Slashdot Mirror


Computer Forensics

Craig Maloney writes "Many Slashdot readers know how to secure a network, and many know how to determine if a security breach has taken place. Fewer readers, though, would know how to handle a security breach if corporate assets were involved. How would you cooperate with law enforcement when a crime has been committed on a computer?" For more questions, and the rest of Maloney's review of Warren G. Kruse II and Jay G. Heiser's Computer Forensics, read on below.

Computer Forensics
author: Warren G. Kruse II and Jay G. Heiser
pages: 392
publisher: Addison Wesley
rating: 8/10
reviewer: Craig Maloney
ISBN: 0201707195
summary: A good reference for what to do when computer crime happens

How do you get the evidence off of a computer, ensuring that it's capable of withstanding a defense lawyer's scrutiny? Maybe you would just unplug the machine and put it in storage awaiting a detective's arrival, but is that what we should do? What if the evidence is on a production server that can't be simply unplugged and put into storage? What if that evidence is slowly being erased as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace but if you do have to worry, Computer Forensics will be an asset to your part of the investigation.

Who is this book for? Computer crime isn't simple -- it can range from damage done by simple script kiddies to corporate espionage by disgruntled employees, as well as sophisticated, multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover a lot of these areas. The book includes a chapter dealing with laptop hardware, as well as ones on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may be of interest to the Slashdot crowd, Computer Forensics focuses more on broad topics of interest to computer detectives faced with getting up to speed quickly with computer crimes and computer evidence gathering.

Several chapters are downright boring for anyone who has a modicum of computer experience. Finding out where e-mail is stored on Windows and Linux machines, or understanding what a rootkit is and what it does, will be pedestrian for many readers. Nestled away between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to use). Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free tools, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent set of tools from this book.
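The tar-over-netcat trick the review mentions works because a tar stream carries each file's recorded modification time and tar restores it on extraction, whereas a plain copy stamps the destination with the current time. The script below is an added illustration, not code from the book or the reviewer; it builds a constructed sample tree with a backdated log file, copies it once through a tar pipe and once with cp, and checks which copy kept the original mtime. A local pipe stands in for the network hop (the assumed real-world form is `tar -cf - . | nc HOST PORT` on the source and `nc -l PORT | tar -xf -` on the collection box).

```shell
#!/bin/sh
# Added example (not from the book or the review): shows that a tar stream
# preserves file modification times while cp without -p does not. The
# network hop is simulated with a local pipe; substitute netcat as noted
# in the lead-in for a real two-host transfer.

# mtime_equal FILE_A FILE_B -> exit 0 if both files carry the same mtime.
# Uses the -nt/-ot test operators, so no GNU stat is needed.
mtime_equal() {
    if [ "$1" -nt "$2" ] || [ "$1" -ot "$2" ]; then
        return 1
    fi
    return 0
}

# make_evidence_tree DIR: constructed sample directory with a log file
# whose mtime is deliberately set in the past (2004-01-15 12:00).
make_evidence_tree() {
    mkdir -p "$1/var/log"
    printf 'Jan 15 12:00:00 host sshd[123]: Accepted password for admin\n' \
        > "$1/var/log/auth.log"
    touch -t 200401151200 "$1/var/log/auth.log"   # constructed timestamp
}

# tar_pipe_copy SRC DST: stream SRC through a tar pipe into DST.
# tar restores the recorded mtime on extraction by default.
tar_pipe_copy() {
    mkdir -p "$2"
    ( cd "$1" && tar -cf - . ) | ( cd "$2" && tar -xf - )
}

# plain_copy SRC DST: the naive alternative; cp without -p rewrites mtime.
plain_copy() {
    mkdir -p "$2/var/log"
    cp "$1/var/log/auth.log" "$2/var/log/auth.log"
}

# run_demo: returns 0 only when the tar pipe preserved the mtime AND the
# plain copy changed it, i.e. when the point above actually holds.
run_demo() {
    work=$(mktemp -d)
    make_evidence_tree "$work/src"
    tar_pipe_copy "$work/src" "$work/tar_dst"
    plain_copy "$work/src" "$work/cp_dst"
    tar_preserved=0; cp_preserved=0
    mtime_equal "$work/src/var/log/auth.log" "$work/tar_dst/var/log/auth.log" && tar_preserved=1
    mtime_equal "$work/src/var/log/auth.log" "$work/cp_dst/var/log/auth.log" && cp_preserved=1
    rm -rf "$work"
    [ "$tar_preserved" -eq 1 ] && [ "$cp_preserved" -eq 0 ]
}

run_demo && echo "tar pipe preserved mtime; cp did not"
```

The same property is why investigators prefer streaming tools over interactive copying: the timestamps on the collected copy remain usable as evidence of when files on the original were last changed.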

Making it all work

Putting together a good forensic kit is all fine and good, but making sure your evidence holds up to the scrutiny of some high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system. The authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar loss guidelines, and testifying as an expert witness, among other legal topics. The appendices of the book have checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the system administrator of any public machine who needs to deal with law enforcement.

Conclusion

Thinking about dealing with courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality any administrator needs to think about and be aware of. Computer Forensics will at least make administrators more aware of what their legal options are, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction to help investigate it should it ever happen to you.

You can purchase Computer Forensics from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


  1. SecurityFocus by ProfaneBaby · · Score: 5, Informative

    The security focus mailing list dedicated to forensics is also good lurking, for those interested...

    http://archives.neohapsis.com/archives/sf/forensics/

    --
    Video Phone Blogs send video messages straight to the web.
  2. Enterprise file forensics by Anonymous Coward · · Score: 3, Informative

    We use Dynacomm i:scan in our enterprise and it basically does all the forensic work for us. Kinda spooky the things it can report and notify on.

    1. Re:Enterprise file forensics by ikewillis · · Score: 3, Interesting
      For the rest of us there's always Wietse Venema's tool, The Coroner's Toolkit

      On FreeBSD, it's all about mtree...

    2. Re:Enterprise file forensics by anomalous+cohort · · Score: 2, Informative

      There is a folder full of forensics tools on the knoppix security tools distro. There are tools like sleuthkit 1.66 which is supposed to be an extension to the coroner's toolkit. Has anyone here used these tools? If so, do you know if the results from these forensics tools are useful and/or admissible in court?

    3. Re:Enterprise file forensics by LordDracula · · Score: 3, Informative

      If so, do you know if the results from these forensics tools are useful and/or admissible in court?

      Admissibility is not so much tied to the specific tools (though this can be an issue; more on this later) used, but the methodology used.

      DISCLAIMER: I am not by any means a forensics expert, but I am doing an independent study in computer forensics in college.

      That said, many of the standard *nix tools are, in fact, acceptable for court use. For example, it is extremely unlikely that you will have a challenge presented in a courtroom questioning the integrity of your forensic duplications if you used 'dd' to make the images. At least, not on technical grounds--failure to document everything correctly and completely could wind up causing inadmissibility.

      I'd strongly recommend Incident Response & Computer Forensics by Mandia and Prosise (of Foundstone, Inc.). This book has a LOT of technical information, and covers the aspects of evidence handling, documentation, etc. very well.

      Looking at some of the tools listed in the Knoppix STD, I can say that many of them (like fatback, foremost, dcfldd, and cryptcat) are recommended tools in the Mandia/Prosise book. I've used each of these, and they are all definitely useful. If you're doing work that must stand up in court, however, make sure you document everything you do, and never, never write anything to your suspect drive! Doing so will not only risk losing evidence, but also invalidate the entire drive as evidence. All forensic analysis should be done on either a qualified forensic duplicate or full forensic duplicate.

      --
      Your Friend,
      D
  3. Outside the U.S. by Bingo+Foo · · Score: 4, Interesting

    In other countries, this book is titled, How to Avoid a Forensic Data Trail on Computers You Compromise.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
    1. Re:Outside the U.S. by Umbral+Blot · · Score: 2, Informative

      Many books on security are a double-edged sword. For example, a tutorial on creating protection mechanisms in your programs against disassembly at the same time tells you how to break those protections. A book on how to detect and remove virii gives you insight on how to make them. I could go on... I think the point is that the "bad guys" will learn this information anyway, so we might as well give the "good guys" the same information, especially since the "good guys" don't spend all of their time trying to compromise security.

    2. Re:Outside the U.S. by donscarletti · · Score: 3, Funny

      Many mods will moderate funny things as one of the categories starting with 'I' because funny doesn't give any karma. If something is moderated as funny and is later moderated back down again, the poster could actually lose karma because of it, so many mods think it is unfair.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  4. Time sync all your computers by uid100 · · Score: 4, Informative

    OS level Forensics are much easier if all your computers are set to the same time.

    There is no (good) excuse for not at least NTP'ing all your servers.

    --
    ...yup...
    1. Re:Time sync all your computers by Nonesuch · · Score: 4, Insightful
      There is no (good) excuse for not at least NTP'ing all your servers.
      There used to be a good excuse -- recurring root holes in all common NTP implementations.

      With OpenNTPD, this is no longer a valid excuse.

    2. Re:Time sync all your computers by Panaflex · · Score: 2, Informative

      That's totally true.. in fact have every machine on your network NTP'ing. I've worked on a few compromised servers. Of course the first step is to NOT GET COMPROMISED. Use tripwire, honeypots, and protect yourself.

      One thing people forget about is getting the STATE of the server before you off-line it. I'd suggest getting packet dumps, network routes and connections.

      REMEMBER:
      1. Load up a live CD with some KNOWN GOOD utilities, set the path to $CD_PATH:$PATH so it searches off the cd first or specify the full path of the utility on cd.
      2. Capture processes & threads, routes, sockets, and adapter info, and perhaps a packet dump if things are active into a text file and store somewhere safe.

      YMMV

      Panaflex

      --
      I said no... but I missed and it came out yes.
  5. Crime On Computer ... by foobsr · · Score: 3, Funny

    when a crime has been committed on a computer?

    Must be old mainframes then.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  6. Forensic Security by djrok212 · · Score: 5, Interesting

    Many financial firms including the one where I work, have instituted internal forensic security policies to help limit corporate liability. In our case, we have caught and successfully prosecuted employees for pornography on corporate assets (including child pornography in one case.)

    There are designated employees on the forensic team in each department who are responsible for witnessing the process and documenting the chain of custody for data and items.

    We've invested in specific equipment, including network sniffers (other than those used by the network group), hard drive replicators, log books, and materials for collection and storage of evidence.

    Everything has a chain of custody and is then turned over to the proper authorities.

    As far as the law is concerned, since the employee does not have a right or expectation of privacy when working on a corporate asset, everything we take is completely legal. As long as we maintain an effective chain of custody it will likely hold up in court.

    Just my two cents. Your mileage may vary.

    1. Re:Forensic Security by GigsVT · · Score: 2, Insightful

      Sued by who?

      It'd be a hard case to prove it created a "hostile work environment" if no one knew you had porn until an admin found it.

      All this crap is just another case of moral busy-bodies hiding behind the guise of legal liability.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Forensic Security by arnie_apesacrappin · · Score: 2, Interesting
      do you mean in court or just fired their ass?

      The two times I've had to provide evidence to HR of people using company assets to view porn, both employees were fired.

      but what exactly are the legal repercussions for looking at juicyhoes.com for example?

      In the above instances (at two different companies) viewing adult content at work was against a written policy. Employees were required to acknowledge the policy when hired.

      Were you ever actually challenged in court?

      We weren't. Both people basically gave up when presented with the proxy logs.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

  7. Cutting Loses by fembots · · Score: 5, Insightful

    What if the evidence is on a production server that can't be simply unplugged and put into storage?

    In my company, once a machine is compromised, it's taken offline and a ghost image taken, no questions asked, even if it's a live ecommerce site. You would rather put up an "Unscheduled Outage" notice than inflict more damage on the server/data.

    It's like a 777 pilot asking if he should make an emergency landing due to a fire alarm, because there are 350 passengers onboard and we don't want to spoil their holiday.

    Actually I think pilots do that, that's why we get to read blackbox transcript like

    GPWS: "Whoop, whoop. Pull up. Whoop whoop. Pull up."
    CA: "Don't worry we can make it."
    GPWS: "Whoop, whoop. Pull -."

    1. Re:Cutting Loses by GigsVT · · Score: 2, Insightful

      On the other hand, pulling it down immediately is bad forensic practice. You may very well be destroying evidence contained in RAM.

      Ideally you would take it off the network, but keep it running. Ideals rarely get practiced when it comes to security though.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  8. Been there, done that. by rylin · · Score: 5, Interesting

    Recently, I was contacted by the local PD in regards to a huge number of stolen CCs being used from our IP-range (Internet Café).
    After getting a list of specific timestamps (along with IP-addresses), I was able to figure out who the culprit was.
    That said, the man-hours I put into the whole thing seem to have been for nothing.
    The PD won't do jack shit - too little resources, they say - which is why I find it funny that they can't even send a unit to pick up the frauders when they're actually on-site (yet they can be seen parading the streets, looking for minors consuming alcohol).

    Just because law enforcement want your help doesn't mean they'll do anything - even if you virtually hand them the crooks on a silver platter.
    Then again, things might be different elsewhere.

    1. Re:Been there, done that. by wwest4 · · Score: 2, Insightful

      In that case, (honest question) wouldn't it make more sense to contact the fraud dept. of CC and let them take care of steps to prosecution? Or are they equally unresponsive?

    2. Re:Been there, done that. by HarveyBirdman · · Score: 3, Insightful
      Well, someone jacks my CC number, I'm on the hook for a max of $50.

      A drunken minor behind the wheel of mom's Ford Excursion costs me far, far more than that should I encounter the illbred little monster on the road.

      Hey, just presenting a contrarian view. Was it at least an interesting learning experience?

      --
      --- Ban humanity.
  9. outdated? by Boolio · · Score: 5, Insightful

    The publication date on the book linked is 2001. That makes this book three to four years old. While some of the information may be the same, there are quite a number of new tools and techniques out there. So some of this may be pretty outdated. I have yet to find a great book on system forensics. The best so far is the book "Know Your Enemy" by contributors to the Honeynet Project.

  10. This is dangerous stuff to mess around with... by Pacifix · · Score: 5, Insightful

    ... like security, forensics is best left to those who really know what they're doing. The results of a forensics investigation can very often end up being part of a civil or criminal case and amateur mistakes can get the case thrown out. Contaminating the data by not properly imaging it, not knowing where to find hidden data, or misinterpreting what is found are all very easy to do. Be very sure you have all your bases covered before selling yourself as a forensic investigator.

    1. Re:This is dangerous stuff to mess around with... by -strix- · · Score: 3, Interesting

      That's true. I took a computer forensics class at my school about a year and a half ago; it was a great class and this book was one of the ones we used. One of the main points our professor drove home was properly maintaining a chain of evidence. This is something that would be second nature to a criminal justice major but is pretty foreign to someone in computer science. As far as being a forensic investigator, I would look for a GIAC Certified Forensic Analyst certification. I know that a lot of people are dubious about how much stock they put in certifications but this is really a good one. To date there are only 124 people who have obtained this certification. More info about it here: http://www.giac.org/GCFA.php

  11. An actual example of corporate breaches. by pjbass · · Score: 4, Interesting

    I work at a large semiconductor company (not to name names, but a really big, US, SC-based one) that had a recently fired employee wreak havoc on one of the factories' databases as a result of his termination. Basically he used his not-yet-cancelled remote access, and deleted a critical DB. Now this isn't hacking in the sense of rooting a remote exploit, but it's malicious intent nonetheless on computer systems. It was obvious what happened (the factory stopped running), and very quickly we were able to track down the last few commands logged, where they came from, etc., etc. How it was handled was actually an FBI case. We turned it over to the security department at our company, and they worked with the FBI; we were asked questions by the men in black, and this person was eventually arrested and put away in a dark, dank hole.

    Not sure if this is the norm, but I'd figure when corporations and expensive IP is involved, government-sanctioned agencies will be in the forefront of people investigating, IMHO.

  12. It's not easy by penguinoid · · Score: 2, Interesting

    The problem with computer crimes is that they are not easy to track. On a regular PC, a cracker could break in and remove any evidence (on that PC) that the computer was ever hacked. You might catch him if you happen to be looking while he is busy, but after he is finished, there is not much you can do.

    There are, however, some hardware solutions, namely, to keep track of everything that happens (this is expensive!). Software could also do that, so long as it cannot be hacked. Overall, I think the best thing to do is to keep a backup inaccessible from the network, and hope no sensitive information gets stolen.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  13. The computer is the victim. by eln · · Score: 4, Funny

    Whenever you do work like this on computers, it's important to know that the computer is ultimately the victim here. Don't be too rough with it in trying to get information. It's important to get information back, but it's also very important to maintain the computer's well-being. Always ask before taking a look at the computer's hard drives. If the computer refuses, back off and try again another day. After being so traumatized, many computers will not feel comfortable letting you in right away. In some cases, gender may be an issue, so always use female-to-female or male-to-male data cables when attempting to access the computer's internal ports, as recently attacked computers may have more hostility toward opposite-gender pairings in interrogations.

    Please, always make the computer your first priority, and be mindful that you do not damage it further in your rush to make an arrest.

  14. Re:Sounds good by penguinoid · · Score: 2, Insightful

    You don't have a networked machine? Does that mean that you are posting to Slashdot from an internet cafe? Or are you posting from a spam server that you call "my computer"?

    Just because you won't lose your job if you get hacked, doesn't mean you should ignore the possibility.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  15. Step 1 by Kallahar · · Score: 3, Insightful

    Step 1: Turn off the machine.
    Step 2: Make a bit for bit copy of the drive (there are special devices that will ensure that NONE of the bits are changed).
    Step 3: You can now run whatever forensics tools you want *on the copy*. The original has to be kept unchanged for it to be worth anything in court.

    Make sure to never boot up the drive in question, a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.

    1. Re:Step 1 by towaz · · Score: 4, Informative

      I would not just kill the machine yet either. As long as you document your findings and what you do to the system (with witnesses) you can do a few things first.

      On the live system you can not trust anything so a cd or other media containing your tools statically compiled to investigate are needed.

      you can use dd to make a bit for bit copy of ram, pipe this through netcat to your forensics box, or cryptcat if sensitive info is on the compromised machine.
      A good idea would also be to calculate an md5 checksum for the image either side of the netcat pipe to verify it's not messed up.

      then run lsof to check what ports are open and by what applications and pull the plug out the wall on the compromised host.

      then make sure boot priority in the bios does not boot the hdd in question and run knoppix or something like F.I.R.E and run md5 on the drive, pipe it to your machine with nc and then md5 that image.

      I know I missed something but am on the phone so I guess will wait to get flamed :)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
    2. Re:Step 1 by r2q2 · · Score: 2, Insightful

      According to other posts and common sense, because you are accessing the computer the hard disk is being modified. Using dd and other tools on the running computer will possibly modify the drive and make your evidence invalid.

      --
      My UID is prime is yours?
  16. Transferring for forensics by Kalak · · Score: 3, Informative

    Rsync will do this simply and efficiently, plus it can resume transfers and also tunnel through ssh.

    Also you can pipe dd through gzip/bzip2 and netcat to give you a loopback mountable, unmodifiable image that you can look at in case you want to grab the whole drive before putting it in the evidence locker.

    --
    I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
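Kallahar's three steps, towaz's "md5 either side of the netcat pipe", and Kalak's "dd through gzip and netcat" all describe one procedure: read the suspect media once, stream it to a collection box, and prove the copy matches what left the source. The script below is an added example, not code from any of the posters; it uses a constructed 1 MiB file as the "drive" (no real block device is touched), a fifo plus tee to hash the outgoing stream while it is compressed and "sent", and an independent hash of the received image. A local pipe stands in for netcat; on real hardware the assumed form is `dd if=/dev/sdX bs=64k | tee fifo | gzip -c | nc COLLECTOR PORT` with `nc -l PORT > image.dd.gz` on the receiving side, and sha256sum replaces the md5 the posts mention.

```shell
#!/bin/sh
# Added example (not from the posts above): image a "suspect drive", hash the
# byte stream on the sending side and the received image on the other side,
# re-hash the untouched source, and only report success when all three agree.
# Requires sha256sum, mkfifo, gzip and dd; the netcat hop is simulated locally.

# make_suspect_drive FILE: constructed 1 MiB "drive" with a recognisable
# marker at offset 4096, standing in for the block device.
make_suspect_drive() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'SUSPECT-DRIVE-MARKER' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# hash_of FILE: hex sha256 digest only (the posts say md5; the procedure is
# identical, sha256 is simply the better choice today).
hash_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# image_drive SRC WORKDIR: dd the source, hash the outgoing stream through a
# fifo while it is compressed and "sent", then decompress on the receiving
# side and hash the result. Leaves both digests as files in WORKDIR.
image_drive() {
    src=$1; work=$2
    mkfifo "$work/stream.fifo"
    # Sending side: the hash reader runs in the background, fed by tee.
    hash_of "$work/stream.fifo" > "$work/sent.sha256" &
    dd if="$src" bs=65536 2>/dev/null \
        | tee "$work/stream.fifo" \
        | gzip -c > "$work/image.dd.gz"      # stands in for "| nc HOST PORT"
    wait
    # Receiving side: reconstitute the raw image and hash it independently.
    gunzip -c "$work/image.dd.gz" > "$work/image.dd"
    hash_of "$work/image.dd" > "$work/received.sha256"
}

# verify_image WORKDIR SRC: returns 0 only if the stream hash, the received
# image hash and a fresh hash of the source all agree. Every comparison is
# appended to a custody log, which is the "document everything" step.
verify_image() {
    work=$1; src=$2
    sent=$(cat "$work/sent.sha256")
    recv=$(cat "$work/received.sha256")
    again=$(hash_of "$src")
    printf '%s image=%s sent=%s received=%s source_recheck=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$work/image.dd" "$sent" "$recv" "$again" \
        >> "$work/custody.log"
    [ "$sent" = "$recv" ] && [ "$recv" = "$again" ]
}

# run_demo: end to end on the constructed drive; exit 0 means the image verified.
run_demo() {
    work=$(mktemp -d)
    make_suspect_drive "$work/suspect.img"
    image_drive "$work/suspect.img" "$work"
    if verify_image "$work" "$work/suspect.img"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

run_demo && echo "image verified: hashes agree on both sides of the pipe"
```

The third hash (re-reading the source after imaging) is what backs LordDracula's point above: if it differs from the first, something wrote to the suspect media during acquisition and the image's evidentiary value is already in question. Kalak's loopback mount of the resulting raw image (`image.dd` here) needs root and is left out of the script.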
  17. If you've got a problem, if no one else can help, by Ingolfke · · Score: 2, Funny

    and if you can find them. Call the A-team.

  18. Valve by FiReaNGeL · · Score: 4, Interesting

    In the case of HL2 code theft, Valve got lucky; they just had to wait for the hacker's ego to blow out of proportion due to the massive coverage. He emailed them. Several times. He went to a meeting for an 'interview' for a 'job'. Thank god, most hackers(as in illicit network infiltration) / criminals eventually make mistakes. In this particular case, it was pure dumbness, however. Imagine the scene :

    "Honey, you know the company that I (big F word, past tense) over, well, they're offering me a JOB!" "Great! When are we moving?"
    Heh.
    past /. coverage
  19. How would you cooperate with law enforcement? by RealAlaskan · · Score: 4, Funny
    How would you cooperate with law enforcement when a crime has been committed on a computer?

    Wouldn't that depend on your role in the crime, and your lawyer's advice?

  20. WWYD? STFD, STFU, and DWYT. by Tackhead · · Score: 4, Insightful
    > How would you cooperate with law enforcement when a crime has been committed on a computer?

    I would do whatever the nice people with the guns told me to. Nothing more, and nothing less.

    The guys with the guns are not my friends, but they're pretty nice to people who help them. The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.

    Unless you're being paid to perform an investigation, getting good forensic data off that drive is not your responsibility. That's the responsibility of the friends of the guys with the guns. (Are you a friend? Easy to check! Is your paycheck signed by a big guy with a really big gun? If not, you are not one of their friends!)

    Going further, getting data off the drive isn't your responsibility -- but not fucking up the chain of custody is your responsibility. If you fuck up the chain of custody, the guys with the guns will be very, very, very angry with you. (You do not want this to happen.)

    So:
    1) Do not make the people with guns angry.
    2) Do not "help" the people with guns (even if you want to), because anything you do to "help" them runs the risk of making them angry.
    3) STFD. STFU. DWYT.

    Y'know how we geeks have hundreds of words to express the concept of "nontechnical person who is too clueless to be allowed anywhere near a computer"?

    I'll bet cops have hundreds of words that translate to "civilian who is too clueless to be allowed anywhere near an ongoing investigation".

  21. Very popular toolkit by jgercken · · Score: 2, Interesting
    --
    Never ascribe to malice what can be adequately attributed to ignorance. -Napoleon
  22. this is an old ass book.. by Anonymous Coward · · Score: 2, Interesting


    why the review now?

  23. Department of Justice Forensic Guide by greyfeld · · Score: 2, Informative
    Here's a link to the Department of Justice's Forensic Guide for Law Enforcement if you are interested.

    http://www.ncjrs.org/pdffiles1/nij/199408.pdf

  24. Re:More importantly... by Pompatus · · Score: 2, Informative

    1) Put a password on your bios. Someone will have to do some fancy soldering to replace it if they want to boot your machine without your password.

    Unless you did some REALLY fancy soldering to set that password, simply removing the battery from the motherboard for about 10 minutes resets a bios password.

    2) Store all sensitive data on an encrypted medium. Just hope no one puts a key logger on your keyboard.

    That all depends on the strength of the encryption you use and the strength of the computers trying to break it. (to give you credit, this is probably the best idea you propose, if it is properly implemented.)

    While being quite secure is as simple as installing *nix, .....

    This is the one that really bothers me. You have to actually CONFIGURE your *nix to be secure! It doesn't just magically happen. And after you have it configured, you have to stay up to date with the programs you run in order to avoid the latest exploits.

    It's important to understand that you can't just do some work on a computer and then sit back and say, "there, now it's secure forever". It's also important to understand that given the proper amount of time, nothing you do will secure your computer if someone has physical access to your machine.

    --

    ----
    Squirrel ... It's not just for breakfast anymore
  25. Step One: by nurb432 · · Score: 2, Insightful

    If you have had a breach, and its going to involve *anything* legal:

    TALK TO YOUR ATTORNEY.. first.. not 2nd .. not 3rd.. do it even before you even call the cops....( well after you plug the hole... )

    --
    ---- Booth was a patriot ----
  26. Re:More importantly... by loadquo · · Score: 2, Funny

    A mercury switch and an emp device Or perhaps an encrypted file system. Just be sure to remember the 1024 bit number.

  27. 2 things by circletimessquare · · Score: 2, Insightful

    1. your whole philosophy of "just do what you are told" is the best philosophy for making sure the guys with the guns stay on top for as long as possible... in other words, your attitude is part of the problem: "i'm just a slave, i don't think"

    2. for a treatise which draws a line between yourself and the guys with the guns, you come across as pretty passive aggressive

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  28. Wait for a Subpoena by jchawk · · Score: 2, Insightful

    Before you start handing out information it is always best to wait for a subpoena. Make sure it's signed by a judge and not a clerk. There is a reason for due process and law enforcement understands this even though they don't always want to follow it!

  29. Re:Forensics used the other way by networkBoy · · Score: 2, Interesting

    Lock the hard drive. The ATA and SCSI specs both have provisions for locking the drive's electronics to disallow writes or reads of the disk's data. Your copy utility or machine will not work without these keys.
    HOW HDD LOCKING WORKS
    The above is a quick little write-up I did to explain to all the Xbox people who want to use/access the drive that ships with the Xbox (after they've ruined their MB or sold it on e-bay) why they are really quite screwed. This is not definitive, but it is fairly accurate in what it says.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  30. not to name names by bani · · Score: 2, Informative

    "intel"

    the ex-employee is David Dugan.

    the case you're talking about is this one:
    http://www.theregister.co.uk/2004/11/11/intel_gun_man/

  31. FWIW2 by selil · · Score: 2, Interesting

    I really enjoyed the book myself when I read it this summer. As a compilation detailing computer law it was pretty good. Most of the tools I found to be aging or at a very low level. If you add in "Cybercrime" by Ralph D. Clifford, an excellent book on computer law, it opens a much broader picture. "Software Forensics" by Robert M. Slade is my current read and gets an interesting rating for now. "Computer Forensics" unfortunately is only part of the picture. With so much of the net existing in RAM and the traffic in between nodes, "Network Forensics" should be the next big topic. There has to be a way of taking dynamic bits and making static evidence. There are a few other things that are going to hold back the field of forensics. The fact that the commercial forensic tool vendors have been refusing to teach the defense attorneys or experts is very scary. This is a rapidly expanding field, very similar to how DNA was expanding in the 70's and 80's.

    --
    --- Location Unknown
  32. A 'thank you' from the SF forensics moderator... by sczimme · · Score: 3, Informative


    The security focus mailing list dedicated to forensics is also good lurking

    I am the moderator of the SecurityFocus.com forensics list, and agree that it is a great resource. (Al Huger is listed in the info page as the moderator; he is actually the list owner.) The list is dedicated to discussion of technical forensics topics.

    The SF forensics list archives are here. A general listing of SF mailing list archives is here. Those interested in subscribing to the forensics list (or other lists @SecurityFocus) can do so from the archive page.

    Cheers!

    Scott C. Zimmerman, CISSP

    --
    I want to drag this out as long as possible. Bring me my protractor.
  33. Re:WWYD? STFD, STFU, and DWYT. by sfjoe · · Score: 2, Insightful

    The most helpful thing you can do for these people is to sit the fuck down, shut the fuck up, and to do what you're told.


    This is true, but not useful. It is the most helpful thing you can do for "these people", however, the most helpful thing you can do for yourself is to wait for the advice of your lawyer and do nothing and say nothing until then.
    If they are asking you for help, then you are a sysadmin of some sort. As such (pay attention now) YOU ARE HIGH ON THE LIST OF POSSIBLE SUSPECTS. Don't make things worse for yourself by inadvertently saying or doing something to incriminate yourself.

    --
    It's simple: I demand prosecution for torture.
  34. Washington DC FBI Bureau by powdered+toast+dude · · Score: 2, Insightful
    The only time I've ever had a box rooted was a few years ago in DC (I was careless with WU-ftpd; lesson learned). I was able to trace back through this particular attacker's sloppiness, and gathered a lot of useful info. When I called the Washington DC bureau of the FBI to report the incident and share what I had learned, I was told, "um, our computer guy's not here right now. Can you call back tomorrow?"

    I was aghast, needless to say.

    $0.02,
    ptd

    --
    I'm an animal lover -- they're delicious!