Illustration by Kevin Curry
Large and small enterprises are facing a number of issues when it comes to forensic investigations, reports Deb Radcliff.
Whether or not to launch a digital forensics investigation depends on many things: What is it the organization is trying to find, where is the evidence located, and how does an enterprise define forensics in the first place?
So, when determining the scope of an investigation, it's critical to start with the end goal in mind, suggests Jim Butterworth, senior director for cybersecurity services at Guidance Software, a vendor of digital investigative solutions.
"Are you going to terminate, litigate or incarcerate?" asks Butterworth, also an instructor with the Association for Certified Fraud Examiners. "The amount of effort to get the evidence to stand up to scrutiny in an incarceration case is a lot harder than for evidence used to terminate an employee."
Under the traditional law enforcement definition, forensics is the process of analyzing material evidence to develop a finite or concrete conclusion that can be backed up in a court of law, says Bryan Sartin, director of forensics and investigative response for Verizon Business.
Traditional forensics tools, such as EnCase from Guidance Software and Forensic Toolkit (FTK) from AccessData, work under accepted rules of evidence preservation: they start from a bit-for-bit image of the original media and record hash values that reveal any later tampering. They are built to search for hidden directories and files in unallocated space and file slack, temp files, email archives, attachments, native logs and elsewhere.
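The imaging-and-hashing step those tools begin with, shown as an added example in Python (this is not the article's material and not EnCase or FTK code). It copies a source, a file or a block device such as /dev/sdb presented read-only through a write blocker, in fixed-size blocks, hashes the bytes as they come off the original, then re-reads the finished image and hashes it independently so the two values can be compared. The JSON manifest layout and the hypothetical case identifiers are assumptions for illustration.

```python
"""Acquire a forensic image with hash-on-read and independent verification.

Added example in Python; not the article's text and not EnCase/FTK code.
The manifest layout is an assumption for illustration.
"""
import hashlib
import json
import os
import time

BLOCK = 1 << 20  # 1 MiB read size


def image_and_hash(src_path, dst_path, block=BLOCK):
    """Copy src to dst block by block; return size and MD5/SHA-256 of the bytes read.

    Hashing on the read side records what the original contained, so the
    value does not depend on the copy having been written correctly.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sha256_of_file(path, block=BLOCK):
    """Independent SHA-256 of a file on disk, used to verify a finished image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_path, dst_path, examiner, case_id):
    """Image src to dst, verify the copy against the acquisition hash, write a manifest."""
    acquired = image_and_hash(src_path, dst_path)
    verify_hash = sha256_of_file(dst_path)
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "source": src_path,
        "image": dst_path,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes": acquired["bytes"],
        "md5": acquired["md5"],
        "sha256": acquired["sha256"],
        "verify_sha256": verify_hash,
        "verified": verify_hash == acquired["sha256"],
    }
    with open(dst_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(dst_path):
    """Re-hash an existing image and compare with its manifest; True only if unchanged."""
    with open(dst_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of_file(dst_path) == manifest["sha256"]


if __name__ == "__main__":
    import sys
    # usage: python acquire.py <source> <image> <examiner> <case_id>
    result = acquire(sys.argv[1], sys.argv[2], examiner=sys.argv[3], case_id=sys.argv[4])
    print(json.dumps(result, indent=2))
```

Opening the source read-only in software does not stop the operating system from mounting it and updating timestamps or journals on the way in; the hash recorded here is only as trustworthy as the write blocking in front of it. A mismatch between the acquisition hash and the verification hash means the image is not a faithful copy and has to be acquired again, not patched.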
Nowadays, however, the term "forensics" is turning up in association with network IDS/IPS, discovery/intelligence/scanning, log management and other tools and processes. These tools help to put together a bigger picture and may satisfy regulators, says Douglas James, information security engineer with Tahitian Noni International, a vendor of noni-based products including beverages and beauty products.
But data from these tools alone won't stand up to much scrutiny, because it is no longer native system data. Instead, it represents snapshots in time, and the evidence has been transformed or "normalized" on its way into the tool. On its network, Tahitian Noni uses a network forensics appliance from Solera Networks for full-stream data capture and storage. For source data, the company uses EnCase and FTK.
For most medium- to large-sized organizations, internal investigators start either with their own e-discovery after something triggers an alarm, or by request of a department manager.
In the latter instance, IT groups need some kind of buffer to prevent them from being dragged into "frivolous" investigations ordered by ill-motivated individuals, notes Jon Abolins, a data analyst who works for a government environmental agency with 3,000 employees. In his agency, digital forensics investigations must first be vetted through the HR unit.
"All of our cases involve civil and administrative violations," Abolins says. "If we find indications of a possible crime, we refer the matter to state police."
It's the law
Turning cases over to law enforcement is a hard decision for IT investigators because by doing so they relinquish control to the outside law enforcement agency. Therefore, part of any forensics policy should have a pre-established point of contact with the appropriate law enforcement responders, says Matt McFadden, sergeant with the Clovis (Calif.) Police Department, which supports cyber investigations for this city of nearly 10,000.
And determining just who is responsible is another area of concern. "Intellectual property theft is a big concern in our organization," says Kevin Bluml, an internal investigator at a large health services firm with 70,000 employees. "There are times when we have legitimate concern that someone leaving the company is taking intellectual property with them either via email or on removable devices."
Only about six times a year do these internal investigations result in action being taken against an employee, according to Bluml, who adds that six cases in the past five years did wind up in civil court.
Skills on hand
With an organization of his company's size, Bluml says it's difficult to find all the skills in-house to conduct forensics investigations on various systems in question. For example, his specialty is in Windows, but not in Macs, while some of his team members are experts with Linux. For areas outside their combined expertise, and for cases involving criminal litigation, his organization turns to outsourced services.
New skills, and in some states new licensing requirements, are being demanded of forensics investigators whose evidence winds up in criminal court. For this reason, there will always be a need for outsourced forensics services that can take investigations to the next level, including proper forensic procedure for evidence handling and documentation, says Bill Spernow, an independent digital forensics investigator and licensed private investigator in the state of Georgia.
For example, he points to a need to perform forensics on cell phones, which are involved in 30 percent of cases his agency investigates. "In one case that I recently investigated, an analyst was suspected of manipulating financial instruments for his own benefit," explains Spernow, who formerly was director of investigations at Experian and a research director at Gartner. "The guy was a compulsive list maker and he kept the lists on his cell phone. A list labeled 'Alibi' contained all the stories he needed to keep straight in order to cover up everything he was doing that was illegal."
Prepare for anti-forensics
Another trend practitioners need to keep abreast of is the continued rise in data-hiding and wiping technologies, collectively dubbed "anti-forensics."
Steganography, in which data is hidden in image, MP3, Office and other file types, is on the rise outside the United States, according to Chris Novak, managing principal of the forensics and investigative response unit of Verizon Business. So forensics investigators should be cross-checking file sizes, he adds. For example, a two-page PowerPoint presentation with one picture in it shouldn't be 80 megabytes in size, and that should be cause to investigate further.
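The size cross-check Novak describes, carried a step further as an added example in Python (it is not the article's own material and not a Verizon tool). A PowerPoint, Word or Excel file is a ZIP archive, so every byte of the file should be claimed by the archive: the code finds the archive's own end-of-central-directory record, reports any bytes appended after it (which is what `copy /b deck.pptx + secret.bin deck.pptx` leaves behind), counts slides, and flags embedded images over a threshold. The 20 MiB per-image limit and the sample deck built in the usage are assumptions for illustration; ZIP64 archives are not handled.

```python
"""Size cross-check for ZIP-based Office files (PPTX, DOCX, XLSX).

Added example in Python, not from the article or any vendor tool.
MEDIA_LIMIT and the member layout checked are assumptions for illustration;
ZIP64 archives (over 4 GiB) are not handled.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22                      # fixed part; a variable-length comment follows
MEDIA_LIMIT = 20 * 1024 * 1024     # assumed upper bound for one embedded image
MEDIA_DIRS = ("ppt/media/", "word/media/", "xl/media/")


def find_zip_end(data):
    """Offset just past the carrier archive's own EOCD record.

    Do not simply take the last EOCD signature in the file: if a second ZIP
    was appended, that signature belongs to the hidden archive. Instead take
    the first EOCD whose recorded central-directory offset + size lands
    exactly on the record itself. An appended archive stores offsets relative
    to its own start, so its EOCD fails this consistency test.
    """
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2)
            #              cd_size(4) cd_offset(4) comment_len(2)
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            if cd_offset + cd_size == pos:
                return pos + EOCD_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent end-of-central-directory record found")


def inspect_office_file(data):
    """Account for the bytes of an OOXML file and return the anomalies found."""
    total = len(data)
    zip_end = find_zip_end(data)
    trailing = total - zip_end                    # bytes the archive does not claim
    with zipfile.ZipFile(io.BytesIO(data[:zip_end])) as zf:
        infos = zf.infolist()
    slides = [i for i in infos
              if i.filename.startswith("ppt/slides/slide") and i.filename.endswith(".xml")]
    media = [i for i in infos if i.filename.startswith(MEDIA_DIRS)]
    oversized = [i.filename for i in media if i.compress_size > MEDIA_LIMIT]
    flags = []
    if trailing > 0:
        flags.append("appended_data")
    if oversized:
        flags.append("oversized_media")
    return {
        "file_size": total,
        "archive_bytes": zip_end,
        "trailing_bytes": trailing,
        "members": len(infos),
        "slides": len(slides),
        "media_bytes": sum(i.compress_size for i in media),
        "oversized_media": oversized,
        "flags": flags,
    }


def inspect_path(path):
    """Convenience wrapper: inspect an Office file on disk."""
    with open(path, "rb") as f:
        return inspect_office_file(f.read())


if __name__ == "__main__":
    # Constructed sample: a two-slide deck with one small picture, then the
    # same deck with a payload glued on the end.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("ppt/slides/slide1.xml", b"<p:sld/>")
        zf.writestr("ppt/slides/slide2.xml", b"<p:sld/>")
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 16)
    clean = buf.getvalue()
    print(inspect_office_file(clean)["flags"])                      # []
    print(inspect_office_file(clean + b"S" * 600)["trailing_bytes"])  # 600
```

A clean result does not clear the file. Steganography that writes into the pixel data of an image keeps the archive self-consistent and the size plausible, so this only catches the crude cases: a payload stuck on the end, or a picture that is wildly larger than a slide needs. Unexplained trailing bytes should be carved out at `archive_bytes` and examined as their own artifact.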
Encrypting evidence with strong encryption programs, such as PGP and TrueCrypt, is also on the rise globally, he adds. Since the ciphertext itself cannot be attacked in practice, his trick is to look in memory and elsewhere on the system for the passphrase used to unlock the keys.
Finally, say many experts, be ready to handle huge files as part of the imaging process, since evidentiary images now run into the terabytes.
"We've been seeing a rise in digital forensics results being challenged by outside digital forensics experts hired by the other parties," says Guidance Software's Butterworth. "Evidentiary data designed for criminal court will come under tougher and tougher scrutiny."
Insider threat: Most cases punitive
For the most part, say experts, forensic investigations don't wind up in criminal courts, where evidence is held to the highest standard. But these cases, particularly employee abuse of computer systems, can create civil liabilities, and their evidence might still be called into question.
"I just came back from what turned out to be a dispute between an employee and her boyfriend," says Bill Spernow, an independent digital forensics investigator and licensed private investigator in the state of Georgia. "They were hacking each other's desktops - hers inside the client site and his outside. In another case in south Texas, the supposed bad guy turned out to be a senior VP harassing someone inside the company."
Insiders accounted for 20 percent and business partners accounted for 32 percent of breach investigations conducted last year by Verizon Business Services, according to the 2009 Data Breach Investigations Report by Verizon Business' RISK Team. – DR