The attraction of computer-based crime is obvious.
Twenty years ago corporate spies would find it difficult to steal
the entire contents of a filing cabinet, but today they can take
far more by slipping a disc into their pocket or e-mailing data to
an online electronic swag bag.
It is much easier to steal, leak, manipulate or destroy
electronic data. But just as in the physical world, cyber-criminals
leave their electronic fingerprints all over a digital crime
scene.
Businesses have spent billions of pounds on IT security to
protect their networks and reputations from outside threats such as
hackers, virus writers and fraudsters, and even more on
constructing disaster recovery and business continuity plans.
Yet 89% of UK businesses were the target of e-criminals last
year, which resulted in a loss of more than £2.4bn, according to
research conducted by the National Hi-Tech Crime Unit (NHTCU).
Despite the scale of the problem and its ever-growing prominence
in the press, most businesses do not have an incident response plan
in place, and those that do fail on execution or putting IT
security policy and procedure into practice.
In reality, when a company is faced with a security incident
they often do not know where to start, what to do, or who to turn
to. For many companies the knee-jerk reaction is to sweep the
problem under the carpet and hope it goes away.
About 93% to 95% of all cyber-crimes go unreported because
companies rate unwanted publicity and disruption to business
operations as potentially more damaging to their business than the
incident itself.
But with greater connectivity, opportunity and advances in
technology, exposure to security threats will continue to rise.
First, businesses must face the fact that it has become
relatively easy to steal or sabotage company information and
intellectual property (from mobile devices and USB storage devices
to web mail). And, second, they must employ a practical policy and
set of procedures to tackle incidents before they escalate.
The best line of defence is to make sure the right policies,
procedures and communications are in place. Not doing so is the
equivalent of a ticking time bomb.
Below is a practical guide to handling an incident and the
corresponding computer forensic considerations.
It comes with a major caveat: investigations should only be
undertaken by skilled computer forensic investigators. DIY attempts
to gather electronic evidence will almost certainly result in the
failure of an investigation. It is best to call in either the
police or a commercial computer forensics firm as soon as you
suspect something.
What to do: a step-by-step guide for businesses
Plan your response
The incident response plan will vary from company to company and
will be dependent upon a risk assessment process. It should also
fit within the company's corporate IT and governance policies.
The planned response to any given incident (including the
investigation process/methodology) must be compatible with current
legislation. You will therefore need to make sure you have read and
understood the Data Protection Act 1998 (which contains eight
guiding principles) and the European Convention on Human Rights
(specifically Article 8).
The Computer Misuse Act 1990 (the only piece of legislation that
has been solely created to deal with computer crime) is useful in
helping to determine what would constitute an incident and would at
least be worth paraphrasing in any subsequent company
documentation.
Once an incident response plan has been created and approved by
key decision-makers within the company, consideration needs to be
given to:
- Who will need to be informed when an incident is
discovered
- Who will form/lead the response or investigation team
- The potential use of external specialist investigation skills
and/or the need for police involvement.
The final and most critical step in implementing an effective
incident response plan is communicating the relevant policy and
procedures throughout the organisation.
Educating the different business departments, and selecting internal
champions to ensure that the policy is carried out, will ensure that
everyone understands their role and what is required of them for every
eventuality.
It is advisable that, as a minimum requirement, the key
departments are informed and involved at the earliest stages of an
incident, including HR, legal, corporate/IT security, and senior
management or a board member.
By involving these areas of the business at the earliest stages
of an apparent incident you will ensure that there is a commitment
to the process. Through that commitment, the ensuing investigation
will have the buy-in of all those involved and result in a
well-managed incident.
On discovering an incident
Once a potential incident has been discovered, it is paramount
to classify what the incident is. It is not necessary to report all
or any incidents to the police unless they involve specific types
of crime.
Reportable offences will be anything that is of a paedophilic
nature or is believed to involve organised crime.
The classification of the incident will also help to determine
the level of response and subsequent allocation of appropriate
resources.
Seal off the crime scene
The biggest temptation in the corporate world when an incident
has been identified is to "have a quick look". This is by far the
worst mistake that could be made and could jeopardise any
investigation.
Electronic evidence is fragile. It can be altered, damaged or
destroyed by improper handling or examination. For this reason,
special precautions should be taken to document, collect, preserve
and examine this type of evidence.
Failure to use forensically sound techniques may lead to
unusable evidence or an inaccurate conclusion. It is critical,
therefore, that the right methodology is used to preserve the
integrity of electronic evidence.
When a crime has been committed that involves a computer, the
computer should be considered a crime scene like any other and
sealed off to ensure evidence is not tampered with.
It is critical in the early stages that the condition of
electronic devices and the immediate surroundings are not altered
in any way: if the computer is off, leave it off. If it is on,
leave it on. If you interact with the computer in any way you may
alter its content and corrupt evidence.
Preliminary interviews
Make a note of all potential witnesses at the scene and, if
applicable, record details such as location, time of entry and
relation to potential suspects.
Gather any information that will be helpful to an investigator
such as e-mail, network and security passwords, user names and
internet service providers. Also make note of any additional
company property that might be with a suspect off-site, such as
laptop computers, PDAs and mobile phones.
Gathering evidence
The next step is to call in a professional computer forensic
investigation team - whether in-house or external professionals -
who will identify and secure the potential sources of evidence.
Almost certainly, within the corporate environment the best
source of evidence will be the computer that the suspect used
personally day in and day out. If you have access to the suspect's
and victim's computers then both of these need to be secured. If it
is not possible to gain access to these, then thought will need to
be given to back-up tapes and to the servers through which the data
would have passed and on which it could still be present.
The exact details of the computer should be recorded - make,
model and serial number. If the computer is on, record what is on
the screen, by photography or by description. If the computer is
off, record the fact. If there are any drives present, make a note
of this, including details of any media present in them.
If the computer is on, an investigator will normally need to pull the
plug out of the wall, remembering that there are certain operating
systems for which this cannot be done, such as Linux, Unix, FreeBSD
and MS Windows NT/2000 Server. Once power has been removed it is
preferable that the computer be sealed in a container and taken to a
secure area for investigation.
Once the sources of evidence have been identified, secured and
the continuity trail of each source of evidence has been started,
the next stage is to begin the imaging process to make an exact
copy of the evidence.
This acquisition should be performed without regard to the type
or amount of data that resides on the computer's hard disc. Every
last piece of information, regardless of whether it is live,
deleted or historical data, should be copied.
It is good practice to take two copies, one of which can be
sealed and stored to act as a back-up and may be used to verify the
veracity of your imaging process and subsequent findings. This is
the master copy; the other, which all subsequent work will be
carried out on, is the working copy.
There are principles worth following to ensure the highest
standards are met:
- Do not use your everyday computer for forensic
investigations
- Where possible, use new media for imaging
- If this is not possible, then ensure a rigorous formatting
process is utilised prior to reuse
- Do not use general disc or network tools as an imager
- Ensure the imaging software is forensically sound, ie it will
not write to or alter the original data during the imaging
process
- Ensure all investigation material is backed up.
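The imaging step and the principles above can be made concrete in code. The following is an added example, not code from the article or from any tool the author mentions: it models the evidence source as an in-memory byte string rather than a block device (a real acquisition would read the disc through a hardware write blocker with a dedicated imager), takes the sealed master copy and the working copy the article recommends, verifies both against a SHA-256 hash of the source, and records each step on the exhibit's continuity trail together with the make, model and serial details the article says must be noted. The exhibit reference, examiner name and "disk" contents are constructed sample values.

```python
"""Forensic image verification and continuity (chain-of-custody) record.

Added example (not from the original article). The evidence source is an
in-memory byte string standing in for a hard disc behind a write blocker;
the exhibit reference, examiner and disc contents are constructed data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ContinuityEntry:
    """One line on the continuity (chain-of-custody) trail for an exhibit."""
    when: str
    action: str
    performed_by: str
    sha256: str


@dataclass
class Exhibit:
    """Details the article says must be recorded for each seized computer."""
    reference: str          # exhibit reference, e.g. "EX-001" (constructed)
    make: str
    model: str
    serial: str
    powered_on_at_seizure: bool
    screen_note: str = ""   # what was on the screen, if it was on
    continuity: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """Hash an image so two copies can be compared without eyeballing bytes."""
    return hashlib.sha256(data).hexdigest()


def _now(clock=None) -> str:
    return (clock or datetime.now(timezone.utc)).isoformat()


def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy of the source. Every byte is copied (live, deleted
    and unallocated space are all just bytes here) and nothing is written
    back: an immutable ``bytes`` object stands in for a write blocker."""
    return bytes(source)


def image_exhibit(exhibit: Exhibit, source: bytes, examiner: str, clock=None):
    """Take the two copies the article recommends: a sealed master and a
    working copy. Each is verified against the source hash before its
    continuity entry is written. Returns (master, working, source_hash)."""
    source_hash = sha256_hex(source)
    master = acquire_image(source)
    working = acquire_image(master)   # working copy is taken from the master
    for name, copy in (("master", master), ("working", working)):
        if sha256_hex(copy) != source_hash:
            raise RuntimeError(f"{name} copy of {exhibit.reference} does not match source")
        exhibit.continuity.append(
            ContinuityEntry(_now(clock), f"{name} image acquired and verified",
                            examiner, source_hash))
    return master, working, source_hash


def working_copy_intact(exhibit: Exhibit, working: bytes) -> bool:
    """Re-hash the working copy and compare with the hash recorded at
    acquisition. False means the copy has been altered, findings derived
    from it are suspect, and it should be re-imaged from the sealed master."""
    recorded = [e.sha256 for e in exhibit.continuity if e.action.startswith("working")]
    return bool(recorded) and sha256_hex(working) == recorded[-1]


if __name__ == "__main__":
    # Constructed sample "disc": a live file, a deleted remnant and
    # zero-filled unallocated space. Not a real image.
    disk = (b"LIVE:quarterly-figures.xls\x00"
            + b"DELETED:customer-list.csv\x00"
            + b"\x00" * 4000)
    ex = Exhibit("EX-001", "ExampleCo", "Desktop 3000", "SN-CONSTRUCTED-42",
                 powered_on_at_seizure=False)
    master, working, h = image_exhibit(ex, disk, examiner="A. Examiner")
    print("acquired", len(master), "bytes, sha256", h)
    print("working copy intact:", working_copy_intact(ex, working))
    # Simulate a "quick look" with a tool that wrote to the working copy.
    tampered = bytearray(working)
    tampered[0:4] = b"LOST"
    print("after alteration:", working_copy_intact(ex, bytes(tampered)))
    for entry in ex.continuity:
        print(entry)
```

The point of hashing at acquisition and again before any finding is reported is that the sealed master lets you prove, rather than assert, that the working copy still reflects what was seized; if `working_copy_intact` ever returns False, the working copy is discarded and re-taken from the master, and that event is itself recorded on the continuity trail.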
It is always advisable to undergo training in the particular
tool or tools that you have chosen, in order to not only be able to
use the tool but also to obtain some form of qualification and be
considered competent in its use. The original supplier usually
provides this product-specific training.
In addition it is advisable to seek supplementary training in
the Data Protection Act and European Convention on Human Rights,
computer forensic investigation techniques and methodology, and
basic law.
There are numerous consultancies and training organisations that
provide this type of training. But before choosing a particular
training course, ask for reference sites and find out as much
information as possible about the trainers and the organisation
they represent. How long have they been training in this area? Have
they performed investigations themselves? If so, how many? What
kind?
Drawing a conclusion
After examining all the available evidence, the final stage of
the investigation is to draw a conclusion. The conclusion must be
objective, unbiased and based on indisputable fact. Can you clearly
connect the suspect to the computer beyond reasonable doubt? At
this stage, for anything more serious than an internal caution, you
should take professional legal advice on how best to proceed.
E-Crime Congress
Simon Janes will be among the experts attending the E-Crime
Congress 2006 on 30-31 March at the Victoria Plaza Hotel, London.
Sessions include selling security to the board, new threats and
identity theft.
www.e-crimecongress.org
Curriculum vitae: Simon Janes
As a former Scotland Yard detective, Simon Janes headed up
operations for the Computer Crime Unit. He has worked on some of
the UK's most high-profile computer crime cases, including tracking
virus writer "The Black Baron" and uncovering those responsible for
hacking into the US Air Force Rome Labs.
Janes co-wrote the Association of Chief Police Officers' Guide
to Computer Based Evidence, which has been adopted by law
enforcement agencies worldwide and is considered to be the minimum
standard by which investigations need to be conducted.
He was also the lead expert called by MPs for the review of the
Computer Misuse Act in 2004. The All Parliamentary Internet Group
put forward a private members bill to the government which was
based on many recommendations from Janes.
Janes is currently international operations manager for global
computer forensics and data recovery company Ibas.