
Hacking Exposed


by Aaron Philipp


  SmartMedia

  Also known as the solid-state floppy-disk card (SSFDC), the SmartMedia card was developed by Toshiba. They range in capacity from 2MB to multiple GB, with physical dimensions of 45 mm long, 37 mm wide, and less than 1 mm thick. These cards have a very small NAND electrically erasable programmable read-only memory (NAND EEPROM) sandwiched between a plastic base card and a gold plate of contacts. Write protection is performed using a small metallic sticker placed in the upper corner of the card. These cards write and erase data in very small chunks, in 256- to 512-byte increments. This allows for fast and reliable data transfer, but be aware that their size and design can create problems with ruggedness and they will break.

  CompactFlash Cards

  CompactFlash cards were developed by SanDisk in 1994. They are very similar in design and function to SmartMedia cards but vary in several ways. First, they are thicker, which increases the lifetime of the card in the real world. Second, they are not just dumb memory; they have a controller built into the card itself. The storage capacity varies from 8MB to multiple GB, and the controller can take the load off slower computers. Another type of flash card is the xD-Picture card. xD cards are used primarily by Olympus and Fujifilm and use a proprietary format.

  Sony Memory Sticks

  Memory sticks are the Beta tapes of the flash memory world. In fact, the memory stick was designed by the same company that brought us Beta. Sony broke ranks with flash memory standards and created its own standard for its devices. The memory stick has a very distinctive form factor and color—it looks like a purple stick of gum. The first generation of the memory stick maxed out at 128MB, but later revs took the capacity up to 1GB. In addition, Sony introduced its MagicGate technology, which placed DRM technology inside the stick itself. These memory sticks have a slider that denotes the read-only mode.

  Working with Memory Technologies

  From a forensics standpoint, the whole thing can be summed up in one word: read-only. Most of these technologies have a hardware-level read-only mode. Always, always take advantage of this feature to prevent modification of the data. Make sure read-only mode is a part of your methodology even before inspecting the media. Another main problem with flash memory is getting an adequate reader. For the most part, this is an easy task, but you may end up obtaining some exotic or obsolete flash memory card that requires a reader that is not easily obtained. Learn what you are working with and how to set it to read-only as quickly as possible once you find out what you are going to be given. Also, sometimes pulling an accurate image from one of these devices can be a tricky process. Chapter 13 will cover this topic in more depth.
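The read-only acquisition and verified imaging that the paragraph calls for, as an added example (this is my code, not the book's): the source is opened strictly read-only, copied sequentially, and the source and the finished image are hashed independently so the image can be re-verified later, before analysis and after any suspected corruption. The "card" is a constructed byte string written to a temporary file; `acquire`, `verify_image` and `demo` are names chosen for this example, and it assumes the hardware write protection on the real media (sticker, slider or write blocker) has already been engaged.

```python
"""Added example (not from the book): a minimal forensic acquisition helper
that opens the source read-only and verifies the image by hash."""
import hashlib
import os
import tempfile

CHUNK = 4096  # sequential read size; small cards erase in 256/512-byte pages, we only read


def acquire(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Copy source_path to image_path sequentially, hashing both sides.

    The source is opened with O_RDONLY so no write can be issued through this
    handle even by mistake; hardware write protection on the media is still
    assumed to be engaged before this runs.
    """
    src_hash = hashlib.sha256()
    fd = os.open(source_path, os.O_RDONLY)
    try:
        with open(image_path, "wb") as dst:
            while True:
                block = os.read(fd, chunk)
                if not block:
                    break
                src_hash.update(block)
                dst.write(block)
    finally:
        os.close(fd)
    # Re-read the finished image independently so verification covers what
    # actually landed on disk, not just what passed through memory.
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "bytes": os.path.getsize(image_path),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def verify_image(image_path: str, expected_sha256: str, chunk: int = CHUNK) -> bool:
    """Re-hash an image later (e.g. before analysis) and compare to the acquisition record."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo() -> dict:
    """Run the acquisition against a constructed fake card in a temp directory."""
    # Constructed stand-in for a card's contents, not real media: 10761 bytes.
    fake_card = b"FAT16   " + bytes(range(256)) * 40 + b"\x00" * 513
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "card.bin")
        img = os.path.join(d, "card.raw")
        with open(src, "wb") as f:
            f.write(fake_card)
        record = acquire(src, img)
        record["recheck_ok"] = verify_image(img, record["source_sha256"])
        # Simulate a corrupted image: flip one byte and re-verify.
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        record["tampered_detected"] = not verify_image(img, record["source_sha256"])
    return record


if __name__ == "__main__":
    print(demo())
```

The two hashes in the returned record are what you would write into the acquisition notes; `verify_image` is the check to repeat whenever the image changes hands or storage.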

  CHAPTER 3

  FORENSIC LAB ENVIRONMENT PREPARATION

  In this chapter, we discuss four components that work together to make your lab’s output successful: the physical lab, forensic hosts, forensic tools, and case management. Each of these work in conjunction with the others to preserve, identify, and extract evidence:

  • The lab’s security, host computers, tools, and case management affect your forensic capabilities. Having the appropriate protections, documentation, storage mechanisms, room requirements, and environmental conditions aid in the successful discovery and preservation of evidence.

  • Computer platforms used for forensic acquisition and analysis vary in usefulness and usability. They also vary from inexpensive homegrown platforms to extremely expensive, proprietary, prebuilt specialty machines.

  • Hardware and software tools used during the investigation can make or break your case. You need to understand what tools will yield the results you need for your case. Your decision to use open-source or proprietary tools also plays a role in this discussion.

  • Solid case-management practices provide the foundation for conducting and archiving the investigation.

  THE ULTIMATE COMPUTER FORENSIC LAB

  The very nature of this assertion should grab your attention, because it is impossible for us to know the particular circumstances you might face. How can we possibly know the best mix of equipment, policies, personnel, qualifications, and myriad other criteria that will produce the ultimate lab for your organization? The best forensic lab for you is a careful combination of cost and effectiveness. This chapter provides a short education on the best resources for a well-equipped lab as well as the pitfalls often found in homegrown forensic labs and how to counteract them. Keep in mind that our focus is on the corporate lab, not labs found in law enforcement or government agencies.

  What Is a Computer Forensic Laboratory?

  The computer forensic laboratory houses the equipment and suspect media in a secure environment for day-to-day operations. You must consider a number of necessary components when designing your lab. The physical lab size, placement, security controls, policies, and procedures vary depending on your organizational needs. Small companies that handle the occasional civil case may not need more than an office behind a locked door and an inexpensive, fireproof safe. A corporation with tens of thousands of employees may have a substantial case load containing several dozen investigations each week. The differences here are obvious and include time, money, and resources necessary to sustain operations. You must design the right lab for your needs.

  Forensic Lab Security

  Ask yourself the following questions: How difficult would it be to compromise evidence in your lab? How many people have access to the lab? If a janitor came into your organization and visited late at night, would your evidence storage and processing facility be subject to compromise? Multiple attack vectors exist to destroy or alter evidence in your lab, and as a computer forensics examiner, you should account for these in your lab environment. They present a direct threat to the preservation, or integrity, of your evidence. You must protect both physical and network access to your lab and provide the appropriate environmental safeguards to protect the evidence.

  Spoliation of Evidence Through Lab Network Access

  The threat from curious and malicious crackers, hackers, and rogue employees grows because of the increased technical proficiency and curiosity of the workforce. A computer on an isolated network is protected from open access to hackers, viruses, and other malicious threats. If a trusted computer were placed on an open network without protection, the computer would no longer be trusted because it would present an opportunity for compromise. Protection from malicious network access is very important. Simply put, if the trusted platform is compromised over the network, the evidence findings may be in jeopardy. In the corporate environment, some initial level of protection is usually present. However, you must also consider isolating the corporate network from the forensic lab with an air gap (physical isolation) or at least a firewall (network isolation).

  Granted, proper preservation procedures will document the authenticity of the evidence and therefore protect against the argument that the evidence was tampered with. However, lots of components must line up—the discovery of the evidence must be reproducible, the authenticity of the evidence must be verifiable, and the examiner must follow proper procedures and not take shortcuts. You do not want to find yourself in a deposition trying to explain why your lab network’s security is careless and poor.

  Spoliation of Evidence Through Lab Physical Access

  Perhaps one of the easiest methods used to destroy or tamper with civil evidence is simply walking into a lab and taking it. Depending on circumstances, this may be easier than you think. Multiple books and self-proclaimed experts in the market discuss several methods for “social engineering” their way into a building to conduct malicious behavior. Unfortunately, in some cases, not even this bit of effort is required to compromise the sanctity of an organization’s evidence. If a company doesn’t take the time to place evidence in a secure location, how much credibility does that build for the company? What does this say about how well the company understands the value of critical evidence?

  Spoliation of Evidence from Poor Environmental Safeguards

  Fires, floods, and other disasters spell out a bad day in the lab, especially if no one has thought in advance about the risk mitigation of such disastrous events. A low rating represents the popularity, or likelihood, that this type of event will take place. However, note the rating for impact! Impact is a huge consideration in both a large corporate lab and a smaller company that desperately depends on the evidence findings.

  Like insurance, nobody likes to pay for security, but should something happen—and it may—you need to be prepared. If you have not conducted a basic physical survey of your lab, you are needlessly jeopardizing your equipment, records, archives, storage, and any pending internal and external cases.

  Protecting the Forensic Lab

  The security stakes for the large corporation are possibly much higher than those for a small organization, and so is the expectation for lab controls and policies. However, small companies must still adhere to common sense and “best practices.” A wealth of information is available about lab security, including the information in this chapter. Take the time and inventory the critical components needed for your lab. We will discuss some of these components in this chapter, but this is not meant to be an exhaustive review.

  Protecting the Forensic Lab’s Network Access

  The traditional school of thought is to isolate the examining computer completely from the network. However, some tools on the market are causing a shift in the way networks are used. These tools preview suspect computers prior to a formal examination in an effort to triage and determine the need for further investigation. An example of such a tool is EnCase Enterprise from Guidance Software, which allows a computer forensics examiner to examine a computer for documents, images, and other data (including volatile data) over the network without having to acquire the hard drive. (The advantages of a remote investigations tool are enormous and discussed in Chapter 5.) Consider the implications of leaving your analysis host on the network, unprotected, while you’re examining evidence. It’s an excellent practice to remove any doubt up front and affirm the integrity of your lab through carefully documented practices and formal lab policies regarding how your forensic hosts are used.

  Using the Internet during an investigation is a powerful tool, and in several cases the Net has proved to be enormously beneficial in helping to understand a suspect’s behaviors and interests. However, you should always access the Internet on a separate, segmented network. Many professional labs use three separate computers:

  • One for Internet access

  • One for administration

  • One for evidence, testing, and training

  Bottom line: Protect the integrity of your forensic lab from the rest of the corporate network. If possible, use a separate, standalone computer for Internet access during an investigation.

  Protecting the Forensic Lab’s Physical Access to Evidence

  The degree of security and access control required depends on the nature, sensitivity, and importance of the investigated evidence for your organization. If you are protecting information you believe may lead to a criminal investigation, you should increase the control of the material in question. Depending on the potential severity of the cases your organization will handle, you may be interested in the following types of access control considerations to help deter, detect, or defend possible asset compromise.

  Remember also that there are multiple ways to skin a buffalo. The end result is that you want to minimize your risk. The following example illustrates this point.

  Structural Design

  Some time ago, a young office administrator received sexually suggestive e-mails from an anonymous e-mail address. After several weeks of receiving the e-mails, the offended office administrator began to suspect a fellow coworker in her group. The forensic examiner for the investigation covertly reviewed the suspect’s drive and found remnants of web-based e-mail. The web-based e-mail clearly contained sexually explicit language directed toward the office administrator. When the examiner reported the findings to HR, the suspect was immediately called into the HR office, where HR staff were waiting on the examiner to print out the e-mail remnants. This should have been an easy task.

  Unfortunately, the forensic examiner was locked out of the lab. The office held the critical evidence that HR needed to view so that they could settle the allegation of sexual harassment. Frustrated, the forensic examiner asked a coworker to look up the number of the manager who had the backup key for the office.

  The coworker looked at the locked office door and said, “Young Grasshopper, go around the door, not through the door.” A minute later, the investigator watched as the coworker climbed over the wall and dropped through the ceiling, landing on the office floor.

  Structural design can be as complicated as erecting a concrete and steel bunker capable of withstanding category F5 tornadoes, or it may be as simple as mitigating the structural risk with locked containers and strict policies that ensure evidence is locked in a protected enclosure, such as a small safe, when the investigator is no longer working on the evidence. The perimeter walls of the forensic lab should not just partition the lab from the rest of the building, extending to just above the ceiling. They must extend all the way to the next floor deck. Otherwise, someone could easily climb over the wall into the forensic lab, as the example illustrates.

  Again, multiple methods can be used for achieving the end result. If the walls cannot be extended, consider ways you can secure the ceiling entrance. For high-security forensic labs such as those you would expect from a consulting services organization or a large corporate environment, the room should be alarmed, and not with just contacts on the doors. Properly placed motion sensors will detect a door opening as well as a person climbing through the roof or over the wall. In both cases, the alarm signal could go to the onsite guard and police.

  Locks, Doors, and Windows

  Two components are necessary for creating effective lock-out controls. The first component is the physical lock, and the second component is controlling access to the authentication components to make the lock function. In simple terms, the door to your house has a “good enough” quality deadbolt that will keep out most criminals looking for a quick crime of opportunity. You control access to the authentication piece (the key) by allowing your children and spouse to have a key, but not your neighbors.

  Locks for your forensic lab should be made of high-grade materials and specialized for high-security protection. Several types of locks on the market require multiple forms of authentication prior to operating. The authentication means vary as widely as requiring a special key, PIN code, fingerprint, proximity badge, and other such methods. You must make the best decision based on the materials you control in your environment and the resources available to build out your lab. In short, your protection mechanisms need to be defensible as reasonable precautions used to protect the evidence and the lab under your control.

  Additional considerations for doors and windows prevent them from getting easily bypassed. Doors should either hinge from the inside or have specialty hinges that prevent a person from removing the pin in the hinge and popping out the door. Windows and other glass should be too small for a person to fit through.

  Evidence Lockers

  Evidence lockers provide additional protection beyond the physical barrier provided by the perimeter of the lab. With strict policy controls, such as locking away original evidence at all times when an investigator is not in the lab, you help ensure that your evidence is protected from tampering and physical disaster. Large case processing facilities typically have a room within a room for holding and working on evidence; however, this is not practical in most resource-constrained corporate environments. An evidence locker can be as sophisticated as a keyless, multi-compartmentalized system used by some police agencies, or as simple as a locking, fireproof safe available at your local office supply store. (For some inexpensive solutions, check out SentrySafe online at www.sentrysafe.com.) An inexpensive safe costing a few hundred dollars can accommodate several dozen hard drives, while more expensive safes can easily run in the tens of thousands of dollars.

  The important message here is to protect your evidence. Standard backup procedures also apply. Whether your gig is investigating civil or criminal cases, you simply cannot afford to lose evidence. Take the time to find a secure method that works for you.

  Policies and Procedures

  In addition to obvious physical protections, policy and procedural requirements are necessary for controlling access to the lab. Access control lists (ACLs) determine who has access to the lab and who is allowed to escort others into the lab. Ideally, every entrance and exit to the lab contains a log that is initialed or signed by the people entering and exiting the lab. At a minimum, anyone not associated with the lab, as in not specifically listed on the ACL, should log his or her entrance, escort, date, time, and reason for entering the lab.

  All of this tracking is especially true for evidence. Evidence must be traceable from the moment the media was confiscated to preserve the all-important chain of custody, as discussed in Chapter 1.
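An added example (not from the book) of the entrance log and evidence traceability described above, implemented as a hash-chained log: each entry records the person, escort, date and time, reason, and the hash of the evidence item handled, plus the digest of the previous entry, so a later edit or deletion anywhere in the log is caught by `verify()`. The names, times and case number are constructed sample values; `CustodyLog`, `record` and `verify` are names chosen for this example.

```python
"""Added example (not from the book): a tamper-evident lab access and
evidence custody log built as a SHA-256 hash chain."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries = []

    def record(self, person: str, action: str, reason: str,
               escort: Optional[str] = None, item_sha256: Optional[str] = None,
               when: Optional[str] = None) -> dict:
        """Append one entry; fields follow the text (person, escort, time, reason)."""
        prev = self.entries[-1]["entry_sha256"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "person": person,
            "escort": escort,
            "action": action,          # e.g. "enter lab", "check out item", "return item"
            "reason": reason,
            "item_sha256": item_sha256,  # hash of the evidence image handled, if any
            "prev_sha256": prev,
        }
        entry["entry_sha256"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, index of first bad entry or -1). Checks order, links and digests."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_sha256"}
            if e["seq"] != i or body["prev_sha256"] != prev or _digest(body) != e["entry_sha256"]:
                return False, i
            prev = e["entry_sha256"]
        return True, -1


def demo() -> dict:
    """Build a small log from constructed entries, then show an edit being detected."""
    log = CustodyLog()
    drive = hashlib.sha256(b"constructed sample image bytes").hexdigest()  # constructed
    log.record("J. Examiner", "enter lab", "case 2024-0001 analysis",
               when="2024-01-08T09:00:00+00:00")
    log.record("J. Examiner", "check out item", "image suspect drive",
               item_sha256=drive, when="2024-01-08T09:05:00+00:00")
    log.record("Facilities Tech", "enter lab", "HVAC service",
               escort="J. Examiner", when="2024-01-08T11:30:00+00:00")
    log.record("J. Examiner", "return item", "drive returned to safe",
               item_sha256=drive, when="2024-01-08T17:00:00+00:00")
    clean = log.verify()
    # An after-the-fact edit to entry 2 (dropping the escort) breaks the chain there.
    log.entries[2]["escort"] = None
    return {"clean": clean, "edited": log.verify(), "count": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

Keeping a copy of the latest `entry_sha256` somewhere outside the lab (the day's sign-out sheet, a supervisor's notes) is what makes the chain useful: the log can then be re-verified against a value the log itself cannot rewrite.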

  Protecting the Forensic Lab from Environmental Damage

 
