Ten Deadly Sins of Computer Forensics

Transcription

1 Ten Deadly Sins of Computer Forensics Cyber criminals take advantage of the anonymity of the Internet to escape punishment. Computer Forensics has emerged as a new discipline to counter cyber crime. This paper focuses on the ten deadly sins of Computer Forensics. 1. Introduction: The last decade has seen tremendous growth of information and communication technology (ICT), Internet and e-commerce. The ease and convenience associated with electronic channels has led to the proliferation of social networking sites, e-banking, e-retailing and numerous other e-services. This newfound ease has also led to the popularity and acceptance of e-payments through payment gateways, which have helped to make the Internet a repository of personal, financial and business information. The ICT revolution has also coincided with the emergence of transnational corporations, and growth of off shoring. This new grow industry has created a whole stream of intra-business and inter-business communications, functions, and data storage which depend largely on the use of computers, networks and all forms of ICT. Consequently, organizations hold a wide variety of customer and business data in electronic form. The flipside of this revolution has been the simultaneous growth of cyber crime. Cyber criminals are always on the lookout to steal different types of information through phishing, spamming and a host of other techniques. This has given rise to threats like identity theft, money laundering, credit card fraud, and infringement of copyrights among many others. The anonymity of the Internet sometimes, makes it difficult to trace the cyber criminals. This has resulted in the development of a new science known as computer forensics. 1.1 Computer Forensics Protection of customer, financial and business data is one of the prime concerns of organizations. Loss of data has both financial and legal implications. Organizations are vulnerable to cyber threats from both external and internal agents. Computer forensics is a science, which deals with collection, evaluation and analysis of data and information from networks, computers and storage devices with the purpose of presenting evidence of crime in a court of law. The data in computers may be either persistent or volatile. Page 1

2 Persistent data is in the form of files, databases, graphics, s and spreadsheets on the hard disk. Volatile data could be found in memory and registries. Investigators use techniques like imaging to collect data and cryptographic hash verification to identify modification of documents. It s obvious for perpetrators of crime to delete traces or files used by them. Computer forensics makes it possible to trace user activity and recover deleted mails, passwords, files, databases along with existing files and documents. 2. Ten Deadly Sins of Computer Forensics i. Investigators with inadequate experience: Computer Forensics is a specialized profession Evidence gathered during the course of a computer forensic investigation ought to be admissible in a court of law. The fate of a litigation of cyber crime depends on the credible evidence. Any negative outcome of litigation may have huge repercussions for the business. For example, banks need to protect confidential customer data regarding different financial products. Compromised data may damage the reputation of a bank. In such cases, it becomes crucial to identify the culprit whether internal or external, with credible evidence as quickly as possible. To protect the integrity of the information available on the crime scene or the affected device, investigators usually create a digital image of the hard disk. However, an inexperienced investigator may inadvertently tamper with the evidence through direct contact with the affected device. Any alteration to the evidence may make it inadmissible in a court. It is reasons like this that it is important for an organization to engage only skilled and certified computer forensics professionals. While engaging a forensics expert, organizations may consider factors such as requisite qualifications, experience and clientele. The organization may need to conduct background checks and cross check certifications, and they may also need to look for deliverables in the form of value for money, recommendations and speed of investigations. ii. Limited Scope of Investigations: Forensic experts may limit the scope of computer forensics investigations by prejudging that evidence would be available in a particular set of computers. The reasons may include judgment bias, to limit cost and lack of adequate expertise. Such prejudgments may backfire as evidence from certain systems, files, servers, and applications would remain uncollected. This would result in delays and adversely impact the result of litigation. Limited scope may also alter the nature of crime from criminal to civil case. Page 2

3 iii. Improper Planning The preparation phase is of immense importance for computer forensics experts. Computer forensics investigation may also be time sensitive depending upon the contract and court hearing date. Improper planning may result in inadequate incident response leading to loss of volatile evidence, delay in investigation and may alter the nature of the case. For instance, loss or alteration of volatile evidence may convert a criminal case to civil case or vice versa. Delays may also escalate cost of the investigation. A planned approach would involve formulating objectives of the investigation, evolving incident response system and using standard techniques. Sometimes, the evidence collection phase may take longer due to a large amount of data in the hard disk. This may not leave enough time for the subsequent phases of documentation, analysis and interpretation. The processing of evidence may take the computer forensics experts a lot of time of. The preparation phase may be used to make appropriate division of time for each of the phases. It would also help in identifying the requisite tools for faster collection of evidence. iv. Alteration caused by First responder After an incident, the first responders are usually the information security professionals of the organization such as system and network administrators. Information security professionals must be aware of the proper incident response procedures after a breach of their company s computer systems. The procedures in which an incident response is facilitated can also have an adverse implication on the evidence found on the affected systems. Some of the usual responses of a novice first responder in the event of system failure may include running an anti-virus program, restarting, shutting down, copying files, or formatting the drive and installing new software. However, these responses may wipe out crucial evidence such as volatile data. Ideally, an organization may designate a first response team consisting of professionals aware of the forensic collection policies. A first response team should document all requisite details of the incident (scenario, date and time, profile of affected computer devices, personnel involved and impact of device on normal functions of business). The team should get requisite approvals to monitor the affected device. The team should also formulate a data collection strategy and document all their actions such as the timeline of the collection process, forensic tools used and output received. A proper first response would be to verify the extent of crime and isolate affected devices and users from the network. v. Delay in Evidence collection Application of computer forensic tools helps in generating usage log and recovering lost files. However, evidence available on the computers may be time bound. Delays in evidence collection may be caused by lack of awareness, cost considerations, possibility of out of court settlements, and non-availability of desired experts on time. Page 3

4 Continuous usage of the affected computer system after the event may also result in overwriting of data and evidence degradation. Delays and interruptions may obstruct the creation of chain of evidence necessary for better analysis. Before proceeding with the evidence collection process, the First Response team should obtain to all requisite consent and authorization letters from the organization. The next step involves selection of appropriate methods of data collection, which is determined by the case scenario. It is important to initiate evidence collection as soon as possible, as evidence needs to be admissible in a court of law. For example, computer forensics helps in recovering deleted s, which may have crucial evidence regarding the crime. Timely collection of this evidence may be crucial for the success of the litigation. Imaging is one of the methods of collection and has proven crucial in data collection as this process creates an exact image of the hard drive including all drives, free spaces, disk partition, existing and deleted files. vi. Use of Outdated/Unlicensed Software: Collection, preservation and analysis of data for presenting admissible evidence are the major objectives of a computer forensic investigation, which is why it is crucial that forensic experts use the latest, standard and licensed software in their operations. Use of outdated, unlicensed or pirated software may not only lead to delays, failure of purpose, damage to computers, but may also lead to copyright infringement disputes. The evidence collected through unlicensed software may not be admissible in the court of law. vii. Insecure Location The computer systems and network systems under investigation should be free from tampering or manipulation. The systems should even be secure from internal agents because if an internal agent facilitated the crime, they may try to tamper with the evidence by modifying, destroying or overwriting the evidence. Be aware that unintentional operation of computers by unaware users may also lead to destruction of evidence. If possible, such systems may be shifted to a secure location; all computers, parts of dismantled computers and cable wires should be labeled. viii. Inadequate documentation All collected and preserved evidence needs to be properly documented. The documentation may incorporate information regarding the damage to the systems, consent letters, correspondence, date and time of evidence collection, detailed description of collected evidence, details of recovered data-file names, file creation and modification dates, images, and photographs, techniques used to gather evidence, details of licensed software used for forensics investigation, findings, Page 4

5 analysis and interpretation. Since the final document may be presented in court, it needs to be crosschecked for errors and mistakes. Proper documentation can play a key role in the outcome of the litigation. ix. Lack of adequate knowledge of legal requirements The evidence collected and analyzed by the forensic experts can be presented in a court of law therefore the experts need to be aware of the legal requirements as they pertain to evidence management and documentation. In addition, the computer forensics report must be drafted in a manner that it is easily understandable to the attorneys. If the presentation is not convincing enough, the benefit of processing the evidence and analysis may never come to fruition. The forensic expert should also anticipate legal hurdles and counter arguments by defendants. x. Inadvertent Disclosure of Privileged or sensitive information There always remains a risk of inadvertent disclosure of privileged corporate information. At times, it may be necessary to present collected evidence in court. In such cases, the expert needs to show caution in handling privileged corporate information. A computer forensic expert may come cross private communication between employees of the organization during the course of his investigation. When this happens, the computer forensic expert must follow an ethical code of conduct and judge whether revealing such information is required to substantiate a crime. 3. Conclusion: Computer forensics is a major breakthrough in the crusade against cyber crime. Nevertheless, challenges exist. Further awareness among information security professionals in handling evidence may aid in better results from computer forensics. The laws related to Cyber forensics are heterogeneous across the world and are still in the evolving stage. Page 5