Computer Data Forensics

When an incident takes place, the CIRT must decide whether it plans to pursue legal action against the offender. If it does, certain steps must be taken to ensure the forensic evidence gathered will be admissible in court. Until that decision is made, the team should proceed on the assumption that legal action will be taken.

The Investigative Process

Incident investigators should attempt to answer the same questions that journalists investigating a story pursue:

  • Who is responsible for the incident? An insider or an outsider?

  • What type of incident took place? Was it a Web site defacement? Denial-of-service attack?

  • When did the incident take place?

  • Why did the incident take place? What was the motivation of the hacker?

  • Where did the incident occur? From where was it launched? What systems were impacted?

  • How did the event occur? What security vulnerabilities allowed it to occur?

Gathering answers to all of these questions provides the CIRT with a complete picture of the incident.

Collecting Evidence

Evidence takes many forms in a computer security investigation. The types of evidence gathered depend upon the nature of the incident, but may include the following:

  • System log files. System logs often provide detailed records of malicious activity.

  • Session transcripts. If administrators detected an intrusion while it was still in progress, a keystroke transcript provides a step-by-step accounting of the hacker's activity.

  • IDS/Firewall records. IDS/Firewall logs often provide valuable clues to an attack's methodology and origin.

  • Backup tapes. Backup tapes are critical to identifying the contents of files that were illicitly modified or deleted.

  • Hacker tools. Hackers often leave behind directories containing rootkits and other tools utilized during the attack.

Limitations of Evidence Collection

In all jurisdictions, criminal defendants are provided with certain basic protections that limit the power of law enforcement and protect the privacy rights of all citizens. In the United States, the protections are guaranteed by the Bill of Rights (the first ten amendments to the U.S. Constitution).

Although the specifics of these rights vary from country to country (and even within different states and provinces of each country), the general principles remain the same. Several of these are of particular concern to computer-incident investigators:

  • Citizens are protected against unreasonable search and seizure of their property.

    Keep this in mind when conducting your investigation. It's fine to analyze audit logs of intrusion detection systems and other hosts under your control, but it's clearly not allowable to “hack back” to gather evidence on the perpetrator's system.

    The waters become a bit murkier if you're thinking about monitoring network traffic or exploring the personal file storage space of a computer user. The laws covering these situations vary from jurisdiction to jurisdiction and are often untested by the judicial system.

  • Citizens are not required to make self-incriminating statements.

    Most residents of the United States are familiar with the Supreme Court's Miranda decision that requires law enforcement officers to inform a suspect of his or her rights prior to beginning an interrogation. These rights include the famous “right to remain silent” as well as the right to legal counsel. Normally, these restrictions apply only to sworn officers of the peace, but may also be interpreted to apply to computer-security investigators—particularly if the investigation is conducted by (or on behalf of) a governmental agency.

    It's generally a wise move to avoid direct contact with any suspects in an incident unless you are cooperating with appropriate law enforcement agencies.

As you can see, the process of evidence collection relies upon strict adherence to legal standards. The judicial system was created to protect the rights of suspects; therefore, the deck is stacked against investigators. Be sure to consult with your legal counsel before conducting any questionable aspects of an investigation. If you violate the rights of a suspect (intentionally or inadvertently), you may at best jeopardize the investigation and have the evidence thrown out of court. At worst, you may find yourself at the receiving end of civil or criminal charges.

Maintaining the Chain of Evidence

When prosecuting a crime, extraordinary steps must be taken to ensure that evidence is not tampered with during the investigative process. Law enforcement officials refer to these steps as maintaining the chain of evidence. It is critical to keep detailed logs (preferably on paper, rather than electronic form) explaining who had access to each piece of evidence from the moment it was collected until it is used in court and the reasons they needed access to it. Seemingly minor chain-of-evidence violations could result in an entire case being thrown out of court.
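The paragraph above describes the custody log in prose. The following Python is an added example, not from the text, showing one way to complement the paper log with an electronic ledger: each access entry records who handled an evidence item, when, why, and its SHA-256 at that moment, so any later change to the item is detectable. All names, the sample log line and the handler identities are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical chain-of-custody ledger (added example, not from the text).
# The hash taken at collection is the reference every later entry is checked against.

@dataclass
class CustodyEntry:
    handler: str
    action: str      # "collected", "examined", "copied", ...
    reason: str      # why this person needed access
    timestamp: str   # ISO 8601, UTC
    sha256: str      # hash of the item as observed at this access

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    collected_sha256: str
    log: list = field(default_factory=list)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def collect(item_id: str, description: str, data: bytes, handler: str, reason: str) -> EvidenceItem:
    """Open the chain: hash the item once at collection and log the first entry."""
    digest = sha256_of(data)
    item = EvidenceItem(item_id, description, digest)
    item.log.append(CustodyEntry(handler, "collected", reason, _now(), digest))
    return item

def record_access(item: EvidenceItem, data: bytes, handler: str, action: str, reason: str) -> bool:
    """Log an access and re-hash the item; False means it no longer matches collection."""
    digest = sha256_of(data)
    item.log.append(CustodyEntry(handler, action, reason, _now(), digest))
    return digest == item.collected_sha256

def verify_chain(item: EvidenceItem) -> bool:
    """The chain holds only if every logged hash equals the hash taken at collection."""
    return all(e.sha256 == item.collected_sha256 for e in item.log)

# Constructed sample evidence: one web-server log line (not real data).
SAMPLE_LOG = b'10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html" 200\n'
item = collect("E-001", "web server access log", SAMPLE_LOG, "analyst-1", "initial collection")
record_access(item, SAMPLE_LOG, "analyst-2", "examined", "timeline reconstruction")
record_access(item, SAMPLE_LOG + b"injected line\n", "unknown", "examined", "none given")
```

After the third entry `verify_chain(item)` returns False, which is exactly the kind of discrepancy that has to be explained before the item can be used in court.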

EXAM TIP

Chain of Evidence: The exam often includes at least one question that asks you to identify proper chain of evidence procedures. Be sure to review this topic before taking the test.

Procedures for Analyzing Evidence

After the response team gathers all possible evidence, trained investigators should analyze it to answer the six questions outlined previously. This analysis differs greatly from that used during the initial phases of an investigation because the standards are much higher. During an incident, the main analytical goal is to determine the cause and contain the incident. During the forensics process, investigators must ensure that the evidence presented proves their case beyond a reasonable doubt to ensure successful prosecution.

Reporting the Findings to Prosecutors

When all is said and done, the leaders of an organization must make the business decision to press charges or let the matter drop. Prosecuting suspects is a lengthy process that consumes the time of a large number of technical and managerial personnel. Also, prosecutions necessarily involve a large degree of public attention, which may be undesirable. Executives must weigh these concerns against the deterrent effect a prosecution might have on future attackers.
