Slashdot Mirror


Computer Forensics

Craig Maloney writes "Many Slashdot readers know how to secure a network, and many know how to determine if a security breach has taken place. Fewer readers, though, would know how to handle a security breach if corporate assets were involved. How would you cooperate with law enforcement when a crime has been committed on a computer?" For more questions, and the rest of Maloney's review of Warren G. Kruse II and Jay G. Heiser's Computer Forensics, read on below.

Computer Forensics
author: Warren G. Kruse II and Jay G. Heiser
pages: 392
publisher: Addison Wesley
rating: 8/10
reviewer: Craig Maloney
ISBN: 0201707195
summary: A good reference for what to do when computer crime happens

How do you get the evidence off a computer in a form that can withstand a defense lawyer's scrutiny? Maybe you would just unplug the machine and put it in storage awaiting a detective's arrival, but is that what we should do? What if the evidence is on a production server that can't simply be unplugged and put into storage? What if that evidence is slowly being erased as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace, but if you do, Computer Forensics will be an asset to your part of the investigation.

Who is this book for? Computer crime isn't simple -- it can range from damage done by simple script kiddies to corporate espionage by disgruntled employees, as well as sophisticated, multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover a lot of these areas. The book includes a chapter dealing with laptop hardware, as well as ones on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may be of interest to the Slashdot crowd, Computer Forensics focuses more on broad topics of interest to computer detectives faced with getting up to speed quickly with computer crimes and computer evidence gathering.

Several chapters are downright boring for anyone who has a modicum of computer experience. Finding out where e-mail is stored on Windows and Linux machines, or understanding what a root-kit is and what it does will be pedestrian for many readers. Nestled away between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to use). Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free tools, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent set of tools from this book.
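The tar-over-netcat trick the review mentions, shown here with Python's tarfile module streaming over a local TCP socket in place of nc. This is an added example, not code from the book or the review; the sample tree and its timestamps are constructed.

```python
"""Python stand-in for `tar cf - . | nc host port` on the source host and
`nc -l port | tar xpf -` on the collector: stream a tar archive over TCP and
extract it with the archived mtimes restored.  Constructed sample data."""
import os
import socket
import tarfile
import tempfile
import threading

SAMPLE = {"logs/auth.log": 1_000_000_000, "notes.txt": 1_100_000_000}  # path -> mtime

def make_sample_tree(root):
    """Constructed evidence tree with deliberately old modification times."""
    for rel, ts in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed content for " + rel + "\n")
        os.utime(path, (ts, ts))   # mtime is preserved by tar; reading still bumps atime

def send_tree(conn, src):
    """Source side: write a streaming tar of src into the connection."""
    with conn.makefile("wb") as fh, tarfile.open(fileobj=fh, mode="w|") as tar:
        tar.add(src, arcname=".")

def transfer_tree(src, dst):
    """Collector listens on an ephemeral port (the `nc -l` role), the sender
    streams the archive, the collector extracts into dst and returns
    {relative path: mtime} as observed in dst."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def sender():
        with socket.create_connection(("127.0.0.1", port)) as conn:
            send_tree(conn, src)

    worker = threading.Thread(target=sender)
    worker.start()
    conn, _ = listener.accept()
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with conn, conn.makefile("rb") as fh, tarfile.open(fileobj=fh, mode="r|") as tar:
        tar.extractall(dst, **kwargs)   # tar restores each entry's mtime from the archive
    worker.join()
    listener.close()
    return {rel: int(os.stat(os.path.join(dst, rel)).st_mtime) for rel in SAMPLE}

def demo():
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        make_sample_tree(src)
        return transfer_tree(src, dst)
```

The copy keeps the original mtimes, but reading the source still updates its access times unless the source filesystem is mounted read-only or noatime, which is why the book leans on a Linux boot environment for the collecting side.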

Making it all work

Putting together a good forensic kit is all well and good, but making sure your evidence holds up to the scrutiny of some high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system. The authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar loss guidelines, and testifying as an expert witness, among other legal topics. The appendices of the book have checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the system administrator of any public machine who needs to deal with law enforcement.

Conclusion

Thinking about dealing with courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality any administrator needs to think about and be aware of. Computer Forensics will at least make administrators more aware of what their legal options are, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction to help investigate it should it ever happen to you.

You can purchase Computer Forensics from bn.com.

18 of 244 comments

  1. Cutting Losses by fembots · · Score: 5, Insightful

    What if the evidence is on a production server that can't be simply unplugged and put into storage?

    In my company, once a machine is compromised, it's taken offline and a ghost image taken, no questions asked, even if it's a live ecommerce site. You would rather put up an "Unscheduled Outage" notice than inflict more damage on the server/data.

    It's like a 777 pilot asking if he should make an emergency landing due to a fire alarm, because there are 350 passengers onboard and we don't want to spoil their holiday.

    Actually I think pilots do that; that's why we get to read black box transcripts like

    GPWS: "Whoop, whoop. Pull up. Whoop whoop. Pull up."
    CA: "Don't worry we can make it."
    GPWS: "Whoop, whoop. Pull -."

    1. Re:Cutting Losses by GigsVT · · Score: 2, Insightful

      On the other hand, pulling it down immediately is bad forensic practice. You may very well be destroying evidence contained in RAM.

      Ideally you would take it off the network, but keep it running. Ideals rarely get practiced when it comes to security though.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  2. outdated? by Boolio · · Score: 5, Insightful

    The publication date on the book linked is 2001. That makes this book three to four years old. While some of the information may be the same, there are quite a number of new tools and techniques out there. So some of this may be pretty outdated. I have yet to find a great book on system forensics. The best so far is the book "Know Your Enemy" by contributors to the Honeynet Project.

  3. This is dangerous stuff to mess around with... by Pacifix · · Score: 5, Insightful

    ... like security, forensics is best left to those who really know what they're doing. The results of a forensics investigation can very often end up being part of a civil or criminal case, and amateur mistakes can get the case thrown out. Contaminating the data by not properly imaging it, not knowing where to find hidden data, or misinterpreting what is found are all very easy to do. Be very sure you have all your bases covered before selling yourself as a forensic investigator.

  4. Re:Sounds good by penguinoid · · Score: 2, Insightful

    You don't have a networked machine? Does that mean that you are posting to Slashdot from an internet cafe? Or are you posting from a spam server that you call "my computer"?

    Just because you won't lose your job if you get hacked doesn't mean you should ignore the possibility.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  5. Step 1 by Kallahar · · Score: 3, Insightful

    Step 1: Turn off the machine.
    Step 2: Make a bit-for-bit copy of the drive (there are special devices that will ensure that NONE of the bits are changed).
    Step 3: You can now run whatever forensics tools you want *on the copy*. The original has to be kept unchanged for it to be worth anything in court.

    Make sure never to boot up the drive in question; a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.

    1. Re:Step 1 by r2q2 · · Score: 2, Insightful

      According to other posts and common sense, because you are accessing the computer, the hard disk is being modified. Using dd and other tools on the running computer will possibly modify the drive and make your evidence invalid.

      --
      My UID is prime, is yours?
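The imaging steps in the comment above (hash, copy bit for bit, verify, keep the original untouched and work on the copy), as an added software-level example that is not from the book or the comments. The "device" is a constructed file standing in for a block device; the read-only chmod only guards against accidents by this script and is not a substitute for the hardware write blocker the comment refers to.

```python
"""Hash the source, copy it bit for bit, hash the copy, re-hash the source,
and log every step with a timestamp.  Constructed 'device' file; only a
hardware write blocker really guarantees the original stays unchanged."""
import hashlib
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-GB images

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def log_step(log_path, message):
    """Append one timestamped line: the written record of what was done and when."""
    with open(log_path, "a") as fh:
        fh.write(time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + " " + message + "\n")

def image_device(device, image, log_path):
    """Copy device to image and show the source was not altered in the
    process; the source is only ever opened for reading."""
    os.chmod(device, 0o400)                    # accident guard, not a write blocker
    log_step(log_path, "source marked read-only: " + device)
    before = sha256_of(device)
    log_step(log_path, "source sha256 before imaging " + before)
    with open(device, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image)
    log_step(log_path, "image sha256 " + image_hash)
    after = sha256_of(device)
    log_step(log_path, "source sha256 after imaging " + after)
    verified = before == after == image_hash
    log_step(log_path, "verification " + ("OK" if verified else "FAILED"))
    return {"before": before, "after": after, "image": image_hash, "verified": verified}

def demo():
    """Image a constructed 3 MiB 'drive'; analysis tools would then run on the image only."""
    with tempfile.TemporaryDirectory() as work:
        device, image, log = (os.path.join(work, n) for n in ("sdb", "sdb.img", "log.txt"))
        with open(device, "wb") as fh:
            fh.write(b"constructed sector data\n" * (3 * CHUNK // 24))
        result = image_device(device, image, log)
        with open(log) as fh:
            result["log_lines"] = len(fh.readlines())
        return result
```

A mismatch between the before and after digests means the source changed while it was being read, which is exactly what the reply above warns will happen when imaging a running system, and the timestamped log is the record of how and when that happened.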
  6. Re:Time sync all your computers by Nonesuch · · Score: 4, Insightful

    There is no (good) excuse for not at least NTP'ing all your servers.
    There used to be a good excuse -- recurring root holes in all common NTP implementations.

    With OpenNTPD, this is no longer a valid excuse.

  7. Re:Been there, done that. by wwest4 · · Score: 2, Insightful

    In that case, (honest question) wouldn't it make more sense to contact the fraud dept. of CC and let them take care of steps to prosecution? Or are they equally unresponsive?

  8. Re:Been there, done that. by HarveyBirdman · · Score: 3, Insightful

    Well, someone jacks my CC number, I'm on the hook for a max of $50.

    A drunken minor behind the wheel of mom's Ford Excursion costs me far, far more than that should I encounter the ill-bred little monster on the road.

    Hey, just presenting a contrarian view. Was it at least an interesting learning experience?

    --
    --- Ban humanity.
  9. WWYD? STFD, STFU, and DWYT. by Tackhead · · Score: 4, Insightful

    > How would you cooperate with law enforcement when a crime has been committed on a computer?

    I would do whatever the nice people with the guns told me to. Nothing more, and nothing less.

    The guys with the guns are not my friends, but they're pretty nice to people who help them. The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.

    Unless you're being paid to perform an investigation, getting good forensic data off that drive is not your responsibility. That's the responsibility of the friends of the guys with the guns. (Are you a friend? Easy to check! Is your paycheck signed by a big guy with a really big gun? If not, you are not one of their friends!)

    Going further, getting data off the drive isn't your responsibility -- but not fucking up the chain of custody is your responsibility. If you fuck up the chain of custody, the guys with the guns will be very, very, very angry with you. (You do not want this to happen.)

    So:
    1) Do not make the people with guns angry.
    2) Do not "help" the people with guns (even if you want to), because anything you do to "help" them runs the risk of making them angry.
    3) STFD. STFU. DWYT.

    Y'know how we geeks have hundreds of words to express the concept of "nontechnical person who is too clueless to be allowed anywhere near a computer"?

    I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".

  10. Step One: by nurb432 · · Score: 2, Insightful

    If you have had a breach, and it's going to involve *anything* legal:

    TALK TO YOUR ATTORNEY.. first.. not 2nd .. not 3rd.. do it even before you even call the cops....( well after you plug the hole... )

    --
    ---- Booth was a patriot ----
  11. Re:Forensic Security by GigsVT · · Score: 2, Insightful

    Sued by who?

    It'd be a hard case to prove it created a "hostile work environment" if no one knew you had porn until an admin found it.

    All this crap is just another case of moral busy-bodies hiding behind the guise of legal liability.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  12. 2 things by circletimessquare · · Score: 2, Insightful

    1. your whole philosophy of "just do what you are told" is the best philosophy for making sure the guys with the guns stay on top for as long as possible... in other words, your attitude is part of the problem: "i'm just a slave, i don't think"

    2. for a treatise which draws a line between yourself and the guys with the guns, you come across as pretty passive aggressive

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. Wait for a Subpoena by jchawk · · Score: 2, Insightful

    Before you start handing out information it is always best to wait for a subpoena. Make sure it's signed by a judge and not a clerk. There is a reason for due process and law enforcement understands this even though they don't always want to follow it!

  14. Best possible advice by Anonymous Coward · · Score: 1, Insightful

    If you are a novice sysadmin and you are getting started in data forensics (maybe just figuring out who pwn'd your phpBB install or something basic like that), I recommend learning the following habit ASAP:

    DOCUMENT EVERYTHING YOU DO

    From the moment you learn of the break-in to the moment you boot up the re-imaged machine, make a detailed log with dates and times, names, screen dumps, data, whatever. Even just a text file on your laptop.

    Even if you fuck up the evidence (like, shutting the machine off before getting all the evidence in RAM), you at least have a *record* of exactly how you fucked up.

  15. Re:WWYD? STFD, STFU, and DWYT. by sfjoe · · Score: 2, Insightful

    The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.

    This is true, but not useful. It is the most helpful thing you can do for "these people"; however, the most helpful thing you can do for yourself is to wait for the advice of your lawyer and do nothing and say nothing until then.
    If they are asking you for help, then you are a sysadmin of some sort. As such (pay attention now) YOU ARE HIGH ON THE LIST OF POSSIBLE SUSPECTS. Don't make things worse for yourself by inadvertently saying or doing something to incriminate yourself.

    --
    It's simple: I demand prosecution for torture.
  16. Washington DC FBI Bureau by powdered+toast+dude · · Score: 2, Insightful

    The only time I've ever had a box rooted was a few years ago in DC (I was careless with WU-ftpd; lesson learned). I was able to trace back through this particular attacker's sloppiness, and gathered a lot of useful info. When I called the Washington DC bureau of the FBI to report the incident and share what I had learned, I was told, "um, our computer guy's not here right now. Can you call back tomorrow?"

    I was aghast, needless to say.

    $0.02,
    ptd

    --
    I'm an animal lover -- they're delicious!