November/December issue
The corporation: the non-policed state

Sarah Hilley
Digital forensics is growing in significance in companies, and
is a popular career development choice for information security
professionals. Sarah Hilley surveys the evidence.
Office workers type on their keyboards in a large corporation amid
non-photosynthesising green plants. One particular employee, who
has stolen £100,000 via fake invoices over the past year,
blends in and looks busy. Meanwhile a remotely controlled servlet
program slips into his computer and begins to make digital copies
of all his fraudster activities. Welcome to a crime scene investigation
in 2004! Not a policeman in sight.
This type of forensic investigation doesn't take blood samples,
analyse DNA or collect hair strands, but computer-based evidence
must be protected from contamination just as painstakingly.
Companies must bear this in mind when embarking on investigations,
whether into the theft of intellectual property or indecent content
on their systems.
However, such a corporate case is unlikely to end in a prosecution.
In fact, police involvement of any kind is likely to be avoided.
Money laundering and the discovery of child porn on systems are
exceptions to this rule. Companies are legally bound to report these
crimes to the authorities, says Phil Sealey, Senior Manager at Deloitte's
Forensic & Dispute Services.
But apart from such crimes, "the majority of cases we
deal with don't proceed with prosecution," he says. The most
pressing matter for companies is minimal disruption to business,
and investigations must support this. Applications and servers must
not stop; there is no time to cordon off the scene.
So why do computer forensic investigations at all? Well, in the
case of a fraud, for example, "Investigations are critical
to give management as much accurate information as possible to help
them make a decision on whether an employee should be dismissed,"
says Owen O’Connor, vice president of ISSA, Ireland.
In addition, "The benefit of building forensic procedures
into your incident response plan is that any information that you
extract from systems can be trusted in a tribunal or court,"
says Andrew Sheldon, founder of EvidenceTalks, a computer forensics
consultancy.
A carefully implemented computer forensics handling process can
also help get companies out of quite a few tight spots — see
box ‘In-house criminality’. But digital forensic investigations
are not just for the bad times, says Sealey.
He advocates them for data retention: imaging staff's
machines as they leave an organization means the data can be
retrieved easily if it is needed later. Trawling corporate
servers for content that shouldn't be there, such as illegally downloaded
MP3 files, can protect a company from litigation risk and free up
large amounts of storage and back-up space, advises Sealey. Another benefit is
that the collection of digital evidence can help companies comply
with governance regulations.
"There is a lot in Sarbanes-Oxley, which can be covered by
computer forensics both proactively and reactively," he says.
(See box, ‘Sarbanes-Oxley’).
Robert Rowlingson, principal information security consultant at
Qinetiq says companies should be in a state of ‘forensic readiness’.
He defines this as "the ability of an organization to maximise
its potential to use digital evidence whilst minimising the costs
of an investigation." (See box, ‘Benefits of forensic
readiness’).
Tools
If senior management are convinced of the business benefits of digital
forensic processes, there are a number of tried and tested tools
on the market to make a start. However, only a few tools really
command the digital forensics realm.
A key factor when choosing forensic analysis tools is that they
maintain evidential integrity and that the tools stand up in court.
Guidance Software's Encase product, Access Data's Forensic Toolkit,
and Vogon's tools are the most widely used, say experts. Part of
the function of forensic tools is to create an identical, bit-for-bit image of
the media being examined. Some tools also create a digital fingerprint
(an MD5 hash) of the image so that the copy can be shown to match the
data on the original disk. Changing even a single bit of the image
produces a completely different fingerprint, so a hash recorded at
acquisition and rechecked later verifies that the evidence
hasn't been tampered with. It is also possible to create a digital
fingerprint using alternative, free Linux tools, but this is not
as straightforward. Linux in the courtroom is still a relatively
unknown phenomenon, says Sealey. However, the capabilities of Linux
tools are increasing rapidly, says O'Connor.
But even using established tools is not always straightforward,
warns Sealey. "When I go offsite to conduct an investigation,
I always carry three different methods of imaging a computer because
I never know if a particular method is going to fail for whatever
reason."
But it is not just the technical side of computer forensics that
investigators need to grapple with. Keen investigation skills with
a grounding in law enforcement evidence procedures are critical.
Be very careful
It is all too easy to damage electronic evidence. Andrew Sheldon,
at EvidenceTalks, says that 99% of the time, where he is called
in to do an investigation, the evidence has already been damaged.
If the evidence hasn't been collected properly from the disk, a good
defence lawyer can get it ruled inadmissible. One of the
principles of forensics is that you must never write any information
to the source hard disk. An electronic write blocker, a hardware device
placed between the suspect drive and the examiner's machine, ensures
this doesn't happen. And always make an image of the evidence and
analyse that. Avoid the blunder of working on the original disk.
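The two rules above, image first and never write to the source, together with the fingerprinting described under 'Tools', as an added shell example. It is not code from the article or from EnCase, FTK or Vogon's tools; it assumes GNU/Linux coreutils (dd, md5sum, sha256sum, mktemp), uses a constructed 64 KiB file in place of a seized disk, and uses chmod as a software stand-in for a hardware write blocker.

```shell
#!/bin/sh
# Added example, not code from the article or from any tool it names.
# Acquire a bit-for-bit image of a "source disk" with dd, fingerprint the
# source and the image, confirm they match, and show that changing one byte
# of a copy produces an entirely different fingerprint.
#
# Assumptions: GNU/Linux coreutils (dd, md5sum, sha256sum, mktemp). The
# "disk" is a constructed 64 KiB file; chmod a-w is a software stand-in for
# a hardware write blocker and is not a substitute for one (root, for
# instance, is not stopped by permission bits).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/suspect.disk"     # constructed stand-in for the seized drive
IMG="$WORK/suspect.dd"       # the acquired image that analysts work from

# Build the constructed source: 64 KiB of zeros with a fake invoice record
# planted at offset 4096, then write-protect it.
make_source() {
    dd if=/dev/zero of="$SRC" bs=1024 count=64 2>/dev/null
    printf 'INVOICE 0042 PAYEE=ACME-LTD AMOUNT=100000' |
        dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null
    chmod a-w "$SRC"
}

# Print "md5 sha256" for a file. MD5 is what the article describes; a second,
# collision-resistant hash is recorded alongside it in current practice.
fingerprint() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Acquire: read the source once, block by block, into the image file.
# dd only ever opens if= for reading; noerror,sync keeps going past bad
# blocks and pads them so offsets in the image stay aligned with the source.
acquire() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
}

# Verify acquisition: the image is good only if both hashes match the source.
verify() {
    if [ "$(fingerprint "$SRC")" = "$(fingerprint "$IMG")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Tamper check: copy the image to a working file, overwrite a single byte
# inside the invoice record, and compare fingerprints. Prints "changed" when
# the working copy no longer matches the pristine image.
tamper_check() {
    cp "$IMG" "$WORK/working.dd"
    printf 'X' | dd of="$WORK/working.dd" bs=1 seek=4100 conv=notrunc 2>/dev/null
    if [ "$(fingerprint "$IMG")" != "$(fingerprint "$WORK/working.dd")" ]; then
        echo changed
    else
        echo unchanged
    fi
}

# Attempt a one-byte write to the protected source (a zero over an existing
# zero, so the content is unchanged even if the write succeeds). Prints
# "blocked" when the write is refused, "writable" when it is not (e.g. as root).
source_is_protected() {
    if dd if=/dev/zero of="$SRC" bs=1 count=1 conv=notrunc 2>/dev/null; then
        echo writable
    else
        echo blocked
    fi
}

make_source
acquire
echo "source : $(fingerprint "$SRC")"
echo "image  : $(fingerprint "$IMG")"
echo "verify : $(verify)"
echo "tamper : $(tamper_check)"
echo "source write attempt: $(source_is_protected)"
```

Run it as an ordinary user; the last line reports whether the write-protect held. As root, permission bits do not block writes, which is precisely why a hardware blocker rather than a software setting is the standard for originals. Record both hashes in the case notes at acquisition time, before any analysis starts; a chain-of-custody log is only as good as the fingerprint written into it.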
Data protection is another pitfall to be avoided. Countries have
different legislation with regard to monitoring. For example, if
a disk has to be sent to a company's US office for examination,
you could run into data protection issues when transferring the
data to the US, warns ISSA's O'Connor. To help companies through
Europe's disparate legal regimes, the CTOSE Foundation,
an EU-funded project, has formalised guidelines for standardising
evidence collection in Europe. Robin Urry, at the Joint Research
Centre, who heads the project, says a demo of the standard ran successfully
in the UK, Belgium, France, Italy and Germany, and it is currently
being used in a major bank.
With so much confusion, it is no surprise that finding certified
experts in digital forensics investigation is not easy. Vendors
accredit professionals on certain tools. But currently "there
is an absence of standards and competencies in the field of cybercrime",
says Nigel Jones, who is contracted as head of training at the UK
National Specialist Law Enforcement Centre.
Private investigation
So where does computer forensics fit into a company? Qinetiq’s
Rowlingson believes that "forensic readiness is complementary
to, and an enhancement of, many existing information security activities."
In fact many IT security professionals see forensics as a good career
move, says O’Connor. There is a staunch belief that digital
investigation will play a bigger and more influential part in private
corporation policing as time progresses. "Most big businesses,
which are buying and selling commodities and have IP to protect
have a valid case for setting up these services," says Deloitte’s
Sealey. He adds that, currently, computer forensics is mostly outsourced,
but this is changing.
So where does law enforcement fit in? After all, forensic science,
including bloodstain analysis and toxicology, is practised
with the sole purpose of bringing a legal judgement to a crime.
Computer forensics has its own rules within the corporate sphere.
If the company wants to go to court and face external law, then
the police are summoned. But if not, then all misbehaviour in offices
amid computers and exotic plants is handled discreetly, with minimum
fuss. After all, who wants a fuss when there is money to be made?
Some see this as a shortsighted approach to the fight against computer-based
crime. Eoghan Casey, editor-in-chief of Elsevier’s Digital
Investigation said, in an editorial this year, ‘Sweeping problems
under the rug and hoping nobody will notice is the strategy that
failed Enron, with serious repercussions for its employees and investors.’