IT Autopsy

No longer an obscure component of network security, computer forensics has blossomed into a science all its ownReader ROI Understand the science of computer forensics See how forensics can uncover evidence of crimes Learn to use forensics to your advantage The call came in early on a northern winter morning last year. An urgent voice spoke about corporate espionage and theft of trade secrets. After a few deep breaths, the caller identified himself as counsel representing an international bank and said he was highly distressed about a developing situation with one of the bank's former employees. He outlined allegations that before joining another company, the employee took internal client information valued in the million-dollar range. The official said he was turning to investigators from New Technologies Incorporated (NTI) for help.

Paul French, manager of NTI's Computer Forensics Laboratory, opened an investigation right away. With cooperation from the bank and the suspect's new employer, French got the employee's old and new computers and made copies of the hard drives on each one. Working off these copies so as not to damage the originals, French then used proprietary tools to search for hidden information about certain files. In a matter of hours, NTI investigators confirmed that the employee had taken key documents from the bank, downloaded them onto a floppy disk, and saved them on his computer at his new job.

"All in a day's work," French deadpans, in the best Sgt. Friday [employee] thought that by tossing files in the trash, he could erase all the evidence of his crime. Suffice it to say, he thought wrong."

Bad guys always overlook some-thing, and this ill-fated criminal underestimated the effectiveness of computer forensics. Like more traditional police forensics, this science has one overarching goal: to find evidence of crime and preserve it for eventual use in a court of law. Once regarded by technophiles as an obscure component of network security, the discipline has blossomed into a science all its own, garnering widespread attention from analysts and CIOs and sparking an industry of companies such as NTI. This boom makes perfect sense - as enterprises become more complex and move more information online, they leave themselves increasingly vulnerable to high-tech crimes of every ilk. Securing evidence necessary to convict an attacker becomes a matter of paramount importance.

Still, because the industry is fairly new and response efforts can cost millions, it is primarily CIOs at large, well-endowed companies who have had the opportunity to tackle the science in-house. Those looking for cheaper solutions have outsourced computer forensics on a case-by-case basis, calling a third party for help after an attack. Both strategies work, so long as evidence of a crime is obtained through the proper methodology. And computer forensics is perhaps the best way to track down who did what, and how he pulled it off, according to Thomas Talleur, managing director of the forensic technology services group at KPMG (US). "Corporate criminals don't always tell the truth," he says. "Their computers, however, usually do."

Forensics 101

While the industry has taken off only in the last few years, the science began back when computers were used mostly for word processing and spreadsheets. In those days, if corporate officials suspected employees of foul play, they'd dispatch secretaries to snoop around hard disks after hours. When these secretarial spies uncovered something fishy, officials instructed them to use the digital document as a guide while they rifled through file cabinets, desk drawers and the trash. The thinking here was practical - because few businesspeople eschewed the printed page until the rise of the Internet, it was a safe bet that any document stored electronically had a matching hard copy somewhere nearby.

Gradually, as computers entered the mainstream and computer crimes became more complex, forensic methods changed. Today, with recent statistics from the Meta Group indicating that the vast majority of all documents are stored digitally, the science hinges almost entirely on computers themselves. Computer forensic specialists call on a mix of investigative wit and high-tech know-how to reconstruct the particulars of a hack, theft of trade secrets or pornography scandal conducted on company machines. To extract a deleted memo, for instance, they can scan thousands of hidden backup folders for certain key words. To establish someone's whereabouts on a particular day, they might peek at a series of pages in the Web cache or in an area called file slack - the microscopic space between individual files - for time-stamped text documents.

"Forensic investigators of the modern age can resurrect e-mail messages from a computer that hasn't worked in years, or establish a time line of crime from the hard drives on 15 separate laptops," says Talleur. "We sure have come a long way from sending the secretary to rifle through the trash."

Despite this evolution, a key aspect of the science, called chain of custody, hasn't changed at all. Chain of custody is the record of who had possession of the evidence and what they did with it. The chain, which can be established with documents or testimony, enables lawyers to show the court that comp-uter records submitted as evidence are in the same condition they were in at the pertinent time, and that they have not been tampered with or altered so as to become inaccurate records of the event, according to Linda Stevens, general partner in the litigation and intellectual property groups at law firm Schiff, Hardin & Waite in Chicago. While this provision is intended to protect the defendant from evidence tampering, the requirements can hurt the plaintiff if the evidence is mishandled. A perfect example: last spring, after a hacker broke through the firewall at Connecticut-based CD Universe and stole 300,000 credit card numbers, authorities declined to prosecute a teenage suspect because they claimed specialists responding to the situation had tainted the evidence. Details are still sketchy, but experts familiar with the case allege that employees from one or more of the computer security companies that handled the break-in inadvertently altered access times on log files from the day of the attack. Joan Feldman, founder and president of Seattle-based Computer Forensics, followed the case closely; she says this kind of mistake would have made it impossible to authenticate any evidence whatsoever.

"On a PC running Windows or NT, when you go into Explorer and click on a file, you automatically change the last access date, right?" Feldman says. "If you do that to the only copy of a file that's critical to a case of computer crime, you've just ruined your evidence."

Process Makes Perfect

What happens when a company suspects a security breach and turns to forensics for help? First, as with any other crime scene, it's crucial that no one disturb the evidence. Even without a body or bullet casings, a computer can contain just as much evidence as the site of a homicide, says Julie Lucas, director of information security at Houston-based network consultancy GlobalNetwork Technology Services (GNTS).

To ensure that evidence is processed safely and to eliminate discrepancies in the industry, investigators follow a standard four-step regimen. First, they isolate the system, making sure no perpetrators, outside or in, can further damage or alter the crime scene. Next, they secure and copy the evidence for analysis. One way to do this is to mount an external tape-drive and take an exact binary image of the computer's hard disk. This digital duplicate becomes the version investigators use to explore the evidence without ruining it, and its importance is yet another reason why IT staffers should avoid tinkering when something dire occurs.

Many investigators take the original hard drive and lock it in an onsite storage facility such as a closet or safe. With this evidence secure, investigators finally can do what they do best - investigate. Using a bevy of forensic tools made by niche companies, investigators search hidden folders and unallocated disk space for copies of files a user thinks he's deleted. The tools allow searches by keyword, file type or access date.

These procedures usually take a few days to complete; evaluating the data they produce takes much longer. Once experts have conducted an investigation, it can take weeks for them to make sense of everything they've found. Verification is the final step in the forensic process and usually ends with the preparation of a findings report that can be used in a court of law. Documentation is key here. Sean McCreight, CEO and chairman of California-based Guidance Software, says investigators must be able to explain the methods they employ to uncover every byte of data. Because evaluation strategies differ, McCreight notes that this is the part of the forensic process that sets one investigator apart from another. Do it right, he says, and you're golden; do it poorly, and you could find yourself on the wrong side of a devastating legal loss.

"Data without the proper validation and documentation is just pure data," he says. "It's one thing to have volumes of information in front of you. It's another thing to be able to dig in there, give everything some context and put it together in a way that everyone in a courtroom can understand."

Do-It-Yourselfers

Companies that develop forensic capabilities in-house use money from the general IT security budget to develop divisions devoted to chasing down evidence after crimes. At Boeing, Motorola and others, for example, CIOs have hired squadrons of network security specialists to double as forensic investigators. Because these companies have so many security concerns, it's actually cheaper for them to build forensics teams from scratch than to farm out services on a per-case basis.

Microsoft, for instance, has hired Howard Schmidt, former director of computer crime and information warfare at the Air Force Office of Special Investigations, as chief security officer and has groomed a team of 10 investigators to gather digital evidence. Late last year, EDS launched a Global Information Assurance program structured around a spanking new CyberForensics Lab at the company's Virginia office.

Companies can also use forensic techniques to engineer some pre-emptive security checks. At EDS, for instance, forensic specialists occasionally monitor employee hard drives to make sure nobody's stealing company secrets.

At Microsoft, Schmidt says his job hinges on much of the same. "With all of the top-secret stuff we have going on here, we need to make sure that none of our employees are taking classified information and sending it elsewhere," he says. "When we're not tracking down evidence of wrongdoing, we're proactively searching for it, scanning hard disks in the name of corporate security."

These projects can get expensive. While they declined to reveal actual figures, Schmidt says Microsoft spends "millions and millions" on forensics every year, and Daryl Eckard, director of operations for EDS's Global Information Services Group division, says his company threw a "significant" amount behind the new lab. But financing is only the beginning, and even with the necessary funds, establishing an in-house computer forensics program on the corporate level can be tough. First is the issue of education. Investigators who have not received formal law enforcement training must endure rigorous knowledge transfer classes to learn the craft. Second is the issue of policy. McCreight and Schmidt suggest that before IT leaders even think about forensics, they should sit down with representatives from the legal and human resources departments to discuss procedural requirements and other expectations.

Chris King, program director of the global networking strategies team at the Meta Group (US), warns, too, that CIOs should be aware of how network security decisions might affect an employee's perception of privacy. Because plans such as Microsoft's hinge on regularly imaging a company's hard drives, employees often speak out against them, publicly invoking passages from the 1986 Electronic Communications Privacy Act (US) and privately comparing employers to Big Brother. While concerns like these are legitimate, KPMG's Talleur suggests that employees should be told that forensics is a matter of self-defence, and if they don't like it, they can work somewhere else.

"Being able to retrieve digital evidence is more about catching em-ployees stealing company secrets than it is about nabbing them abusing the Internet," he says. "If an employee is spending the day looking at [pornography], you can bet we'll take note. In the scheme of things, though, that stuff is harmless compared with the crimes we're really out to find."

A Little Help from Their Friends

Because not all companies have the resources to handle forensics endeavours on their own, their CIOs have turned to vendors and consultants who specialise in forensics solutions of every kind. Experts say this set-up benefits everyone involved - vendors earn more charging for services by the hour than by selling a product, and clients achieve peace of mind knowing that their evidence is being processed by true pros. Some forensics, says King, is better than nothing at all.

Perhaps the best known of these forensics companies is NTI, where French and his colleagues foiled the former bank employee earlier this year. From its modest headquarters in Oregon, a staff of 20, including 10 computer forensics specialists, supports 25 proprietary products. On a recent winter morning, investigators (they call themselves "geeks") huddled around one of their own as he evaluated evidence for a $US6 billion class-action lawsuit involving more than 20 laptops at a Fortune 100 company. Using a product called FileList, they strung together access dates in hidden files on each machine. "Of course we think our products are the best, but we don't care if we use our products or the next guy's," says Mike Anderson, the company's founder and CEO. "We'll do whatever we can to establish evidence that our clients can use in a court of law."

Others subscribe to the same philosophy. In Virginia, Riptech supplements an outsourced 24/7 information security monitoring and management offering with a computer emergency response team that performs general analyses and remediation efforts onsite. Utah-based AccessData recently released a Forensic Tool Kit to complement a previously limited consulting business that special-ises in troubleshooting encryption crises of any kind. Then there's WetStone Technologies, a company that offers products and services for helping companies address steganography, the process by which nefarious employees encrypt and embed data within ordinary e-mail attachments.

Not every company offers both proprietary products and advice on how to use them. Guidance Software sticks to software, devoting most of its efforts to developing its flagship product, EnCase, which it markets as a full-service forensic tool. GNTS does the reverse, eschewing sales for what the company considers to be a more practical focus on incident response and information assurance assessment. This second model appears to be popular; of the two dozen or so companies in the forensics space, more than half take a similar approach. At CFI, for instance, investigators help corporate attorneys understand the nuances of the evidence they find. And at California-based Foundstone, specialists tackle fraud and other computer crimes unique to the financial services industry.

"People can buy products anywhere, even online," says Kevin Mandia, Foundstone's director of computer forensics. "Talented, reliable and experienced people who understand a niche - now that's hard to find."

Looking Ahead

Mandia is right, but changes in the forensics landscape may soon make it easier for CIOs to spend a couple of bucks and secure evidence on their own. A number of software companies such as AccessData and WetStone are developing applications that automate forensic responses, ostensibly eliminating the need for investigators. These programs promise to manage everything from copying hard disks to evaluating evidence. What's more, because most of them are slated to cost less than $US1000 per licence, industry watchers such as Meta Group's King say that just about anyone with security concerns can purchase them and implement them painlessly.

While these new products could represent the democratisation of computer forensics, vendors and forensics consulting companies see automation as a direct threat to their businesses. "Why would you pay to have a person secure evidence when you can have a program do it in a fraction of the time?" asks Larry Kanter, partner in charge of the computer forensics practice of PricewaterhouseCoopers. "With changes in the industry, with software that handles many of these forensic applications, I'd guess that a number of CIOs at smaller companies will handle this themselves."

NTI's Anderson disagrees, saying that so long as human beings sit on juries, there will be a need for some degree of subjective interpretation from real live people.

Whatever happens, many forensic experts are getting ready to fight other fights. The first is political, and dozens of investigators are lining up to help US government officials review the recent recommendations of the Committee of Experts on Crime in Cyber-Space, an international coalition, for a treaty espousing increased computer surveillance for law enforcement officials around the world. The second skirmish is perhaps more immediate: with a new wave of tools and techniques for computer criminals to crack into corporate networks, government experts expect 2001 to bring more computer crime than ever before and are working furiously to develop ways to stop it.

For some CIOs, this will require increased commitments to raising awareness of the need for computer forensics, both inside their organisations and out. For others, it has inspired a return to basic forensic practices and a desire to enrol in classes to brush up on their forensic skills. Schmidt, Microsoft's CSO, says these trends are only the beginning of major changes in the industry. And as more computer crime cases make their way to the courts, lawyers continue to establish precedents on which to build future arguments, preserving the future for a science that can only grow in scope.

"Sure there are threats, but on the whole, I'd say that as this industry hunkers down for the next big wave of crime, it's also ready for more technologists to embrace forensics on the whole," says Schmidt. "The more people in IT understand about forensics, the more CIOs will jump aboard and start employing it. Will crime increase? Perhaps. But if you're a bad guy, look out, because the chances of getting caught are about to increase tenfold."

Tools of the Trade

With the amount of mission-critical information stored digitally increasing every day, there's never been a better time to purchase tools to help track down computer crime in your organisation. Which do industry experts rate most highly? Here's an incomplete list.

EnCase. This full-service product from Guidance Software offers a Windows-based environment from which users can copy and investigate data on their own. What's more, the application's evaluation capabilities ostensibly obviate the need for a trained investigator. Consistently ranked among the best forensic programs on the market, EnCase recently matured to Version 2. www.encase.com Net Threat Analyzer. Net Threat Analyzer is like a dog that can sniff out Internet access. Put out by New Technologies Incorporated, this DOS-based tool searches Web caches and file slack for ghost files that indicate where a user has been. Users can search data for particular words or frequently used addresses. This product is only available to and used by law enforcement agencies. www.forensics-intl.comForensic Tool Kit. Though it does not image hard disks with a built-in tool, this new product from AccessData provides applications to investigate original evidence, enabling users to search with a number of strings at once. It works well with encryption programs and is designed to draw on them to weed through hard-to-reach places on a network or hard disk. www.accessdata.com SilentRunner. A new product from Raytheon, SilentRunner spots suspicious clusters of activity on a company network and alerts systems administrators immediately. Part artificial intelligence, part pattern recognition, this program is more of an intrusion detection application than it is a forensic one. Still, users can print out results for further examination if necessary. www.raytheon.com SmartWatch. Watching a host computer like a hawk, this product from Wetstone Technologies detects even the smallest changes to computer files, then reports them immediately. The program can be configured to image a disk repeatedly during an attack or can be programmed to recover key resources from a secure backup to automatically reinstate files. www.wetstonetech.comBuilding a Legacy Experts say training programs are the keys to the future of forensics. Here's why The best way to understand computer forensics is to learn from the pros, and that's exactly what Ken Keeler did as he sat through a three-day forensic class sponsored by New Technologies Incorporated (NTI), a computer forensic consulting company. Keeler, a security analyst at the online brokerage AmeriTrade, had come from San Francisco to NTI headquarters in Oregon, to bone up on some techniques in extracting data hidden on a hard drive.

"We try to do a lot of this [extraction] stuff, but now I know we've been doing it all wrong," he said. "It's amazing how much you can learn about it from the pros."

Yes, in training sessions at companies across the US, IT professionals are learning similar lessons, both literally and figuratively. For anywhere from $US500 to $US3000, these employees can learn to copy hard disks without ruining evidence, search unallocated file space for particular words or information, and establish time lines of computer activity based on hard-to-find folder access dates.

The day Keeler was flying through data extraction, 14 other attendees were on hand to practise some of the same techniques. They laughed as Mike Anderson, NTI founder and CEO, joked about network security. They growled in frustration when NTI cofounder Joseph Enders tossed them brain-twisting instructions to search for a particular name. And in the end, none of the students could graduate until they found their diplomas on an ostensibly empty disk.

"The diploma exercise is the ultimate test to see what they've really learned," Anderson whispered as students tried maniacally to get the certificate in the four-hour time limit. "That disk looks empty, but there's stuff on it, and if they can't find it, they're not ready to investigate real crimes."

Training courses at other companies are remarkably more subdued. At Guidance Software, for instance, instructors teach the ins and outs of the company's EnCase product; at AccessData, they teach the nuances of the new Forensic Tool Kit. Some of the major corporations have got in on the act as well. At both Cap Gemini Ernst & Young and Microsoft, forensic specialists teach clients how to use a number of off-the-shelf products, including some from Network Associates, Guidance and NTI. Not surprisingly, many of these specialists took classes from some of these vendors themselves, as recently as six months ago.

A little incest never hurt any industry, and experts say that as the industry grows, training will become more important, providing many investigators with a formal way to sharpen old skills and learn new ones.

Back in Gresham, Gary DeRosiers, a corporal in the Lee County (Florida) Sheriff's Department, said he enrolled to acquire the skills necessary to find evidence on a computer he believed a man used to mastermind a $US20,000 cheque-forging scam.

"I can't wait to get back and dig into [the machine]," said DeRosiers, who found his diploma without a hitch. "I just hope I remember everything once I'm there."

Take a Bite out of Crime

Over the past few months, electronic criminals have developed new methods to commit computer crimes. According to industry experts, many of these tools are available for free on the Internet, and criminals pass them back and forth to help each other out. Some of these tools include:

Anonymous Remailers: Machines on the Internet configured to receive and resend traffic by replacing the original source address of the sender with the address of the anonymous remailer machine. Intruders use them to mask their identities.

Internet Packet Filters: Software that allows intruders to intercept network traffic.

Nukers: Software tools used by intruders to destroy system log trails.

Password Crackers: Software that allows intruders to "break" encrypted password files stolen from a victim's network server.

Scanners: Automated software that helps intruders identify services running on network machines that might be exploited.

Spoofers: Software tools that allow intruders to masquerade as other users.

Trojan Programs: A legitimate program altered by the injection of unauthorised code that causes it to perform unknown (and hidden) functions to the legitimate system owner or user. Intruders use them to create undocumented "back doors" into network systems.

Say What?

SO YOU'RE NEW TO THE WORLD OF COMPUTER FORENSICS?

To make you feel more comfortable, here are some of the most common words and phrases in the industry.

Ambient data: Data stored in non-traditional computer areas and formats, such as in the Windows swap file, unallocated space or file slack.

Clusters: Fixed-length blocks of data (one to 128 sectors) in which DOS and Windows-based computers store files.

File slack: The data storage space that exists from the end of a file to the end of the last cluster assigned to the file.

Mirror-image backup: This copy of a hard drive, or other storage device, exactly replicates every sector of the original. It is accepted as a substitute for the original in a court of law.

Sectors: The smallest unit of storage on a computer. Sectors are composed of bits, and are generally a power of 2 bytes in size. A "regular" disk sector is 512 bytes.

Steganography: Encrypting and hiding data, for example in graphics, by changing the least significant bits into the message bits.

Unallocated file space: The area on a computer's hard disk where content goes when files are deleted or removed. The only way to clean this space is with cleansing devices known as scrubbers.

Windows swap file: A file that Windows-based computers use as a "scratch pad" in which to write data when additional random access memory is needed.

Join the newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Matt Villano

Latest Videos

More videos

Blog Posts