Computer Forensics for CEO s and Managers

Transcription

1 Computer Forensics for CEO s and Managers Robert Reed, MSCIS Forensics Investigator, Tucson Police Department Synopsis Computer forensics can serve a vital role in any organizations incident response planning. The ability to quickly capture volatile data and evaluate its means increased agility of organizational response. Once volatile data is collected it can be evaluated to determine if a more thorough examination is required identifying potential offenders and their locations. Forensically trained personnel can also assist in developing and auditing policies to assist the organizations in identifying and mitigating violations prior to them resulting in costly legal action.

2 Introduction Modern corporate, industrial and governmental organizations face an increasing complex maze of legal and competitive challenges. To address these challenges they have turned to computer and information systems. These systems help organizations control a multitude of business objectives. Computers control access to data, track adherence to statutory requirements, represent the organization on the World Wide Web, and perform a host or other business functions. The increased reliance of organizations on computers and information systems in many ways has been a renaissance. The increased integration of computers has allowed organizations to re-task personnel to more productive areas of the organization. In the past large numbers of personnel were targeted at maintaining rows and rows of file cabinets. Inside these cabinets the life-blood of the organization resided. Contracts, contacts, plans, blueprints, employee data, banking information, as well and other information were all housed inside these containers. Considerable investment went into housing all this information. Today rather than spending the resources required on paper, personnel and structures, we can hold this information in computer systems for a fraction of the cost in perpetuity. Personnel that were formerly used to create and control this information can now be used in areas of the organization that produce revenue rather than consume it. Not only have computers allowed us to reduce the capital costs to house data, they allow virtually instantaneous access to current and historical data. This ability to store and access virtually unlimited data has not come without hazards. In the past persons wanting unauthorized access to this data would have needed to cart off reams of paper. Undoubtedly a person or persons carting off boxes of files on a hand truck or dolly would not go unnoticed. Today an intruder can carry off millions of records on a single USB flash drive or quickly move them across the internet to offsite locations. Organizations and their data may be targeted by: Competitors State sponsored actors Current or former employees Criminals and criminal syndicates Social or political movements In addition to the threats posed by directed action, organizational data may be compromised by threats that are not directly targeting it. Computer viruses, malware, accidental deletion and hardware failures can all contribute to a potential loss of data representing a significant investment for the organization.

3 What is computer forensics? Computer forensics is the application of scientific and legally accepted techniques on computer systems and digital media in order to extract preserve and report on information contained on those devices or systems. Computer forensics differs from simple data recovery in that computer forensics seeks not only to recover lost data, but also explain how, why and from where, data has been lost, altered or accessed. In addition computer forensics and forensics practitioners do this with the ultimate aim of preserving the integrity of the evidence so that it may be used in potential administrative, civil or criminal legal action. Computer forensic life cycle Like most processes computer forensics examinations can be viewed as a cycle. The cycle consists of four distinct steps. 1 : Identification: During the identification phase a situation requiring actions is recognized. Resources likely to contain information of evidentiary value are identified and targeted for collection. Examples include computer intrusions, criminal conduct by employees, policy violation or legal notices requiring retention and potential disclosure of organizational data. These resources may include copies of computer memory, computers, computer hard drives, electronic data, log files, historical backups, personal statements, and a multitude of other possibilities. 2 Collection: During the collection phase resources identified as potentially holding evidentiary information are collected. Computer forensic practitioners will insure that the data recovered adheres to the rules of evidence governing the jurisdiction that any legal action could ultimately be heard. This means that the collector will insure that where practical the original media will be taken into evidence. Where not practical an exact, verifiable copy of the original data will be made and stored as the original evidence. Exact verified copies should include all areas of the physical media, active files, and unallocated (unused) portions of the media. By capturing the unallocated areas of the drive the examiner may recover deleted and hidden data as well as historical information on the device. The collector/examiner utilizes these exact copies of the original for subsequent forensic analysis. Some of the systems identified may be outside the organizations dominion and control and may require legal processes to obtain access. 3 Analysis: During the analysis phase the items collected are examined for information of evidentiary value related to the incident/action in question. This information generally falls into two categories, exculpatory or inculpatory. Exculpatory information is information that tends to show that something or someone is not responsible for the action in question. Inculpatory information tends to show that

4 someone or something is responsible for the action in question. The examiner may find information related to the incident in live files on the hard drive, memory captures, network traffic captures, unused area of a computer drive, or in artifacts that are created as a function of the software or operating system utilized. Some of this information may identify additional resources that were not originally known and need to be collected. 4 : Reporting: During the reporting phase the information gleaned from analysis is presented to decision makers for action. These decision makers could be anyone from a manager reviewing findings for disciplinary action, to jurors in a legal proceeding. This phase also includes a lessons learned/post mortem analysis identifying actions that may be taken to mitigate, or improve response to future incidents. Why computer forensics? Computer forensics allows executives and managers of any organization an additional resource in responding to computer incidents. Forensic response can facilitate a quick return to normal operation, audit policy compliance, mitigate risk and insure the ability to recoup costs in criminal or civil proceedings. Business continuity: Computer forensics is an often over looked element of incident response and continuity of business planning. In the event of a computer incident the primary objective is a quick return to normal business. If computer forensics practices are not an integral part of the Computer Security Incident Response Team/s (CSIRT) procedures critical information and evidence may be lost. Incident responders may only get one shot at collecting this data. If Incident responders immediately start processes for business continuity ignoring forensic principles, critical evidence tying suspects to the incident will be destroyed. In fact the changes made to the systems by well-intentioned responders may so significantly change the evidence as to make its introduction into legal proceeding impossible. When this occurs the ability for an organization to seek restitution or recoup damages may be forever lost. Policy compliance: Because the ultimate goal of computer forensics is the identification and production of evidence in a legal environment, having forensically trained personnel on staff can assist in generation or review of organizational policy. Computer forensic personnel can liaison with legal counsel, executives and managers drafting policies that best fit the organizations goals and objectives. These new policies can better address the legal environment in which it operates. The practice of random auditing of computers and systems can help identify policy violations. When these policy violations rise to the level of discipline or termination there may be potential legal consequences. In many organizations contractual agreements with collective bargaining organizations may govern disciplinary actions. In such organizations disciplinary action may be appealed to administrative boards and ultimately to a court of competent jurisdiction. By utilizing computer forensic

5 trained personnel the organization can insure that the policy violation is correctly identified and the evidence against the violator will be admissible in potential administrative or legal proceedings. Computer forensics not only helps organizations identify violations, it insures the organization pursues the correct violator. Simple actions on the part of a violator, such as spoofing an address, may obfuscate the true identity of the violator. In some instances the violator may seek to implicate an otherwise innocent party in the action. These techniques may go unnoticed by the untrained eye, but should be easily identified by the computer forensic practitioner. Risk Mitigation: In the prior section we discussed how computer forensics could help organizations develop, audit and enforce policy. How can computer forensics help mitigate risk? Most organizations have, or should have, acceptable use policies that employees read and sign as a condition of employment. When an employee violates these polices it may expose the organization to some form of liability. This liability may be criminal or civil and may be direct or vicarious. In organizations that develop and enforce strong policies regarding network systems and resources computer forensics can help audit and enforce those policies. To some degree this action can help mitigate risks associated with employee misuse of organizational resources. Organizations that have strong auditing policies and enforcement mechanisms likely identify and address wrong doing early allowing prompt action. Organizational boundaries: In organizations of the past boundaries were clearly defined. The old data warehouse consisted of a building with clearly defined walls within a single geographic region. Modern organizational boundaries are not so clear. Many organizations today have a physical presence in multiple countries with increasing presence in the cloud that is cyberspace. They often have intranets and extranets with business partners, and contractors all of which may have similar alliances and boundaries. This interaction effectively increases the surface area of the organization and its potential threat vectors. Many of these threat vectors may fall in geographic regions with different laws. With increased globalization in many sectors it is not uncommon for information systems to interoperate with systems in different regions or even countries. In fact doing so is a method to mitigate risk. An organization with offices in Miami may mitigate data loss due to hurricane damage by storing vital information in a data center housed in Cleveland, Ohio. Likewise organizations may interact with offices in other countries. The file that you access on your computer desktop in Miami could be on a computer in Brussels, Belgium.

6 From an organizational policing perspective this presents some additional challenges. In the United States data on organizational computers is generally viewed as the property of the organization. This means that auditing and compliance of data in these systems generally does not generally violate a user s (employee s) reasonable expectation to privacy. In some countries end users retain a much greater expectation to privacy in their personal data, even when stored on organizational computers. Since the data that you may be accessing from a computer may be housed in another country with different privacy laws, organizations must be cognizant of this in auditing compliance and collection during incident response. Simple implementation of acceptable use policies, banners and other warnings displayed to users while accessing systems can assist in reduction or elimination of a users expectation to privacy. Cost/benefit: Computer forensics can be a costly exercise for any organization. The organization must decide if it is financially viable to conduct a computer forensic examination to begin with? What are the potential costs associated with the incident? The costs associated may not only be directly associated with damaged property or theft. There are many other indirect costs that the organization could incur. How many man hours were used in responding to the incident? Does the organization have a statutory obligation to investigate or report the incident? What is the potential loss in goodwill or other intangible costs? Lastly what is the possibility of recovering costs, damages or, restitution via legal proceedings? Should the organization decide to pursue a forensic investigation, will it be conducted in house or outsourced. Proper implementation of a computer forensic program requires investment in personnel, training and equipment. There is also a continued investment required for continued education as technology and techniques evolve. Organizations must consider if the cost incurred to develop in-house programs will be offset by the amount of work and return on their investment. In those organizations were incidents will largely be outsourced, there is still good reason to provide some degree or forensic incident response training to personnel. Computer forensic training can assist organizations in identifying and preserving evidence for later analysis by contract examiners. With critical evidence identified and collected the business can concentrate a quick return to service. Summary: In closing we can see that computer forensics can serve a vital role in any organizations incident response planning. The ability to quickly capture volatile data and evaluate its means increased agility of organizational response. Once volatile data is collected it can be evaluated to determine if a more thorough examination is required identifying potential offenders and their locations. Forensically trained personnel can also assist in developing and auditing policies to assist the organizations in identifying and mitigating violations prior to them resulting in costly legal action.

7 About the Author: Robert Reed is a seasoned investigator with twenty years of law enforcement experience. He has investigated incidents ranging from simple traffic investigation to criminal homicides. With a Masters in Science in computer information systems he has leveraged this knowledge into the computer forensics field developing and operating the first ASCLD (American Society of Crime Lab Directors) Lab accredited computer forensic program in the State of Arizona. In the course of his career, Reed has investigated numerous crimes involving computers, computer systems or digital evidence. He has been the affiant on countless search warrant applications, and participated in the service and execution of many warrants including those involving digital evidence. He has testified in hundreds of Criminal, Civil and Administrative hearings. He has obtained multiple certifications including the EC Council Computer Hacking Forensic Investigator (CHFI) and is a Certified EC Council Instructor (CEI). Reed has taught computer forensics and cyber crime programs to clients from the US and foreign governments. Students include military personnel, law enforcement officials from national, state and local governments, educational institutions, corporate clients and Individuals. In addition to the computer forensic curricula, Reed has given guest lecturers to groups including the NSA accredited information assurance program at the University of Arizona, and the 2009 PISA (Policia Internacional Sonora Arizona) conference. About the MIS Department: Since pioneering one of the nation s first (MIS) curriculums in 1974, the MIS Department at, has become a leader in IT education and research. U.S. News & World Report has ranked us a top-ten program for over 23 consecutive years since the inception of the rankings in making us one of only three programs nationwide to maintain this status. With over $80 million in research grants, state and industry support, our program has initiated and participated in cutting edge research in information security and assurance, group systems, artificial intelligence, and data management projects while educating over 3500 undergraduate, 1200 graduate and 150 doctoral students. We are a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) as designated by the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA.) Visit us online at