4. Computer Security Incident:
A computer security incident is defined as any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Such an action can include any of the following events:
Theft of trade secrets
Email spam or harassment
Unauthorized or unlawful intrusions into computing systems
Embezzlement
Possession or dissemination of child pornography
Denial-of-service (DoS) attacks
Tortious interference of business relations
Extortion
Any unlawful action when the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes.
5. Computer Crime
Cybercrime, also called computer crime, is the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government.
A computer can play one of three roles in a computer crime: it can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime.
In some cases, the computer can have multiple roles. It can be the “smoking gun” serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. For example, a hacker may use the computer as the tool to break into another computer and steal files, then store them on the computer.
6. Computer Forensic Objective:
The objective in computer forensics is quite straightforward. It is to recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law. The key phrase here is usable as evidence in a court of law. It is essential that none of the equipment or procedures used during the examination of the computer obviate this.
7. COMPUTER FORENSICS SERVICES
A computer forensics professional does more than turn on a computer, make a directory listing, and search through files. Your forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:
Data seizure
Data duplication and preservation
Data recovery
Document searches
Media conversion
Expert witness services
Computer evidence service options
Other miscellaneous services
8. Data Seizure
Federal rules of civil procedure let a party or their representative inspect and copy designated documents or data compilations that may contain evidence. Your computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence [3]. Your experts should also be able to assist officials during the equipment seizure process. See Chapter 6, “Evidence Collection and Data Seizure,” for more detailed information.
Data Duplication and Preservation
When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Your computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data. Because duplication is fast, the responding party can quickly resume its normal business functions, and, because your experts work on the duplicated data, the integrity of the original data is maintained.
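The "exact duplicate" referred to above is, in practice, a bit-for-bit image whose integrity is proven with a cryptographic hash computed while reading the source and recomputed over the finished image. The following Python routine is an added example (not code from the lecture notes or any source they cite): the "device" is an ordinary file standing in for a drive, all paths and sample bytes are constructed, and in a real acquisition the source would be opened read-only behind a hardware write blocker.

```python
"""Added example: image an evidence source and verify the copy with SHA-256.

The source here is a constructed file standing in for a drive; everything else
(paths, sizes) is made up for the demonstration.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media never sit in memory


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy source to image byte for byte, hashing the source as it is read.

    Returns the acquisition hash (what was read), the verification hash
    (what ended up on disk) and whether they agree. A mismatch means the
    image cannot be trusted and must be re-acquired.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    acquisition = h.hexdigest()
    verification = sha256_of(image)
    return {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "acquisition_sha256": acquisition,
        "verification_sha256": verification,
        "verified": acquisition == verification,
    }


def image_still_intact(record: dict) -> bool:
    """Re-hash the image at analysis time and compare with the recorded hash,
    so any change to the working copy is detected before results are drawn."""
    return sha256_of(record["image"]) == record["acquisition_sha256"]


def demo() -> tuple:
    """Constructed walk-through: a fake 3 MiB 'drive' is imaged, checked,
    then one byte of the image is flipped to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.dd")
        img = os.path.join(tmp, "evidence.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        record = acquire_image(src, img)
        before = image_still_intact(record)
        with open(img, "r+b") as f:  # simulate someone touching the image
            f.seek(100)
            original_byte = f.read(1)[0]
            f.seek(100)
            f.write(bytes([original_byte ^ 0xFF]))
        after = image_still_intact(record)
        return record["verified"], before, after
```

The acquisition hash and the verification hash are kept separately on purpose: the first documents what the source contained at seizure time, the second proves the copy landed intact, and every later analysis step starts by re-running `image_still_intact` on the working copy.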
9. Data Recovery
Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies. For example, when a user deletes an email, traces of that message may still exist on the storage device. Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence.
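The deleted-email case works because deletion normally removes only the index entry; the message bytes remain in unallocated space until something overwrites them, so a scan of the raw image for message structure can still find them. The following carver is an added example (not code from the lecture notes): the "image" is constructed inline from seeded filler with two planted messages, one of which has had its body overwritten, to show that recovery is often partial.

```python
"""Added example: carve the remains of deleted email messages from raw bytes.

The sample image is constructed in build_sample_disk(); nothing here comes
from a real case.
"""
import random
import re

# One RFC 5322-style header line: a known name, printable ASCII value, CRLF or LF.
HEADER_LINE = re.compile(rb"(From|To|Subject|Date|Message-ID): ([\x20-\x7e]*)\r?\n")
# Body text: printable bytes after the blank separator line, ending at the first
# non-printable byte, i.e. where the fragment ends or was overwritten.
BODY = re.compile(rb"\r?\n([\x20-\x7e\t\r\n]*)")


def carve_emails(raw: bytes, min_headers: int = 2) -> list:
    """Find header blocks starting at 'From: ' and return what is recoverable
    for each: byte offset, parsed headers and whatever body text survives."""
    found = []
    pos = 0
    while (start := raw.find(b"From: ", pos)) != -1:
        headers = {}
        cursor = start
        while (m := HEADER_LINE.match(raw, cursor)):
            headers[m.group(1).decode()] = m.group(2).decode()
            cursor = m.end()
        if len(headers) >= min_headers:
            body_m = BODY.match(raw, cursor)
            body = body_m.group(1).decode().strip() if body_m else ""
            found.append({"offset": start, "headers": headers, "body": body})
            pos = cursor
        else:
            pos = start + 1  # too little structure to call it a message
    return found


def build_sample_disk() -> bytes:
    """Constructed sample: seeded junk with two deleted messages in it."""
    rnd = random.Random(7)
    msg1 = (b"From: alice@example.test\r\n"
            b"To: bob@example.test\r\n"
            b"Subject: Q3 forecast (draft)\r\n"
            b"Date: Tue, 03 Sep 2024 09:12:00 +0000\r\n"
            b"\r\n"
            b"Bob, the attached numbers are not for distribution.\r\n")
    msg2 = (b"From: carol@example.test\r\n"
            b"Subject: re: server room badge\r\n"
            b"\r\n")  # body already overwritten by later writes
    return (rnd.randbytes(1500) + msg1 + b"\x00"
            + rnd.randbytes(900) + msg2 + b"\x00"
            + rnd.randbytes(1200))
```

Real carvers key on many more signatures (mailbox formats, MIME boundaries, message-ID patterns) and record the offset of every hit, because the offset is what lets the examiner point back into the verified image when the recovered text is later questioned.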
Document Searches
Your computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.
10. Media Conversion
Some clients need to obtain and investigate computer data stored on old and unreadable devices. Your computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.
Expert Witness Services
Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation (see sidebar, “Provide Expert Consultation and Expert Witness Services”).
11. Computer Evidence Service Options
Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:
Standard service
On-site service
Emergency service
Priority service
Weekend service
12. Standard Service
Your computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found. They must be able to provide clean rooms and ensure that all warranties on your equipment will still be valid following their services.
On-Site Service
Your computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question. Their services should then be performed on the duplicate, minimizing the disruption to business and the computer system. Your experts should also be able to help federal marshals seize computer data and be very familiar with the Federal Guidelines for Searching and Seizing Computers.
Emergency Service
After receiving the computer storage media, your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.
Priority Service
Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.
Weekend Service
Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue
13. TYPES OF EVIDENCE
Testimonial Evidence
Testimonial evidence is any evidence supplied by a witness. This type of evidence is subject to the perceived reliability of the witness, but as long as the witness can be considered reliable, testimonial evidence can be almost as powerful as real evidence. Word processor documents written by a witness may be considered testimonial—as long as the author is willing to state that he wrote it.
Hearsay
Hearsay is any evidence presented by a person who was not a direct witness. Word processor documents written by someone without direct knowledge of the incident are hearsay. Hearsay is generally inadmissible in court and should be avoided.
14. THE RULES OF EVIDENCE
There are five rules of collecting electronic evidence. These relate to five properties that evidence must have to be useful.
1. Admissible
2. Authentic
3. Complete
4. Reliable
5. Believable
15. Admissible
Admissible is the most basic rule. The evidence must be able to be used in court or otherwise. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher.
Authentic
If you can’t tie the evidence positively to the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.
Complete
It’s not enough to collect evidence that just shows one perspective of the incident. You collect not only evidence that can prove the attacker’s actions, but also evidence that could prove their innocence. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and why you think they didn’t do it. This is called exculpatory evidence and is an important part of proving a case.
Reliable
The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity.
Believable
The evidence you present should be clearly understandable and believable to a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted, human-understandable version, you must be able to show the relationship to the original binary; otherwise there’s no way for the jury to know whether you’ve faked it. Using
16. Evidence Collection
Minimize handling and corruption of original data.
Account for any changes and keep detailed logs of your actions.
Comply with the five rules of evidence.
Do not exceed your knowledge.
Follow your local security policy.
Capture as accurate an image of the system as possible.
Be prepared to testify.
Work fast.
Proceed from volatile to persistent evidence.
Don’t shut down before collecting evidence.
Don’t run any programs on the affected system.
17. Minimize Handling and Corruption of Original Data
Once you’ve created a master copy of the original data, don’t touch it or the original. Always handle secondary copies. Any changes made to the originals will affect the outcomes of any analysis later done to copies. You should make sure you don’t run any programs that modify the access times of all files (such as tar and xcopy). You should also remove any external avenues for change and, in general, analyze the evidence after it has been collected.
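The warning about tools that modify access times is easiest to take seriously when you can see exactly which fields a step changed. The snapshot-and-diff routine below is an added example (not code from the lecture notes): it records size, MAC times and a content hash for every file before anything else runs, then reports per-file which fields differ afterwards. The directory tree and the "careless tool" step are constructed for the demonstration; whether a plain read bumps the access time depends on the mount options (noatime/relatime), which is precisely the kind of difference the diff is meant to surface.

```python
"""Added example: snapshot file metadata before examination, then account for
every difference a step introduced. Files and paths are constructed in a
temporary directory.
"""
import hashlib
import os
import tempfile

FIELDS = ("size", "atime_ns", "mtime_ns", "ctime_ns", "sha256")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root to its size, MAC times and content hash.

    os.stat itself does not alter access times; reading the content for the
    hash may, depending on how the volume is mounted. The stat is taken first
    so the recorded atime is the pre-read value.
    """
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            key = os.path.relpath(p, root).replace(os.sep, "/")
            snap[key] = {
                "size": st.st_size,
                "atime_ns": st.st_atime_ns,
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
                "sha256": sha256_file(p),
            }
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return {path: [changed fields]}, with 'added'/'removed' for new or
    missing files. An empty dict means the step left no trace."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = ["added"]
        elif path not in after:
            changes[path] = ["removed"]
        else:
            changed = [f for f in FIELDS if before[path][f] != after[path][f]]
            if changed:
                changes[path] = changed
    return changes


def demo() -> dict:
    """Constructed walk-through: two files are snapshotted, then a simulated
    careless tool appends to one and drops an output file next to them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        memo = os.path.join(root, "docs", "memo.txt")
        log = os.path.join(root, "notes.log")
        with open(memo, "wb") as f:
            f.write(b"quarterly memo\n")
        with open(log, "wb") as f:
            f.write(b"log line 1\n")
        before = snapshot(root)
        with open(log, "ab") as f:          # the careless step
            f.write(b"log line 2\n")
        with open(os.path.join(root, "tool.out"), "wb") as f:
            f.write(b"x")
        after = snapshot(root)
        return diff_snapshots(before, after)
```

On a volume mounted with access-time updates enabled, `demo()` also reports `atime_ns` for the untouched memo, because the snapshot's own read touched it; that is the point of taking the snapshot before, not after, the first tool runs.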
Account for Any Changes and Keep Detailed Logs of Your Actions
Sometimes evidence alteration is unavoidable. In these cases, it is absolutely essential that the nature, extent, and reasons for the changes be documented. Any changes at all should be accounted for—not only data alteration but also physical alteration of the originals (the removal of hardware components).
Comply with the Five Rules of Evidence
The five rules are there for a reason. If you don’t follow them, you are probably wasting your time and money. Following these rules is essential to guaranteeing successful evidence collection.
Do Not Exceed Your Knowledge
If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe what exactly you did. If you ever find yourself “out of your depth,” either go and learn more before continuing (if time is available) or find someone who knows the territory. Never soldier on regardless. You’ll just damage your case.
18. Follow Your Local Security Policy
If you fail to comply with your company’s security policy, you may find yourself with some difficulties. Not only may you end up in trouble (and possibly fired if you’ve done something really against policy), but you may not be able to use the evidence you’ve gathered. If in doubt, talk to those who know.
Capture as Accurate an Image of the System as Possible
Capturing an accurate image of the system is related to minimizing the handling or corruption of original data. Differences between the original system and the master copy count as a change to the data. You must be able to account for the differences.
Be Prepared to Testify
If you’re not willing to testify to the evidence you have collected, you might as well stop before you start. Without the collector of the evidence being there to validate the documents created during the evidence-collection process, the evidence becomes hearsay, which is inadmissible. Remember that you may need to testify at a later time. No one is going to believe you if they can’t replicate your actions and reach the same results. This also means that your plan of action shouldn’t be based on trial-and-error.
19. Work Fast
The faster you work, the less likely the data is going to change. Volatile evidence may vanish entirely if you don’t collect it in time. This is not to say that you should rush. You must still collect accurate data. If multiple systems are involved, work on them in parallel (a team of investigators would be handy here), but each single system should still be worked on methodically. Automation of certain tasks makes collection proceed even faster.
Proceed from Volatile to Persistent Evidence
Some electronic evidence (discussed later) is more volatile than other evidence. Because of this, you should always try to collect the most volatile evidence first.
Don’t Shut Down Before Collecting Evidence
You should never, ever shut down a system before you collect the evidence. Not only do you lose any volatile evidence, but also the attacker may have trojaned (via a trojan horse) the startup and shutdown scripts, plug-and-play devices may alter the system configuration, and temporary file systems may be wiped out. Rebooting