Computer forensics investigators attend Fraud Advisory Panel conference
10th June 2011
The following is taken from a presentation that one of our computer forensics investigators gave at a recent Fraud Advisory Panel conference.
Traditionally, a computer forensics investigation is conducted on a forensic copy or ‘image’ of an item of media which was captured using the methodology previously described.
In the days when networks were smaller and servers did not have the capacity they do now, to remove each drive and image it separately was a perfectly acceptable way of conducting business.
Of course we haven’t given up on these methods but, in today’s world of large, extended networks, high capacity data storage and even cloud computing, it has been necessary to adopt new and different approaches to the subject of computer forensic examination. New tools and methodologies have been developed and are constantly being reviewed.
Live forensics can be described as the methodology used to capture data into a forensic image whilst the target system is still running normally. It has to be understood that live forensics will alter some parts of the original media, but we are aware of this and can ensure that disruption is kept to a minimum. The ACPO Guidelines state: ‘Computer forensic investigators may be able to, in certain circumstances, glean further evidence from a machine whilst it is still in its running or ‘live’ state. Information available includes network connectivity details and volatile (non-persistent) memory-resident data. Caution must be taken to avoid unnecessary changes to evidence.’
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
It is possible to capture an image of what is in a computer’s memory. Available tools will analyse this image, allow the investigator to conduct searches, and produce the results in a format that the investigator can read in the same manner as the image of a hard drive or other media. Much valuable information can be found in memory. It is worth remembering that memory holds the most recently processed information, which is the most up to date available.
Capturing Live Data
There are a number of occasions when this technique may come in useful. Quite often it is impractical to close a server down, owing to the loss of business potential or the whole configuration.
The use of live forensic methodology can also be an important asset when smaller amounts of data are required from prohibitively large-capacity storage media. Copying (or imaging) a single user area (or share) from a network cuts down not only the time required to capture the data but also the time required for processing and analysis, as the amount of non-relevant data that needs to be trawled through is greatly reduced. This has an obvious saving in terms of cost.
Another situation where live forensic methodology can be of benefit is when a drive or other form of media is encrypted. If the encrypted drive is imaged in the traditional manner, its contents will not be visible to the examiner in their true form when viewed using forensic tools. Examiners may find indications that the data is encrypted by looking at file or volume headers, where clues such as the file signature of an encryption application may be found.
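As an added illustration of the header check described above (example code written for this page, not from the presentation), the following Python triage helper reads the first bytes of an image, looks for known encryption-container signatures and measures byte entropy. The LUKS and BitLocker magic values come from those formats’ public specifications; the entropy threshold and the sample inputs are assumptions.

```python
import math

# Illustrative table of encryption-container markers: (name, offset, magic).
# LUKS and BitLocker magics are from their public on-disk formats; the table
# is deliberately short and is not an exhaustive list.
ENCRYPTION_SIGNATURES = [
    ("LUKS volume", 0, b"LUKS\xba\xbe"),
    ("BitLocker volume", 3, b"-FVE-FS-"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; close to 8.0 means it looks random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_header(header: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return what an examiner can infer from the first bytes of an image.

    A recognised signature is conclusive. High entropy without any known
    structure is only a hint (compressed data looks similar), so it is
    reported as a reason to capture the live system rather than as proof.
    The 7.5 bits-per-byte threshold is an assumed working value.
    """
    matches = [name for name, off, magic in ENCRYPTION_SIGNATURES
               if header[off:off + len(magic)] == magic]
    entropy = shannon_entropy(header[:4096])
    return {
        "signatures": matches,
        "entropy": round(entropy, 2),
        "likely_encrypted": bool(matches) or entropy >= entropy_threshold,
    }


def assess_image(path: str) -> dict:
    """Assess a forensic image (or raw device) file by its first 4 KiB."""
    with open(path, "rb") as f:
        return assess_header(f.read(4096))


# Constructed sample headers used for a stand-alone run of this example.
SAMPLE_LUKS = b"LUKS\xba\xbe" + b"\x00" * 100
SAMPLE_PLAINTEXT = b"The quick brown fox " * 50
```

Run `assess_image("/path/to/image.dd")` against a real capture; a hit in `signatures` tells the examiner before a full examination that a live acquisition is needed.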
Triage
This is a word that is often bandied about in medical circles. In forensic terms it has a similar meaning: an early assessment can enable a decision to be made as to whether or not a full forensic procedure is required.
Generally, this involves gaining access to a network (or sometimes even just a standalone machine) by connecting up an investigator’s laptop system. Once access is gained, the investigator can see what is on the target machine without having to get physical access. Running processes, contents of physical memory and data that is stored on the computer can be viewed. Generally, an image can be captured but this methodology would typically not be used to conduct a full in-depth examination.
eDisclosure or eDiscovery is one of the current buzzwords within the computer forensics industry today. What does it mean? Well, if we trust the good old ‘Wikipedia’, it means: ‘The discovery of information in civil litigation which deals with the exchange of information in electronic format colloquially known as ESI.’
Is it the same as computer forensic investigation? No, not really. Whilst both disciplines are concerned with the presentation of evidence for judicial proceedings, eDiscovery has greater scope and can deal with larger amounts of data over a shorter period, whereas computer forensics is a more channelled field of evidence recovery.
Monitoring and Analysing Network Traffic
In order to conduct computer-based fraudulent activity, a would-be fraudster would need to gain access to an establishment’s IT systems. On the surface of it, one might think that this is not possible, as most buildings have fairly robust protective measures: reception/security staff on the main entrance, patrols that monitor the building through the night, alarms, CCTV and movement sensors, to name just a few. However, it is amazing how poorly protected some IT infrastructure systems are. Whilst an intruder may be deterred from a physical attack on an organisation’s IT assets, a logical attack may be considered a much more appetising prospect.
Security costs money and, in this day and age, there may not be too much of that going around. Out-of-date equipment, software that isn’t being updated, subscriptions to security services that are being allowed to lapse: all these things are examples of money being tight and priorities changing. Whilst cutting back on security may seem an attractive proposal, it is a dangerous one and a situation which could have disastrous consequences for an organisation.
So, how can we ensure to the best of our ability that our assets are protected and the risk of a logical attack is properly minimised?
Firstly, we must ensure that equipment is kept as current as possible. Software, such as operating systems and applications, should be properly patched and kept up to date. Policies should be in place to ensure that staff act responsibly regarding IT systems. Barriers and monitoring must be part of the establishment’s defence strategy against attacks relating to fraud and other crimes. Primarily, this should include firewalls, intrusion detection systems, malware detection software and the like.
I’m sure we are all familiar with the term firewall. I tend to liken it to a logical non-return valve: the user can reach the outside world but nothing can get in. The firewall needs to be updated regularly to keep it current and efficient. Firewalls can be positioned on individual machines, on servers or as freestanding devices, to protect both internally within a network and to assist with protection against threats from outside.
A firewall is a barrier and will typically protect against head-on threats as they attempt to break through. Intrusion detection systems (IDS), however, ‘scan’ the logical approaches to the network and, by watching for malicious activity or policy violations, can alert an organisation to a potential attack. An IDS is only a monitoring system, so it is important that procedures are in place to deal with the attack once it is detected.
Network monitoring tools are important and there are many available. These tools have a dual purpose: to help provide information from a security angle, but also to give network administrators a means of keeping a check on how the system is running. Network monitoring tools range from simple programs which record IP addresses to sophisticated packet sniffing/monitoring tools.