Wednesday, September 30, 2009

How Is Computer Forensics Different from Incident Response?

In response to my last post, All Computer Forensics Professionals Are Not Created Equal:

Christa M. Miller said...
Larry, if you keep computer forensics distinct from IR, doesn't that in some ways throw the baby out with the bathwater? There is really not all that much that forensic practitioners could learn from IR practitioners, compared to other "pure" forensic sources?
I was going to respond to that in a comment, but decided it would be too long to do it justice.

There is a significant difference between incident response and computer (digital) forensics. However, it only becomes apparent when you analyze the different uses for the two disciplines and how they are applied.

Incident response encompasses a wide range of specialties, as does digital forensics. Do they overlap? Yes. But the more specialized one becomes in either field, the more they diverge.

Incident response is actually a discipline within traditional information support services.  If you look at the different jobs in information security, you begin to see how the specialization occurs and is needed:

Information Support
     Network Administration
         Server administration
             Domain, DHCP, DNS, Mail, File, Application, Database, Collaboration and Terminal servers.
         Network infrastructure
             Switches, Routers, Endpoint Security, Cabling, WAN, Internet, VPN, Wireless etc.
         Disaster recovery
             Backup and Recovery
         Telephone, VOIP
         Network Security
             Malware detection and prevention
             Perimeter protection (firewalls, etc.)
             Data leakage protection
             Intrusion detection and prevention
Everything up to this point is what you need to administer a network and to prevent the need for incident response. When all of that is defeated and you have a breach, you call for the incident response person or team.

An incident response professional should have a strong foundation in all of the above, since their job is to find where the breach occurred, plug the hole, get the affected server or servers back into service, and then, if possible, gather evidence on the intruder for further action. Where the incident response professional differs is that they need to truly understand the low-level workings of a network, how breaches occur, how to locate the method of the breach, and how to mitigate the breach, i.e., kill it and close the hole.

This requires a deep understanding of hacking techniques, log analysis, malware, rootkits, social engineering, hooking, terminate-and-stay-resident (TSR) programs, port scanning, service profiling, packet forensics, routers and firewalls, daemons, hidden services, etc.

The objectives of most intrusions or malware attacks on a network are to:

  1. Steal data (intellectual property, operating or financial information)
  2. Steal systems (Subvert control by gaining root or administrator access)
  3. Steal storage and bandwidth (rogue FTP servers, spammers)
  4. Steal identity information (credit card numbers, client information...)
  5. Disrupt operations (DoS attacks, sabotage, destroy data, logic bombs, prevent access to the system by users)
  6. Just be a nuisance by vandalizing systems.
In any event, attacks on networks are serious and have to be dealt with immediately to protect the enterprise and its clients.  The larger and more complex the network, the more difficult this is to do. This is the role of the incident response professional.

Digital forensics as a discipline is more concerned with finding and documenting the actions of a person or persons in relation to other people, places or activities.

A digital forensic professional must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.

Acquiring Data:  Where data is stored and how to get it.

There are basically two types of data that a digital forensics examiner must collect:  Data from a physical device and data from other sources.

Physical Devices (Short list)

  1. Computer Hard Drives
  2. Solid State Devices (USB Sticks, Memory Cards, Digital Cameras, DV Cameras, etc.)
  3. Cell Phones
  4. Backup devices (tapes, etc.)
  5. GPS Devices
Other sources of data (not an exhaustive list)

  1. ISP records
  2. Cell phone records
  3. Network activity records
  4. Off-site storage
  5. Email databases
  6. Email providers
  7. Social networking sites.
The other sources of data are places where data may be stored but where the examiner has no direct access to the devices for collection, and must rely on others to provide that data.

How data is created

  1. User created data (documents, spreadsheets, pictures, text messages, chats, web pages, social network pages, financial information...)
  2. Program created data (software logs, registry entries, activity databases of programs such as Kazaa, Limewire, Internet browsers, VOIP programs and other application software...)
  3. User received data (email, internet downloads including pictures, programs, etc.)
  4. Activity records (call logs, IP accesses, social networking activity, hosted email account creations, cell carrier records, GPS...)

User created data is by far the easiest to recover and analyze, since it is normally the least obscured: documents, pictures, spreadsheets, etc.

Program created data becomes more difficult to recover and analyze because most programs store information in several places, use non-human naming for data storage, and use many different formats for the data that is stored.

However, those very characteristics make it very difficult for a person to completely eliminate all the artifacts that a program leaves on a system's hard drive.

What triggers a need for a digital forensic examination is typically the result of something someone has been accused of doing to someone else.  It is very much a people to people examination.  While incident response is mostly concerned with stopping and clearing an action, digital forensics is primarily concerned with finding out if a person committed an action.  In the world of digital forensics, user attribution is the end goal.  Did the person do this and can I prove that it was this person who did it?  While incident response can be successful without ever identifying a person, without user attribution, digital evidence has little to no value.

To simplify it, the digital evidence trail looks like this:

This artifact (email, chat, picture) was created by this person and is connected to that person.  Remember, we are looking for evidence that connects people to other people or actions.

To successfully do this kind of work, a digital forensic examiner must understand not only the technical side of the process but also how to work within the legal system, to ensure that the data they recover was legally obtained and can stand up to the scrutiny of a court of law, whether civil or criminal.

The more people and devices and evidence, the more complex the process becomes.

Hopefully this post illustrates why, as you get deeper into each of these disciplines, the knowledge needed diverges significantly.


Sunday, September 27, 2009

All Computer Forensics Professionals Are Not Created Equal

All Forensic Investigators Are Not Created Equal is the title of a blog post over at Dark Reading by John Sawyer.

I have to say that I take issue with several of Mr. Sawyer's statements in the article. First of all, he displays a complete lack of knowledge about the complex forensic investigations that are conducted by law enforcement and other investigators. I suppose that trying to link together evidence from dozens of cell phones and computers in a fraud, drug trafficking or child pornography ring doesn't count as being as "difficult" as doing an incident response investigation.

While I am not a law enforcement examiner, nor have I ever been a member of law enforcement, statements like the one below show a complete disrespect for the people who do that job:
"There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.
On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and numerous other types of systems all come into play in order for the investigator to crack the case."

Mr. Sawyer got his inspiration for writing this after reading another blog post:

"So why do I mention the distinction? It's something I've believed for a while but was reminded of it again while reading "The Black Art of Digital Forensics" over at The article makes several interesting statements. The one that stuck out is that forensic investigators can't rely only on GUI tools to perform tasks for them (which is usually only against one system or one type of system and not ALL systems), they must understand what's going on behind the scenes for the GUI. While that's true, I'm just not sure that's going on in the real world."
While I agree that forensic investigators cannot completely rely on GUI (Graphical User Interface) forensic tools, I think the statement needs some clarification.

GUI based forensic tools like Encase, FTK, and others are fine tools and extremely powerful in the hands of a well trained and experienced examiner. The problem is that they can give a false sense of completeness if all the examiner does is run the standard scripts and review the collected data.

The statement above from the Infosecurity article smacks of the recurring theme of, "I can run command line tools. That makes me smarter than you," something that seems to be cropping up more and more.

Should the examiner know what the graphical tool is doing to get at the data? Absolutely. Should the examiner have a good foundational knowledge of how these tools work at a low level? Yes. Does it matter if he can explain what FAT12 is to a jury? Probably not. But if he does, and he does not do his homework prior to testifying, shame on him.

The article over at Infosecurity reads more like an advertisement for a couple of new software releases than much else.

It starts off well with some discussion of the problem of relying on the MAC times (Modified, Accessed and Created) that are recorded by a computer's operating system.

However, it drifts away from that topic without giving any detail on how to deal with MAC times and goes on to discuss software and civil data collection.

Hopefully it is pretty common knowledge among examiners these days that you have to verify things like MAC times before you rely on them as evidence.
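As an added example of what "verifying MAC times" can mean in practice (this is not code from the original post or from any tool it mentions), the script below runs a handful of consistency checks over NTFS timestamp records before an examiner leans on them: a modified time earlier than the created time (the file was copied or moved in, so its created time says nothing about when the content was authored), an accessed time earlier than the created time, all-zero sub-second fields (NTFS records 100 ns resolution, so whole-second values suggest the times were set by a tool rather than by the operating system), a $STANDARD_INFORMATION created time earlier than the $FILE_NAME created time (the ordinary timestamp APIs do not rewrite $FILE_NAME, so this is a classic tampering indicator), and any timestamp later than the acquisition time. The records, paths, the field names and the acquisition time are all constructed for this example.

```python
# Added example, not code from the original post: consistency checks an
# examiner can run over NTFS MAC timestamps before relying on them.
# All records below are constructed sample data, not evidence from any case.
from datetime import datetime, timezone

def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' (UTC) into a comparable
    (datetime, ticks) pair; ticks is the fraction in 100 ns NTFS units."""
    whole, _, frac = text.partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int((frac + "0000000")[:7]) if frac else 0   # pad to 7 digits
    return (dt, ticks)

def check_record(rec, acquired_at):
    """Return the list of anomaly labels for one file record.

    rec holds the $STANDARD_INFORMATION (si_*) times plus the $FILE_NAME
    creation time (fn_created); acquired_at is when the image was taken.
    Field names are assumptions made for this example.
    """
    m, a, c = (parse_ts(rec[k]) for k in ("si_modified", "si_accessed", "si_created"))
    fn_c = parse_ts(rec["fn_created"])
    acq = parse_ts(acquired_at)
    flags = []
    if m < c:
        # A copy or move keeps the source's modified time but gets a fresh
        # created time, so this file arrived from somewhere else.
        flags.append("modified_before_created")
    if a < c:
        flags.append("accessed_before_created")
    if m[1] == a[1] == c[1] == 0:
        # NTFS keeps 100 ns resolution; all-zero fractions suggest the times
        # were written by a whole-second tool rather than by the OS.
        flags.append("whole_second_timestamps")
    if c < fn_c:
        # $FILE_NAME times are not touched by the ordinary timestamp APIs,
        # so an $SI creation earlier than $FN creation points to tampering.
        flags.append("si_created_before_fn_created")
    if max(m, a, c) > acq:
        flags.append("future_timestamp")
    return flags

def check_all(records, acquired_at):
    """Map each path to its anomaly labels (an empty list means nothing to note)."""
    return {rec["path"]: check_record(rec, acquired_at) for rec in records}

# Constructed sample records (UTC).  Paths and values are placeholders.
ACQUIRED_AT = "2009-09-28 18:00:00"
SAMPLE_RECORDS = [
    {"path": "C:/Users/alice/report.docx",        # ordinary file, nothing odd
     "si_created": "2009-08-30 08:00:00.9876543",
     "si_modified": "2009-09-01 10:00:00.1234567",
     "si_accessed": "2009-09-02 09:15:00.4567890",
     "fn_created": "2009-08-30 08:00:00.9876543"},
    {"path": "C:/Users/alice/Pictures/photo.jpg",  # copied in from elsewhere
     "si_created": "2009-09-20 14:05:10.5550000",
     "si_modified": "2009-06-11 16:30:00.0001234",
     "si_accessed": "2009-09-20 14:05:10.5550000",
     "fn_created": "2009-09-20 14:05:10.5550000"},
    {"path": "C:/Users/alice/notes.txt",           # whole-second, $SI before $FN
     "si_created": "2007-01-01 00:00:00",
     "si_modified": "2007-01-01 00:00:00",
     "si_accessed": "2007-01-01 00:00:00",
     "fn_created": "2009-09-15 11:22:33.1112223"},
    {"path": "C:/Temp/log.dat",                    # clock problem or tampering
     "si_created": "2009-09-01 12:00:00.5000000",
     "si_modified": "2010-03-01 12:00:00.1",
     "si_accessed": "2010-03-01 12:00:00.1",
     "fn_created": "2009-09-01 12:00:00.5000000"},
]

if __name__ == "__main__":
    for path, flags in check_all(SAMPLE_RECORDS, ACQUIRED_AT).items():
        print(path, "->", ", ".join(flags) or "no anomalies")
```

None of these flags proves anything on its own; a copied file or a host with a drifting clock produces the same patterns as deliberate manipulation. The point is that each flagged record needs corroboration (the $FILE_NAME attribute, USN journal or log entries, the acquisition notes) before the timestamp is presented as evidence.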

In civil cases it is acceptable in many cases to only collect data that is relevant to a case without doing a full forensic copy. However, in criminal cases, it would be problematic to not have a full forensic copy of a hard drive that is going to be used in a criminal trial as that would be a major point of attack for the defense:

"Would it be fair to say, Mr. Examiner, that the court cannot know what data you decided not to collect?"

"Mr. Examiner, given that you decided what evidence this court would be allowed to see, how can you assure the court that you did not intentionally exclude data that would prove my client's innocence?"

There is a wide difference between requirements in civil and criminal investigations. What is allowable in a civil case relies on a very different standard than that of a criminal proceeding.

Lumping incident response in with computer forensics is a mistake. They are not the same disciplines, do not have the same focus and do not have similar requirements for the investigator in either training or expertise.

While having expertise in both is an asset, to say that having expertise in one automatically qualifies an investigator in the other is simply wrong.

Getting back to law enforcement forensic experts: working in the criminal system is much more difficult than many people in our profession give it credit for. Law enforcement forensic examiners must not only know how to properly conduct a computer forensic examination, they also need to understand how to do it in such a way that it will stand up in criminal court. To get to the point where a computer can be examined requires taking careful steps through a legal minefield of probable cause affidavits, search warrants, investigative reports and Fourth Amendment protections.

Then their work may very well be scrutinized by an opposing expert who is going to pick apart every aspect of what they did through that entire process.

While I have great respect for the professionals in the incident response area and value the contributions of folks like Harlan Carvey, I think we would all be better served if we keep the distinction between computer forensics and incident response clear.

Thursday, September 24, 2009

Guardian Digital Forensics Releases Drive Prophet Professional - Forensic Edition

Several months ago I signed a software publishing agreement with Mark McKinnon of Red Wolf Forensics to publish Drive Prophet.

In my opinion, Drive Prophet is an outstanding tool for digital investigations, incident response, hacking cases and digital triage.

Working with Mark to bring this newest release to market has been a real pleasure. Not only is Mark an excellent developer, but he is a really nice guy to work with as well.

We have three additional versions of Drive Prophet in the works, (more about those at a later date).

You can take a look at the user manual here if you want more details on Drive Prophet.

Or you can visit Drive Prophet on the web.

Wednesday, September 9, 2009

New Twist On An Old Scam

I received an email the other day from the US Marines (supposedly).

"Dear Friend,
Please take some time off your busy schedule to read and respond to this email as soon as possible. I am a US MARINE serving in Iraq (Mosul) and require your help to take care of some personal financial matters for me and of course you will be adequately compensated with sum of three million dollars (USD) as your share for rendering this assistance.
You will have to give me some assurances that you will keep my identity and other information's regarding this project to yourself and will also try to adhere to the terms we will agree on, especially the safety of the part of resources that I will call my share, after you have taken the figures we will agree on as your share and how to preserve that belonging for me until I complete my service here.
I will send you more details when I have a mail from you.
Sgt. Andrews Veach."

Sounds a lot like the old "I have millions of dollars I need to get out of the country" scam I have seen for years, where you have a prince or a high-ranking official, etc., who needs you to help them by accepting money on their behalf. Of course you would get a lot of money for providing the service. All you have to do is give them your bank account or other personal information.

In this case, outside of the obvious similar wording in the email, the fact that it came through a Japanese mail server is a dead giveaway.


Notice that it is signed Sgt. Andrews Veach. Odd first name since it is plural. However, if you look in the header information, the reply address is: Reply-To:

Apparently the idea is to make this one sound legitimate by saying it is from a US Marine serving in Iraq. I hope that no one takes this seriously.


Tuesday, September 1, 2009

9th Circuit Court of Appeals - Plain View Opinion On Digital Evidence

Over on the SANS blog, Rob Lee posted a piece that he attributes as coming "From Greg Haverkamp from the GIAC Certified Forensic Analysts [GCFA] Mailing list."

Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics

It is a good summary of the opinion.

Before I get to what I have to say about this, you should also read John Barbara's article in Forensic Magazine about the Plain View Doctrine: Digital Insider: To Search or Not to Search…. the Search Continues

Also, if you are interested, here is a link to the full opinion from the 9th Circuit Court of Appeals:


This ruling could put a real pinch on the current practice of "find it, then get a warrant for it" approach to examining electronic media.

Basically, what the court is saying is that the "plain view" doctrine isn't going to fly when law enforcement is examining a hard drive for one thing, discovers something unrelated to the investigation, and then goes and gets a warrant for the new evidence.

As a new form of protection, the court is suggesting that a neutral third party segregate the evidence and provide only the evidence named in the search warrant to law enforcement.

One of the dissenters in the opinion said that this was going to severely damage the ability of small police forces to do computer forensics since they cannot afford dedicated, non-investigative personnel to perform this work.

I have long held that it is problematic for the investigator on a case to also be the forensic examiner (in spite of what you see on CSI), since the investigator cannot separate what they see from what they are allowed to see. The nature of forensic examinations makes it virtually impossible to limit what the examiner sees. Only by having a third party perform the examination can evidence be properly segregated to protect the privacy of the individual before the evidence is handed over to law enforcement.

The burning question is whether this court decision will force law enforcement labs to start using third party labs, or at least non-investigative personnel, for forensic examinations.

In the example John Barbara gives in his excellent article on the plain view doctrine, he talks about how when the examiner sees the first child porn picture, they should stop and go get a warrant.  Prior to this ruling, that has been the normal way of handling the discovery of new, unrelated evidence under the theory that since the examiner cannot look for pictures of one thing without looking at all the pictures, the contraband pictures are in "plain view."

That is a lot like saying that, since you can't look for tax documents in a file cabinet without looking at all the documents, a document detailing drug transactions is in plain view once the examiner takes it out and looks at it.

This ruling changes the interpretation of what plain view is when it comes to over-seizing and examining evidence.

Bear in mind that this ruling is about government searches of digital evidence and not about private searches.  Private searches are not covered by the 4th amendment and are subject to a different set of rules.

Of course, I am not an attorney and my writing is just my opinion on the matter. (My disclaimer.)
