When most people think about IT forensics, if they think about it at all, they likely imagine a scenario out of the hit TV series CSI.
“When the show first started out, they would show someone at the keyboard and one of the leaders would ask, ‘Oh, can we look at all his e-mails?’ Then the guy would hit two keystrokes, and he would say, ‘Oh yes, I see this e-mail came in,’” Robert Shields, senior director of marketing at forensics software vendor Guidance, told the E-Commerce Times.
“They make it seem like there’s a button that says ‘find evidence,’” he said. “The way they portray computer forensics is totally wrong.”
In reality, IT forensics is a complex and delicate endeavor. In addition, it differs from general information security because forensics addresses data after a crime has been committed, IDC research director Charles Kolodgy said.
“It’s designed to help you understand how an attack was handled so defenses can be [adjusted],” Kolodgy told the E-Commerce Times. “There is also the prosecution angle, but that is secondary.”
Who Needs It?
Although some organizations are early adopters that acquire this sort of technology in anticipation of future misdeeds, most companies seeking IT forensics solutions already have suffered a major incident, such as corporate sabotage, intellectual-property (IP) leakage or fraud, Shields said.
Rich Mogull, research director for information security and risk at Gartner, told the E-Commerce Times that organizations also employ IT forensics to investigate sexual harassment cases; help law enforcement officials investigate criminal violations, such as child pornography possession; and trace the origins of virus attacks and other security exploits.
Paul Proctor, vice president for security and risk strategies at Meta Group, noted that IT forensics can be divided into several areas — and that many IT forensics tools are on the market with strong capabilities.
“Disk forensics enable investigators to identify interesting, relevant or suspicious data on stored disks,” Proctor told the E-Commerce Times. “Network traffic forensics [helps officials] to identify interesting, relevant or suspicious data in network traffic packets. These are intrusion detection/prevention devices (IDS/IPS).”
Reconstructing the Evidence
Kolodgy agreed that IT forensics technology is already extremely sophisticated. However, despite the plethora of available data, an IT forensics specialist must understand how to collect it, analyze it and process what is real and what has been modified by a knowledgeable attacker.
“With all of the logs and data that [are] available, the problem isn’t one of having enough evidence, it is being able to reconstruct it and use the data available,” Kolodgy said.
“It is true that attackers can usually modify logs, but they normally can’t get them all, so it is possible to find the discrepancies that can show that the data has changed,” he explained. “There are also tools being deployed within enterprises that can help handle forensics.”
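Kolodgy's point that an attacker rarely reaches every log can be turned into a concrete check: reconcile a host's own auth log against a log kept on a separate device, and any connection the firewall saw but the host no longer records becomes a discrepancy worth investigating. The script below is an added example, not part of the article or any vendor's product; every log line in it is constructed sample data using RFC 5737 documentation addresses, and the host name, the firewall line format, the ten-second clock-skew tolerance and the choice of port 22 as the login port are assumptions.

```python
"""Reconcile a host auth log against an independently kept firewall log.
A login that was deleted from the host still appears in the firewall log
as a connection with no matching auth event. All log lines are constructed
sample data; the firewall line format and the skew window are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed host auth log. The 02:14 login from 203.0.113.50 has been
# removed from this copy, as a log-tampering attacker would do.
HOST_AUTH_LOG = """\
Mar 12 02:10:01 web01 sshd[4101]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar 12 02:31:55 web01 sshd[4220]: Accepted password for bob from 192.0.2.11 port 51302 ssh2
"""

# Constructed firewall log for the same host (10.0.0.5), written by an
# appliance the attacker could not reach. Format is an assumption.
FIREWALL_LOG = """\
2005-03-12T02:09:59Z ALLOW TCP 192.0.2.10:51234 -> 10.0.0.5:22
2005-03-12T02:14:07Z ALLOW TCP 203.0.113.50:40022 -> 10.0.0.5:22
2005-03-12T02:31:52Z ALLOW TCP 192.0.2.11:51302 -> 10.0.0.5:22
"""

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW TCP (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_auth(text, year):
    """Parse syslog-style sshd lines. Syslog timestamps carry no year, so the
    caller supplies one (here taken from the firewall log)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "peer": f"{m['ip']}:{m['port']}"})
    return events


def parse_firewall(text):
    """Parse the constructed firewall format into timestamped connection records."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "peer": f"{m['src']}:{m['sport']}", "dport": int(m["dport"])})
    return events


def reconcile(auth, fw, login_port=22, skew=timedelta(seconds=10)):
    """Pair events across the two sources by (source IP, source port) within
    a clock-skew window. Connections the firewall saw with no host record
    point at deleted host entries; host records with no firewall connection
    point at forged entries or a path that bypassed the firewall."""
    def matches(a, f):
        return a["peer"] == f["peer"] and abs(a["ts"] - f["ts"]) <= skew

    missing_from_host = [f["peer"] for f in fw
                         if f["dport"] == login_port and not any(matches(a, f) for a in auth)]
    missing_from_firewall = [a["peer"] for a in auth
                             if not any(matches(a, f) for f in fw)]
    return {"missing_from_host": missing_from_host,
            "missing_from_firewall": missing_from_firewall}


def run_sample():
    """Run the reconciliation over the constructed logs above."""
    fw = parse_firewall(FIREWALL_LOG)
    auth = parse_auth(HOST_AUTH_LOG, year=fw[0]["ts"].year)
    return reconcile(auth, fw)


if __name__ == "__main__":
    for kind, peers in run_sample().items():
        print(kind, peers)
```

The skew window matters in practice: the firewall logs the TCP connection a few seconds before sshd logs the completed authentication, and the two devices' clocks are never perfectly aligned, so an exact-timestamp join would report every login as a discrepancy. Widen the window to match the observed clock drift between the two sources before treating the leftovers as tampering.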
Kolodgy listed some forensics applications available to enterprises, including Computer Associates’ eTrust Network Forensics, Niksun, Network Associates’ InfiniStream and Guidance Software’s EnCase.
Hard To Erase
Mogull confirmed Kolodgy’s statement that enterprise networks can provide a computer forensics investigator with a wealth of data, despite attempts to erase hard drives or cover up incriminating information.
“An incriminating e-mail, for example, can be found in the server in-box, desktop in-box, local system, cached memory, in the places [the e-mail was] sent to, on tape backups — leaving digital footprints all over,” he said. “One picture of child porn may be found on multiple copies of enterprise backups spanning months, even years.”
Enron shredded paper documents in an attempt to evade incrimination, he noted. “When they discovered they could not do the same thing with digital information, they had a biological reaction.”
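Mogull's "digital footprints all over" are what a content-hash search recovers: the same file hashes to the same value wherever it sits, so deleting or renaming one copy does nothing about the attachment on the mail server, the temp-file copy an editor left behind, or the backup snapshot taken before the deletion. The script below is an added example, not part of the article or of any forensics product; the locations, paths and file contents are constructed sample data, and the "normalised" second pass (tolerating only line-ending changes) is an assumption about how a re-saved copy differs from the original.

```python
"""Content-hash search for copies of a known file across several storage
locations. Locations, paths and contents are constructed sample data; the
line-ending normalisation used for the looser match is an assumption."""
import hashlib

# Constructed "evidence" document that the user later deleted from Documents.
EVIDENCE = b"Q3 pricing sheet\nCONFIDENTIAL - do not forward\n"

# Each location maps a relative path to file bytes. All constructed.
LOCATIONS = {
    "mail-server:/var/mail/alice": {
        "msg-0412/attach/pricing.txt": EVIDENCE,          # sent as an attachment
        "msg-0413/body.txt": b"Lunch Thursday?\n",
    },
    "desktop-alice:C:/Users/alice/Documents": {
        "todo.txt": b"- call vendor\n",                   # original deleted from here
    },
    "desktop-alice:C:/Users/alice/AppData/Local/Temp": {
        "~tmp8F3.bin": EVIDENCE,                          # renamed temp copy left by an editor
    },
    "desktop-alice:C:/Users/alice/Outlook/Sent Items": {
        "fwd-pricing.txt": EVIDENCE.replace(b"\n", b"\r\n"),  # re-saved with CRLF endings
    },
    "tape-backup-2005-02-28:/snapshots/alice": {
        "Documents/pricing.txt": EVIDENCE,                # backup predates the deletion
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalised(data: bytes) -> bytes:
    """Canonical form for the looser match: any line ending becomes LF and
    trailing whitespace is stripped. Assumption: only such edits are tolerated;
    a copy with changed wording will not match."""
    return b"\n".join(line.rstrip() for line in data.splitlines()) + b"\n"


def locate_copies(target: bytes, locations=LOCATIONS):
    """Return every location/path whose content hashes to the target exactly,
    plus those that match only after normalisation (the caveat a practitioner
    wants: exact hashing misses copies that were re-saved by another tool)."""
    exact_hash = sha256(target)
    norm_hash = sha256(normalised(target))
    exact, norm_only = [], []
    for location, files in locations.items():
        for path, data in files.items():
            full = f"{location}/{path}"
            if sha256(data) == exact_hash:
                exact.append(full)
            elif sha256(normalised(data)) == norm_hash:
                norm_only.append(full)
    return {"exact": sorted(exact), "normalised_only": sorted(norm_only)}


if __name__ == "__main__":
    for kind, hits in locate_copies(EVIDENCE).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

The exact pass finds the mail-server attachment, the renamed temp file and the backup copy even though none of them carries the original file name; the Outlook copy only surfaces in the normalised pass because a single byte of difference changes the whole hash. In a real engagement the hash set would be built from the known files and the walk would cover mounted images and restored backup sets rather than an in-memory dictionary.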
Making the Evidence Stick
Culling evidence, however, does not ensure a lawbreaker will be apprehended or, once apprehended, convicted in a court of law.
Because Internet infrastructure is still so immature, tracing the originator of a worm or denial-of-service (DoS) attack is difficult, Mogull said.
“For example, a Russian ISP [where the FBI believes an attack originated] does not cooperate with the FBI, so they cannot trace the attack back to the user, even if they find the right server,” he noted.
Moreover, proving a case and proving that case to a jury are two different things. “In one case of fraud, a defendant convinced a jury to let him off because when the virus left his computer, the prosecution could not prove he was on it at the time,” Mogull explained.
Finding the Right Investigators
For his part, Shields said putting evidence together and preparing to turn it over to law enforcement is a delicate art if an enterprise wants to prosecute a case.
“The art of, ‘Does this file make a particular person guilty or culpable in a particular instance?’ requires a trained investigator to make sure all angles are covered,” he noted.
“There’s a simple way to look at it: You don’t want Robert Shields on the witness stand presenting this evidence, even though with [Guidance’s] EnCase tools, I can find it. You want my colleague Jon Bair, who has his forensics certification and has presented in court before, to solidify your case.”
Proctor added that effective forensics “is all about training and feet on the street. Effective tools are really a very small percentage of the issue.”
Proctor went on to say that while traditional IT forensics methods work and newer tools will make the process faster and more efficient, the real answer is for organizations to become more risk aware and build resilience into their infrastructure.
For his part, Mogull said ISPs need to provide better protection to their customers, which he is starting to see happen. Meanwhile, enterprise software, notably Microsoft Windows, needs to become more secure, plain and simple.
“We should not be blaming the victim. It’s like blaming someone for installing a lock in a house that doesn’t work and then blaming him for not knowing to change it,” Mogull said. “Presently, software makers assume no liability, and that will need to change.”
Overall, Proctor noted: “Organizations need to take risk management and enterprise resilience more seriously. That will lead to the detection, apprehension and prosecution that will ultimately make a dent in computer crime.”