to from the CEO after the last incident and he wants this managed ASAP. Thanks! I'm sure that we can work this out.

Ms. West,

Problem Observations

Your observations have been noted by our team. The problem, however, is not as complicated as you perceive it to be. I agree that we need to come up with an incident response plan, which I hope to propose in the remainder of this message, but for the moment we are already faced with the problem at hand: a bot inside our computer network. You have mentioned conflicts in our areas of responsibility. I beg to disagree with your statement that we cannot do both our jobs efficiently while this hacking incident is being investigated. To make the discussion brief, our forensic team's task is initially to identify only the system components that were primarily affected by the security breach.
Securing the digital scene does not mean that all computer systems have to be shut down until the investigation is done. Our team's first task is to limit the digital devices that need to be taken down and secured for investigation, because it would be quite impractical to shut down all systems for investigation. Only those components which are highly likely to contain evidence of computer crime are taken down to the lab. In this way, the crime scene is limited in scope, which will speed up the resolution of the crime. Hence, computers and other devices which are not found to contain vital information or evidence regarding the criminal activity are not used in the investigation. Not all systems will be shut down and therefore your work need not be greatly disrupted. Of course, you will have to suffer some inconvenience from losing some devices to the forensic investigation. Be that as it may, the company's procedures and processes as a whole do not need to suffer delays because of this.

Incident Response Plan

As I promised earlier, I wish to propose the following incident response plan (Tulane University, 2006; Shimonski, 2004; Carnegie Mellon University, 2008), which can be useful in future incidents that might occur within our company.

1. It is always good to have an incident response team ready to take on incidents in the quickest possible time frame. This team will be composed of company division heads and members of the computer forensic team. In the event of security breach problems, this team is in charge of initial handling and communication of the problem observed.
2. The team then conducts triage of the incident. After which they assist in containment of the incident, gather information for reports and, in the event of criminal activity, may conduct or assist in forensic investigation.
3. The team then assesses the damage done to the system and takes charge of returning company operations to normal, rebuilding servers and systems and a host of other considerations to restore whatever has been affected by the incident. This is one of the most critical steps to be performed, that is, to get your systems back online.
4. Finally, the team is to follow up by making reports to affected parties or parties that need to be informed, such as notifying law enforcement agencies in the case of cybercrimes. This follow-up procedure also includes discussions on changes to be made in company procedures, issues of configuration and any tasks that were not completed during the early response stage.

As part of the strategy, we find the need to update our policies regularly. Update a plan after an actual incident so that you may see how it fared and how you might have done things better. I hope that through this I have relieved you of the dilemma you are facing right now. And may we soon be able to form that computer security incident response team that will handle initial work in the event that criminal activity in cyberspace is detected.

REFERENCES

Rekhis, S. [2007]. Theoretical Aspects of Digital Investigation of Security Incidents. Retrieved 8 April 2008 from http://www.cnas.org.tn/thesis/thesis_report_final_version_english.pdf
Tulane University [2006]. Computer Incident Response Plan. Part of Technology Services Disaster Recovery Plan. Retrieved 8 April 2008 from http://security.tulane.edu/TulaneComputerIncidentResponsePlan.pdf
Shimonski, R.J. [2004]. Make an Incident Response Plan. Retrieved 8 April 2008 from http://www.windowsecurity.com/articles/Make_an_Incident_Response_Plan.html
Carnegie Mellon University [2008]. CSIRT FAQ. Retrieved 8 April 2008 from http://www.cert.org/csirts/csirt_faq.html
O'Shea, K. [n.d.]. Seizure of Digital Information. Retrieved 8 April 2008 from http://www.syngress.com/book_catalog/sample_1597491632.pdf
Wikipedia. Firewall. Retrieved 8 April 2008 from http://en.wikipedia.org/wiki/Firewall_(networking)
Wikipedia. Intrusion Detection System. Retrieved 8 April 2008 from http://en.wikipedia.org/wiki/Intrusion_detection_system
Guidance Software [2007]. About EnCase Forensic. Retrieved 8 April 2008 from http://www.guidancesoftware.com/products/ef_index.aspx