Hacking Exposed

Page 4

by Aaron Philipp


  Investigator Use of Evidence

  Evidence is a tricky thing. The best rule of thumb is that if you didn’t empirically find the evidence through hands-on investigation, don’t use it. Hearsay is not admissible in a court of law, and we all know what happens when you make assumptions. The best course of action is to treat every investigation as a blank slate with no prior knowledge. Begin an investigation with an open mind, and take the unsubstantiated words of others with a grain of salt. The tools and the processes exist for a reason; use them and trust them. The more that politics and personal agendas influence your analysis, the less credible your results become in court.

  Investigator Liability

  If you ignore the caveats and decide to conduct the investigation, you are financially and legally liable if it becomes a civil or criminal case and you are not doing a corporate investigation. In the best case, the courts throw out the analysis and a third party conducts another investigation. In civil cases, you may be liable for loss damages resulting from the destruction or inadmissibility of evidence. All those high-priced lawyers that your company is using to go after someone will soon be coming after you. In criminal cases, you can be tried for negligence and serve jail time.

  Being a Good Investigator

  Know your limits, and don’t be afraid to call in qualified professionals if the situation requires it. This may sound basic, but practice with your tools. Constantly revalidate your processes for handling evidence and test the results of your tools. You must be able to execute flawlessly when the time comes. This is a hard lesson that most rookie investigators learn in their first deposition when the opposing counsel’s experts contest them. They leave the deposition with egos deflated, wishing that they had finished reading this book.

  ELEMENTS OF A GOOD PROCESS

  The task of a computer forensics investigator is difficult. It is one of the most adversarial occupations in information technology. You will have every aspect of your technical competency and methods scrutinized to their very core. As such, it is imperative that you use a deterministic, repeatable process that is clear, concise, and simple. Adherence to this process is the examiner’s greatest asset. Deviate from it, and your investigation will be for naught. Having a defined, proven process means you show several elements:

  • Cross-validation of findings

  • Proper evidence handling

  • Completeness of investigation

  • Management of archives

  • Technical competency

  • Explicit definition and justification for the process

  • Legal compliance

  • Flexibility

  This list will become your lifeline the day you either take the stand yourself or hand off the investigation to authorities who will pursue it further. These items are the difference between an effective, expedient investigation and playing around with a neat piece of software. Software is good, and while your friends may be impressed with your comprehensive knowledge of the latest in-vogue forensic tool, the opposing counsel, and more importantly the judge, will not.

  Cross-validation

  Whenever possible, rely on more than one tool to back up your findings. Cross-validation is one of the key tools available to the forensic investigator. If you trust only one tool in your investigation, you live and die by that tool. If the opposing counsel can rip holes in the single tool you use, it doesn’t matter how solid your investigative process is. A member of law enforcement once told me that he would assume that he could win cases based solely on the fact that the defense used a tool he knew had several holes. You can mitigate this type of situation by cross-validating findings with multiple toolsets. Better still, have another skilled investigator test your results independently and attempt to validate your findings.

  Proper Evidence Handling

  A good rule to follow as a forensic investigator is the same one taught to all incoming medical students: First, do no harm. Computer evidence is notoriously subject to the “observer effect”: the mere act of viewing data on a system without using proper forensic techniques can cause the data in the system to change. You must be able to show that the evidence you present in court is exactly the same as the evidence that existed at the time it was collected. That means you must not modify the evidence in any way as part of your investigation.

  The forensic investigator must always be aware of the chain of custody of evidence after collection. It is vital that you show who had access to the evidence, what they did with it, and that no tampering with the evidence occurred. Become familiar with the different cryptographic hashing functions, such as MD5 and SHA-1. These algorithms act like fingerprints, allowing you to show mathematically that the evidence is the same today as the day the investigator collected it. Also, always keep records of who accesses evidence, when they access the evidence, and what they do with it. This will help to refute evidence injection arguments that the opposing counsel may make during litigation.

  Completeness of Investigation

  When conducting an investigation, a forensics investigator has to be able to show that she conducted the search for evidence in a complete manner. Lawyers hate new evidence brought up days before court time that they didn’t know about. The clients they represent hate it even more when that new evidence causes them to lose the case. Know what you know and know what you don’t know. Follow your counsel’s direction on what evidence to look for and don’t go outside the scope of that. But use a process that ensures that you will locate every piece and reference to that evidence. If you don’t use a solid, tested process for evidence collection, analysis, and reporting, you will miss evidence.

  Management of Archives

  In the legal world, just because a judge has ruled does not mean the case is over. An investigator may be asked to rework a case months or years after the initial investigation. This makes it imperative always to ensure that proper archiving and case management is part of the process. If counsel comes back six months after a ruling asking you to rework a case for the appeal, you must be able to fulfill that request. This means proper document retention, data storage, and backup policies. As with your initial testimony, you will be required to show proper evidence handling and authenticity of the data. The last thing you want as an investigator is to formally request the opposing counsel for an image of a hard drive because your process didn’t include proper retention procedures.

  Technical Competency

  Have a complete technical understanding of everything you do. The surefire way to lose a case is to justify your actions by saying, “That’s what the tool says to do.” Challenge your tool’s assumptions. If you do settle on a specific toolset, understand the tradeoffs that the developers made when designing the tool. Know your toolset’s weaknesses and strengths so you can stand by it when questioned.

  A prime example of this is the way that the novice investigator treats digital signatures. It is common for someone with a basic understanding of a cryptographic hash to make the statement that “each dataset will create a unique hash.” While this statement is true as a matter of practice, the “birthday attack” shows that this can be subverted. If you understand hashing and are familiar with the birthday attack, it is easy to address this subversion when questioned. If you don’t understand these basics, you will be torn apart by the opposing expert.

  The birthday attack is based on the fact that if you keep generating different input datasets, two of them will produce the same hash alarmingly more often than one would expect. Its name is derived from the fact that with 23 people in a room, there is approximately a 50 percent chance that two of them share a birthday on the same day of the year.
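  The arithmetic behind that paragraph, as an added example that is not code from the book: it computes the 23-people figure exactly, then applies the same birthday bound to the MD5 (128-bit) and SHA-1 (160-bit) output sizes the chapter mentions. Function names are the example's own.

```python
import math

def birthday_collision_probability(samples, space):
    """Exact probability that at least two of `samples` values drawn
    uniformly from `space` possibilities coincide (birthday paradox)."""
    if samples > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct

def birthday_collision_probability_approx(samples, space):
    """1 - exp(-n(n-1)/(2N)): the usual approximation, needed when `space`
    is far too large to loop over, e.g. the 2**128 outputs of MD5."""
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))

def smallest_group_for_half_chance(space):
    """Smallest number of samples giving a >= 50% chance of a collision."""
    n = 1
    while birthday_collision_probability(n, space) < 0.5:
        n += 1
    return n

def inputs_for_half_chance(bits):
    """Random inputs needed for ~50% odds that ANY two collide in a
    `bits`-bit hash: sqrt(2 ln 2) * 2**(bits/2), i.e. about 2**(bits/2)."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)

if __name__ == "__main__":
    # The room-of-people case quoted in the text.
    print("23 people, 365 days:",
          round(birthday_collision_probability(23, 365), 4))
    print("smallest group at 50%:", smallest_group_for_half_chance(365))
    # The same arithmetic applied to the two hashes named in the chapter.
    for name, bits in (("MD5", 128), ("SHA-1", 160)):
        n = inputs_for_half_chance(bits)
        print(f"{name}: ~2**{math.log2(n):.1f} random inputs for a 50% "
              f"chance that some pair collides")
    # Caveat: this bounds finding *some* colliding pair. Matching one
    # specific, already-recorded evidence hash is a second-preimage
    # problem and costs on the order of 2**bits trials, not 2**(bits/2).
    # It also ignores algorithm-specific weaknesses (beyond this chapter).
```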

  Explicit Definition and Justification for the Process

  Hardware malfunctions. Software crashes. You must conduct your investigation in a manner that allows you to retrace all your steps. You must follow a discrete and clear path while performing an investigation that is easily explainable to a judge and opposing counsel. If you end up questioned on your methodology and the line of thinking that led you to the results you are presenting, you have to justify yourself. Do this by showing the steps and walking others through the investigation. If, when questioned on your methods, you can’t provide clear evidence that they were correct, the investigation was for naught.

  Legal Compliance

  Always ensure that your process conforms to the laws in the jurisdiction of the investigation. For an internal corporate investigation, ensure that it complies with the corporate policies set forth. The most technically creative and astute investigations are meaningless if they don’t adhere to the legal rules of the case. Talk to the lawyers or the corporate higher-ups. Get feedback on how the investigation should proceed, the type of evidence desired, and where the legal or corporate policy landmines exist. Remember that at the end of the day, the role of the investigator is a supporting role in a much bigger play. Talk to the legal or corporate experts and don’t perform the investigation in a vacuum.

  Flexibility

  Every investigation is different. Each has its own set of requirements and pitfalls. The process that you use to conduct investigations must be able to cope with change. A common issue with rookie examiners is reliance on just one tool. If an investigation requires you to find evidence on technology not supported by the tool, your process is worthless. Make sure you design your process to handle new technologies and requirements that may pop up as the investigation continues, and as you take on new investigations.

  DEFINING A PROCESS

  Now that you know what makes a good forensic investigator and what the elements of a sound process are, let’s define a process. The remainder of the chapter will focus on the process used by the Electronic Discovery Reference Model (EDRM). The EDRM is an industry working group that was created in May 2005 to create an industry standard process for the analysis and production of electronic data. It is sound and has been tested in both legal and technical aspects. In addition, it is flexible enough to handle the diverse requirements that you may see as an investigator.

  Following are the relevant stages of the EDRM:

  1. Identification

  2. Collection and preservation

  3. Analysis

  4. Production and presentation

  When applied correctly, these steps can guide you to a complete and justifiable investigation. They have been tested in court time and time again, with years of refinement.

  The EDRM working group comprises industry members from all areas of electronic discovery and forensics (including the two authors of this book). For more information on the EDRM project, visit www.EDRM.net.

  To understand the process as a whole, you must understand what each step in the methodology entails.

  Identification

  This first phase of the process details what you do when you’re presented with a case and need to determine a course of action. Five core steps guide you through the initial identification phase:

  1. Determine scope and quantity of the data. This requires that you, as the investigator, work with the individuals requesting the examination to determine what the investigation will cover and approximately how much data the investigation will entail.

  2. Identify repositories. Before beginning an investigation but after determination of the scope, you must identify the location of data that could potentially hold evidence. This could be anything from personal computers to enterprise servers, personal digital assistants (PDAs), or cell phones. At this point, you need to determine whether you have the tools you need to complete the examination properly.

  3. Strategize preservation. Once you determine where the data to examine is stored, you must decide what steps will be required to protect that data at all costs. If it can be shown that the data was modified outside normal business processes after the incident occurred, you will have problems justifying your findings. This preservation action must occur as quickly as feasible. As will be discussed in later chapters, accomplishing this depends on the circumstances of the investigation; no hard-and-fast rule applies to every case.

  4. Establish chain of custody. After protecting the evidence, it is a legal requirement that chain of custody be established. As discussed earlier, this entails creating a record of who did what to the data when. The longer you wait to establish chain of custody, the more difficult it is to trace the findings back to the original data. You must be able to show that the data is unmodified and that every attempt to access and interpret it was logged.

  5. Preview the data. Only after the completion of steps 1 through 4 should you preview the data in a manner that guarantees it is not changed. This allows you to prepare for the acquisition phase of the process, when you will create a forensic copy of the data for the purpose of investigation and interpretation. Be very careful to use only forensically approved tools, as standard interfaces such as Windows Explorer can cause inadvertent modifications to things such as file metadata.

  Collection and Preservation

  This is the point at which you will actually collect the data in a forensically sound manner for conducting the investigation. Detailed discussion of this phase occurs in later chapters. However, at a broad level, four core steps are involved in this phase of the process:

  1. Identify the source media. Data is stored on media, and you need to know what type of data is stored and how to access it. While this step sounds obvious, some pitfalls can occur. This issue can be especially problematic when you are presented, for example, with 15-year-old tape backups and no one has a clue in what format or media the tape is actually stored. Creativity and ingenuity are paramount in such situations.

  2. Select acquisition parameters. Establish the parameters required for proper imaging. The type of case and legal requirements placed upon the investigator will determine this. To use an old construction analogy, some jobs require a hammer and some require a screwdriver. Know what you are dealing with and act appropriately.

  3. Create the image. After you have determined the media and set your parameters, create the image. The image creation process must ensure that it hasn’t modified the data and that the image is complete. You must have metadata to accompany the image so that you can validate this process.

  4. Authenticate. The purpose of this phase is to determine whether the image that you have created is identical to the original data. The reliable way to accomplish this is through metadata cryptographic hashes. Before you create the image, create a hash of the original data in its pristine state. Immediately after you create the image, create a hash of the image data. These two hashes must match; if they don’t, you did something wrong and you will lose the case. It is also important that these hashes exist outside the data. If you place the hash inside the data to be imaged, you will alter the original data and thus invalidate your image and your investigation. Also, ensure that the hashing algorithm you choose is sufficiently secure. A simple checksum is too easy to spoof for evidence verification. The two common algorithms used in this step are the MD5 and the SHA-1 algorithms. While the forensics community battles about which is better, at the end of the day as long as you can justify your usage of your flavor of choice, either will be OK to use in practice.
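  The authenticate step above, together with the chain-of-custody record described under Proper Evidence Handling, as an added example (not the book's code): hash the source before imaging, copy it bit for bit, hash the image afterwards, and keep the hashes in a custody record outside the image. The sample media, the examiner placeholder and the function names are constructed for the example.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "source media": 4 KiB of bytes standing in for a disk.
SOURCE_MEDIA = bytes(range(256)) * 16

def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=4096):
    """Hash a readable binary stream in chunks; returns {name: hexdigest}.
    The stream is only ever read, so hashing never touches the source."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def image_and_authenticate(source_bytes, examiner, note=""):
    """Hash the source before imaging, copy it bit for bit, hash the image
    afterwards, and return (custody_record, image_bytes). The record lives
    outside the image, so nothing is written into the evidence itself."""
    source = io.BytesIO(source_bytes)
    image = io.BytesIO()
    before = hash_stream(source)            # pristine-state hash
    source.seek(0)
    for chunk in iter(lambda: source.read(4096), b""):
        image.write(chunk)                  # the acquisition step
    image.seek(0)
    after = hash_stream(image)              # hash of the finished image
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "bytes_imaged": len(image.getvalue()),
        "source_hashes": before,
        "image_hashes": after,
        "verified": before == after,        # must be True or the image is bad
        "note": note,
    }
    return record, image.getvalue()

def reverify(record, image_bytes):
    """Later check (a reopened case, an archive audit): rehash the stored
    image and compare against the hashes in the custody record."""
    return hash_stream(io.BytesIO(image_bytes)) == record["image_hashes"]

if __name__ == "__main__":
    rec, img = image_and_authenticate(SOURCE_MEDIA, "EXAMINER-PLACEHOLDER",
                                      note="constructed demo media")
    print(json.dumps(rec, indent=2))
    print("re-verification:", reverify(rec, img))
    print("after a one-byte change:", reverify(rec, img[:-1] + b"\x00"))
```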

  Analysis

  After you have determined what data you need to examine and have forensically verified images of that data, you can begin analysis. This is the meat of the investigation. The entire second part of this book addresses this phase, so we discuss it only at a broad level here. The key thing to keep in mind whenever performing analysis is completeness. Always be sure that you have looked in every nook and cranny and that you haven’t missed anything relevant. Lawyers hate it when opposing counsel finds new evidence that destroys your case. Be complete and creative; unconventional thinking will help greatly in this phase.

  Production and Presentation

  After you complete your investigation, you will probably have come up with evidence and information relevant to the case. Other people are interested in these findings, especially those paying your bill. This phase is discussed at length in the third part of the book. In general, just remember to keep it simple. To test how well you articulate your case, find the least technically competent member of your family and explain your findings to him or her. If you accomplish that goal successfully, you are ready to present the data to counsel. Lawyers are lawyers and CEOs are CEOs; if you find yourself having to describe the intricacies of the latest image format to them, you probably haven’t distilled the findings sufficiently. For highly technical investigators, this can be the most difficult phase of the process, so tread with care.

  AFTER THE INVESTIGATION

  After you have detailed your findings and the case has concluded, you must archive the data and findings because you may have to readdress the case in the future. The manner in which you go about this varies case to case. Ask yourself the following three questions to determine how to archive the data:
