Virtual evidence

The scene of a cybercrime needs to be secured just like the scene of any other crime. Karl Cushing finds out what you should and...

The scene of a cybercrime needs to be secured just like the scene of any other crime. Karl Cushing finds out what you should and should not do to protect vital evidence

Clifford May, computer forensic investigator at IT security specialist Integralis, says that prosecuting someone responsible for an IT security breach is difficult but not impossible. All too often, though, the reason for failing to secure a prosecution stems from inexperienced people getting to the scene of the crime first and inadvertently compromising evidence by not following correct procedures.

A common error is rebooting computers before an image file has been taken, which changes the dates recorded on the machine showing when systems or files were last accessed. "You want them to do absolutely nothing unless they're competent to do so," May says.

A fundamental problem is that most companies still do not have proper incident response teams and procedures, so when something goes wrong staff "run around like headless chickens", not knowing who to report incidents to or even what to report, he says.

Incident response

Every company should have an incident response team, preferably lead by an information security officer, with involvement from human resources and the staff of the legal department. In cases such as complex fraud more than one department - even more than one site - may be involved.

"The key thing is to have definite procedures, advertise those procedures to everyone and keep them under constant review," says May. He advises companies to set up a central incident response number.

  • The response team should be led by an information security officer or technical person, with input from the legal and HR departments
  • Allocate a central phone number and/or an e-mail address where people can report incidents or suspicions
  • Make sure that any calls to this number are logged, followed up and any patterns identified
  • Publicise this service on the staff intranet and make sure that it is highly visible
  • Arrange for a computer forensic investigation body, either external of internal, to be on standby in case an incident occurs
  • Include your incident response procedures in staff inductions and training for all employees, including all contractors and even the cleaners
  • Provide your staff with BS7799 user awareness training.

The reality is that most companies are still too myopic - content to be reactive instead of proactive. They wait for a problem to occur, stop it, and then rebuild the system. They fail to either eliminate the original flaw or identify why a breach occurred in order to prevent it happening again.

Responding to incidents is far from straightforward, however, even for the professionals. A key dilemma is whether or not to shut down systems when an attack occurs. If you do you could destroy valuable evidence relating to the processes running at the time. The cost of downtime will also be a major consideration and care has to be taken about exactly how you shut down systems and PCs.

Pulling the plug

One school of thought advocates simply pulling the plug. This will lead to any information that has not been backed up being lost, but if you turn off the PC properly you could trigger a trojan attack. May says the important thing, whatever you decide to do, is to take down as much information as possible in an event log.

Once you have shut down, the forensics team will take an "image" copy of the systems, on which they will work. Although May says you should never work on original data he acknowledges that sometimes it is unavoidable as it is not always possible to copy systems. It may depend, for example, on how much data you are dealing with.

Guidelines from the Association of Chief Police Officers advise that in cases where original data is used you make sure that people working on the evidence are experts and that they log everything they do.

"You have no way of knowing where this will go - you need to take it seriously right from the beginning," says May. He prefers to examine machines in their natural environments as this can yield valuable clues and can help to create a profile of the attacker.

"It all gives you valuable information," says May. "You cannot rule out any sources of information as long as they are legal."

Only after the image file is taken should the company start to rebuild its systems. Ideally, May says, the investigation should be completed before the systems are rebuilt to prevent any flaws being reinstated, although he concedes that in a world where downtime must be kept to a minimum, this is not always possible.

An unlikely helping hand for the computer forensic investigator comes from computing giant Microsoft. "The great thing about the Windows platforms is that many programs have a lot of metadata," says May. "All sorts of data gets strewn around and it is hard to keep track of it." This information can help investigators to find out if and when packages have been installed or uninstalled and documents printed.

Hidden information

Another good source of information is the "temp" files created every time you open a file in Microsoft Word. Although they seem to disappear when you close that document, records of these files remain in the free space of the computer.

Free space also holds history files from internet browsers, images, HTML, spreadsheets and copies of e-mails. "It is quite limitless really," says May. Wiping this data in the free space each time you use the PC is a possibility, but it takes time and people are generally too lazy, he says.

Another rich hunting ground for the forensic investigator is the so-called "slack space" not taken up on discs. Although people often try to cover their tracks by copying off information or deleting it using products such as Windows Cleaner they rarely succeed in destroying everything.

"All the products I have looked at in the past have been flawed and do not delete everything - they all have their quirks," says May. "The only safe way of getting rid of all this evidence is to smash up the hard disc."

May warns that the rise in remote access technology and increasingly faster ADSL connections have aided the criminal. They make it easier to perpetrate a crime and harder for the forensic team to investigate it. It is also an area often left out of security policies.

He talks of hackers breaking into users' home systems, connected to their offices, and entering the corporate systems that way. Then there is the increasing problem of intellectual property theft using mobile devices like personal digital assistants and laptops - even e-mail.

While May feels that computer forensic information has been undervalued in the past he believes the situation is changing. "People are becoming increasingly aware of the importance of computer-based forensic evidence," he explains.

In fact, people are thinking far more carefully about their security in its entirety and that can only be a good thing.

Clifford May is a BS7799-qualified lead auditor and manager of IT security firm Integralis' system security services team which has responsibility for security vulnerability testing, audits and systems hardening. Before joining the firm in 2001 he developed a new forensic investigation service for a UK company that specialised in computer forensics and data recovery.

For computer forensic services:

Information on BS7799

What to do after an incident

  • Secure machines so that no one can tamper with them
  • Leave PCs in position, especially if it is a covert operation
  • Gather and record as much evidence as you can, including security camera footage, historical incident reports, in event logs
  • Do not jump to conclusions and accuse staff 
  • Do not touch machines unless you have had forensic training.

Read more on IT legislation and regulation