Cybercrime is on the rise. Two-thirds of all UK businesses have suffered from some form of premeditated or malicious 'incident' in the last 12 months – a staggering 55 percent rise in two years.
But cybercrime isn't just about the virus writers and hackers who hog the headlines. Cybercrime encompasses any criminal act perpetrated in part or entirely using a computer – from corporate espionage, fraud and extortion, to sharing illegal pornographic material or coordinating terrorist acts. The fact is, the sort of crimes committed are mostly the same – computers have become just another tool for the criminal.
The attraction of computer-based crime is obvious. Twenty years ago, corporate spies would have to raid the contents of a filing cabinet, but today they can slip a disk in their pocket or email data to an online electronic swag bag. It's much easier to steal, leak, manipulate or destroy electronic data.
But as in the physical world, cyber-criminals leave their electronic fingerprints all over a digital crime scene.
The fledgling concept of computer forensics, which has matured into today's highly skilled discipline, was first nurtured within the law enforcement community around 20 years ago. There was a rapidly growing need to equip officers with the skills and tools that would enable them to collect, investigate and present electronic evidence.
An overriding imperative, however, was to ensure that any procedures and methodology used would be compatible with the traditional rules of evidence. The highest burden of proof is enshrined within criminal proceedings and is based upon 'beyond reasonable doubt'. In the U.K., the Police and Criminal Evidence Act 1984 is the mechanism by which this level of evidence is achieved. So this must be the evidential standard that all computer forensics investigations strive for.
In the U.K., this requirement led to the creation of the Good Practice Guide for Computer Based Evidence, which was subsequently endorsed by the Association of Chief Police Officers (ACPO). This guide is effectively the "computer forensics bible" and sets out what should be regarded as the minimum standards required for dealing with digital evidence.
Below is a practical guide to handling an incident and the corresponding computer forensic considerations. It draws on various sources, but comes with a major caveat: investigations should only be undertaken by skilled computer forensic investigators. DIY attempts to gather electronic evidence will almost certainly result in the failure of an investigation. It is best to call in either the police or a commercial computer forensics firm as soon as you can.
As anyone working in law enforcement will tell you, computer crime statistics should be taken with a grain of salt, because the vast majority of digital crimes are never reported, let alone make it out into the public domain.
Today, between 93 and 95 percent of all cybercrimes go unreported, because companies rate unwanted publicity as potentially more damaging to their business than the incident itself.
Disruption to business operations is also a significant factor behind why organizations are unwilling to report incidents. If getting the business up and running quickly is their main priority, reporting an incident is more often seen as a big risk – one laden with the fear that business could be crippled by police shutting down the office and taping it off as a crime scene.
There are seven distinct steps you need to take from the crime scene to the court room.
1: Define exactly what you mean by an "incident"
The first step is to define what constitutes an incident. This will vary for each company and will be dependent on a risk-assessment process.
The only piece of U.K. legislation that has been solely created to deal with computer crime is the Computer Misuse Act 1990. The Act is useful in helping to determine what would constitute an incident and is worth paraphrasing in any subsequent company documentation. But remember, it only covers criminal activity and you will also need to include any activity that would be in contravention of your usage policies for email, internet and the company network in general. You will need to document the full range of potential incidents, ideally within a global security policy. BS7799/ISO17799 is an excellent model for any security policy.
2: Plan your response
The next stage is to create an incident-response plan. You need to consider who should be informed when an incident is discovered, who will form and/or lead the response or investigation team, whether to use external specialist investigators, and the need for police involvement, if any.
The planned response to any given incident (including the investigation process/methodology) must be compatible with current legislation. You will therefore need to make sure you have read and understood any laws dealing with data protection and, if your firm operates within the E.U., the European Convention on Human Rights (specifically Article 8, the right to respect for private life and correspondence, which in the U.K. is given effect by the Human Rights Act 1998).
When deciding upon the escalation procedure for an incident, it's advisable that the following departments are involved at the earliest stages: HR, legal, corporate/IT security, and senior management or the board.
By involving these areas of the business at the earliest stages of an apparent incident, you will ensure that there is a commitment to the process. Through that commitment, the ensuing investigation will have the "buy in" from all those involved and result in a well-managed incident.
3: On discovering an incident
Once a potential incident has been discovered, it is paramount to classify it. It is not necessary to report every incident to the police; only specific types of crime must be reported. Reportable offenses include anything involving indecent images of children or anything believed to involve organized crime.
The classification of the incident will also help to determine the level of response and subsequent allocation of appropriate resources.
4: Seal off the crime scene
The biggest temptation in the corporate world when an incident has been identified is to "have a quick look." This is by far the worst mistake that could be made and could jeopardize any investigation.
Electronic evidence is fragile. It can be altered, damaged, or destroyed by improper handling or examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to use forensically sound techniques might lead to evidence that cannot be used or an inaccurate conclusion. It is critical, therefore, that the right methodology is used to preserve the integrity of electronic evidence.
There are four principles set out in ACPO's good practice guide that should form the backbone of any investigation methodology:
First, no action taken by the police or their agents should change data held on a computer or other media which might subsequently be relied upon in court.
Second, in exceptional circumstances, where a person finds it necessary to access original data held on a target computer, they must be competent to give evidence explaining the relevance and implications of their actions.
Third, an audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to repeat the processes and achieve the same result.
Finally, the onus rests with the officer in charge of the case to ensure compliance with any law pertaining to the possession of, or access to, information contained on a computer. The officer must be satisfied that the use of any copying device, or actions of any person having access to the computer, complies with these laws.
Regardless of the final outcome – internal discipline, civil recovery or criminal conviction – these principles should be rigorously adhered to.
When a crime has been committed which involves a computer, the machine should be considered a crime scene like any other and sealed off to ensure evidence is not tampered with. It is critical in the early stages that the condition of electronic devices and the immediate surroundings are not altered in any way – if the computer is off, leave it off. If it is on, leave it on. If you interact with the computer in any way, you might alter its content and corrupt evidence.
5: Conduct preliminary interviews
Make a note of all potential witnesses at the scene and, if applicable, record details such as location, time of entry, relation to potential suspects. Gather any information which will be helpful to an investigator such as email, network and security passwords, user names and internet service providers. Also, make note of any additional company property which might be with a suspect off-site, such as PDAs, laptop computers and mobile phones.
6: Gather evidence
The next step is to call in a professional computer forensic investigation team, whether in-house or external professionals. The first thing they should do is identify and "secure" the potential sources of evidence.
Almost certainly, within the corporate environment, the best source of evidence will be the computer that the suspect used personally every day. If, as would be the case for an internal email harassment case, you have access to the suspect's and victim's computers, then both of these need to be secured. If it is not possible to gain access to them, then thought will need to be given to backup tapes and to the servers through which the data would have passed and on which it could still be present.
The exact details of the computer should be recorded – make, model and serial number. If the computer is on, record what is on the screen by photograph or by description. If the machine is off, record the fact. If there are any drives present, record the fact, including details of any media present in them.
In some cases, if the computer is on, an investigator will pull the plug out of the wall rather than perform an orderly shutdown: a normal shutdown runs scripts and services that write to the disk, flush caches and alter file time and date stamps, whereas cutting the power freezes the disk in its current state. But this cannot be done safely with Linux-, Unix- or NT-based machines. These systems are far more complicated – their file systems and running services may be left inconsistent by a sudden loss of power, and whatever exists only in memory (open network connections, unsaved data) is lost – so each requires a specific methodology/set of criteria for shutting down. Only an experienced computer forensics expert should shut the computer down, to avoid damage.
Once power has been removed, it is preferable that the computer is sealed in a container and taken to a secure area for investigation. This seal can be as simple as an endorsed sticky label, secured to the bag with sticky tape.
If bags cannot be obtained, then the computer should be sealed with signed labels covering those areas which would allow the cover to be removed and the hard drive taken out. When the seals are broken legitimately during the investigation, they should be retained and replaced with fresh ones when required.
Once the sources of evidence have been identified and secured, and the continuity trail (chain of custody) of each source of evidence has been started, the next stage is to begin the imaging process to make an exact copy of the evidence.
This acquisition should be performed without regard to the type or amount of data that resides on the computer's hard disk. It must not write to the original disk and every last piece of information, regardless of whether it is live, deleted or historical data, should be copied. It is good practice to take two copies, one of which can be sealed and stored to act as a backup and might be used to verify your imaging process and subsequent findings. This is called a "master copy;" the other, which all subsequent work will be carried out on, is the "working copy." A cryptographic hash (such as SHA-256) of the original disk and of each copy, recorded in the audit trail at the time of acquisition, is what lets you later prove that the copies are exact and that nothing has changed since.
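The following is an added worked example of the imaging, master/working copy and verification principles described above; it is not code from the original article or from ibas. It "acquires" a constructed sample device file byte for byte into a master and a working image, hashes the original and both copies, records each step in an audit-trail list, and then shows that a careless in-place edit of the working copy is caught on re-verification while the sealed master still matches. The operator name and file names are hypothetical. Opening the source read-only here is a software precaution only; real acquisition sits behind a hardware write-blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB chunks so an image larger than RAM can still be handled


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def log(audit, action, detail, result):
    """Append one audit-trail entry: who did what, when, with which tool, and the outcome."""
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "operator": "examiner-1",  # hypothetical operator name, not from the article
        "tool": "python hashlib sha256",
        "action": action,
        "detail": detail,
        "result": result,
    })


def acquire(source, master, working, audit):
    """Bit-for-bit copy of `source` to a master image and a working image.

    The source hash is computed from the very bytes that are written out, then
    each copy is re-read from disk and hashed independently, so a copy error
    cannot go unnoticed. The source is opened read-only (software precaution only).
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(master, "wb") as m, open(working, "wb") as w:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            m.write(chunk)
            w.write(chunk)
    hashes = {
        "source": src_hash.hexdigest(),
        "master": sha256_file(master),
        "working": sha256_file(working),
    }
    ok = hashes["source"] == hashes["master"] == hashes["working"]
    log(audit, "acquire", {"source": source, "master": master, "working": working, "hashes": hashes}, ok)
    return hashes


def verify(reference_hash, path, audit):
    """Re-hash an image and compare it with the hash recorded at acquisition."""
    ok = sha256_file(path) == reference_hash
    log(audit, "verify", {"path": path, "expected": reference_hash}, ok)
    return ok


def demo():
    """Acquire a constructed 'device', verify the copies, then tamper with the working copy."""
    audit = []
    results = {}
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "suspect-disk.bin")
        master = os.path.join(d, "master.dd")
        working = os.path.join(d, "working.dd")
        # Constructed sample content standing in for live data, a deleted fragment and slack space.
        with open(device, "wb") as f:
            f.write(b"LIVE: quarterly-figures.xls\n")
            f.write(b"DELETED: draft email to competitor\n")
            f.write(b"\x00" * 4096)
        hashes = acquire(device, master, working, audit)
        results["acquired_ok"] = hashes["source"] == hashes["master"] == hashes["working"]
        results["working_ok_before"] = verify(hashes["source"], working, audit)
        # Simulate an examiner editing the working copy in place instead of working on a derived copy.
        with open(working, "r+b") as f:
            f.seek(0)
            f.write(b"live")
        results["working_ok_after"] = verify(hashes["source"], working, audit)
        results["master_still_ok"] = verify(hashes["source"], master, audit)
        results["audit_entries"] = len(audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The value of the sealed master copy is visible in the last two checks: once the working copy no longer matches the hash recorded at acquisition, every finding derived from it is suspect, but the investigation can restart from the master, whose hash still matches the original. The audit list is the "record of all processes applied" that a third party would need in order to repeat the steps.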
As you would expect, several companies provide a software and/or hardware solution. These all have their merits and demerits, so it is important to be clear on what you require your solution to provide.
A computer forensic investigation laboratory can be set up using little more than a laptop, or it can contain a multitude of imaging machines and servers for storing investigation material. The scale is very much in response to the business need.
As with all things forensic, there a number of principles worth following to ensure the highest standards are met:
- Do not use your everyday computer for forensic investigations;
- Where possible, use new media to image onto;
- If not, then use a rigorous wiping and formatting process prior to re-use;
- Do not use general disk or network tools as an imager;
- Ensure the imaging software is forensically sound – for example, it will not write to or alter the original data during the imaging process;
- Ensure that all investigation material is backed up.
It is always advisable to undergo training in the particular tool or tools that you have chosen to be considered competent in its use. The original vendor will usually provide this sort of product-specific training.
However, it is also advisable to seek supplementary training in these topics: computer forensic investigation techniques and methodology; basic law; and any statutes, acts or conventions that affect data protection or human rights in this area. Before choosing a particular training course, ask for reference sites and find out as much as possible about the trainers and the organizations they represent.
7: Draw your conclusions
After examining all the available evidence, the final stage of the investigation is to come to a conclusion. This must be objective, unbiased and based on indisputable fact. Can you clearly connect the suspect to the computer from which the secret data was emailed at 3.30pm on Wednesday afternoon – beyond a reasonable doubt? It is at this stage, for anything more serious than an internal caution, that you should take professional legal advice on how best to proceed.
Simon Janes is international operations manager at ibas and former head of the U.K.'s Computer Crime Unit