Hacking Exposed

by Aaron Philipp


  In addition, if you have any questions or comments for the authors, feel free to e-mail us at authors@hackingexposedforensics.com.

  We hope that you visit the Web site to keep up-to-date with the content in the book and the other things we think are useful. E-mail us if you have any questions or comments; we’d love to hear from you.

  A FINAL WORD TO OUR READERS

  As we said in the first edition, this book is about what happens after the incident response has taken place and during the nights of prolonged investigation to find the truth. When we wrote the first edition of the book, we had a fundamental tenet: Write a clear handbook for performing investigations of computer-related fraud. Five years and a world of technology later, that principle still guides us and is more important than ever. When applied properly, computer forensics applies a new level of transparency and accountability to traditional investigations that we haven’t seen in the past. It is our sincere hope that this book can assist, even if in a very small way, this transparency and accountability take root.

  That being said, we hope you enjoy reading this book as much as we did writing it. Thank you for taking the time to read what we have to say and good luck in all your investigations!

  —The Authors

  PART I

  PREPARING FOR AN INCIDENT

  CASE STUDY: LAB PREPARATIONS

  Since its founding seven years ago, AcmeTech had seen its share of ups and downs. Started near the end of the tech bubble, the company’s early days were a long way from the glitzy, go-go days of the dot.com heydays with fancy offices with $1000 Herman Miller chairs and product launch parties featuring the Dave Matthews Band. No, AcmeTech’s early days could be described best as “scrappy.” But the company succeeded where others failed primarily because it had what many didn’t: a “killer app.” It also had an aggressive salesperson who did his best to ensure that every Fortune 500 CIO had seen the application and wanted it.

  Seven years later, that one application had grown into a suite of applications and the company’s sales force had grown to 100 sales representatives in 10 countries. Leading the sales team was Herb Gouges, the same salesperson who, by sheer force of personality, got the company its first customer. Herb was now a seasoned veteran and was in high demand as a technology salesperson. While sales were booming, Herb was more than a little frustrated with AcmeTech management. He was one of the initial employees (and arguably one of its most important), yet he had received only a small amount of company stock. Worse, as the company grew, management reduced Herb’s commissions—fairly typical of a growing company but still frustrating to Herb. He was approached by a headhunter recruiting for a new technology company with a product competing with AcmeTech’s. Herb liked the product and the company but was concerned with having to start his sales efforts from scratch. While a non-compete agreement prevented him from soliciting directly from AcmeTech’s customers, Herb knew he could work “behind the scenes” at his new firm and direct his AcmeTech customers to the new product. All he needed was information: customer lists and data, pricing models, service agreement templates, and so on.

  Cashing Out

  The plan worked. Mr. Gouges and a small cadre of helpers compromised more than 60 computers across dozens of locations, and unsuspecting users suffered hundreds of thousands in monetary damages—these people lost some serious cash.

  It wasn’t long before the U.S. Secret Service got involved and traced the source of the damages to Mr. Gouges. After capturing the suspect, they further discovered that Herb was taking advantage of ACME Services’ computers, but they did not yet know how. The Secret Service notified ACME Services quietly to control any potential negative publicity for the publicly traded company. Acting as a silent partner, the Secret Service coordinated with ACME Services to bring in outside help.

  In the meantime, the judge released Mr. Gouges on bail. The story wasn’t over yet.

  Preparing for a Forensics Operation

  Before starting an investigation of any case, we have a thorough understanding of the forensics process, technical training, and proper lab preparation. These are critical to the success of an investigation. All the technicians assigned to our unit are required to have the necessary training and background to understand and conduct investigations. The training ensures that technicians avoid frequently made mistakes, such as turning on the computer to “check it out and see if anything important is in there.”

  Our team runs a secure lab and a formal case-management system. Before we started on the ACME case, we validated all the tools in the lab and neatly tucked the portable hardware units into the flyaway kits. We were ready to go when the call came to us. Our case-management system lets us handle the case and organize the evidence as it is returned to the lab. We control a large number of systems, tracking where the systems go and assigning the systems unique numbers with the proper documentation attached. This enables us to compare notes quickly and understand similarities found in multiple computers.

  Rapid Response

  Our flyaway kit includes a fully portable system with write blockers and extra drive bays ready to copy data. We also carry a standard set of tools and hardware used for our investigations. The standard set helped immensely when we needed to re-create our working system onto five new computers to handle all the systems we had to image. Having the tools and paperwork ready beforehand was critical to the rapid response demanded by the customer, especially considering the number of computers we had to investigate.

  Solid process controls, training, preparations, and case management allowed us to respond quickly and efficiently. Our success in this case depended on our investment in a deeper understanding of how case operations work and how we could get the system to tell us the information we needed to know.

  CHAPTER 1

  THE FORENSICS PROCESS

  fo·ren·sics n. (used with a sing. verb) The use of science and technology to investigate and establish facts in criminal or civil courts of law.

  Corporate espionage. Illicit images. Violations of corporate policy. Hacking attempts. Work in information technology for even a short amount of time and you will find yourself dealing with one of these situations. When an incident occurs, the inevitable first words from management will be “What happened?” Apply computer forensics correctly and you answer that question in a way that is technically, legally, and analytically sound. To meet this goal, a forensics investigator must combine time-tested forensic techniques, legal framework, investigative skill, and cutting-edge technology to determine the facts.

  Forensics is, first and foremost, a legal process. Depending on the investigation, you must understand and apply a vast array of legal concepts and precedents, such as chain of custody, spoliation of evidence, and dealing with production of evidence in court. If this sounds daunting, that’s because it is. If the crime is heinous enough, a lawyer will call on you to take the stand and testify about your investigation, your findings, and your qualifications as an investigator. If you do not perform the investigation with dedication to the process, technical details, and legal issues required, the facts that you uncover are useless. In the extreme, criminals get away, corporate secrets are leaked, and the investigator is held with a fiduciary responsibility for the mistakes made during the investigation. To put it in more concise terms: Be prepared. Have a process, understand what you know and what you don’t know, and create a list of who to call when the investigation exceeds your knowledge of either the technical or legal issues.

  TYPES OF INVESTIGATIONS

  Determining the type of investigation you are conducting is vital in discerning the correct process to follow. Each type of investigation has its own set of pitfalls, and knowing the parameters for the investigation you are conducting will help you avoid them. For the purposes of this book, investigations are divided into four main categories: theft of trade secrets, corporate or employee malfeasance, external breach, and civil litigation.

  Theft of Trade Secrets
  By far the most common type of forensic investigation is that of theft of trade secrets. Black’s Law Dictionary defines a trade secret as “Information that is not generally known or ascertainable, provides a competitive advantage, has been developed at the [company’s] expense and is the subject of [the company’s] intent to keep it confidential.” A trade secret may be a patent, trademark, or other intellectual property, or it may be something as simple yet important as a customer list or proposal template. The classic example of a trade secret is the formula for Coca-Cola.

  Trade secrets are protected by law, and employees and other entities are prohibited from stealing them or making them available to others. Despite this prohibition, employee theft of trade secrets is rampant. It typically occurs when an employee or a group of employees leave a company to work for a competitor. Everyone wants a leg up, and for the employee that might mean taking competitive intelligence to his new employer. Depending on the nature of the information taken, this can have serious consequences for the owner of the stolen information in terms of lost customers, contracts, revenues, and so on. Because of this, and because most trade secrets today are stored electronically, internal and external forensic investigators deal with this issue more than any other. Depending on the nature of the information stolen, these cases can be very fast-moving investigations because of the potentially negative financial impact on the company.

  While these investigations may start as an internal investigation, they can quickly turn into litigation in the form of temporary restraining orders and lawsuits. As a result, an investigator must assume from the outset that the evidence collected in a theft of trade secrets matter will be ultimately presented in court and should use defensible technical methods and follow appropriate processes.

  Corporate or Employee Malfeasance

  Investigations into malfeasance on the part of a company, an individual, or a group of employees can take one of three forms: internal, external such as a governmental investigation, or quasi-internal such as a board of directors’ investigation of senior executives. These investigations require an element of secrecy, as the suspects are typically active employees who are in violation of the law or corporate policy. The simple knowledge that an investigation is occurring would be enough for the suspects to destroy evidence, potentially causing more harm. The clandestine nature of these investigations makes them different and challenging. Alternative means of evidence collection may be employed to preserve the secrecy of the investigation. Forensic activities may take place without the knowledge of the company’s IT department, making the investigation even more complicated. And because the information gathered may ultimately end up being used in a criminal case, the methods must be rigorous and unassailable.

  External Breach

  You are most likely familiar with this type of an investigation because it’s typically the one that gets all the headlines. Individuals from outside the company penetrate the company’s network to exploit the data or the network itself for commercial gain, retaliation, or purely for fun. To the extent that customer data such as transaction information or financial records are involved, these types of hacking incidents can be very harmful to a company’s reputation and can open it up to expensive regulatory action and litigation. Theft of credit card information from banks and Social Security numbers from universities are famous examples of external breaches. Time is of the essence in these situations. But while steps must be taken to secure the breach, an investigator must be mindful that these steps do not, if at all possible, compromise the investigation that will ensue. Too often we have seen the remediation and the investigation occur sequentially when in reality they should occur simultaneously. Documentation in these investigations is critical, as it is important to ensure that the evidence is preserved so that it can be used in future civil or criminal litigation.

  Civil Discovery

  Civil discovery is less of an investigation and more of a step in the litigation process. Our legal system gives parties to litigation the opportunity to review documents in support of or in refutation of a legal claim. This means that if one company sues another, each is entitled to review the other company’s documents that are deemed to be relevant to the case. For example, in the case of a theft of trade secrets, the competitive firm is allowed to review all the evidence collected during the investigation that relates to the theft. Forensic investigators may be asked to identify and produce electronic data from their company to comply with a discovery request or to review the evidence provided by the opposing company to establish proof of the company’s claim.

  While the pace of civil discovery may be slower than an investigation into an external breach, the importance of well-documented processes and methods remains critical. Either side may make an issue over how the evidence was collected and produced. Should the judge agree that the processes used were negligent, the company could suffer in the courtroom. We’ve seen entire cases thrown out or monetary sanctions imposed as a result of faulty methods used in the preservation or collection of relevant data.

  A Special Note About Criminal Investigations

  While any one of the aforementioned investigations can rise to the level of a criminal act, they are most likely to occur in instances of corporate malfeasance and external breach. These investigations are often for the highest stakes. The suspect’s livelihood and/or the company’s reputation and even viability are on the line, and every aspect of the investigation is scrutinized and reworked multiple times. Accuracy is paramount, with attention to the process and documentation a close second.

  Know your process, know your tools, and above all know your limits. For an internal investigator, these cases can be particularly problematic as the pressure to muddle or even suppress the truth can be intense. In these situations, it’s best to encourage the use of an external forensic investigator. As an external forensic investigator, be judicious in selecting in which criminal matters you get involved. These cases play out in the media, with the latest happenings of the court showing up on the 6 o’clock news. Credibility of the investigator is also at a premium, and if you don’t have the proper credentials and background to testify properly on your findings, your credibility will be destroyed on the stand in a very public forum.

  Determining the Type of Investigation

  Knowing the type of case you are dealing with defines how you conduct your investigation. This determination is never as easy as it sounds. Cases can escalate in the blink of an eye. You don’t want to get in a situation where evidence has to be thrown out because you took the situation too lightly and didn’t fully think through what type of case you were dealing with. Always treat a new case with the same standard procedures you know are tested and true. This simple guiding principle, although not followed as often as we’d like to believe, can save an investigator immeasurable grief down the line.

  THE ROLE OF THE INVESTIGATOR

  What makes a good computer forensics investigator? The ability to be creative in the discovery of evidence, rigorous in the application of a disciplined process, and understanding of the legal issues that are involved every step of the way. However, other factors play into the equation, depending on the investigation’s context. Stories of investigators who ruined or destroyed a case because of incompetence or arrogance are all too familiar. You must have a complete understanding of the risks when you embark on a case.

  Investigator Bias

  The investigator must play the role of an unbiased third party. Think of it in terms of traditional forensic sciences. For example, if the scientist performing a blood test in a violent crime case is friends with the suspect, the results of the test will be considered dubious at best. The same holds for computer forensics. Those who have been on the stand in this position will attest to the fact that you must be unbiased. If the opposing counsel can create the impression that you are biased, you will be embarrassed on the stand or in deposition. This is particularly true of internal forensic investigators. If you are perceived to be operating solely in the best interest of your employer and not to the furtherance of the truth, you’ll become raw meat to a good opposing counsel. Internal investigators need to take even more steps to ensure the integrity and completeness of their analysis than even external investigators do to overcome this perceived bias.

  Resolving Bias

  Always practice full disclosure with your clients, internal and external. Discuss with them potential conflicts of interest. If you had dinner at the suspect’s house two years ago, make sure they know about it. If the other side knows about it but your guys don’t, you are in for a bad time during and after deposition. Don’t be afraid to recommend a third-party firm or investigator who can conduct the investigation in an unbiased manner.

  Investigator Qualifications

  The investigator must be qualified to perform the analysis in a skillful manner. For criminal investigations, the law enforcement examiners go through rigorous training seminars to become skilled in the art. Experts who have a track record in the industry and who have enough credentials to imply competency often conduct civil investigations. Commonly, IT administrators conduct internal investigations, or in the case of large-scale corporations, a special division of the company is employed. Don’t make the mistake of assuming that you’re qualified to be a forensic examiner just because you’re a skilled IT manager. I have been a party to many dinners and outings where experienced investigators tell war stories about going against “newbies.” These stories always end badly for the newbie. Don’t be the subject of one of these stories. If you are not properly qualified and credentialed to perform the investigation, the court will throw out your findings and you will be in a world of hurt with your superiors.
