Feed on
Posts
Comments

When doing Computer Forensics it is uninvitable that you sooner or later will come across a computer where a person full life is stored in pictures, letters and so forth. That is the time you realise what is tough in this line of business. It is not finding a way around an encrypted file or reading page after page with agreements or mails. It is seeing the guy, you know have done something bad, on vacation with his kids. Seeing them laugh while you are preparing to bring havoc in their lives.

Lets face it. Many times your investigations means bad things for people. They loose their work, they loose money, they loose their freedom and goes to jail. In the meantime you sit there with there vacation photos.

Before you start out in this line of work make sure you have a contract with a professional speaking partner in case you need it. You never know when you can´t stand to see the pictures more and thats the time you need the support. No one can work with Computer Forensics without getting a bad case or two. If you cannot stomach it, be a professional and hand it over to someone who can.

Even if encryption is a very good tool for protecting data it do tend to come in the way when doing Computer Forensics. Pointsec gladly has a way to login in so that you could read the harddrive decrypted without booting the operatingsystem. By pressing CTRL+F9 when you see the logon to Pointsec and then login you will be able to have it boot from a floppy. You will not notice any changes in Pointsec when pressing CTRL+F9 but the boot will take place on the floppy, and on floppy only. By using a bootdisk from www.guidancesoftware.com you could then start the DOS-version of Encase, set the computer up in Server mode, connect it with a networkcable directly to another computer(not via hub or switch) running Encase and from there start copying the harddisk. It takes about 6-12 hours so you are up for a wait.

You could also mount the drive using a writeblocker if you have loged on to another computer with pointsec that has access to the drive you are mirroring. I have not tested this, yet.

Security Architecture is a wonderful tool to use. There are so many marvelous words to use to really make everything totaly hopeless to understand. I recently attended a discussion regarding Security Architecture and was served a lot of terminology that I did not understand. When I asked him it turned out that he did not either. So I decided to explain a few words that often comes your way in this area.

Trusted Computing Base is in short the computers that you trust are safe and secure. When looking at how you protect your information, servers and so forth the trusted computing base is that part that you do not need to protect your other computers from. Just to give you an example: many years ago everyone always trusted the computers inside the firewall in the corporate net. Then viruses came through floppys and in a short amount of time clients was excluded from the trusted computing base. Today you probably do not trust anything but your domain controllers if even that.

Trusted computing base is used as a way to reason regarding changes in your IT-structure. Lets say for example that you decide to let a company store your mail in case your mailservers are down. They will probably screen for spam and viruses as well. When you look at it from an information perspective you actually let that company decide what information is passed to your company. If you also choose to not have own screeners for spam and email then that company is actually part of your trusted computing base. The question is: Do you trust those guys? Have you actually thougt about that you trust them with access to your information?

When I do Computer Forensics one of the largest problems is to find all the needed information. Most of the time we have to recreate this from different sources if it is at all possible to do. With this little casestudy I will try to give the basic setup for what is needed to have a good workable that has the possibilities for computer forensics without beeing intrusive.

From a business point of view Computer Forensics is just a waste of money as is most kinds of security. Thats why we have compliancestructures like SOX, PCI DSS and so forth. In many cases compliance states that to be compliant you have to log usage of information. To be able to do that you have to have an agreement with the local union (differs from country to country) and a security policy that states that due to compliance issues some or all access to information will be logged. It should also state that the company is allowed to analyse the computer and look for cases of non-compliance.

From an information point of view the information that should be logged has to be classified as sensitive. This should be done in conjunction with the local laws and regulation and also include privacy laws.

When we look at the systems that containes the information this could be everything from a fileserver to a complicated business system or datawarehouse. In all cases access to and usage of the information marked sensible should be possible to log into either a central repository directly or to local files that are frequently copied to a repository. This may sound simple but could in many cases rule out many systems or demand extensive changes.

The last part is the infrastructure. At this level we have to focus on where information resides, travels and are consumed (used). In all these cases we have to have logging activated. We should be able to trace a computer through a network, to a server, to the actual information it tries to access and back again. We should also be able to track who is using the computer so logs from the cardreades at a the doors, thumbprints and such will also help. The central repository should be access by as few people as possible and be as big as possible to make queries against it possible to run in a small amount of time.

Finally it should be easy to copy a harddrive in case it is needed. With the right amount of logging this will seldom be needed. So if encryption is used at clients computers, as it should be, it should be possible for a administrator to unlock it.

When I look inside a computer I find a lot of stuff that could prove as evidence in several cases but sometime the evidence in it self is not enough. In some cases we want to find where the information came from, what connections existed on the computer when it was active or how an infection spread to and from the computer. The solutions for this is logs, logs, logs. On every computer there should be a local firewall with logging capability and logs that are copied to a central repository. In the outgoing firewall there should be extensive logs that are also copied to a repository. These logs should be made availabel for the investigator as well. With this we could have true computer forensics going on.

In swedish newspapers there have been a prolonged discussion regarding young girls beeing harassed or threatend to be harassed if they do not do guys homework, do this or that on a party or whatever the culprit is after. Sadly the reaction has been way to mild and possibly this is due to little or no knowledge from the reporter and school management. During my years as an investigator I have helped persons beeing harassed by playing hide a seek and making the culprit expose themselves. First thing to do is to activate logging in each and every part of possible conversations. If MSN Messenger, ICQ, Skype or other chattprogram is used extensive logging should activated. The namestandard sadly differs but what is needed is the history of the conversation. Added to this should printscreens be taken catching the online name, email and timestamp of the person harrassing. This information should be used as proof.

Next thing to do is to check and eliminate as much as possible of sensible material from internet. What the sensible material is differs of course but most commonly is pictures. With this is not said that a persons life should disappair from internet but to minimise the possible ways to create damage until the problem is solved.

In case mobilephones is used every SMS and call should be logged. Check with the phone service company and request tracking of phonecalls. This information should be used as evidence as well. 

Last but not least is to check the header of every email. Bu looking at the IP is is rather easy to find the person behind it. If it is regarding as a simple prank it could be a little harder to make the police give you the name of the person behind the IP. In many cases the IP is the local school. This information could be found on www.ripe.net. From there you go to to local IT-responsible and hope they have firewalls with logging capability that makes it easy to find the computer where the person has logged in. And from there we could find the actual account that was used.

In cases that the harasser decides to hide him or herself I have sometimes taken over chats and steered them against a date or some other activity where they expose some kind of personal details. You should never every do this by yourself. You could never know who is on the other side, what kind of drugs this person could be using and so on. After we have had enough of evidence we have set up a meeting and called the police.

It is very hard for someone to be anonymous on the internet but with todays investigation resources it is very easy to get away with this kind of crimes. But as long as logs exist there is always a chance to capture them.

Most important is to actually take the girls (and boys) concerns very seriously. It may for a grownup with a solid personal integrity seem like something that you just ignore but for a teenager it could and possibly would be a direct assult on them they are not prepared to handle.

A few simple words. How do you create a security architecture? The answer is: You don´t! What you really do is to take an architecture that shows the businessflow, information flow or the technical infrastructure and adds security properties on all and every object while you look on the three different phases information could reside in: stored, transported or consumed.

By applying a good knowledge of security on an architecture there is a good chance the you will be able to secure your company from external threats. As long as you know what the external threats are. If you havn´t done any kind of riskanalysis then you could be in for a good surprise when you look at whom you try to defend against.

Some tools

Every investigator needs access to several tools. One of the most important is you investigationapplication, for example Encase. In this you´ll do the mainpart of your analysis and there you´ll find deleted files, encrypted files, check timestamps, views pictures and so forth. Every investigation will generate a lot fo files that you need to examine further euther because Encase cannot handle them or if they are protected by a password. The most common files are mailfiles like.pst or .ost. Fo be able to view these you have to use a tool to convert the .ost to .pst and possibly later on crack passwords. Good tools for this are OnTrack Easy Recovery Professional, Office Recovery Enterprise and Passware Kit. After you have gotten the .pst in a readable format Outlook is the most appropriate tools to view the mails. Microsoft has published a tools named LookOut that indexes the mails. This one is a real timesaver and makes sure that you do not miss any important information. Other good tools to crack passwords are L0phtcrack and a few large Rainbow tables containing swedish letters.

Theese tools is a starters edition for simple investigations makes you able to initiate smaller investigations for mailfraud, breach of information security policy and so forth. The licensing for these tools are around 6 000 € making the initial cost for CF rather high.

Computer Forensics (CF) is the art of securing evidence in an computer to be able to give answers when an incident happens. Depending on the case different kinds of computers and devices has to be copied to the investigation.  Note the word copied. To make sure that all information is available, that an investigation in any given aspect could be repeated in court and to lower the downtime of the system every computer or device should have their harddrives and memorychips copied. The files are then added to an investigation in for example Encase (www.guidancesoftware.com) but there are of course several others as well.

Computer Forensics is not a big industry in sweden and the number of experienced investigators is very small. In USA CF is a lot bigger and the tendency we see is that the market is slowly growing. To be able to grow there are several criteria that has to be in place. For example a security policy should be published in the company to make sure that there are now legal problems with initiating an investigation.

« Newer Posts