Handbook of Information Security Management:Law, Investigation, and Ethics



Other Investigative Information Sources

When conducting an internal investigation, it is important to remember that witness statements and computer-related evidence are not the only sources of information useful to the investigation. Personnel files provide a wealth of information related to an employee’s employment history; they may show past infractions by the employee or disciplinary action by the company. Telephone logs may identify accomplices or associates of the subject; at a minimum, they will identify the suspect’s most recent contacts. Finally, security logs, time cards, and check-in sheets will establish when a suspected insider had physical access to a particular system.

Investigative Reporting

The goal of the investigation is to identify all available facts related to the case. The investigative report should provide a detailed account of the incident, highlighting any discrepancies in witness statements. The report should be a well-organized document that contains a description of the incident, all witness statements, references to all evidentiary articles, pictures of the crime scene, drawings and schematics of the computer and the computer network (if applicable), and finally, a written description of the forensic analysis. The report should state final conclusions based solely on the facts; it should not include the investigator’s opinions. The investigator should keep in mind that all documentation related to the investigation is subject to discovery by the defense, and should therefore exercise caution in any writings associated with the investigation.

COMPUTER FORENSICS

Computer forensics is the study of computer technology as it relates to the law. The objective of the forensic process is to learn as much about the suspect system as possible. This generally means analyzing the system with a variety of forensic tools and processes; the examination of the suspect system may also lead to other victims and other suspects. The actual forensic process is different for each system analyzed, but the guidelines in Exhibit 4 should help the investigator or analyst conduct the forensic process.

Exhibit 4. Guidelines for Forensic Analysis

Forensics Analysis

1. Conduct a Disk Image Backup of Suspect System
Remove the internal hard disks from suspect machine and label:
  Which disk is being removed (checking the cables C and D)?
  What type of disk is it? IDE or SCSI?
  What is the capacity of the disk, making a note of cylinders, heads, and sectors?
Place each disk in a clean forensic examination machine as the next available drive, bearing in mind that the suspect disk may carry a virus (keep only the minimal amount of software on the forensic examination machine and log all applications).
Backup (i.e., disk image) the suspect disks to tape:
  Make at least four copies of the affected disk.
  Put the original disk into evidence along with a backup tape.
  Return a copy back to the victim.
  Use the other two copies for the investigation (one is used for new utilities).
Pack the original suspect disks, along with one of the backup tapes in the appropriate containers, seal, mark, and log into evidence.
Restore one of the backup tapes to a disk equal in capacity (identical drive, if possible).
Analyze the data (in a controlled environment) on the restored disk.
2. System Analysis and Investigation (Forensic System)
Everything on the system must be checked.
If files or disk are encrypted:
  Try to locate or obtain the suspect’s password (which may be part of evidence collected).
  Attempt to obtain the encryption algorithm and key.
  Attempt to crack the password by using brute force or cracking tools.
  Compel the suspect to provide the password or key.
If the disk is formatted:
  Attempt to use the unformat commands.
Check for viruses.
Create an organization chart of the disk:
  Use the commands from the primary forensic host disk.
Chkdsk — displays the number of hidden files on the DOS system.
Search for hidden and deleted files with Norton Utilities:
  Change the attributes of hidden files.
  Un-erase deleted files.
If necessary, use data recovery techniques to recover:
  Hidden files (hidden by attributes or steganography).
  Erased files.
  Reformatted media.
  Overwritten files.
  Review slack space. (The amount of slack space for each file will vary from system to system based on cluster size that expands as hard disk capacity increases. The cluster, the basic allocation unit, is the smallest unit of space that DOS uses for a file.)
Inventory all files on the disk.
Review selected files and directories with Outside/In:
  Conduct a keyword search with a utility program or custom search program.
  Check word processing documents (*.doc), text files (*.txt), spreadsheets (*.xls), and databases (keep in mind that the file names may be camouflaged and may not relate to the content).
Review communications programs to ascertain if any numbers are stored in the application.
Search for electronic pen pals and target systems:
  Communications software setup.
  Caller ID files.
  War dialer logs.
Review the slack space on the suspect disk:
  Amount of slack space is dependent on disk capacity.
3. Reassemble the Suspect System (exact configuration)
Re-install a copy of the suspect disk onto the suspect system.
Check the CMOS to make sure that the boot sequence is floppy first, hard disk second.
If the system is password protected at the CMOS level, remove or reinstall or short out the CMOS battery.
Boot the system from a clean copy of the operating system (i.e., from floppy disk).
Pay particular attention to the boot-up process:
  Modified BIOS or EPROM.
  Possibly during the self test or boot-up process.
At first, do not use the affected system’s operating system (OS) utilities on the original disks:
  Many times these utilities contain a Trojan Horse or logic bomb that will do something other than what is intended (i.e., conducting a delete with the Dir command).
  If it is necessary to boot from the suspect system, check to ensure that the system boots from the floppy drive and not the suspect drive. This may mean using a clean DOS operating system floppy and then using the command.com file from that floppy.
Check the system time:
  Always check to see if the clock was reset on the system.
Run a complete systems analysis report:
  System summary, which contains the basic system configuration.
  Disk summary.
  Memory usage with task list.
  Display summary.
  Printer summary.
  TSR summary.
  DOS driver summary.
  System interrupts.
  CMOS summary.
  List all environment variables as set by autoexec.bat, config.sys, win.ini, and system.ini.
Check system logs for account activity:
  Print out an audit trail, if available.
  Is the audit trail used in the normal course of business?
  What steps are taken to ensure the integrity of the audit trail?
  Has the audit trail been tampered with? If so, when?
4. Reassemble the suspect system (exact configuration)
Use the affected system’s OS utilities on the original disks:
  Let the system install all background programs (set by autoexec.bat and config.sys).
What has been done to the system? Any Trojan Horses?
What rogue programs were left on the system?
  Check the system interrupts and TSRs for rogue programs (i.e., keystroke monitoring).
5. Restore and review all data on PCMCIA flash disks, floppy disk, optical disk, ditto tapes, zip drives, kangaroo drives, and all backup media.
Repeat procedures one through four for all data.
6. Notes and reminders
The investigator must use an anti-static wrist-band and mat before conducting any forensic analysis.
The investigator must make notes for each step in the process, especially when restoring hidden or deleted files or modifying the suspect system (i.e., repairing a corrupted disk sector with Norton Utilities).
The investigator must note that what has happened on the system may have resulted from error or incompetence rather than a malicious user.
The investigator must remember the byte ordering sequence when conducting a system dump.
The investigator must write-protect all floppies before analyzing.
When analyzing databases, the data structures must be compared. Either the data or the structure itself may have been changed, and a changed structure would totally invalidate the data.
The investigator should remember, even if the data is not on the hard disk, that it may be on backup tapes or some other form of backup media.
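Step 1 of Exhibit 4 rests on two controls the text states but does not show: every working copy must be a bit-for-bit image, and the investigator must be able to prove later that a copy still matches the original. The following is an added example, not code from the Handbook; it uses a constructed in-memory "suspect disk" written to a temporary file (a real acquisition would read a block device), hashes the original with SHA-256, makes the four copies the exhibit calls for, records each copy's hash in a chain-of-custody record, and then shows that a copy modified during analysis is caught on re-verification.

```python
"""Disk-image acquisition with hash verification and a chain-of-custody record.

Added example (not the Handbook's code). The suspect disk is a constructed
file of 512-byte sectors; only the file paths and sector layout are assumed.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector size assumed for the constructed disk


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE * 2048), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_disk(source: str, dest: str) -> str:
    """Bit-for-bit copy of the source device/file; returns the copy's hash."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, BLOCK_SIZE * 2048)
    return sha256_of_file(dest)


def acquire(source: str, workdir: str, copies: int = 4) -> dict:
    """Make `copies` images of `source`, verify each against the original's hash,
    and return a record suitable for the evidence log."""
    original_hash = sha256_of_file(source)
    record = {
        "source": source,
        "original_sha256": original_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "copies": [],
        "all_verified": True,
    }
    for n in range(1, copies + 1):
        dest = os.path.join(workdir, f"image_{n}.dd")
        copy_hash = image_disk(source, dest)
        ok = copy_hash == original_hash
        record["copies"].append({"path": dest, "sha256": copy_hash, "verified": ok})
        record["all_verified"] = record["all_verified"] and ok
    return record


def reverify(record: dict) -> list:
    """Re-hash every copy against the recorded original hash; returns the paths
    of copies that no longer match (an empty list means integrity is intact)."""
    return [c["path"] for c in record["copies"]
            if sha256_of_file(c["path"]) != record["original_sha256"]]


def make_suspect_disk(path: str, sectors: int = 64) -> None:
    """Constructed sample 'disk': a recognisable first sector, then numbered filler sectors."""
    with open(path, "wb") as fh:
        fh.write(b"CONSTRUCTED BOOT SECTOR".ljust(BLOCK_SIZE, b"\x00"))
        for n in range(1, sectors):
            fh.write(f"sector {n:04d} ".encode().ljust(BLOCK_SIZE, b"\xff"))


def demo() -> tuple:
    """Acquire four copies, then alter one working copy and show re-verification catches it.
    Returns (all copies verified at acquisition, number of copies, basenames of copies that now fail)."""
    with tempfile.TemporaryDirectory() as work:
        suspect = os.path.join(work, "suspect_disk.raw")
        make_suspect_disk(suspect)
        record = acquire(suspect, work, copies=4)
        # Simulate a working copy being modified during analysis (one byte in sector 1).
        with open(record["copies"][3]["path"], "r+b") as fh:
            fh.seek(BLOCK_SIZE)
            fh.write(b"X")
        failed = [os.path.basename(p) for p in reverify(record)]
        return record["all_verified"], len(record["copies"]), failed


if __name__ == "__main__":
    print(demo())  # prints (True, 4, ['image_4.dd'])
```

The record returned by `acquire` is what belongs in the evidence log alongside the sealed original: the source, the acquisition time, and one hash per copy. Re-running `reverify` before and after each analysis session gives the investigator the "notes for each step" the exhibit asks for in a form that a third party can independently check.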
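Step 2 of Exhibit 4 tells the analyst to review slack space, to un-erase deleted files, and to run a keyword search, and notes that the amount of slack depends on cluster size. The following added example (not the Handbook's code) models those points on a constructed cluster-allocated volume: it computes the slack a file leaves for a given cluster size, shows that deleting a file only releases its clusters while the bytes remain, and runs a keyword search over the whole image so each hit is reported as live file data, file slack, or unallocated space. The volume layout, file names, and keyword are all constructed for the example and do not correspond to any real file system driver.

```python
"""Slack-space and whole-image keyword search on a toy cluster-allocated volume.

Added example (not the Handbook's code). The volume, files and keyword are
constructed; the allocation model is a simplified first-fit cluster map.
"""
import math
import re


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes allocated to a file beyond its logical end (0 when it fills its last cluster)."""
    if file_size <= 0:
        return 0
    return math.ceil(file_size / cluster_size) * cluster_size - file_size


class ToyVolume:
    """Directory (name -> start cluster, size) plus a free-cluster map over a byte image.
    Deleting a file only frees its clusters; the bytes stay until overwritten."""

    def __init__(self, cluster_size: int, clusters: int) -> None:
        self.cs = cluster_size
        self.image = bytearray(clusters * cluster_size)
        self.free = [True] * clusters
        self.files = {}

    def clusters_for(self, size: int) -> int:
        return max(1, math.ceil(size / self.cs))

    def _first_fit(self, n: int) -> int:
        for start in range(len(self.free) - n + 1):
            if all(self.free[start:start + n]):
                return start
        raise OSError("volume full")

    def write_file(self, name: str, data: bytes) -> None:
        n = self.clusters_for(len(data))
        start = self._first_fit(n)
        base = start * self.cs
        self.image[base:base + len(data)] = data  # bytes after EOF in the last cluster are left as they were
        for c in range(start, start + n):
            self.free[c] = False
        self.files[name] = (start, len(data))

    def delete_file(self, name: str) -> None:
        start, size = self.files.pop(name)
        for c in range(start, start + self.clusters_for(size)):
            self.free[c] = True  # content is not wiped, which is what un-erase tools rely on

    def locate(self, offset: int) -> str:
        """Classify an image offset as file data, file slack, or unallocated space."""
        for name, (start, size) in self.files.items():
            lo = start * self.cs
            hi = lo + self.clusters_for(size) * self.cs
            if lo <= offset < lo + size:
                return f"file:{name}"
            if lo + size <= offset < hi:
                return f"slack:{name}"
        return "unallocated"

    def slack_report(self) -> dict:
        return {name: slack_bytes(size, self.cs) for name, (_, size) in self.files.items()}

    def keyword_search(self, keyword: str) -> list:
        """Case-insensitive search over the entire image, not only live files."""
        pattern = re.compile(re.escape(keyword.encode()), re.IGNORECASE)
        return [(m.start(), self.locate(m.start())) for m in pattern.finditer(bytes(self.image))]


def build_sample() -> ToyVolume:
    """Constructed scenario: a memo is written, a spreadsheet after it, the memo is
    deleted, and a shorter note reuses the memo's first cluster."""
    vol = ToyVolume(cluster_size=1024, clusters=8)
    memo = bytearray(b"." * 1200)
    for off in (100, 700, 1100):
        memo[off:off + 13] = b"PROJECT ALPHA"
    vol.write_file("memo.doc", bytes(memo))      # clusters 0-1
    sheet = bytearray(b"#" * 2048)
    sheet[10:23] = b"project alpha"
    vol.write_file("budget.xls", bytes(sheet))   # clusters 2-3, fills both, so no slack
    vol.delete_file("memo.doc")                  # clusters 0-1 freed, bytes remain
    vol.write_file("notes.txt", b"n" * 600)      # cluster 0 reused; memo bytes 600-1023 survive as slack
    return vol


if __name__ == "__main__":
    vol = build_sample()
    print(vol.slack_report())                 # {'budget.xls': 0, 'notes.txt': 424}
    print(vol.keyword_search("project alpha"))
    # [(700, 'slack:notes.txt'), (1100, 'unallocated'), (2058, 'file:budget.xls')]
    print(slack_bytes(600, 4096))             # 3496: the same file wastes far more on a large-cluster disk
```

The search finds the keyword in three places the directory listing alone would never reveal: inside the slack of `notes.txt` (the tail of the deleted memo's first cluster), in an unallocated cluster (the memo's second cluster), and in a live file. The hit that was at memo offset 100 is gone because the new note overwrote it, which is the limit of what un-erase and slack review can recover. The last line illustrates the exhibit's remark that slack grows with cluster size: a 600-byte file leaves 424 bytes of slack with 1,024-byte clusters but 3,496 bytes with 4,096-byte clusters.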

