The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag.
It is much easier to steal, leak, manipulate or destroy electronic data. But just as in the physical world, cyber-criminals leave their electronic fingerprints all over a digital crime scene.
Businesses have spent billions of pounds on IT security to protect their networks and reputations from outside threats such as hackers, virus writers and fraudsters, and even more on constructing disaster recovery and business continuity plans.
Yet 89% of UK businesses were the target of e-criminals last year, which resulted in a loss of more than £2.4bn, according to research conducted by the National Hi-Tech Crime Unit (NHTCU).
Despite the scale of the problem and its ever-growing prominence in the press, most businesses do not have an incident response plan in place, and those that do fail on execution or putting IT security policy and procedure into practice.
In reality, when a company is faced with a security incident they often do not know where to start, what to do, or who to turn to. For many companies the knee-jerk reaction is to sweep the problem under the carpet and hope it goes away.
About 93% to 95% of all cyber-crimes go unreported because companies rate unwanted publicity and disruption to business operations as potentially more damaging to their business than the incident itself.
But with greater connectivity, opportunity and advances in technology, exposure to security threats will continue to rise.
First, businesses must face the fact that it has become relatively easy to steal or sabotage company information and intellectual property (from mobile devices and USB storage devices to web mail). And, second, they must employ a practical policy and set of procedures to tackle incidents before they escalate.
The best line of defence is to make sure the right policies, procedures and communications are in place. Not doing so is the equivalent of a ticking time bomb.
Below is a practical guide to handling an incident and the corresponding computer forensic considerations.
It comes with a major caveat: investigations should only be undertaken by skilled computer forensic investigators. DIY attempts to gather electronic evidence will almost certainly result in the failure of an investigation. It is best to call in either the police or a commercial computer forensics firm as soon as you suspect something.
What to do: a step-by-step guide for businesses
Plan your response
The incident response plan will vary from company to company and will be dependent upon a risk assessment process. It should also fit within companies' corporate IT and governance polices.
The planned response to any given incident (including the investigation process/ methodology) must be compatible with current legislation. You will therefore need to make sure you have read and understood the Data Protection Act 1998 (which contains eight guiding principles) and the European Convention on Human Rights (specifically Article 8).
The Computer Misuse Act 1990 (the only piece of legislation that has been solely created to deal with computer crime) is useful in helping to determine what would constitute an incident and would at least be worth paraphrasing in any subsequent company documentation.
Once an incident response plan has been created and approved by key decision-makers within the company, consideration needs to be given to:
- Who will need to be informed when an incident is discovered
- Who will form/lead the response or investigation team
- The potential use of external specialist investigation skills and/or the need for police involvement.
The final and most critical step in implementing an effective incident response plan is communicating the relevant policy and procedures throughout the organisation.
Educating different business departments and selecting internal champions to ensure that policy is carried out, will ensure that everyone understands their roles and requirements for every eventuality.
It is advisable that, as a minimum requirement, the key departments are informed and involved at the earliest stages of an incident, including HR, legal, corporate/IT security, and senior management or a board member.
By involving these areas of the business at the earliest stages of an apparent incident you will ensure that there is a commitment to the process. Through that commitment, the ensuing investigation will have the buy-in from all those involved and result in a well managed incident.
On discovering an incident
Once a potential incident has been discovered, it is paramount to classify what the incident is. It is not necessary to report all or any incidents to the police unless they involve specific types of crime.
Reportable offences will be anything that is of a paedophilic nature or is believed to involve organised crime.
The classification of the incident will also help to determine the level of response and subsequent allocation of appropriate resources.
Seal off the crime scene
The biggest temptation in the corporate world when an incident has been identified is to "have a quick look". This is by far the worst mistake that could be made and could jeopardise any investigation.
Electronic evidence is fragile. It can be altered, damaged or destroyed by improper handling or examination. For this reason, special precautions should be taken to document, collect, preserve and examine this type of evidence.
Failure to use forensically sound techniques may lead to unusable evidence or an inaccurate conclusion. It is critical, therefore, that the right methodology is used to preserve the integrity of electronic evidence.
When a crime has been committed that involves a computer, the computer should be considered a crime scene like any other and sealed off to ensure evidence is not tampered with.
It is critical in the early stages that the condition of electronic devices and the immediate surroundings are not altered in any way: if the computer is off, leave it off. If it is on, leave it on. If you interact with the computer in any way you may alter its content and corrupt evidence.
Make a note of all potential witnesses at the scene and, if applicable, record details such as location, time of entry and relation to potential suspects.
Gather any information that will be helpful to an investigator such as e-mail, network and security passwords, user names and internet service providers. Also make note of any additional company property that might be with a suspect off-site, such as laptop computers, PDAs and mobile phones.
The next step is to call in a professional computer forensic investigation team - whether in-house or external professionals - who will identify and secure the potential sources of evidence.
Almost certainly, within the corporate environment the best source of evidence will be the computer that the suspect used personally day in and day out. If you have access to the suspect's and victim's computers then both of these need to be secured. If it is not possible to gain access to these, then thought will need to be given to back-up tapes and the servers through which the data would have passed and could potentially be present on.
The exact details of the computer should be recorded - make, model and serial number. If the computer is on, record what is on the screen, by photography or by description. If the computer is off, record the fact. If there are any drives present, make a note of this, including details of any media present in them.
If the computer is on, an investigator will need to pull the plug out of the wall, but remembering that there are certain operating systems this cannot be done to, such as Linux, Unix, Free-BSD, MS Windows NT/2000 Server. Once power has been removed it is preferable that the computer be sealed in a container and taken to a secure area for investigation.
Once the sources of evidence have been identified, secured and the continuity trail of each source of evidence has been started, the next stage is to begin the imaging process to make an exact copy of the evidence.
This acquisition should be performed without regard to the type or amount of data that resides on the computer's hard disc. Every last piece of information, regardless of whether it is live, deleted or historical data, should be copied.
It is good practice to take two copies, one of which can be sealed and stored to act as a back-up and may be used to verify the veracity of your imaging process and subsequent findings. This is the master copy; the other, which all subsequent work will be carried out on, is the working copy.
There are principles worth following to ensure the highest standards are met:
- Do not use your everyday computer for forensic investigations
- Where possible, use new media for imaging
- If this is not possible, then ensure a rigorous formatting process is utilised prior to reuse
- Do not use general disc or network tools as an imager
- Ensure the imaging software is forensically sound, ie it will not write to or alter the original data during the imaging process
- Ensure all investigation material is backed up.
It is always advisable to undergo training in the particular tool or tools that you have chosen, in order to not only be able to use the tool but also to obtain some form of qualification and be considered competent in its use. The original supplier usually provides this product-specific training.
In addition it is advisable to seek supplementary training in the Data Protection Act and European Convention on Human Rights, computer forensic investigation techniques and methodology, and basic law.
There are numerous consultancies and training organisations that provide this type of training. But before choosing a particular training course, ask for reference sites and find out as much information as possible about the trainers and the organisation they represent. How long have they been training in this area? Have they performed investigations themselves? If so, how many? What kind?
Drawing a conclusion
After examining all the available evidence, the final stage of the investigation is to draw a conclusion. The conclusion must be objective, unbiased and based on indisputable fact. Can you clearly connect the suspect to the computer beyond reasonable doubt? At this stage, for anything more serious than an internal caution, you should take professional legal advice on how best to proceed
Simon Janes will be among the experts attending the E-Crime Congress 2006 on 30-31 March at the Victoria Plaza Hotel, London. Sessions include selling security to the board, new threats and identity theft.
Curriculum vitae: Simon Janes
As a former Scotland Yard detective, Simon Janes headed up operations for the Computer Crime Unit. He has worked on some of the UK's most high-profile computer crime cases, including tracking virus writer "The Black Baron" and uncovering those responsible for hacking into the US Air Force Rome Labs.
Janes co-wrote the Association of Chief Police Officers' Guide to Computer Based Evidence, which has been adopted by law enforcement agencies worldwide and is considered to be the minimum standard by which investigations need to be conducted.
He was also the lead expert called by MPs for the review of the Computer Misuse Act in 2004. The All Parliamentary Internet Group put forward a private members bill to the government which was based on many recommendations from Janes.
Janes is currently international operations manager for global computer forensics and data recovery company Ibas.
This was first published in March 2006