Computer Forensics
How do you get evidence off a computer in a form that will withstand a defense lawyer's scrutiny? You might just unplug the machine and put it in storage to await a detective's arrival, but is that what you should do? What if the evidence is on a production server that can't simply be unplugged and put into storage? What if that evidence is slowly being overwritten as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace, but if you do, Computer Forensics will be an asset to your part of the investigation.
Who is this book for?
Computer crime isn't simple. It ranges from damage done by script kiddies to corporate espionage by disgruntled employees and sophisticated, multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover a lot of these areas. The book includes a chapter on laptop hardware, chapters on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may interest the Slashdot crowd, Computer Forensics focuses more on the broad topics a computer detective needs when getting up to speed quickly on computer crime and evidence gathering.

Several chapters are downright boring for anyone with a modicum of computer experience. Finding out where e-mail is stored on Windows and Linux machines, or learning what a rootkit is and what it does, will be pedestrian for many readers. Nestled between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to use): the archive is streamed straight over the network, so nothing is written to the suspect machine's own disk, and tar carries the original timestamps along with the files. Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free software, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent set of tools from this book.
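The netcat-and-tar trick the review mentions, as an added example of my own rather than code from the book. The functions archive a directory with tar so modification times survive the copy, hash the archive stream so both ends can prove the copy is byte-identical, and extract it on the receiving side. A local pipe through tee stands in for the netcat connection; the hostnames, port and paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not the book's: stream a directory tree as a tar archive so the
# files' modification times survive the copy, and hash the archive stream so the
# receiving side can confirm the copy is byte-identical.
#
# Real use (hostnames, port and paths are placeholders):
#   on the compromised host, writing nothing to its own disk:
#     pack_tree /var/www | nc evidence-host 9999
#   on the evidence host:
#     nc -l -p 9999 | tee evidence.tar | sha256sum
# Below, a local pipe through tee stands in for the netcat connection.

# hash_stream: sha256 of stdin, hex digest only (shasum fallback without coreutils)
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# pack_tree DIR: tar DIR to stdout; tar records permissions and mtimes itself
pack_tree() {
    tar -cf - -C "$1" .
}

# unpack_tree DIR: extract a tar stream from stdin into DIR, restoring mtimes
unpack_tree() {
    mkdir -p "$1" && tar -xpf - -C "$1"
}

# copy_tree SRC DST: copy SRC into DST through a pipe and print the sha256 of
# the archive stream, which is the value to record in the evidence log.
copy_tree() {
    spool=$(mktemp) || return 1
    pack_tree "$1" | tee "$spool" | unpack_tree "$2"
    hash_stream < "$spool"
    rm -f "$spool"
}

# same_mtime A B: succeeds when A and B carry the same modification time
same_mtime() {
    [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]
}
```

The hash printed by copy_tree is of the tar stream, not of any file on disk, so it can be computed on both ends of the netcat pipe and compared before the suspect machine is touched again; write that value and the time into the investigation log.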
Making it all work
Putting together a good forensic kit is all fine and good, but making sure your evidence holds up to the scrutiny of some high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system. The authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar loss guidelines, and testifying as an expert witness, among other legal topics. The appendices of the book have checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the system administrator of any public machine who needs to deal with law enforcement.
Conclusion
Thinking about courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality every administrator needs to be aware of. Computer Forensics will at least make administrators more aware of their legal options, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction should you ever have to investigate one. You can purchase Computer Forensics from bn.com.
The security focus mailing list dedicated to forensics is also good lurking, for those interested...
http://archives.neohapsis.com/archives/sf/forensics/
Video Phone Blogs send video messages straight to the web.
We use Dynacomm i:scan in our enterprise and it basically does all the forensic work for us. Kinda spooky the things it can report and notify on.
In other countries, this book is titled, How to Avoid a Forensic Data Trail on Computers You Compromise.
taken! (by Davidleeroth) Thanks Bingo Foo!
OS level Forensics are much easier if all your computers are set to the same time.
There is no (good) excuse for not at least NTP'ing all your servers.
...yup...
might have to buy that... who knows someone could crack into my network... oh wait, i dont have a network....damn
when a crime has been committed on a computer?
Must be old mainframes then.
CC.
TaijiQuan (Huang, 5 loosenings)
...any advice on how to make a computer resistant to computer forensics? I.e. how to be sure that any sensitive data will remain unrecoverable without a password etc. in the case of my PC being stolen?
Many financial firms including the one where I work, have instituted internal forensic security policies to help limit corporate liability. In our case, we have caught and successfully prosecuted employees for pornography on corporate assets (including child pornography in one case.)
There are designated employees on the forensic team in each department who are responsible for witnessing the process and documenting the chain of custody for data and items.
We've invested in specific equipment, including network sniffers (other then those used by the network group), hard drive replicators, log books, and materials for collection and storage of evidence.
Everything has a chain of custody and is then turned over to the proper authorities.
As far as the law is concerned, since the employee does not have a right or expectation of privacy when working on a corporate asset, everything we take is completely legal. As long as we maintain an effective chain of custody it will likely hold up in court.
Just my two cents. Your mileage may vary.
What if the evidence is on a production server that can't be simply unplugged and put into storage?
In my company, once a machine is compromised, it's taken offline and a ghost image taken, no questions asked, even if it's a live ecommerce site. You would rather put up an "Unscheduled Outage" notice than inflict more damage on the server/data.
It's like a 777 pilot asking if he should make an emergency landing due to a fire alarm, because there are 350 passengers onboard and we don't want to spoil their holiday.
Actually I think pilots do that, that's why we get to read blackbox transcript like
GPWS: "Whoop, whoop. Pull up. Whoop whoop. Pull up."
CA: "Don't worry we can make it."
GPWS: "Whoop, whoop. Pull -."
Rock that crushes, Paper & Scissors that don't matter.
Recently, I was contacted by the local PD in regards to a huge number of stolen CCs being used from our IP-range (Internet Café).
After getting a list of specific timestamps (along with IP-addresses), I was able to figure out who the culprit was.
That said, the man-hours I put into the whole thing seem to have been for nothing.
The PD won't do jack shit - too little resources, they say - which is why I find it funny that they can't even send a unit to pick up the fraudsters when they're actually on-site (yet they can be seen parading the streets, looking for minors consuming alcohol).
Just because law enforcement want your help doesn't mean they'll do anything - even if you virtually hand them the crooks on a silver platter.
Then again, things might be different elsewhere.
The publication date on the book linked is 2001. That makes this book three to four years old. While some of the information may be the same, there are quite a number of new tools and techniques out there. So some of this may be pretty outdated. I have yet to find a great book on system forensics. The best so far is the book "Know Your Enemy" by contributors to the Honeynet Project.
Step 1 - append record of a security breach to the last invoice from Microsoft. Send to MS happy CTO filed under - extra features we didn't even know we paid for...
I work at a large semiconductor company (not to name names, but a really big, US, SC-based one) that had a recently fired employee wreak havoc on one of the factories' databases as a result of his termination. Basically he used his not-yet-cancelled remote access, and deleted a critical DB. Now this isn't hacking in the sense of rooting a remote exploit, but it's malicious intent nonetheless on computer systems. It was obvious what happened (the factory stopped running), and very quickly we were able to track down the last few commands logged, where they came from, etc., etc. How it was handled was actually an FBI case. We turned it over to the security department at our company, and they worked with the FBI; we were asked questions by the men in black, and this person was eventually arrested and put away in a dark, dank hole.
Not sure if this is the norm, but I'd figure when corporations and expensive IP is involved, government-sanctioned agencies will be in the forefront of people investigating, IMHO.
The problem with computer crimes is that they are not easy to track. On a regular PC, a cracker could break in and remove any evidence (on that PC) that the computer was ever hacked. You might catch him if you happen to be looking while he is busy, but after he is finished, there is not much you can do.
There are, however, some hardware solutions, namely, to keep track of everything that happens (this is expensive!). Software could also do that, so long as it cannot be hacked. Overall, I think the best thing to do is to keep a backup inaccessible from the network, and hope no sensitive information gets stolen.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Whenever you do work like this on computers, it's important to know that the computer is ultimately the victim here. Don't be too rough with it in trying to get information. It's important to get information back, but it's also very important to maintain the computer's well-being. Always ask before taking a look at the computer's hard drives. If the computer refuses, back off and try again another day. After being so traumatized, many computers will not feel comfortable letting you in right away. In some cases, gender may be an issue, so always use female-to-female or male-to-male data cables when attempting to access the computer's internal ports, as recently attacked computers may have more hostility toward opposite-gender pairings in interrogations.
Please, always make the computer your first priority, and be mindful that you do not damage it further in your rush to make an arrest.
Step 1: Turn off the machine.
Step 2: Make a bit for bit copy of the drive (there are special devices that will ensure that NONE of the bits are changed).
Step 3: You can now run whatever forensics tools you want *on the copy*. The original has to be kept unchanged for it to be worth anything in court.
Make sure to never boot up the drive in question, a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.
Ain't privacy protection closely linked with forensics? I believe there's a very thin line separating the two. We all know hostile computer forensics does exist -- how to prevent that from happening should be an equally important issue...
Rsync will do this simply and efficiently, plus it can resume transfers and also tunnel through ssh.
Also you can pipe dd through gzip/bzip2 and netcat to give you a loopback mountable, unmodifiable image that you can look at in case you want to grab the whole drive before putting it in the evidence locker.
I am, and always will be, an idiot. Karma: Coma (mostly effected by
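The bit-for-bit copy procedure and the dd-through-gzip-and-netcat pipeline described in the posts above, as an added example that is not the posters' code. It images a block device with dd, verifies the image against the source by sha256, and compresses it the way it would go over the wire; the device, host and port are placeholders, and the functions are written so they can be exercised on a small file without root.

```shell
#!/bin/sh
# Added example, not from the posts above: take a bit-for-bit image of a block
# device with dd, record its sha256 against the source, and compress it as it
# would be sent over netcat. Device, host and port are placeholders.
#
# Over the network (compromised host -> evidence host), as the post describes:
#   dd if=/dev/sda ibs=512 obs=64k conv=noerror,sync | gzip -c | nc evidence-host 9999
#   nc -l -p 9999 | tee sda.img.gz | gunzip -c | sha256sum
# Examine the image without modifying it (Linux, needs root):
#   mount -o ro,loop,noexec,nodev,noatime sda.img /mnt/evidence

# hash_stream: sha256 of stdin, hex digest only (shasum fallback without coreutils)
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# image_device DEV OUT: raw copy of DEV to OUT; dd's record counts and any read
# errors are kept in OUT.log next to the image.
# conv=noerror,sync keeps going past unreadable sectors and pads them with zeros
# so later offsets in the image still line up with the device. The padding is to
# ibs, so ibs must be the sector size or the image grows past the device's end.
image_device() {
    dd if="$1" of="$2" ibs=512 obs=64k conv=noerror,sync 2>"$2.log"
}

# verify_image DEV IMG: print "ok <hash>" when DEV and IMG hash identically,
# "MISMATCH ..." otherwise; the hashes are what goes in the evidence log.
verify_image() {
    src_hash=$(hash_stream < "$1")
    img_hash=$(hash_stream < "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "ok $img_hash"
    else
        echo "MISMATCH source=$src_hash image=$img_hash"
        return 1
    fi
}

# compress_for_wire IMG OUT: gzip IMG into OUT, as dd | gzip | nc would, and print
# the sha256 of the *uncompressed* stream so the far end can match it against the
# device after gunzip.
compress_for_wire() {
    gzip -c < "$1" > "$2"
    gunzip -c < "$2" | hash_stream
}
```

Hash the device before imaging and the image afterwards, and keep both values with the dd log; a disk that is failing badly enough to produce read errors is a job for ddrescue rather than dd, and either way the original goes into the evidence locker once the hashes agree.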
and if you can find them. Call the A-team.
In the case of HL2 code theft, Valve got lucky; they just had to wait for the hacker's ego to blow out of proportion due to the massive coverage. He emailed them. Several times. He went to a meeting for an 'interview' for a 'job'. Thank god, most hackers(as in illicit network infiltration) / criminals eventually make mistakes. In this particular case, it was pure dumbness, however. Imagine the scene :
Heh.past
Eureka Science News - automatically updated
Wouldn't that depend on your role in the crime, and your lawyer's advice?
See what I've been reading.
I would do whatever the nice people with the guns told me to. Nothing more, and nothing less.
The guys with the guns are not my friends, but they're pretty nice to people who help them. The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.
Unless you're being paid to perform an investigation, getting good forensic data off that drive is not your responsibility. That's the responsibility of the friends of the guys with the guns. (Are you a friend? Easy to check! Is your paycheck signed by a big guy with a really big gun? If not, you are not one of their friends!)
Going further, getting data off the drive isn't your responsibility -- but not fucking up the chain of custody is your responsibility. If you fuck up the chain of custody, the guys with the guns will be very, very, very angry with you. (You do not want this to happen.)
So:
1) Do not make the people with guns angry.
2) Do not "help" the people with guns (even if you want to), because anything you do to "help" them runs the risk of making them angry.
3) STFD. STFU. DWYT.
Y'know how we geeks have hundreds of words to express the concept of "nontechnical person who is too clueless to be allowed anywhere near a computer"?
I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".
The Sleuth Kit.
Never ascribe to malice what can be adequately attributed to ignorance. -Napoleon
It's all here.
http://www.rawstory.com/images/pdfs/CC_Affidavit_120604.pdf
>>>> ... a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.
A good criminal will have the machine be sure to delete every trace of evidence if it reboots or power cycles.
Secure the machine to avoid further damage, but don't just yank the power cord out of the wall.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
It says my constant fingerpoking is unwelcome!
(If at first you don't succeed, do it different next time!)
why the review now?
netcat isn't the only networking tool capable of routing tars across the network.
There is also ucspi-tcp by Dan Bernstein
http://cr.yp.to/ucspi-tcp.html
and Netpipes, by me
http://web.purplefrog.com/~thoth/netpipes/
> All software is broken.
http://www.ncjrs.org/pdffiles1/nij/199408.pdf
Assuming there are drunk drivers on the road, that's a better use of their time than spending hours on your stolen CC. Odds are your CC was stolen overseas anyway.
But in the little Texas town where my Mom lives, and had her identity stolen, the local PD took her case seriously and tracked down the perp in another state, and issued warrants. Not too many drunks and speeders in that little town, and since they got audited by the Dept of Justice and can't spend their time pulling over black and hispanic drivers for no reason like they used to in the good old days, they've retrained (or just fired all the good ol boys) and I guess they have the resources to check our cybercrime.
If you have had a breach, and it's going to involve *anything* legal:
TALK TO YOUR ATTORNEY.. first.. not 2nd
.. not 3rd.. do it even before you call the cops....( well, after you plug the hole... )
---- Booth was a patriot ----
With all these tactics to make sure the compromised systems remain unchanged, don't you think criminals could use the same information? For example, a criminal steals a laptop with sensitive information on it. He doesn't start up the computer and uses a bit-by-bit copier to make an exact duplicate of the previous hard drive. Then the computer is returned, or found. When you investigate the computer, you won't be able to tell if the information was compromised, while the criminals have their own copy of the hard drive where they can throw anything at it to get information.
So why would a Fed performing a forensic analysis be packing? You seem to be glorifying the role a bit. It isn't sexy work, but rather slow, thorough, deliberate and methodical (read: tedious, dull, boring, lots of protocol busywork).
While I enjoy reading these books...I can't help but cringe at the thought of the people that read one of these books and think they're a forensics expert now. There's a hell of a lot that goes into being a security guru, let alone dealing with compromised systems in a way that doesn't taint the evidence.
:)
There's pretty much always a way to compromise a machine and likewise, a way to counter.
Obligatory: Microsoft just gives us more choices.
I found a US government web site on "How to Report Internet-Related Crime". Unfortunately, the site is not as informative as I had hoped. For the most part, you are advised to contact the FBI.
Also, Here is the US Department of Justice's web page on computer crime.
I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".
Yes.
But what's even worse is a civilian who has watched too many TV shows about forensic science.
I wish I still had mod points!
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
1. your whole philosophy of "just do what you are told" is the best philosophy for making sure the guys with the guns stay on top for as long as possible... in other words, your attitude is part of the problem: "i'm just a slave, i don't think"
2. for a treatise which draws a line between yourself and the guys with the guns, you come across as pretty passive aggressive
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
He might not be, but he has a lot of friends who are!
Before you start handing out information it is always best to wait for a subpoena. Make sure it's signed by a judge and not a clerk. There is a reason for due process and law enforcement understands this even though they don't always want to follow it!
No kidding, what if you accidentally wiped out some evidence while copying the drive (like the last command in the log file)? I'd just turn off the system, remove the HD and replace it with another (imaged with the latest backup). Seems like that would be a lot easier and safer than trying to copy the data off the original drive, and you wouldn't have to worry about getting rid of a root kit or whatever was used to compromise the system.
OK, I get:
WWYD - What Would You Do?
STFU - Shut the fuck up
DWYT - Do what you're told
But what is STFD?
www.eFax.com are spammers
I'm going to school for this and network security, so I'll be sure to read further into this book.
Dr. Peter Gutmann of the University of Auckland knows a thing or two about data recovery.
Way back in '96 he wrote a paper on recovering information from both disk and solid-state memory.
He did a followup paper in 2001.
L33t haxx0rs beware: If your victim has an ice chest and an FBI forensics team standing by, he just might be able to get at the RAM after pulling the plug.
Billy, all you need to do is clear the cache and history. Now your mom wont ever know what kinds of sick pr0n you read after school.
That's the wrong question. How would I cooperate isn't a concern because I wouldn't.
If your cooperation leads to evidence that you didn't do everything that you could have possibly done to prevent the security breach, that could expose you to financial liability. I'm not going to be the one to gathers the evidence to be used against me.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"intel"
the ex-employee is David Dugan.
the case you're talking about is this one:
http://www.theregister.co.uk/2004/11/11/intel_gun_man/
If it turns out you failed to cooperate when asked, it can lead to criminal liability, especially if people hijacked your computers to commit another crime, like trading bank account numbers or plotting political assassinations.
Hmm, Choice A:
High chance of civil suits and possible bankruptcy.
Choice B:
Slightly lower risk of civil suits and possible bankruptcy but a real risk of jail.
Tough choice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
the oldest I know involving a 9v battery and 5 minutes identifying the proper pins on the chip...
...
No soldering involved either
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
I'm sure theo de raadt would disagree with you.
Not that any sensible person thinks theo is correct...
(sorry for the language)
You'd be surprised - I attended (as a 3rd-party observer) a software presentation at an FBI data center once, and _all_ of the attendees were packing. (Made the presentation a little surreal.)
From the Windows encryption link, "encrypt data directly on volumes that use the NTFS file system so that the data cannot be used by any other user."
A couple of years ago, I tested this out and was able to circumvent it by resetting the admin password on the system (Google for a variety of tools to do this), logging in as admin and resetting the user's password with the encrypted information, then logging in as that user.
Voila! I had full access to all of the encrypted files. To truly protect your data, you need a better implementation of encryption than the default Windows encryption. I didn't test this but if you have PKI setup with windows and use your certificate to encrypt files or directories, I believe it is more difficult to circumvent.
If you are a novice sysadmin and you are getting started in data forensics (maybe just figuring out who pwn'd your phpBB install or something basic like that), I recommend learning the following habit ASAP:
DOCUMENT EVERYTHING YOU DO
From the moment you learn of the break-in to the moment you boot up the re-imaged machine, make a detailed log with dates and times, names, screen dumps, data, whatever. Even just a text file on your laptop.
Even if you fuck up the evidence (like, shutting the machine off before getting all the evidence in RAM), you at least have a *record* of exactly how you fucked up.
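One way to keep the kind of record that post calls for, with the chain-of-custody hashes the financial-firm post further up describes, as an added example rather than anything from either poster: an append-only log of timestamped notes, commands with their exit status and output, and evidence files with size and sha256, plus a check that re-hashes an item against what was recorded at collection. LOG and INVESTIGATOR are placeholder variables.

```shell
#!/bin/sh
# Added example, not from either post: an append-only investigation log.
# Every entry carries a UTC timestamp, the investigator, the host and what was
# done; evidence files are entered with size and sha256 so a later mismatch shows
# exactly when the item changed. LOG and INVESTIGATOR are placeholders.

LOG=${LOG:-/tmp/incident-log.txt}
INVESTIGATOR=${INVESTIGATOR:-$(id -un)}

# hash_file FILE: hex sha256 digest (shasum fallback without coreutils)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# log_note TEXT...: free-form entry (who you phoned, what you saw on screen)
log_note() {
    printf '%s\t%s@%s\tNOTE\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$INVESTIGATOR" "$(uname -n)" "$*" >> "$LOG"
}

# log_cmd CMD ARGS...: run a command, recording it, its output and its exit
# status, so what was on the screen is on the record. Returns the command's status.
log_cmd() {
    log_note "RUN: $*"
    "$@" >> "$LOG" 2>&1
    rc=$?
    log_note "EXIT $rc: $1"
    return "$rc"
}

# log_evidence FILE: record size and sha256 of FILE at the moment of collection
log_evidence() {
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s\t%s@%s\tEVIDENCE\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$INVESTIGATOR" "$(uname -n)" "$1" "$size" "$(hash_file "$1")" >> "$LOG"
}

# verify_evidence FILE: compare FILE's current hash with the hash recorded at
# collection; succeeds only if they match, and logs the check either way.
verify_evidence() {
    recorded=$(awk -F'\t' -v f="$1" '$3=="EVIDENCE" && $4==f {h=$6} END{print h}' "$LOG")
    now=$(hash_file "$1")
    if [ -n "$recorded" ] && [ "$recorded" = "$now" ]; then
        log_note "VERIFY ok: $1 $now"
    else
        log_note "VERIFY FAILED: $1 recorded=$recorded now=$now"
        return 1
    fi
}
```

Keep the log on your own laptop, never on the compromised machine, and hash the log file itself when you hand the case over; the point of logging the failures as well as the successes is exactly the one the post makes, that a record of what you did wrong is still worth more than no record.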
I really enjoyed the book myself when I read it this summer. As a compilation detailing computer law it was pretty good. Most of the tools I found to be aging or at a very low level. If you add in "Cybercrime" by Ralph D. Clifford, an excellent book on computer law, it opens a much broader picture. "Software Forensics" by Robert M. Slade is my current read and gets an interesting rating for now. "Computer Forensics" unfortunately is only part of the picture. With so much of the net existing in RAM and the traffic in between nodes, "Network Forensics" should be the next big topic. There has to be a way of taking dynamic bits and making static evidence. There are a few other things that are going to hold back the field of forensics. The fact that the commercial forensic tool vendors have been refusing to teach the defense attorneys or experts is very scary. This is a rapidly expanding field, very similar to how DNA evidence expanded in the 70's and 80's.
--- Location Unknown
In some environments, your attorney will say "unplug the sucker."
In others, he'll say "don't touch it."
In others, he'll say "log every bit that goes in and out of that unit 24x7 then unplug the unit if there's a breach. The log will hold up in court."
The last option doesn't come cheap.
After reading that, all i can hear in my head is: "HACK THE GIBSON" :P
Currently, Windows does not encrypt files shown to the Administrator. Don't know why, but it's a bad practice and you can pretty easily get Admin rights in Windows even if you don't have physical access.
Slashdot is proof that Sturgeon's Law applies to mankind.
This caused some problems recently when John Ashcroft made the keynote speech at a conference in D.C. They had to tell everyone to leave their guns elsewhere because Ashcroft's security people would not like people with guns in the same room.
These days if you have the entire drive encrypted, you can't just reset the password using Linux or whathaveyou. Look for the word "Caution"
There are ways around it, but it's non-trivial for Joe Random computer thief. So if I'm just worried about some personal data getting found while poking around on the hard drive, I'm good. The thief would have to get my personal password somehow (I use long, random passwords, so a dictionary attack would fail) and then use a specialized tool to read the drive. Very few thieves would go to that trouble unless they knew there was something _really_ worth looking for.
If I were hiding my Swiss Bank account with millions of dollars in it, I might consider using something stronger. But for most cases it's fine.
I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".
:)
Yea, it's called the Slashdot Community.
Throw in your typical IT staff and anyone who uses the word forensics to refer to actions such as unerasing your own files, running an IDS as part of your normal business practices or running GREP on a co-worker's computer.
The security focus mailing list dedicated to forensics is also good lurking
I am the moderator of the SecurityFocus.com forensics list, and agree that it is a great resource. (Al Huger is listed in the info page as the moderator; he is actually the list owner.) The list is dedicated to discussion of technical forensics topics.
The SF forensics list archives are here. A general listing of SF mailing list archives is here. Those interested in subscribing to the forensics list (or other lists @SecurityFocus) can do so from the archive page.
Cheers!
Scott C. Zimmerman, CISSP
I want to drag this out as long as possible. Bring me my protractor.
"Many Slashdot readers know how to secure a network, and many know how to determine if a security breach has taken place."
You're new here, huh? This student gossip board has more clueless wonders than any other I have come across. Even the Gentoo forums have more "genuine" geeks than these sorry fanboys.
C'mon, you can tell us... is there a word for 'em? :)
Sit The Fuck Down? Shut The Fucker Down (referring to the compromised machine)?
There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.
This is true, but not useful. It is the most helpful thing you can do for "these people", however, the most helpful thing you can do for yourself is to wait for the advice of your lawyer and do nothing and say nothing until then.
If they are asking you for help, then you are a sysadmin of some sort. As such (pay attention now) YOU ARE HIGH ON THE LIST OF POSSIBLE SUSPECTS. Don't make things worse for yourself by inadvertently saying or doing something to incriminate yourself.
It's simple: I demand prosecution for torture.
A recent research paper from University of Michigan, Backtracking Intrusions, presents a tool for identifying and visualizing the cause of suspicious behaviors (e.g., "where did the file /tmp/rootkit come from?"). A very nice paper and a significant contribution to intrusion forensics.
Actually, believe it or not, but that is indeed technically true in the United States that by viewing the illegal content, you are in turn committing a crime. Especially in a home or corporate setting. However, if you can prove that it was as a part of a regular investigation, it would not seem that you would be brought up on charges for it. I mean technically, opening a coke bottle without the supervision of a licensed engineer is illegal in the state of Oklahoma, but you won't find many people in jail for it.
Some of our cybercrime units were discussing that, under the current poorly-drafted laws, it is technically illegal for them to possess that content as a result of a forensics investigation. But then again, most reasonable courts wouldn't prosecute such a case. But I do remember this coming up in conversation with a cybercrime unit in the past, but this is second-hand information that has not been confirmed by evidence, so take it with a grain of salt.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Ideally, something like EnCase Enterprise would already be installed on the machine. The Enterprise edition of EnCase allows for network security analysis and creates a rather nice report and image of what is going on.
The problem with this (thus making it only ideal) is:
1) most corporations do not have programs like EnCase Enterprise installed prior to the attack
2) EnCase is prohibitively expensive.
You can make an image of the server in the case that it is warranted, but that requires you to have an equal or larger storage medium to which to make the image.
In the case of a police matter where a crime has been committed and your system is being investigated, however, it is basically: Tough.
They generally avoid unplugging and bagging and tagging when they can, but if you are being investigated and they have the proper paperwork, they can seize the server.
When corporations merge with government, that is called fascism. Given that George Bush put corporate executives in all the major posts of his government (EPA, FDA, Treasury, etc) it follows that logically, the USA is now a fascist government with only democratic window dressing. Indeed, it is only window dressing since there have been 57000 formal complaints to the House Judiciary Committee of voting irregularities since Nov 2nd (see votersunite.org for about 400 o f them), probably more than you saw in the Ukraine.
Given this, it is worth asking why on earth any ethically-minded person would want to protect corporate assets, unless he were a fascist.
Sadly, not every police department has a cybercrime unit and thus they do not actually have the resources or expertise to pursue the matter. Unfortunately, although you might have tracked the information down, it may not be prosecutable because of the manner by which you discovered it. While I am sure you did a fine job, the problem is that for things to be admissible in court, there are certain procedures that must first be followed to ensure forensic integrity. That is there to protect the accused from tampering. That might not even be an issue here, but it's something to consider.
In the case of our local cybercrime unit, they indeed had the resources and expertise to track down the culprit in one cyberstalking case and did so in a sound manner, but one of the district bigwigs decided to drop the case (after months of hard work) because it was "too technical" and that "an average jury wouldn't be able to understand the case." So, it might not be your PD as much as the other district entities over them.
However, everyone has a right to their day in court and if the individuals affected wanted to pursue the matter themselves in court, they would be within their rights to.
> As a rule, forensic investigators try to do a cold boot (including yanking the cord or just turning off the machine)
Actually, a good forensics examiner would not "just turn off the machine." You are correct about yanking the cord. The cord, however, must be pulled from the back of the machine, not the wall.
Never go through the regular shut down process and do not pull the cord from the wall. The industry standard (and best practice) is to pull the cord from the back of the machine.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
> many know how to determine if a security breach has taken place.
The way I find out is by reading about it on slashdot.
Old people fall. Young people spring. Rich people summer and winter.
Well, the benefit is that people become more aware of what is possible, what they can do to stop it, and what needs to be maintained/protected for a proper investigation. But yes, it is true that some people fancy themselves experts after reading a single book. Hopefully, though, their lack of credentials will hinder them from being hired or placed into a true forensics position, and will only serve to help them track down the culprit on their server in the case that they do not wish to prosecute the case but wish to track down the source of the intrusion for future monitoring reasons.
If nothing else, it will hopefully make system admins in a corporate setting realise that if they wish to pursue the case in a court, they can't go stomping through the system like a bull in a china shop. Perhaps it will afford them an option to minimize the impact and liability caused by a system compromise, while preserving the system in a way that the real forensic experts can examine the system.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Unless their mom is a savvy forensics analyst and happens to have FTK laying around and recovers those deleted files. FTK does a nice job of recovering deleted files.
Poor Billy.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I was aghast, needless to say.
$0.02,
ptd
I'm an animal lover -- they're delicious!
> Given this, it is worth asking why on earth any ethically-minded person would want to protect corporate assets, unless he were a fascist.
I know this is a troll, but I will bite.
You do realize that many corporations list their database that contains customer names, addresses, credit card numbers, etc. as an asset, right?
So, in the case of Information Security, when you are helping corporations protect their "assets," many times you are helping protect consumer privacy.
When this information is compromised, it is extremely important to be able to investigate that breach in a forensically-sound manner in the case that prosecution becomes necessary, and also to limit the further exposure of this "private" information.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Make sure that you have appropriate equipment on-hand so that you can -document- that you have taken appropriate steps. Make sure that you have appropriate gear to record and playback every operation that you take, and the system's responses. Test it out. Do scan-lines destroy your video image?
Yes - an adversary can challenge everything you do in court - but, this is the only effective way to assert that you have not damaged or tainted the evidence. You can prove that you've maintained the chain-of-custody.
http://www.iamsam.com
/Simpsons quote
I know that this is not an authoritative source, and I would prefer to find a copy of the actual law for you, but until I do, here is a link:
http://www.ahajokes.com/laws036.html
If you check out most of the "Stupid Law" collections online, under Tulsa, Oklahoma, you will find this oddity.
The Google search can be found here.
I will see if I can track down a copy of the actual law, though.
Oklahoma has many of these laws and does not prosecute. I don't know why they would prosecute a cybercrime division for confiscating child porn as long as it is done as a matter of law enforcement. However, a corporate entity might have more to worry about, although unlikely.
Of course, they have prosecuted people in the past for having a few child pornography images in a cache that were planted there unknowingly because of their visiting a joke site or something that uses those pay-per-popup advertising schemes. Generally these people are let off the hook because the evidence does not show intent, but it is technically still illegal to possess those images.
I think that these ineffective laws make a mockery of important laws and should be revised or removed from the books. (Revised referring to the child porn law, to allow law enforcement and forensic/corporate investigation, and removed referring to our funny yet ridiculous soda bottle law.)
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
and if you can find them, maybe you can hire - the freakbots!
this week's episode: Wheels of Thunderdoom.
next week's episode: Search for jumper cables.
My impression from the replies is that what you should do depends on the situation.
Against a theoretical very sophisticated non-bot attacker you'd just do nothing with the machine and instead watch the network traffic for clues.
So think first about ways to stealthily collect more information, then follow the parent's advice to make a bit-by-bit copy of the hard drive after turning off the machine.
I'm still trying to figure out what people mean by 'social skills' here.
And following on from your sig, I like feminists. I think they're cute.
He actually referred to people like "systems administrators", "security analysts", and various other IT positions as if they were little creatures that you might find out in the wild. He basically said that these people are tools for the police to help find the evidence they need and not to let them tamper with the evidence and try to do the investigation themselves.
When it comes down to it, many companies avoid contacting police instead preferring to handle the investigation internally. You open up your corporate secrets and data to the public basically and police aren't exactly known for their discretion. Moreover, depending on how overzealous they are, they could get a warrant to search your premises and confiscate computers with sensitive customer and internal emails and things like that. Technically they aren't supposed to look at anything that isn't relevant to the case, but I'm sure it happens all the time.
Digital Forensics and the Art of Anti-forensics
The Grugq
The rise in prominence of incident response and digital forensic analysis has prompted a reaction from the underground community. Increasingly, attacks against forensic tools and methodologies are being used in the wild to hamper investigations.
This talk will: familiarize the audience with Unix file system structures; examine the forensic tools commonly used, and explore the theories behind file system anti-forensic attacks. In addition, several implementations of new anti-forensic techniques will be released during the talk.
www.buresund.se
In my opinion, there exist other (better) books.
Regards
Roland Buresund
-- Roland Buresund MBA, MCMI, CISSP
Are you a relative of Phil Zimmermann the creator of PGP???
"Evil thrives when good men do nothing"
In Korea, only old people hack web server.
Logicube Forensics' products do the trick for getting a copy of the drive. We use a Forensic MD5 to copy the source without changing it, and then an OmniClone to dupe the destination drive to send out to be analyzed by experts who hold up in court. Most of the experts use one of their own software packages. Commercially: Encase, FTK and ILook are all pretty good.
Marketing mumbo-jumbo from their site: "Logicube is the world leader in hard drive duplication, back up and computer forensics systems. Our hard drive duplicators offer hardware solutions for copying hard drives, data recovery, and disaster recovery."
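The two practices these comments keep returning to, a bit-for-bit copy made only after the machine is powered down and a hashed copy that can be shown in court not to have changed (the "Forensic MD5" comment above, and the earlier comment on documenting every step for chain of custody), can be demonstrated with nothing more than dd and sha256sum. The script below is an added example, not code from this thread, from the book, or from Logicube. It images a constructed regular file standing in for a drive, hashes the source before and after acquisition and the image once written, records one chain-of-custody line per acquisition, and lets a later examiner re-verify the image against that record. The operator name is a placeholder, and a real acquisition would read a block device behind a hardware write blocker rather than a file.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor named in it.
# Bit-for-bit imaging with dd, hash verification of source and image, and a
# chain-of-custody log entry. The source here is a constructed regular file;
# on a real case it would be a block device opened read-only, ideally behind
# a hardware write blocker, and the operator name is a placeholder.
set -eu

sha256_of() {
    # print only the hex digest of a file
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC IMG LOG OPERATOR
# Copies SRC sector by sector into IMG (512-byte blocks, unreadable blocks
# replaced with zeros so offsets stay aligned), hashes SRC before and after
# the copy and IMG once written, appends one log line and prints VERIFIED or
# MISMATCH. Returns 1 on MISMATCH.
acquire_image() {
    src=$1; img=$2; log=$3; operator=$4
    pre=$(sha256_of "$src")
    # conv=noerror,sync pads the last partial block to 512 bytes; that is
    # harmless for a block device (always a whole number of sectors) but
    # would change the hash of an oddly sized regular file, so the sample
    # data below is a multiple of 512 bytes.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    post=$(sha256_of "$src")
    imghash=$(sha256_of "$img")
    if [ "$pre" = "$post" ] && [ "$pre" = "$imghash" ]; then
        verdict=VERIFIED
    else
        verdict=MISMATCH
    fi
    # one tab-separated custody record per acquisition: when, who, what, hashes
    printf '%s\t%s\t%s\t%s\tsrc_before=%s\tsrc_after=%s\timage=%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$src" "$img" \
        "$pre" "$post" "$imghash" "$verdict" >> "$log"
    echo "$verdict"
    [ "$verdict" = VERIFIED ]
}

# verify_image IMG LOG
# Re-hashes IMG and checks it against the image hash recorded in LOG's last
# line, which is what a later examiner does before working on a copy.
verify_image() {
    img=$1; log=$2
    recorded=$(tail -n 1 "$log" | tr '\t' '\n' | sed -n 's/^image=//p')
    if [ "$(sha256_of "$img")" = "$recorded" ]; then
        echo VERIFIED
    else
        echo MISMATCH
        return 1
    fi
}

# Constructed sample "drive": 128 sectors of repeating text (65536 bytes).
make_sample_drive() {
    yes 'constructed sample sector data' | head -c 65536 > "$1"
}

# Stand-alone run: sh image.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_drive "$work/source.img"
    acquire_image "$work/source.img" "$work/evidence.dd" "$work/custody.log" "examiner-placeholder"
    verify_image "$work/evidence.dd" "$work/custody.log"
    cat "$work/custody.log"
fi
```

Hashing the source a second time after the copy is what catches the situation the thread worries about, a live system still writing to its disk while it is being imaged; if the before and after digests differ, the acquisition is not reproducible and the log says so. Any later change to the image, even a single byte, makes verify_image report MISMATCH against the recorded digest.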