Hacking Exposed

by Aaron Philipp


  Pitfall: Violating Private-sector Workplace Privacy

  If an employer does not have a clearly defined policy related to an employee’s expectation of privacy or an Acceptable Use Policy (AUP) when an individual logs on to a company-owned computer or network, the employee may claim a reasonable expectation of privacy.

  The courts generally look at two areas when evaluating workplace searches:

  • The employer’s justification for conducting the search

  • The employee’s reasonable expectation of privacy

  Companies with poorly defined policies and procedures expose themselves to liability. Employees may be able to claim that their expectations of privacy were reasonable and their rights were violated.

  Countermeasure: Correctly Written Acceptable Use Policies

  It is critical that an AUP be written and implemented effectively. The AUP must indicate to a user that any private, non-business-related activities are at the user’s own risk, and the user should have no expectations of privacy. Employers should consider obtaining a signed document from each employee that acknowledges receipt and understanding of the corporate policies and procedures. This may help to strengthen an employer’s position should an employee challenge the expectation of privacy issue.

  In the sections that follow, we discuss two major types of remote forensic capabilities: remote investigations and remote collections. A remote investigation is the practice of actually performing the investigation, such as keyword searching and file hashing on the remote machine. A remote collection is the practice of actually going across the network to take a forensic image of the remote machine for preservation and future examination purposes.

  REMOTE INVESTIGATIONS

  A remote investigation is the practice of actually performing an investigation on a remote machine. In most cases, you’ll want to investigate the machine before carrying out the remote collection. That way, you can verify the presence of suspect artifacts on the remote machine before collecting data.

  One of the biggest challenges facing forensic investigators is how to access and investigate the suspect media prior to performing any level of forensic collection. It is still considered acceptable practice to acquire the machine’s image and then begin your analysis. However, such traditional approaches that involve collecting evidence before analyzing it make it almost impossible to conduct large-scale legal discovery and fraud cases without devoting considerable resources and disrupting business. This can be both costly and time-consuming, especially if the machines are located in a number of remote offices. Several tools are available, however, that allow investigators to analyze a network computer forensically without having to travel to the computer’s location and bring it offline to acquire its hard drive.

  With the remote investigative capabilities available today, the forensic examiner can, from a secure location, carry out many of the standard investigative tasks discussed in other chapters—forensic imaging, examining file signatures, performing keyword searches and file hashing, viewing deleted files and images, reviewing forensic artifacts, reviewing registries, copying files to the examiner workstation, and generating reports of suspect information.

  To conduct a remote investigation, the investigator needs to configure and deploy the appropriate software in advance. The tools discussed next have at least an examiner component that resides on the investigator’s machine and an agent component that resides on the target machine that will be investigated. In the case of EnCase Enterprise, a third component is required for authentication purposes.

  Remote Investigation Tools

  Three remote forensic analysis tools are EnCase Enterprise Edition, Paraben Enterprise (P2EE), and ProDiscover. The breadth of analysis varies depending on the technology used to carry out the remote investigation. No matter which tool you use, ensure that the appropriate security controls are in place.

  You should test and deploy the remote investigative technology in your environment well in advance of actual use. The last thing you want to be doing is deploying agents to machines that you should be examining immediately.

  Remote Analysis with EnCase

  To perform remote analysis with EnCase, follow these steps:

  1. Log on to EnCase Enterprise Edition from the examiner machine, as shown here.

  2. Select Network from the View drop-down list.

  3. Create a new node using an IP address or hostname within the network view. Then click OK.

  4. Click the New button, which will create a new case from which you can work.

  5. A new window appears, as shown next, where you can select the appropriate security role. (EnCase uses granular role-based permissions that let an organization clearly define what actions the examiner can perform and to whom. Roles are defined by the administrator during setup of EnCase Enterprise. The roles are a collection of investigative powers that are granted to an authorized examiner. Each examiner must be assigned a role before he or she can conduct any type of investigation.) After you select a role and click Next, the New Case dialog will appear.

  6. In the Case Options dialog, shown next, add the appropriate information for the new case and click Finish.

  7. At the top of the EnCase Enterprise window, click the Add Device button, as shown here:

  8. In the Add Device window, shown in Figure 5-1, select the appropriate node under Enterprise and then click Next.

  Figure 5-1 Select a node to investigate.

  EnCase will display both physical drives and logical partitions or volumes. In most cases, you will want to select and acquire the physical drive. As shown in Figure 5-2, two entries are available. The second entry indicates that the target system has one physical drive (drive 0) with 4,194,304 total sectors. The top entry indicates a single logical partition (Volume C) with 4,192,901 total sectors. Make your selection and click Next.

  When you remotely preview a computer’s hard drive across the network, you are viewing all the data in a read-only forensic fashion without having to copy the entire drive contents before analyzing them.

  Figure 5-2 Select the physical drive or logical partition.
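The two entries in Figure 5-2 differ by 1,403 sectors, and that difference is the reason the text recommends acquiring the physical drive: the sectors before the first partition and after the last one are never part of a logical (Volume C) acquisition. The following is an added example, not code from the book or from EnCase, that reconstructs the Figure 5-2 layout from a constructed MBR and lists the sectors a logical acquisition would miss. The partition start (sector 63) and type (0x07) are assumptions; the figure only gives the two sector counts.

```python
import struct

SECTOR = 512
# Figures from the Figure 5-2 description: one physical drive (drive 0) of
# 4,194,304 sectors carrying a single volume (C) of 4,192,901 sectors.
DRIVE_SECTORS = 4_194_304
VOLUME_SECTORS = 4_192_901
VOLUME_START = 63  # assumption: the figure does not show where the volume begins

ENTRY = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, LBA length


def build_mbr(partitions):
    """Constructed 512-byte MBR for testing; partitions is [(type, start_lba, sectors), ...]."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(partitions):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, length)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the populated primary partition entries as dicts (LBA values, inclusive end)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA MBR signature")
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, start, length = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype and length:
            parts.append({"index": i, "type": ptype, "bootable": boot == 0x80,
                          "start": start, "end": start + length - 1, "sectors": length})
    return parts


def unallocated_ranges(parts, drive_sectors):
    """Inclusive sector ranges of the physical drive that no partition covers.
    A logical acquisition of Volume C never reads these; a physical one does."""
    ranges, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            ranges.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < drive_sectors:
        ranges.append((cursor, drive_sectors - 1))
    return ranges


def gib(sectors):
    return sectors * SECTOR / 2 ** 30


def figure_5_2_layout():
    """The layout described in the text, reconstructed under the VOLUME_START assumption."""
    parts = parse_mbr(build_mbr([(0x07, VOLUME_START, VOLUME_SECTORS)]))
    gaps = unallocated_ranges(parts, DRIVE_SECTORS)
    return parts, gaps, sum(e - s + 1 for s, e in gaps)


if __name__ == "__main__":
    parts, gaps, missing = figure_5_2_layout()
    print(f"physical drive: {DRIVE_SECTORS} sectors = {gib(DRIVE_SECTORS):.3f} GiB")
    for p in parts:
        print(f"  partition {p['index']} type 0x{p['type']:02x}: "
              f"sectors {p['start']}-{p['end']} ({gib(p['sectors']):.3f} GiB)")
    for s, e in gaps:
        print(f"  outside any partition: sectors {s}-{e}")
    print(f"sectors a logical (Volume C) acquisition would miss: {missing}")
```

The 1,403 uncovered sectors hold the partition table itself, any boot code, and the tail of the drive; each of those is a place where data can live outside the file system, which is why the physical drive is the default choice.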

  Once you’ve finished previewing the drive, as shown in Figure 5-3, you can perform a full forensic investigation of the remote system by analyzing the registry, carrying out keyword searches, performing file signature verification and hashing, carving data from the unallocated space, copying out deleted files, and many more operations.

  The true power of a remote investigation tool is clear. Instead of physically acquiring the drive to conduct a forensic analysis, you can use just a few clicks to access the data. The user of the target system will never know that an examiner is previewing and analyzing his or her machine. In the real world, this remote and covert approach can be invaluable. You do have to consider the network speed between you and your suspect, however, or it may take days to finish the drive imaging.

  Figure 5-3 Remote system hard drive preview
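Three of the operations listed above, file signature verification, hashing against a hash set, and keyword searching, are simple enough to show end to end. The following is an added example written for this page, not code from the book or from EnCase, run over a handful of constructed files. The signature table is an illustrative subset, the "known-bad" hash set is built from one of the constructed files, and the keyword search is limited to ASCII keywords, which it looks for in both ASCII and UTF-16LE because Windows applications often store text in the latter.

```python
import hashlib

# Header signatures (magic bytes) for a few common types, keyed by the
# extension an examiner expects to carry them (illustrative subset).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions that legitimately share a container signature.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "dll": "exe"}


def identify(data):
    """Return the type implied by the file header, or None if no known signature matches."""
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):  # bytes.startswith accepts a tuple of candidates
            return ext
    return None


def signature_check(name, data):
    """'match', 'unknown', or 'mismatch:<real type>' when the header contradicts the extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is None:
        return "unknown"
    return "match" if actual == ext else "mismatch:" + actual


def hash_bytes(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def keyword_hits(data, keywords):
    """Case-insensitive (ASCII letters only) search in ASCII and UTF-16LE encodings.
    Returns (keyword, encoding, byte offset) for every occurrence."""
    hay = data.lower()  # bytes.lower() touches only ASCII letters, so UTF-16LE ASCII text is safe
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = hay.find(needle)
            while pos != -1:
                hits.append((kw, enc, pos))
                pos = hay.find(needle, pos + 1)
    return hits


# Constructed sample "files" standing in for a previewed volume.
SAMPLE_FILES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "budget.xls":  b"\xff\xd8\xff\xe0" + b"JFIF hidden image",  # JPEG renamed to look like a spreadsheet
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt":   b"Reminder: Wire Transfer to vendor on Friday\n",
    "memo.doc":    "Move the offshore account funds".encode("utf-16-le"),  # text stored as UTF-16LE
    "tool.exe":    b"MZ\x90\x00" + b"\x00" * 16,
}
# Constructed hash set: in practice this would be a vendor or internal known-bad list.
KNOWN_BAD_SHA256 = frozenset({hash_bytes(SAMPLE_FILES["tool.exe"])["sha256"]})


def triage(files, known_bad=frozenset(), keywords=()):
    report = []
    for name, data in files.items():
        digests = hash_bytes(data)
        report.append({
            "name": name,
            "signature": signature_check(name, data),
            "sha256": digests["sha256"],
            "hashset": "known-bad" if digests["sha256"] in known_bad else "unknown",
            "keywords": keyword_hits(data, keywords),
        })
    return report


def run_triage():
    return triage(SAMPLE_FILES, KNOWN_BAD_SHA256, ("wire transfer", "offshore account"))


if __name__ == "__main__":
    for row in run_triage():
        flags = [f for f in (row["signature"], row["hashset"]) if f not in ("match", "unknown")]
        print(f"{row['name']:12} {row['signature']:14} {row['hashset']:10} "
              f"{row['sha256'][:16]}... hits={row['keywords']} {'<-- review' if flags or row['keywords'] else ''}")
```

The "unknown" result for memo.doc is deliberate: it means the header is not in the table, not that the file is clean, and a production signature table is much larger than this one.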

  Remote Analysis with ProDiscover

  Before beginning your analysis, keep in mind that ProDiscover does not have encryption enabled by default, which means all analysis and collection traffic will be transferred in the clear until encryption is enabled. In addition, ProDiscover has no user permission system in place to prevent unauthorized examiners from carrying out investigations. Make sure the remote investigative technology deployed by your organization has been thoroughly tested and approved by the security organization.

  To perform a remote analysis with ProDiscover, follow these steps:

  1. Launch ProDiscover and create a new case by clicking open, as shown here:

  2. Select Connect To from the ProDiscover toolbar.

  3. In the pop-up window that appears, enter the hostname or IP address of the target machine, and then click the Connect button. You will then have access to the remote file system.

  Once you’re connected, you can carry out a forensic investigation of the remote system by viewing images and performing keyword searches and file hashing.

  As is the case with all forensic tools, training is critical to ensuring that the tool is used properly and that you understand how the technology works. You may have to defend your use of the tool and process if it becomes a material issue in a civil or criminal proceeding.

  Remote Analysis with Paraben Enterprise

  To perform a remote analysis with Paraben Enterprise, follow these steps:

  1. Launch the P2EE Captain module.

  2. In the Login dialog, log in to the Captain module, making sure that you specify the IP address for the P2EE proxy server that is visible to the computer you are going to inspect. Then click OK.

  3. In the Explorer pane on the left side of the main screen, right-click Agent, and then choose Add Agent.

  4. In the Agent Install window, type the IP address of the system to which you want to connect, and then click Scan.

  5. Enter either the network administrator login information or the local administrator login information for the system you chose.

  6. Click the right arrow button to move the system from the Available Computers list to the Selected Computers list for agent deployment.

  7. In the Options area, choose Enable Security to turn on security features, Completely Log if you want the install process logged for you to view, and Restart if you want the target computer to restart when the installation completes.

  8. Click Install to deploy the agent.

  You can now view the registry, the drive contents, and the suspect’s screen, and you can perform tasks in Paraben Enterprise.

  Failing to Keep an Investigation Covert

  Depending on the sensitivity of the case and the people involved, your ability to conduct a covert forensic investigation from a safe location is critical. Investigating a machine remotely means you no longer need to acquire the machine in the middle of the night (typically referred to as a black bag job) or escort the suspect away from his or her machine, causing a commotion among coworkers. Scenarios and issues that endanger a covert investigation include the following:

  • Somebody discovers who is involved in the investigation and notifies co-conspirators, damaging the investigation.

  • The subject discovers he or she is being investigated and destroys the evidence.

  • The subject discovers he or she is being investigated, and when coworkers find out, employee morale is damaged.

  • The subject discovers the investigation is taking place and modifies any inappropriate behavior, such as ceasing to perform fraudulent transactions.

  Properly Performing Covert Investigations

  EnCase, Paraben Enterprise, and ProDiscover give you the ability to carry out covert examinations without the subject discovering that he or she is being actively investigated. This capability is a key aspect of these technologies and if used correctly can determine the success or failure of the investigation. The following techniques and actions can help you ensure the success of a covert investigation:

  • Minimize the number of simultaneous operations to minimize system resource usage. For example, don’t perform a keyword search, file signature analysis, and hash analysis all at the same time.

  • Give the remote investigative agent an operating system-friendly name such as svchost.exe and run it from the system directory, or in the case of Paraben Enterprise, choose Secure Mode. Be aware that masquerading as a Windows system binary is exactly what malware does: a second svchost.exe, or one running from anywhere other than the Windows system directory, is a textbook indicator of compromise, so coordinate with whoever runs antivirus or endpoint monitoring before deploying, or the agent may be quarantined and the investigation exposed.

  • If your organization uses personal firewalls, make sure a standard policy is in place to allow inbound connections from the examiner’s machine. Otherwise, the subject could be alerted by the firewall that somebody is trying to connect to his or her system.

  • Ensure that the remote investigative agent does not leave any events in the event logs, because many savvy users check them regularly.

  • Minimize the number of people who know about the investigation to reduce the risk of the subject finding out accidentally or intentionally that he or she is being investigated.

  • To keep from alerting the subject, try to use an agent that runs as a system service each time the machine is started. That way, you aren’t required to connect to the remote machine and start the service before beginning the examination.

  • For sensitive cases, conduct the investigation during the evening when the suspect is most likely not at his or her machine.

  • Time the investigation for periods when the subject expects a lot of hard drive activity, such as during scheduled antivirus scans or the patching that follows a security vulnerability announcement.

  • Search only the data that is relevant to the case. For instance, if you are looking for documents, narrow your search to specific areas and data types.

  • Determine whether the target machine is a laptop or desktop machine. If the suspect is using a laptop, sustained hard drive activity can alert him or her to the investigation.

  • Be patient and don’t rush the investigation; if necessary, break it up into several phases.

  REMOTE COLLECTIONS

  Remote collections are changing the manner in which forensic investigators, compliance officers, human resource personnel, and other forensic practitioners are conducting computer- and network-based investigations. By remote collection, we mean acquiring a computer hard drive across the network in a forensically sound manner without having to be within physical proximity of the target media. Previously, we discussed remote investigations, which typically occur before you carry out a remote collection. In almost all cases, using remote tools such as EnCase Enterprise, Paraben Enterprise, and ProDiscover, you will first check for relevant artifacts and then begin collection if necessary. In Chapter 4, we covered methods and procedures for examining the evidence on-site. It’s clear from the previous discussion in “Remote Investigations” that being able to investigate a system remotely without first acquiring it dramatically changes the way traditional investigations are conducted. If you need to acquire the machine for preservation or authentication purposes, you can accomplish this across the network using remote collection tools. The creation of these tools has reduced and simplified many of the challenges of collecting forensically sound evidence. You no longer have to travel to the target location, power down the machine (and potentially disrupt the business), or crack the computer case to collect media.

  Sometimes, performing a remote collection is your only option. Here are a few examples:

  • When you need to acquire a revenue-generating production server that can’t be brought offline for any reason.

  • When you’re dealing with a large RAID server with many drives and complex configuration, in which case acquiring each individual drive and reassembling for analysis is an unreasonable option.

  • If the machine is in a hostile environment, going on-site could be potentially dangerous.

  • When critical evidence will be lost between the time an investigation is deemed necessary, and when the investigator can gain physical access to the computer.

  To carry out a remote collection, the investigator needs to configure and deploy the appropriate software in advance. The tools discussed next have at least an examiner component that resides on the investigator’s machine and an agent component that resides on the target machine. In the case of EnCase Enterprise, a third component is required for authentication purposes.

  Remote Collection Tools

  The collection options available to the examiner vary depending on the technology used to carry out the remote collection. No matter which tool you use, make sure the appropriate security controls are in place and that the tool works well over various network types, such as slower WAN (wide area network) connections.

  Remote collection tools can cause serious network problems if they are used incorrectly. It’s important that you understand your network environment and plan accordingly. Unlike the remote analysis process that brings only a subset of the drive data across the network to the examiner, the acquisition process, in essence, brings the entire contents of the hard drive across the network. Remember that acquiring hard drive contents across a network is the same as copying a very large file, but in this case you’re copying a forensic image. The amount of time it takes to collect a drive is typically a function of the available bandwidth and target machine resources and the amount of data on the remote machine’s hard drive.
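What makes the copy described above a forensic image rather than a very large file is that the bytes are hashed as they cross the network and the written image is verified against that hash afterward. The following is an added example written for this page, not code from the book or from any of the tools it discusses: it streams a constructed stand-in for a physical drive into an image in fixed-size chunks, hashing on the fly, verifies the result, shows that a single flipped byte is caught, and estimates transfer time for the Figure 5-2 drive. The 70% link-efficiency factor is an assumption for illustration.

```python
import hashlib
import io

SECTOR = 512


def acquire_image(source, dest, chunk_sectors=4096, algorithms=("md5", "sha256")):
    """Stream a raw image from a read-only source to dest in fixed-size chunks,
    hashing the bytes as they pass so the acquisition hash costs no second read.
    Returns (bytes_copied, {algorithm: hexdigest})."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    copied = 0
    while True:
        buf = source.read(chunk_sectors * SECTOR)
        if not buf:
            break
        for h in hashers.values():
            h.update(buf)
        dest.write(buf)
        copied += len(buf)
    return copied, {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(image, expected):
    """Re-read the written image from the start and compare against the
    acquisition hashes; transit corruption or later tampering shows up here."""
    hashers = {a: hashlib.new(a) for a in expected}
    image.seek(0)
    for buf in iter(lambda: image.read(1 << 20), b""):
        for h in hashers.values():
            h.update(buf)
    return all(h.hexdigest() == expected[a] for a, h in hashers.items())


def estimate_seconds(total_bytes, link_mbps, efficiency=0.7):
    """Transfer-time estimate: payload bits over the usable fraction of the link.
    efficiency models protocol overhead and competing traffic (assumed 70%)."""
    return total_bytes * 8 / (link_mbps * 1_000_000 * efficiency)


def make_sample_device(sectors):
    """Constructed stand-in for a physical drive: a repeating 0..255 byte pattern."""
    return io.BytesIO(bytes(range(256)) * (sectors * SECTOR // 256))


def run_demo(drive_sectors=2048):
    """Acquire the constructed device, verify the image, then flip one byte in a
    copy and confirm verification fails."""
    image = io.BytesIO()
    copied, digests = acquire_image(make_sample_device(drive_sectors), image)
    clean = verify_image(image, digests)
    damaged = bytearray(image.getvalue())
    damaged[len(damaged) // 2] ^= 0x01
    return {
        "copied": copied,
        "digests": digests,
        "verified": clean,
        "tampered_verified": verify_image(io.BytesIO(bytes(damaged)), digests),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"copied {result['copied']} bytes, verified={result['verified']}, "
          f"tampered_verified={result['tampered_verified']}")
    for algo, digest in result["digests"].items():
        print(f"  {algo}: {digest}")
    figure_5_2_bytes = 4_194_304 * SECTOR  # the 2 GiB drive from Figure 5-2
    for label, mbps in (("T1 (1.544 Mbps)", 1.544), ("10 Mbps", 10.0), ("100 Mbps", 100.0)):
        hours = estimate_seconds(figure_5_2_bytes, mbps) / 3600
        print(f"  {label:16} 2 GiB drive: {hours:6.1f} h   500 GB drive: "
              f"{estimate_seconds(500e9, mbps) / 86400:5.1f} days")
```

Keeping the hash computation inside the same loop that writes the image is the point: the examiner obtains the acquisition hash without a second pass over a link that, as the numbers printed for a T1 show, can turn a modern drive into a multi-day transfer.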

  Remote Collection with EnCase

  To perform remote collection with EnCase, follow these steps:

  1. Log on to EnCase Enterprise Edition from the examiner machine.

  2. Select Network from the View drop-down list.

  3. Create a new node using an IP address or hostname within the network view, and then click OK.

  4. Click the New button to create a new case.

  5. Select the appropriate security role from the new window that appears. (These roles are described previously in “Remote Analysis with EnCase.”) Then click Next.

  6. In the Case Options dialog, enter the appropriate information for the new case, as shown here, and then click Finish.

  Several different methodologies are available for structuring your case information. It’s important that you follow your organization’s policies and procedures or what you learned from a forensic training program.

  7. Click the Add Device button and select the node you are planning to acquire under the Enterprise section. Then click Next.

  EnCase will display both physical drives and logical partitions or volumes. In most cases, you will want to select and acquire the physical drive. As shown earlier in Figure 5-2, two entries are available. The second entry indicates that the target system has one physical drive (drive 0) with 4,194,304 total sectors. The top entry indicates a single logical partition (Volume C) with 4,192,901 total sectors.
