When a computer has been hacked, the first reaction of the system administrator is usually to restore the system and bring it back online as soon as possible.
As a result, the system administrator will most likely destroy valuable evidence that may be essential in identifying and prosecuting the perpetrator. Once the system is up and running, the victim may start thinking about the damage and losses incurred by the perpetrator. The company may then seek to identify the perpetrator(s) for a possible civil suit.
A step in that process could be filing a criminal complaint with a law enforcement agency. But by then, the traces that the hacker left behind, which could be used as evidence, are most likely gone. This leaves the police with very little information on which to base an investigation.
As in disaster recovery, companies should plan on how they will respond to a computer crime incident. They should have a plan in place and hold personnel responsible for its proper execution. For the police, the beginning of an investigation is a series of essential questions: what? where? when? which? how? - probably also, how much? - which all lead to, who? Transparency and accountability are also key factors in a police investigation.
The question "What?" can only be reliably answered if the evidence is properly secured. When a system is compromised it is good practice to restore the system from verified backups or original vendor software. The hacker may have installed backdoors, compromised binary programs or even installed a compromised kernel. An essential practice for computer crime investigation is to use a new hard disk when rebuilding the system and keep the old hard disk for the forensic post mortem investigation.
The second best option is to make a bitstream image backup (with snapback or dd for example) of the system and store it on an off-line workstation, using tape, CD-ROM or DVD. It is also possible that the hacker changed the shutdown routine of the system so that it executes a script or program that would destroy the evidence or further compromise the server. Therefore, one option is to disconnect the power instead of performing a normal shutdown. However, there is some volatile data that preferably should be secured before the system is turned off, such as:
- arp cache
- routing table
- open ports
- which programs are attached to these ports
- users logged in
- programs that run with super-user rights.
The best option is to run the programs that capture this volatile data from a script, time stamp their output, and redirect that output to a remote system using, for instance, netcat. Most actions will alter the hard disk in some way; it is important to document your actions carefully and to keep changes to a minimum.
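The collection step described above, as an added example that is not the article's or Interpol's own script: a POSIX sh script that gathers exactly the listed items, stamps each section with UTC, and ships the whole run to an analyst workstation over netcat instead of writing it to the suspect disk. The collector host and port, the ANALYST variable and the fallback tool list are assumptions.

```shell
#!/bin/sh
# Volatile-data triage for a compromised host, run before the power is pulled.
# Added example, not from the article. Every section is stamped with UTC so it
# slots into the later timeline; output goes over netcat instead of onto the disk.

section() {
    # Print a timestamped header, then the output of the first tool that exists here.
    label=$1; shift
    printf '=== %s (UTC %s) ===\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    for cmd in "$@"; do
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            sh -c "$cmd" 2>&1 || echo "(tool exited with status $?)"
            return 0
        fi
    done
    echo "(no suitable tool found on this host)"
}

collect_volatile() {
    # Most volatile first: ARP and sockets change by the second, users and processes less so.
    printf '### volatile data, host %s, operator %s ###\n' "$(uname -n)" "${ANALYST:-unknown}"
    section "arp cache"                        "ip neigh show" "arp -an"
    section "routing table"                    "ip route show" "netstat -rn" "route -n"
    section "open ports and attached programs" "ss -tulpn" "netstat -tulpn" "lsof -i -n -P"
    section "logged-in users"                  "w" "who"
    section "processes running as root" \
        "ps -eo user,pid,ppid,args | awk 'NR==1 || \$1==\"root\"'"
    printf '### end of collection (UTC %s) ###\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

ship_volatile() {
    # Keep the data in memory, send it to the analyst box (listening with something like
    # "nc -l -p PORT > host.txt"; flag syntax varies between netcat variants) and print
    # its sha256 for the handwritten log so the received copy can be checked.
    collector=$1; port=${2:-9999}
    data=$(collect_volatile)
    printf '%s\n' "$data" | nc "$collector" "$port"
    printf 'sha256 of shipped data: %s\n' "$(printf '%s\n' "$data" | sha256sum | cut -d' ' -f1)" >&2
}
```

Run as `ANALYST="J. Doe" ship_volatile 192.0.2.10 9999` (placeholder address) from a statically linked toolset on read-only media if possible, since the binaries on the compromised host may themselves be trojaned.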
If the compromised server is one of many with the same configuration, it is important for the system administrator to ascertain as soon as possible the method of compromise in order to patch other affected systems. In this type of investigation, a second copy of the hard disk must be used. The disk should be mounted in read-only mode on an unaffected system. Booting from the hard disk will cause numerous files to change. A good tool for this is a Linux distribution that boots from CD. Findings from this investigation are also very helpful when filing a criminal complaint.
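The acquisition, hash verification and read-only examination described in the paragraphs above, as an added example that is not part of the original article: SRC is the suspect disk attached to a clean analyst machine (ideally behind a hardware write blocker), DST is a file on a separate evidence drive, and ANALYST is an optional environment variable; all three are assumptions.

```shell
#!/bin/sh
# Bit-stream acquisition of a suspect disk, hash verification and read-only examination.
# Added example, not the article's own procedure. Paths are placeholders.

acquire_image() {
    src=$1; dst=$2; log=${3:-"$dst.log"}
    printf 'acquisition start (UTC): %s\nsource: %s  image: %s  operator: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "${ANALYST:-unknown}" >> "$log"
    # noerror,sync: keep reading past bad sectors and zero-fill them so offsets are preserved.
    # bs=512 (one sector) so that sync padding never makes the image longer than the disk;
    # a larger block size would pad the final partial block and break the hash comparison.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>> "$log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'sha256 source: %s\nsha256 image:  %s\nacquisition end (UTC): %s\n' \
        "$src_hash" "$dst_hash" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    [ "$src_hash" = "$dst_hash" ]   # non-zero exit: the image is not a faithful copy
}

verify_image() {
    # Later (before analysis, and again before court): re-hash the image and compare it
    # with the value written to the log at acquisition time.
    dst=$1; log=${2:-"$dst.log"}
    recorded=$(sed -n 's/^sha256 image:  //p' "$log" | tail -n 1)
    [ -n "$recorded" ] && [ "$(sha256sum "$dst" | cut -d' ' -f1)" = "$recorded" ]
}

mount_image_readonly() {
    # Examine a working copy of the image without booting it: read-only, no atime updates,
    # nothing executable. Drop "loop" when mounting a physical disk instead of an image file.
    mount -o ro,loop,noatime,noexec,nodev,nosuid "$1" "$2"
}
```

Hash the second working copy the same way before mounting it, so that any later doubt about which copy was examined can be settled from the log alone.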
Coordinated universal time (UTC) or local time? Time is very important when reconstructing a crime. Is the system running on local time or UTC? What is the time zone of the evidence that is presented to the police? What is the difference between the time of the system and the accurate time of an atomic clock? A hacker normally uses several stepping-stones to disguise his trail. If such a method is identified and searchable, the right time might be essential in recognizing that this method belongs to the perpetrator instead of someone else. Also, at trial a timeline can prove an invaluable visual aid to the jury. Detailed notes, with date and time, should be taken of every action that is performed. As part of the normal operational procedure all systems should be synchronized with a secured NTP server.
To establish jurisdiction it is very important to determine the exact location of the compromised system. The Dutch police cannot investigate the compromise of a server that is actually situated in a data center in the United States. An up-to-date map of the network would be very helpful in visualizing the placement of the system within the network and in investigating the incident.
To be forensically sound, it is very important to know who exactly obtained the traces that will be used as evidence in court. But it is also possible that a system administrator literally saw a hacker's actions take place. If, for instance, the hacker was caught, he could have sent an angry message to all the users logged in, stating that he was going to overwrite the system. A witness statement is then very important to prove the hacker's intent to destroy the system.
Take note of all of the IP addresses and hostnames that are assigned to the compromised system. Many IP addresses are dynamic in nature and it is hard to reconstruct them later. It will be very difficult to prosecute the perpetrator successfully if their computer is confiscated and the correct IP addresses are not known.
The operating system and the version number of the compromised server might help in detecting how the perpetrator gained access to the system. What services were running on the compromised system? What were the patch levels?
In order to prove the damage sustained, a simple overview and calculation of the material damage is needed. Depending upon your jurisdiction damages might consist of labor hours incurred, material or damages paid to customers, etc.
A standard method of operation for hackers is to sniff the network traffic for login names and passwords. This is usually possible due to clear text system logins. Even internal networks should use an encrypted login facility, preferably with at least two-factor authentication.
It is recommended that companies run a syslog server, which allows all the other servers to remotely store their logs. This is a good precaution to prevent the hacker from editing your log files. A lot of the above mentioned questions could easily be answered if un-compromised logs were available.
Besides the recovery procedure the forensic steps should be part of an incident response procedure. A properly developed incident response procedure seeks to ensure that the right person with the right skills takes the right steps at the right time.
About the Interpol European Working Group on Technology Crime
The mention of Interpol conjures up images of armed international law enforcement agents crossing national borders to apprehend and investigate international crimes. This is the Hollywood version of Interpol; the reality is quite a bit different. Interpol is an international organization second in size only to the United Nations, comprised of representatives from law enforcement agencies of the member states. Interpol facilitates and coordinates international cooperation for law enforcement, and makes available know-how, expertise and good practice in specialized areas of law enforcement.
At the 19th European Regional Conference in Budapest (1990) it was decided that a group of experts should be established to deal with computer-related crime. As a result of this conference the Interpol European Working Party on Information Technology Crime (EWPITC) was formed later that year. It is currently represented by members from Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Norway, Portugal, Sweden, Switzerland, Spain and the United Kingdom. To avoid duplication of effort, Europol is also represented in the meetings.
The EWPITC is a successful Interpol information technology crime working group and serves as a model for others to emulate. Amongst its many activities are:
- An early warning system which consists of an international 24-hour response system, national central reference points (listing responsible experts within each of the 61 countries currently listed - this is now being expanded and has been endorsed by the High Tech Crime Sub-group of the G8) and a formatted computer crime message format (to ensure that all the essential information is transmitted).
- The compilation of a handbook on the investigation of computer-related crime.
- The compilation of a computer crime manual.
- A forum for members to discuss new trends in high-tech crime and notice correlations between the investigations that take place among the member states.
- Training courses presented by law enforcement experts to assist in developing and maintaining technical expertise in computer crime investigation.
The WP also drafted experts from European member countries into project groups, which are specific task-motivated groups led by WP members. Current project groups include:
Wireless applications: A project team has been mandated to research this subject and to devise methodologies which will allow law enforcement to deal effectively with the growing problem of securing wireless transactions.
Internet investigations 3: The aim of this project is to develop an advanced investigation manual, based on practical experience. It will be an additional aid to the already existing project, "Internet misuse and elementary Internet investigations."
Alternate digital evidence project group report: This will try to identify different types of digital evidence containers and build a taxonomy. It will also give advice on best practice to local law enforcement about the seizure and transportation of those devices (for instance some of them need a battery replacement, or a permanent power source).
C-stat project group: This project group is developing a uniform method of measuring high-tech crime by providing the different Interpol members with standardized crime definitions and task or investigation-specific descriptions.
For more details, see www.interpol.int/public/technologycrime.