Your company has been on the receiving end of a nasty cybercrime attack - perhaps a member of your staff has used your computers to facilitate a fraud or to defame a competitor and the company is facing legal action. Can you prove who the miscreant is? Do you know where the company's liabilities begin and end? Your e-mail has been breached and used to launch denial of service attacks or your Web site has been hijacked and replaced with some particularly offensive images. Would you know what to do?
Computer crime investigators Ed Wilding and Julian Parker, directors of Data Genetics International, are all too often greeted by ill-prepared companies with inexperienced staff and poor contingency plans when they are called in to help. When things go wrong no one can take control if no one knows who has control to start with: mistakes are made and Parker and Wilding are called in to pick up the pieces.
"People's contingency plans are usually not prepared for unexpected acts of intentional malice - whether external or internal - or for acts of stupidity," says Wilding.
Difficulties occur when untrained people get to the scene first: most IT staff do not understand computer evidence - a problem that is compounded by poor communication and co-operation between IT departments and other functions, such as the HR or legal teams.
Often employees will power up Windows-based machines immediately, changing the internals of the system. This is a particular problem when it involves impounded PCs. "It can cause huge problems in terms of admissibility [of evidence]," says Wilding. This is also true among police forces, he says. Many police officers have no real conception of how to handle computer evidence and few lawyers or police have experience of mounting prosecutions under the Computer Misuse Act, Wilding asserts.
The early stages of an investigation are crucial. "If the approach is bungled at that stage your house is built on sand," although it is still possible to work on the principle of best evidence, he says. This is where, backed by the investigators' reputation and experience, a judge may agree to treat evidence as admissible that would otherwise not be so, depending on "how hard the other side complains" and whether it is willing to "play ball". The bottom line, however, is that forensic experts would rather that computers were switched off and not interfered with until they have checked their status as evidence. Ideally they would like to have event logs covering up to eight weeks before the event being investigated - including audit trails. "Audit trails and logs are very important," Wilding says, advising companies to "assess and reassess".
Some large corporates do have response teams but they are expensive, it is difficult to make them economically viable and if something does happen those staff could be tied up for a considerable time, not to mention the cost and problem of keeping their skills up to date.
That is where using a third party to outsource your computer crime response can be useful, says Wilding. In court a third party is perceived as being more objective, he says. "If we provide the evidence it looks better. We have a good track record and that makes for a good expert witness."
An experienced, specialist third party is also less likely to make mistakes, says Wilding, who asserts, quite reasonably, "You don't want people learning on your case." He cites one recent example where the lawyers acting for the damaged party knew nothing about forensic imaging technology - the method of copying the entire contents of a computer drive to preserve a "snapshot" of its use. Without it you cannot process computer evidence. Instead of copying data and gathering evidence they took the company's computers away, effectively taking the business offline. In contrast, Wilding says, "You need to get in, get the stuff copied and get out as soon as possible."
Computer-based evidence is undervalued. "It's a hugely valuable source of evidence but, unfortunately, every day, the police and a lot of other organisations are overlooking computers as a source of evidence," says Wilding.
Parker adds that fraudsters and hackers leave big trails which experts can follow. Although e-mails, for example, can be deleted they will still be on file servers, e-mail servers and message queues as well as on other people's systems. "We've not yet found anyone who has managed to get rid of all this information," says Wilding. Another area that is a rich hunting ground for the computer crime investigator is the "slack space" on computer hard drives. Here Wilding says you can find plain text, such as letters and documents, and even password details. "Getting rid of this information is very hard," he says.
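The "slack space" point above, as an added Python example that is not from the article or from Data Genetics: it builds a constructed toy disk image with 512-byte clusters, writes a longer document, "deletes" it and reuses the cluster for a shorter file, then shows that the bytes between the new file's logical end and the end of its last cluster still carry plain text from the old document. The cluster size, file contents and string-carving threshold are assumptions chosen for the demonstration; real file systems differ in detail but leave the same kind of remnant.

```python
import re

CLUSTER_SIZE = 512  # bytes per allocation unit (assumed toy layout)


def write_file(image: bytearray, cluster_index: int, data: bytes) -> tuple[int, int]:
    """Write `data` at the start of a cluster and return (offset, length).
    As on a real file system, only len(data) bytes are written; whatever was
    previously stored in the rest of the final cluster is left untouched."""
    offset = cluster_index * CLUSTER_SIZE
    image[offset:offset + len(data)] = data
    return offset, len(data)


def file_slack(image: bytes, offset: int, length: int) -> bytes:
    """Bytes between a file's logical end and the end of its final cluster:
    the slack space an investigator examines."""
    end = offset + length
    cluster_end = -(-end // CLUSTER_SIZE) * CLUSTER_SIZE  # round up to cluster boundary
    return bytes(image[end:cluster_end])


def carve_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Pull out runs of printable ASCII, the way a strings(1)-style carver does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def demo() -> dict:
    """Constructed scenario: a letter is written, deleted, and its cluster reused."""
    image = bytearray(4 * CLUSTER_SIZE)  # 2 KiB image, initially all zeros

    # 1. A longer document (constructed content) lands in cluster 1.
    old_letter = (b"Dear Mr Smith, the purchasing account password is example-secret "
                  b"and the invoice run is approved for Friday. Regards, J.")
    write_file(image, 1, old_letter)

    # 2. The document is 'deleted' (only the directory entry goes away; the data
    #    stays) and the cluster is reused for a short new file.
    new_note = b"Meeting moved to 3pm."
    off, ln = write_file(image, 1, new_note)

    # 3. The new file's own contents reveal nothing, but its slack still does.
    visible = bytes(image[off:off + ln])
    return {"visible": visible, "carved": carve_strings(file_slack(image, off, ln))}


if __name__ == "__main__":
    result = demo()
    print("logical file contents:", result["visible"])
    print("recovered from slack: ", result["carved"])
```

Overwriting the file with a wiping tool changes nothing about copies of the same letter held in mail spools, on the recipient's machine or at the ISP, which is why the investigators say complete removal is so hard.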
Products such as Evidence Eliminator or Windows Cleaner will aid this process but they cannot do it all, says Wilding. You would have to get everyone you have communicated with to use it as well and even then it cannot kill evidence at the ISP level, not to mention the fact that the use of such products alerts the computer crime investigator to the possibility that someone has something to hide.
Both Wilding and Parker feel that companies that are ill-prepared to tackle computer-based crime have often misdirected their resources. The ratio of resources allocated to combating the external threat is "totally out of kilter", says Wilding; 95% of Data Genetics' work involves insiders. The company deals with hacking only very occasionally - most of its work involves misdemeanours such as purchasing fraud, malicious e-mails or theft of intellectual property. Parker says that such theft is a major area of activity these days, with technical people taking property from projects they have been working on and even poaching other staff.
When it comes to investigating suspected computer crimes there is a lot of uncertainty about what you can and cannot do - largely as a result of the confusion surrounding legislation like the Human Rights, Data Protection and Regulation of Investigatory Powers Acts. For example, many companies are unsure about the legal implications of covertly monitoring staff e-mails. Parker says it is permitted to monitor staff e-mail provided you have a premise. "You can't just go fishing," he warns. The key word is "proportionate", he says, advising companies to ask themselves, "Is this response proportionate to the business problem you are trying to solve?" Parker also says that companies should warn employees beforehand that they may be monitored, otherwise you can get yourself in an awful mess.
The increasing popularity of homeworking and employees using mobile devices like personal digital assistants has introduced "all sorts of potential problems with regards to security and investigation", says Wilding.
When you suspect foul play and wish to gather evidence externally, first try to get as much evidence as you can internally, Wilding says. When this avenue dries up you should see if you have a right of audit for home PCs, and apply for a search order from the courts. It is important to be thorough in order to build a prima facie case showing that criminal damage has been done. You will have to accept responsibility for damages so if you are wrong you might be liable for a potentially huge sum.
The alternative, of course, is to go to the police. Here, again, you will need sufficient evidence to prove that there is a strong criminal case. Wilding says the police will not take on a case unless they think they have a good chance of winning it. "The police won't usually come in unless there is severe criminality," he says.
Publicity is a key consideration for many companies that may want to keep trouble out of the press. Whereas the police will not be interested in shoring up the original problems after the investigation, a third party will be able to offer advice and consultation to prevent it happening again.
Most cases never make it to court so prosecutions are rare. Wilding and Parker say that only about 2% of the cases they have dealt with over the past 10 years have gone to criminal court, with about 20% going before the civil courts. Most are settled within the organisation, albeit using legal means. A case will usually only go to court if the defendant is stubborn, says Wilding, a trait that is more common in the hacker community, he points out.
While it is all well and good to say that prevention may well be the best medicine, the point is that you can implement BS7799 and still suffer the most severe business contingency problems, Wilding says.
Fraudsters tend to go for peripherals that people have forgotten about and may not have been audited, he says. Audits miss a lot of things and often it can be that forgotten telex machine or dusty old fax that has been manipulated, he says. "It is no good just looking at computer systems when looking at fraud," says Wilding. "All standby contingencies are very risky and a lot of the frauds we see are not sophisticated computer frauds but paper frauds." Forged signatures are still a real problem as it is very difficult to validate written signatures.
The biggest risk is when data is changed before it is sent, making the fraud difficult to detect. "Standing data is always a risk," says Wilding. "A clever fraudster will get in early before [data] goes through the system." When he and his team go on site, Wilding says, they are looking for end-to-end authentication but there are usually breaks somewhere along the line.
Impersonation is another big problem, says Wilding. Just because someone has logged into a system and sent an e-mail it does not mean that it was the person who uses or owns that terminal. They often find that cleaners or temps have been misusing systems and using the Internet or sending e-mails from other people's terminals. "Most of the computer frauds that we have dealt with over the years have been very simple," he says. However, the cost of fraud is probably measured in hundreds of millions of pounds - in one case alone that Wilding and Parker worked on the sum involved was £1bn.
As a matter of best practice Wilding and Parker advise that you always work on copy data, never on originals. Copy data onto a CD-ROM, for example, and then work on that. Courts like to be presented with data in its entirety, so it is no good trying to hold back parts of it, or presenting the court with, selected extracts.
Document your actions in exact detail as soon as possible, including times and dates, otherwise you could fall foul of what Parker calls "the policeman's notebook syndrome". Keeping diaries of incidents also helps to build up a profile of the hackers and fraudsters, allowing you to identify hotspots and weaknesses in your systems. You will need to account for the "custody" of the evidence to prove that it has not been altered since you took possession of it. And act discreetly: be careful not to alert suspects, only confronting them when you have sufficient information to make a case. Do not discuss the investigation via e-mail as it could be insecure.
The basic rules are stay vigilant, continually reassess security measures and be as prepared as possible for when the smelly stuff hits the fan. As Parker puts it, "People are more devious than computers and they will always find a way around security measures." Just make sure you are as prepared as possible when they do.
Body of evidence: acting upon a cyber attack
- Make sure your chain of command is clear
- Know which external bodies can help you
- Know the sources of evidence, the value of that evidence and how to protect it. The IT department, including IT directors and managers, needs a baseline knowledge of computer-based evidence and how not to screw up
- Know what you can and cannot do, especially when monitoring e-mails
- Involve all the relevant departments including IT, HR and group legal staff
- Test your defences
- Be clear about what you are trying to protect and prioritise, so that the most critical areas of the business are well protected. "Find out where your jugular veins are, where if you're cut you'll bleed to death," says Wilding
- Always work on copy data
- Document your actions in exact detail - you must account for the custody of the evidence to prove it has not been altered since you took possession of it
- Act discreetly and do not alert the suspect. Do not discuss the investigation via e-mail, which could be intercepted
- Only confront the suspect when you have sufficient information to make a case.
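The "always work on copy data" and "account for the custody of the evidence" advice, from both the body text and the checklist above, as an added Python example that is not from the article or from Data Genetics. It fingerprints the original with SHA-256 before taking a working copy, confirms the copy matches, and keeps a custody log in which every entry carries the hash of the previous one, so a retrospective edit to any entry is detectable when the log is verified. The "seized drive" contents, the investigator names and the timestamps are constructed placeholders; the hash-chained log is one design choice for making the notebook tamper-evident, not a description of any court's requirements.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes) -> tuple[bytes, str]:
    """Fingerprint the original first, then take the bit-for-bit working copy.
    All analysis happens on the copy; the original is only ever re-hashed."""
    fingerprint = sha256_hex(original)
    working_copy = bytes(original)  # what you would burn to CD-ROM and work from
    return working_copy, fingerprint


def still_intact(original: bytes, fingerprint: str) -> bool:
    """Re-hash the original to show it has not changed since acquisition."""
    return sha256_hex(original) == fingerprint


class CustodyLog:
    """Append-only record of who did what to which item and when. Each entry
    stores the SHA-256 of the previous entry, so editing or reordering any
    entry later breaks the chain."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, item: str, fingerprint: str, when: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "item": item,
            "fingerprint": fingerprint, "prev": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_investigation() -> dict:
    # Constructed stand-in for an imaged drive; in practice this is the whole device.
    seized_drive = b"...mail spool... From: temp@example.invalid Subject: invoice batch 42 ..."
    who = "Investigator A (placeholder)"
    item = "PC-07 hard drive (placeholder)"
    log = CustodyLog()

    copy, fp = acquire(seized_drive)
    log.record(who, "imaged original drive; SHA-256 recorded", item, fp, "2001-01-01T09:00:00+00:00")
    log.record(who, "verified working copy matches original", item, sha256_hex(copy), "2001-01-01T09:05:00+00:00")

    # Analysis is done on the copy only.
    keyword_found = b"invoice batch 42" in copy
    log.record(who, "keyword search run on working copy", item, sha256_hex(copy), "2001-01-01T10:30:00+00:00")

    return {
        "copy_matches": sha256_hex(copy) == fp,
        "original_intact": still_intact(seized_drive, fp),
        "log_valid": log.verify(),
        "keyword_found": keyword_found,
        "log": log,
    }


def tampering_is_detected() -> bool:
    """A later 'correction' to an earlier notebook entry must fail verification."""
    log = run_investigation()["log"]
    log.entries[1]["actor"] = "Someone else"
    return not log.verify()


if __name__ == "__main__":
    outcome = run_investigation()
    print({k: v for k, v in outcome.items() if k != "log"})
    print("tampered log detected:", tampering_is_detected())
```

The fingerprint is taken before anything else is done, so a later re-hash of the original can be compared against a value already written into the log; that is what lets you account for custody rather than merely assert it.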