Data forensics (2003)

Part of your security package should include forensic testing, and the process is as important as the tools you use. Jon Tullett identifies the right approach

With incident response closely tied to business continuity and the bottom line, computer forensics has become a core component of corporate security, and a daily weapon in the arsenal of law enforcement agencies.

Firstly, forensics is not about the tools, but about the process. All forensic investigations follow a series of steps to move from the stage of identifying what is to be examined to the point of presenting evidence. This may be for use in court, for internal disciplinary procedures or simply to monitor an incident. Failing to follow accepted forensic guidelines will cause evidence to be questioned and the collapse of what could be a bulletproof case.

For this group test we examined products with varying capabilities from within the framework of the forensic incident recovery process.

When selecting tools for forensic investigations, the overriding goal should be to find solutions which will support this process. For example, a tool that copies data from a suspect drive may update the time stamps on the files, which could raise questions about when the file was created, who modified it last, and so on. To be forensically sound, the tool must create bit-for-bit identical copies.

Many companies are nervous about involving the authorities early on in an investigation, fearing adverse publicity. But a criminal's tracks can be quickly obscured by a changing system, and a clumsy system administrator could accidentally destroy evidence. If the decision is finally taken to prosecute, it may be too late.

The forensics tool chest has expanded a great deal with the evolution of incident response. From their roots in after-the-fact analysis of static data, forensics tools are now being used to examine systems from the moment an incident is detected, often without interrupting the system in question. While a user's desktop PC may be taken offline for ad hoc analysis, a production server delivering Web services is another matter.

The forensic process breaks down into four stages: identifying the evidence; acquiring it in a forensically sound manner; analysing the data; and preparing it in a form suitable for presentation. At each stage, it is essential to avoid contaminating the evidence and to ensure that correct procedures are followed.

During the identification stage, all the information related to the investigation should be looked at. This will include identifying what evidence is required, how it should be acquired, and related data (such as log files and audit trails) which may be needed for corroboration. It is likely that an ongoing investigation will turn up further data that will need analysis, but the initial picture should be as thorough as possible.

This is where real-time monitoring tools are particularly useful. The identification stage is a window of time between spotting an incident and beginning a full investigation, so anything which shortens that gap is a boon. The faster you can detect anomalies, the better, and having a predetermined incident response procedure can save vital hours, or even days.

The acquisition stage is a purely technical process in which all relevant data is forensically copied ("acquired") for later analysis. One of the most common techniques is imaging a target hard disk. This can be done with software which boots the system with the target drive in a read-only state and then copies it on to a new disk.

Live data can be acquired, but steps must be taken to ensure that its state at the moment of acquisition is known. This can be done by generating a "hash" – a unique signature – for the data being acquired. At each stage of the investigation, so long as the evidence file produces the same hash, it can be trusted to be a perfect snapshot of that data.
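The acquisition discipline described above (bit-for-bit copy, source left untouched, hash recorded and re-checked at each later stage) as an added example that is not from the original article or from any of the products tested: a small Python acquisition routine that opens the source read-only, copies it, confirms the source's size and modification time did not change (the timestamp concern raised earlier), and returns a hash that later stages verify against. SHA-256 is assumed as the hash function (the article names none), and the file names and drive contents are constructed sample data.

```python
import hashlib
import os
import tempfile

BLOCK = 1 << 16  # stream in 64 KiB chunks so a large image never has to fit in memory

def sha256_file(path):
    """Hex SHA-256 of a file, read sequentially (the 'hash' the article describes)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(src, dst):
    """Copy src to dst bit-for-bit with src opened read-only; return the image hash.
    Raises if the source's size/mtime changed or the copy does not match what was read."""
    before = os.stat(src)
    running = hashlib.sha256()
    with os.fdopen(os.open(src, os.O_RDONLY), "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            running.update(chunk)  # hash the bytes as they are read from the source
            fout.write(chunk)
    after = os.stat(src)
    if (before.st_size, before.st_mtime_ns) != (after.st_size, after.st_mtime_ns):
        raise RuntimeError("source changed during acquisition; image is suspect")
    image_hash = sha256_file(dst)  # re-read the copy rather than trusting the write
    if image_hash != running.hexdigest():
        raise RuntimeError("image is not bit-for-bit identical to the source")
    return image_hash

def verify_image(path, expected_hash):
    """At any later stage: the evidence file is trustworthy only if it still hashes the same."""
    return sha256_file(path) == expected_hash

def demo():
    """Constructed sample: image a fake 'suspect drive', then show a tampered copy fails."""
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "suspect.raw"), os.path.join(work, "suspect.img")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 8 + b"deleted-message.eml")  # constructed drive contents
    image_hash = acquire_image(src, img)
    intact = verify_image(img, image_hash)
    with open(img, "r+b") as f:  # simulate an analyst accidentally writing to the image
        f.seek(10)
        f.write(b"\x00")
    return {"image_hash": image_hash, "intact": intact, "after_tamper": verify_image(img, image_hash)}
```

A real acquisition would image a block device rather than a file, but the same checks apply: hash on read, hash the copy, and keep the recorded hash with the chain-of-custody paperwork.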

Analysis is where the real work begins, with captured data turning into evidence. This is also the stage at which many companies call in specialists to perform data recovery or in-depth analysis. The process will vary depending on what information needs to be recovered, but this may include extracting specific e-mail messages, illicit files (such as pornography or trade secrets), or identifying the damage done during a hacking incident. The process must be carefully documented so that an independent examiner (such as a defence expert witness) can duplicate the results.

Lastly, presentation is the stage in which all the evidence is collated into a report complete with the checks and balances, proving it to be forensically sound. This may be destined for an internal disciplinary proceeding or a courtroom.

Throughout this group test, it became obvious that no single product or set of skills can cover all the bases of a forensic exam. If anything, reliance on one solution to provide your company with a "forensic capability" is a flawed approach.

But, provided that the work you do with whatever tools you have is conducted in strict accordance with forensic guidelines, this need not be a problem. What is important is that when it becomes necessary to call in the authorities or an independent forensic expert, the evidence will stand up to a rigorous investigation.
