Forensics tools can help stop threats to ever-expanding networks
Connecting state and local government leaders
As threats have evolved, so have the tools for forensics investigations. Although forensics inspectors were once limited to conducting research only after an incident had taken place, they are now more likely to capture evidence in real time.
As networks have become increasingly distributed yet interconnected, the scope and types of threats to computer systems have grown with them. Meanwhile, the forensic tools available to prevent unauthorized access and thwart illegal activity have also grown.
For one thing, computers store more information, which means any forensics investigation has to sift through more data. “Media has become cheaper in the last five years, driving users to larger disks,” said Sam Brothers, director of Digital Forensics at QinetiQ North America. “This has increased the average size of our [forensic] investigations from 100G to well over 1T," he said.
Forensic challenges also have increased on other fronts. “Most people carry flash drives or iPods that can contain a wealth of information in addition to the data an examiner might obtain from a standalone computer.” Even security measures can complicate forensic investigations. “The common use of encryption is on the rise and presents an increasing challenge for the forensic community,” he said.
As threats have grown and changed, so have the tools for conducting forensic investigations. At one time, forensic inspectors were limited to conducting research only after an unauthorized or illegal activity had taken place. They are now more likely to capture evidence in real time — both on disk and in a computer’s memory.
"Additional tools have recently been developed to capture data from live, up-and-running systems," Brothers said. "In the past, many [forensic] examiners were told to ‘pull the plug,’ shutting the system down before going to work on it. But now, with many examinations focusing more on malware exploitation, many examiners are collecting data from the memory of a running machine that would be lost if the machine were to lose power.”
More than 150 open-source and commercial forensic tools are available, so choosing tools that will yield accurate and valid results is a crucial part of building your forensic strategy. The National Institute of Standards and Technology has a project named Computer Forensics Tool Testing (CFTT) that focuses on developing standards to ensure reliable results during forensic investigations.
CFTT is defining requirements for specific categories of forensic tools to create a requirements framework. From this framework, the project derives testable outcomes that can be applied to a particular forensic tool or suite.
Test results are available to forensic tool providers and law enforcement agencies, and they eventually will be on the CFTT Web site. The project seeks to help forensics tool providers improve their products over time, keep the justice system informed, and make the information available to agencies and other organizations. If your agency is developing a standard forensic toolbox, reviewing the CFTT published reports on forensic tools across various categories is a good place to start.
Phased approach
From a strategic viewpoint, forensic activity breaks down into four phases: evidence collection, evidence preservation, analysis and reporting, according to forensics experts. Of those, the collection phase is the most crucial, especially if agencies suspect illegal activity. Depending on the type of incident, forensic tools can collect data from a variety of sources, including servers, user hard drives, log files, application data, portable devices and security tools, such as intrusion detection systems.
When forensic investigators collect information, they can collect information in real time — for example, from RAM — or take an off-line approach by removing a suspect hard drive and making a write-protected image of the contents by using a forensic workstation. Newer portable devices also allow security employees to boot from a CD on a separate machine and safely extract an image of a hard drive via a USB or Ethernet port.
For user devices such as desktops, laptops, smart phones, and personal digital assistants, you typically want to capture an image of the entire contents. On large, multiuser systems, you might only need to see specific folders, such as a user's home directory, or data from specific tables. Both forms of collection are admissible in court as long as the collection process is well-documented and security employees use proper seizure methods.
During the preservation phase, experts say, you should use cryptographic checksums to make exact copies of all of the collected data. A cryptographic checksum is a mathematical value assigned to a file and is used to verify that data has not been changed. If legal action is a likely outcome of your investigation, you can ensure the integrity of the collected images by maintaining checksum copies of the data.
With data images in hand, you can now enter the analysis phase. Sometimes during this phase, you will need to retrieve deleted or encrypted data. A variety of commercial and open-source forensic software can retrieve items, including incriminating evidence, that you might otherwise overlook. During the next part of the analysis phase, investigators search through the collected information for inappropriate or illegal activity.
Although you can use the built-in search tools in Linux, Unix or Windows operating systems, forensic search tools are available to help ensure that you are analyzing the correct data. For example, if a user renamed a file and its extension to try to hide something, the forensic search software could uncover the foul play.
After uncovering the data, the next step is to correlate the information from the investigation's various data sources. For example, you might need to construct a timeline of events. To accomplish that, you might need to mesh network log timestamps and data with database access and usage logs. Forensic software will often include resources to help you correlate the information.
The final phase of forensic investigations is usually the production of at least one report that describes the investigation's outcome. Reports can include summary information about the event and detailed data.
Getting training
Agency security and risk assessment teams can learn about computer forensics by reading materials available online and in print. Over time, education material about forensics has evolved from general texts to subject-specific materials about one area of forensics.
Aside from books and whitepapers, computer forensics conferences can be a good source of information. Connect with practicing forensics experts and, if possible, try to adopt a forensic professional as a mentor while you get up-to-speed. Reach out to organizations, such as the High Technology Crime Investigation Association, to stay informed.
There are many security and law enforcement organizations that regularly offer forensic training. For example, the SANS Institute offers monthly courses at various locations throughout the United States and in other countries. In addition, several universities, such as the University of Central Florida, Champlain College and the University of Washington, offer courses on forensic tools and techniques.
Agencies need to remain vigilant about computer security and establish effective standard procedures to address illegal or unauthorized activity. Defining a forensic-specific subsection in your security policy is advisable, as is constructing a forensic toolbox, training employees, and identifying one or more external forensic experts whom you can call when needed.
Maggie Biggs is a systems architect, senior systems engineer and freelance writer.
NEXT STORY: A sampling of IT forensics tools