Forwarded From: phreak moi <hackerelite@deathsdoor.com>
Cracking cybercrime
Don't touch electronic evidence until you call in the cops or a
cyberforensics expert
October 30, 1998
Web posted at: 11:50 AM EDT
by Deborah Radcliff
http://cnn.com/TECH/computing/9810/30/cybercrime.idg/index.html
(IDG) -- Early this year, the audit manager for a financial services
company suspected a former employee of embezzling nearly a million
dollars. He took the suspect's PC to his office to analyze its hard drive,
then got called out of town. Unaware of the investigation, his trusty
assistant reissued the suspect computer to the word processing pool to
replace a broken one.
"That guy's evidence - and his case - was toast," says Michael Anderson,
former IRS investigator and founder of New Technologies (NTI), a
cyberforensics firm in Gresham, Ore. "All the ambient data was
overwritten." Earlier, the audit manager had considered outsourcing the
forensics work to NTI but decided to forgo the $215-per-hour fee and do
it himself.
There's a lesson here: Thou shalt not bungle computer evidence intended
for a court of law.
Crimes committed via computer leave distinct evidence trails. If you so
much as access, download or open suspect files, you could taint the
evidence and render it inadmissible. That type of activity alters backup
files and system logs and overwrites date and time stamps, says Bill Boni,
director of IS for PriceWaterhouseCoopers in New York.
Draft a contingency plan for when cybercrime strikes and take the
proactive measures Boni suggests. Regularly print and save log files from
critical servers. Establish a tamper-proof backup system to capture
activity and audit trails.
Your policy should also include thresholds of what magnitude of loss or
crime would trigger a call to law enforcement. Not all crimes should be
reported for reasons of shareholder confidence and public image.
There are two schools of thought when it comes to actually handling the
computers. Anderson advises his clients to leave the system running. Boni
suggests shutting it down.
Warren Kruse, investigations manager for Lucent's computer and network
security department in New Jersey, laughs when he hears those options.
"The golden rule of computer evidence is there are no golden rules," he
says. "The person who tells you to keep the computer on worries about
losing everything in RAM, which could contain valuable evidence in
temporary files. The person who tells you to turn off the machine worries
about hidden processes like timed viruses destroying the hard drive."
Lucent's seven-person computer and network security department works like
a security help desk for the vendor's 136,000 employees. When users report
suspect activity on their machines, team members are dispatched to
investigate.
Don't count on your audit manager or administrator to know the correct
methodology for preserving evidence. In a recent court case, the defense
retained PriceWaterhouseCoopers' forensics experts because the victim had
badly damaged the evidence.
The aggrieved firm's management told IS to get proof that an employee had
misappropriated intellectual property. "IS copied e-mail and log files but
didn't create forensics copies - a bit-stream backup of the hard drive of
the laptop, desktop and e-mail server," Boni says. "We had to tell the
court that their copies were totally inadequate."
Forensics backups take a mirror image of the hard drive, grabbing all of
the file slack and erased space - which traditional backups miss - as well
as named files. This ambient data is often the smoking gun in cybercrime
prosecutions, Anderson says. He suggests using Sydex, Inc.'s SafeBack to
perform mirror-image backups.
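The difference between a file-level copy and a bit-stream image is easiest to see on a toy disk. The following is an added example written for this forward, not code from the article, NTI or Sydex: it constructs an 8-sector "disk" with a simple allocation table, one live file whose last sector still holds the tail of an older draft (file slack), and one file that was deleted without its sectors being wiped (unallocated space). The logical copy returns only the named file; the bit-stream image copies every byte and carries a SHA-256 digest so it can later be shown unaltered. The sector size, file names and file contents are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR = 64        # constructed toy sector size (bytes)
N_SECTORS = 8

# name -> (list of sectors allocated to the file, logical length in bytes)
FileTable = Dict[str, Tuple[List[int], int]]

# Constructed sample contents; none of this is real data.
LIVE_TEXT = b"ledger.txt: Q3 accounts reconciled, no variances found in receivables or payables."
SLACK_TEXT = b"[old draft] bonus wire approved"
DELETED_TEXT = b"memo: move 950,000 to acct 4471 then delete this"


def build_toy_disk() -> Tuple[bytes, FileTable]:
    """Construct the disk image and its allocation table."""
    sectors = [bytearray(SECTOR) for _ in range(N_SECTORS)]
    # 1. An earlier file once used sector 1; its bytes were never wiped.
    sectors[1][:len(SLACK_TEXT)] = SLACK_TEXT
    # 2. ledger.txt (82 bytes) is written over sectors 0-1. It overwrites
    #    only the first 18 bytes of sector 1; the rest of the old draft
    #    survives as file slack.
    for i, off in enumerate(range(0, len(LIVE_TEXT), SECTOR)):
        chunk = LIVE_TEXT[off:off + SECTOR]
        sectors[i][:len(chunk)] = chunk
    # 3. memo.txt was written to sector 2 and then deleted: its table entry
    #    is gone, but nothing zeroed the sector.
    sectors[2][:len(DELETED_TEXT)] = DELETED_TEXT
    table: FileTable = {"ledger.txt": ([0, 1], len(LIVE_TEXT))}
    return b"".join(bytes(s) for s in sectors), table


def logical_copy(disk: bytes, table: FileTable) -> Dict[str, bytes]:
    """File-level copy: named files only, trimmed to their logical length.
    This is what 'copying the files' or a routine backup produces."""
    out: Dict[str, bytes] = {}
    for name, (secs, length) in table.items():
        raw = b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in secs)
        out[name] = raw[:length]
    return out


def bitstream_image(disk: bytes) -> Tuple[bytes, str]:
    """Mirror image: every sector, allocated or not, plus a SHA-256 digest
    recorded at acquisition time."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_digest: str) -> bool:
    """True if the image still hashes to the digest taken at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_digest


def ambient_data(image: bytes, table: FileTable) -> Dict[str, bytes]:
    """Regions a logical copy never sees: slack after each file's last
    byte, and every sector no file claims."""
    regions: Dict[str, bytes] = {}
    allocated = set()
    for name, (secs, length) in table.items():
        allocated.update(secs)
        last = secs[-1]
        used_in_last = length - SECTOR * (len(secs) - 1)
        start = last * SECTOR + used_in_last
        regions[f"slack:{name}"] = image[start:(last + 1) * SECTOR]
    for s in range(len(image) // SECTOR):
        if s not in allocated:
            regions[f"unallocated:sector{s}"] = image[s * SECTOR:(s + 1) * SECTOR]
    return regions


def grep_regions(regions: Dict[str, bytes], needle: bytes) -> List[str]:
    """Labels of the ambient regions that contain the needle."""
    return [label for label, data in regions.items() if needle in data]


if __name__ == "__main__":
    disk, table = build_toy_disk()
    logical = b"".join(logical_copy(disk, table).values())
    image, digest = bitstream_image(disk)
    regions = ambient_data(image, table)
    for needle in (b"4471", b"approved"):
        print(needle, "in logical copy:", needle in logical,
              "| in image regions:", grep_regions(regions, needle))
    print("image verifies:", verify_image(image, digest))
```

The point the toy makes is the one Boni and Anderson make: the memo's account number and the old draft's "approved" are absent from the logical copy and present only in the slack and unallocated regions of the image, and the digest taken at acquisition is what lets an examiner later show the image was not altered.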
The method of attack is another factor that determines what action you
should take. If the crime stems from inside the network, Boni recommends
suspending all access to the affected server or database until law
enforcement can make evidentiary copies of relevant files.
"There's evidence in the database log, activity records or the operating
system that could be affected by automated backup jobs or other routine
activities," he says.
For external attacks launched from the Internet, start by printing an
evidentiary copy of firewall logs. Then see what evidence you can gather
from your firm's ISP - perhaps the ISP could freeze records or provide
additional logs and auditing. However, Boni says most ISPs aren't too
helpful because they put the burden of security on their clients.
Finally, know when you're in over your head, Lucent's Kruse says. If
there's any question, call in the big guns: either a cyberforensics expert
or law enforcement.
Cyberforensics consultants from the computer security divisions of the
Big Five accounting firms charge upwards of $2,500 per day for their
services. One alternative is to teach an IT staffer or a team of
auditing, security and legal workers the appropriate methodology for
handling computer evidence. NTI offers a three-day training course for
$2,000, including software.
Most large metropolitan police forces and federal agencies have
well-trained cybercops among their rank and file.
If your company does go to the authorities, be prepared to allocate a lot
of time and resources to work with the police, Boni says. Above all, he
says, "if evidence is in the machine, leave it in the state it's in."
Radcliff is a freelance writer in Northern Calif. She can be reached at
DeRad@aol.com.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Nov 1 21:15:16 1998