Computer Forensics
The Legal Side of Incident Response

Ioanna Kantzavelou
Technological Educational Institution - TEI of Athens
Department of Informatics

Symposium on Innovation of Computer Science Curriculum in Higher Education
February 2004



Outline at a Glance

– The Incident Response area
– Computer Forensics
  – Definition and meaning
  – Main principles
  – Requirements
  – Roadmap
– Conclusion and Future Work
– Resources

Incidents

Incident: any security-relevant adverse event that might threaten the security of a computer system or a network.

An event must have observable and recordable characteristics, e.g.:
– a connection to a system via a network,
– a file access,
– a system shutdown, etc.

Adverse events:
– system crashes,
– packet flooding within a network,
– unauthorized use of another user's account,
– defacement of a web page,
– execution of malicious code,
– floods, fires, electrical outages, etc.

Types of Incidents

Most incidents point towards a loss of:
– Confidentiality,
– Integrity, or
– Availability.

Different types of incidents:
– reconnaissance,
– repudiation,
– harassment,
– extortion,
– pornography trafficking,
– organized crime activity,
– subversion,
– hoaxes, etc.

Incident Response

Incident Response is a new field with similar goals to IT Security.

Scope: to negate or minimize the impact of an incident by reacting with certain actions.

It can be used to restore confidentiality, integrity, and availability.

A particularly important part of the legal side of incident response is the area of forensics.

Computer Forensics meaning

Forensic (adj.)
– belonging to courts of law; used in legal pleading.
– relating to sciences or scientists connected with legal investigations.

Forensics (n.)
– the art or study of public debate.

Forensics
– any systematic or scientific examination of evidence in the investigation of a crime.

Computer forensics
– (cyber-forensics) the detailed examination of computer systems in an investigation.

CF scope and characteristics

Scope: the collection and search of specific data that will serve as acceptable evidence in a court of law.

Computer Forensics deals with:
– storage media (e.g. hard disks),
– the examination and analysis of network logs.

It is a repeatable, scientific process: an expert follows a step-by-step methodology that preserves the integrity of the evidence. This methodology does not vary substantially between different investigations and technologies.

Main Principles

Scope: to protect the investigator, the evidence, and the accused party and his/her rights.

Principles regarding Ethics:
– The investigator must have the authority to seize and search a computer.
– The search should have clearly defined goals.

Principles regarding the process:
– A set of rules eliminates the possibility of tampering with evidence.
– Guidelines assist in maintaining these rules.

Rules to prevent tampering with evidence

Rule 1. The examination should never be performed on the original media.

Rule 2. The copy is made onto forensically sterile media. New media should always be used if available.

Rule 3. The copy of the evidence must be an exact, bit-by-bit copy. In practice this is proven by computing a cryptographic hash of the original and of the copy and recording that the two values match.

Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (in practice, a hardware write-blocker sits between the evidence drive and the imaging machine).

Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.

Rule 6. The chain of custody of all evidence must be clearly maintained, to provide an audit log of who might have accessed the evidence and at what time.

CF Requirements

An Incident Response team (Computer Incident Advisory Capability - CIAC, Computer Emergency Response Team Coordination Center - CERT/CC, etc.), or an individual expert, who must:
– be trained in the use of a wide range of forensic tools,
– clearly understand the scope of the investigation, and
– plan the examination step-by-step.

Hardware:
– Build a forensics machine from scratch, or
– buy a ready-made machine from vendors.

Software (generally accepted software tools):
– Media acquisition tools
– Searching tools
– Integrated suites

Roadmap

Data Acquisition → Examination → Results Presentation → Evidence

Examination:
– Conducts technical analysis to identify objects.
– Evaluates content as evidence.
– Determines relevance (the “chain of custody” problems).

Media Acquisition Tools

Acquisition objectives:
– the software must produce an exact, bit-by-bit copy, and
– the software must not modify the original data in any way.

– Hardware copying devices.
– Disk-cloning software (e.g. DriveCopy, www.powerquest.com).
– Safeback (www.forensics-intl.com), which certifies that the copy is an exact, bit-by-bit copy of the original.

Searching Tools

Searching requirements:
– A capable search tool that does not modify data.
– A careful plan of what to search for.

– File viewers (e.g. Norton Utilities).
– Dedicated file viewers (e.g. QuickView Plus).
– Disk editors (e.g. Norton Disk Editor).
– Hex editors.
– The file search capability within Windows.
– The grep utility (UNIX and Windows NT).
– Specialized search tools for law enforcement use, to search and categorize images (pornography on seized systems).
– DiskSearch Pro (www.forensics-intl.com), a text search program.

Integrated Suites

Integrated software suites provide the capability:
– to acquire data,
– to perform searches,
– to produce reports.

– Byte Back (www.toolsthatwork.com)
– DriveSpy (www.digitalintel.com)
– EnCase (www.guidancesoftware.com)
– Expert Witness (www.asrdata.com)

Data Acquisition

The U.S. Justice Department has defined guidelines for search and seizure of electronic evidence.

The basic rules are:
– Document everything that the investigator does.
– Take all appropriate steps to ensure that the evidence itself is not compromised in any way during the acquisition.

Data Acquisition (cont.)

Steps to preserve the evidence and provide the investigator with any required data:
1. Secure the physical area
2. Shut down the system
3. Secure the system
4. Prepare the system
5. Examine the system
6. Prepare the system for acquisition
7. Connect the target media
8. Copy the media
9. Secure the evidence

Note that step 2 discards volatile data (memory contents, running processes, open network connections); where those matter to the case, they must be captured before the system is shut down.
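The six anti-tampering rules, the acquisition objectives (exact bit-by-bit copy, original never modified) and steps 8 and 9 above come down to three things in software: a block-by-block copy from a source opened read-only, a hash comparison proving the copy is exact, and an append-only custody log. The following Python script is an added example written for this page, not code from the talk or from any of the tools it names; the "medium" is a constructed file and the function names (`image_medium`, `verify_image`, `custody_entry`, `acquire`) are this example's own. It also shows the check a practitioner wants to see: a single byte written to the image afterwards makes verification fail.

```python
"""Added example (not from the original slides): bit-for-bit imaging of a
source medium, hash verification of the copy, and a chain-of-custody log.
The source medium is a constructed file; the function names are this
example's own."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # sector-sized chunks, as an imaging tool reads them


def sha256_of(path):
    """Hash a file block by block; never loads the whole medium into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_medium(source, dest):
    """Rule 3: copy every byte, in order, including a trailing partial block.
    Rules 4/5: the source is opened read-only and is never written to."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    return os.path.getsize(dest)


def verify_image(source, dest):
    """Independent proof that the image is an exact, bit-by-bit copy."""
    return (os.path.getsize(source) == os.path.getsize(dest)
            and sha256_of(source) == sha256_of(dest))


def custody_entry(log, examiner, action, item, digest):
    """Rule 6: append-only record of who handled what, when, and the hash seen."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item": item, "sha256": digest}
    log.append(entry)
    return entry


def acquire(source_path, image_path, examiner):
    """Hash the original, image it, hash the image, verify, log every step."""
    log = []
    original_hash = sha256_of(source_path)
    custody_entry(log, examiner, "hash-original", source_path, original_hash)
    image_medium(source_path, image_path)
    image_hash = sha256_of(image_path)
    custody_entry(log, examiner, "image-created", image_path, image_hash)
    ok = verify_image(source_path, image_path)
    custody_entry(log, examiner, "verify-" + ("match" if ok else "MISMATCH"),
                  image_path, image_hash)
    return ok, original_hash, image_hash, log


def demo():
    """Constructed medium of 9998 bytes (not a multiple of BLOCK_SIZE), so the
    partial last block is exercised. Returns (verified, hashes_equal,
    verified_after_tampering, custody_log)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect_disk.raw")
    img = os.path.join(tmp, "suspect_disk.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 39 + b"END-OF-MEDIUM!")
    ok, h1, h2, log = acquire(src, img, "examiner-01")
    # One accidental byte written to the image breaks verification (Rule 5).
    with open(img, "r+b") as f:
        f.seek(0)
        f.write(b"\xff")
    tampered = verify_image(src, img)
    return ok, h1 == h2, tampered, log


if __name__ == "__main__":
    ok, same, tampered, log = demo()
    print("image verified:", ok, "| verified after tampering:", tampered)
    print(json.dumps(log, indent=2))
```

Run it directly to see the custody log as JSON. In a real acquisition the source would be a device node reached through a hardware write-blocker, and the two hash values would also be recorded on the paper custody form that travels with the media.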

Examination

Examining the evidence is not straightforward:
– Plan what items to search for.
– Narrow the search to an acceptable scope.
– Define what constitutes a successful (or unsuccessful) conclusion.
– Recover deleted files, because data might be found in file fragments or file slack.
– Image files, which are often highly compressed, are especially difficult to reconstruct.
– Certain OS structures might contain crucial evidence (e.g. the Windows Registry, event log files).
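Two of the points above, recovering deleted data from slack and unallocated space and searching for specific items without touching the evidence, can be shown on a raw image. The following Python script is an added example written for this page, not code from the talk or from any tool it lists; the 64 KiB image is constructed inline (an allocated text file, slack left by an earlier file, a deleted JPEG, a UTF-16LE string and a truncated JPEG) and the function names are this example's own. It maps the image read-only, runs a keyword search in both ASCII and UTF-16LE form (an ASCII-only grep misses the second), and carves JPEGs by signature, including one whose footer is missing.

```python
"""Added example (not from the original slides): read-only keyword search and
signature carving over a raw disk image, covering unallocated space and file
slack as well as allocated files. The image is constructed below; the
function names are this example's own."""
import mmap
import os
import tempfile

# Signature bytes a carver looks for; no filesystem metadata is consulted.
JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"
MAX_CARVE = 10 * 1024 * 1024  # cap for a header with no footer (truncated file)


def open_readonly(path):
    """Map the image read-only; any write through the mapping raises."""
    with open(path, "rb") as f:  # mmap duplicates the descriptor, so closing f is safe
        return mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)


def find_all(data, needle):
    """Every offset of needle in data (overlapping hits included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def keyword_search(data, word):
    """Search the ASCII and UTF-16LE forms; Windows artifacts (Registry, event
    logs) often store the latter, which a plain grep for the ASCII text misses."""
    return {"ascii": find_all(data, word.encode("ascii")),
            "utf16le": find_all(data, word.encode("utf-16-le"))}


def carve_jpegs(data):
    """(start, end, complete) for each JPEG header, wherever it sits in the
    image; deleted files whose directory entries are gone are found too."""
    results = []
    for start in find_all(data, JPEG_HEADER):
        footer = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if footer == -1 or footer - start > MAX_CARVE:
            # Truncated or overwritten: report a capped region, flagged incomplete.
            results.append((start, min(start + MAX_CARVE, len(data)), False))
        else:
            results.append((start, footer + len(JPEG_FOOTER), True))
    return results


def build_image(path):
    """Constructed 64 KiB image: an allocated text file, slack from an earlier
    file, a deleted JPEG, a UTF-16LE string and a truncated JPEG (no footer)."""
    img = bytearray(65536)

    def put(off, blob):
        img[off:off + len(blob)] = blob

    put(0x1000, b"Meeting notes: nothing of interest.")                   # allocated file
    put(0x1100, b"...confidential merger draft v3...")                     # file slack
    put(0x4000, JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 300 + JPEG_FOOTER)  # deleted JPEG
    put(0x8000, "confidential".encode("utf-16-le"))                        # UTF-16LE artifact
    put(0xC000, JPEG_HEADER + b"\xe1" + b"\x02" * 100)                     # truncated JPEG
    with open(path, "wb") as f:
        f.write(img)
    return path


def examine():
    """Returns (keyword hits, carved JPEGs, whether the mapping accepted a write)."""
    tmp = tempfile.mkdtemp()
    path = build_image(os.path.join(tmp, "evidence.dd"))
    data = open_readonly(path)
    try:
        hits = keyword_search(data, "confidential")
        jpegs = carve_jpegs(data)
        try:
            data[0] = 0xFF  # an accidental write: the read-only mapping refuses it
            writable = True
        except TypeError:
            writable = False
    finally:
        data.close()
    return hits, jpegs, writable


if __name__ == "__main__":
    hits, jpegs, writable = examine()
    print("keyword hits:", {k: [hex(o) for o in v] for k, v in hits.items()})
    print("carved JPEGs:", [(hex(s), hex(e), ok) for s, e, ok in jpegs])
    print("mapping writable:", writable)
```

The slack fragment at 0x1100 and the JPEG at 0x4000 would be invisible to a directory listing; both are found because the search runs over every byte of the image rather than over the filesystem's view of it.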

Limitations

– A forensics examination can, at best, identify the computer involved in an incident.
– Placing a specific person at that computer is extremely difficult without additional evidence.
– Finding evidence that a computer was used to access other systems is much more difficult.
– A forensics examination that does not also involve other corroborating evidence sources cannot be conclusive.
– A skilful user makes the examiner's job difficult, if not impossible.

Conclusion and Future Work

Forensics is an extremely valuable tool in the investigation of computer security incidents.

Considerable legal issues arise when investigating computer systems.

Intrusion Detection might support Computer Forensics in the future, and vice versa.

Resources

– Eoghan Casey (ed.), Computer Crime Investigation: Forensic Tools and Technology, Academic Press, 2002.
– E. Eugene Schultz and Russell Shumway, Incident Response: A Strategic Guide to Handling System and Network Security Breaches, New Riders, 2002.
– Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley, 2001.
– G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. McKemmish, Computer and Intrusion Forensics, Computer Security Series, Artech House Publishers, 2003.
– Searching and Seizing Computers and Obtaining Electronic Evidence, U.S. Justice Department, www.usdoj.gov/criminal/cybercrime/searchmanual.htm

Thank you very much!