In the UK, I often think that if you stand somewhere long enough you will eventually become part of a queue. Try it the next time you’re in a shopping centre. People, it would seem, believe that if you’re standing still when everybody else is running around then there simply must be a pretty good reason for it.
Standing still and not ‘moving with the times’ is generally discouraged in the security world. In the field of computer forensics, practitioners are in a continuous technological ‘arms race’ with wrongdoers while software and devices are constantly changing.
There’s a need to be able to find evidence on whatever technology is out there – including the latest gadgets, satellite navigation tools, tablets or cloud services.
Yet, at the same time, it can be surprising how hesitant practitioners feel as the discipline evolves. In the world of proof and evidence, tried-and-tested technologies and procedures are hard-earned and valued. Despite this discomfort, we’re now seeing the emergence of ‘a new forensics’: a discipline that’s reinventing itself year-by-year, but that remains rooted in stable scientific principles.
In this new monthly column, I’d like to share with you a commentary on this exciting field. Forensic experts seek to explain computer evidence in plain language, but often this discipline remains inaccessible to the legal, risk and investigations professionals who desperately need it. What’s clear is that, in our rapidly evolving technological environment, computer forensics has an important part to play across the gamut of corporate investigations. That state of affairs is unlikely to change anytime soon.
Excavating the digital dig site
Computer forensics used to be thought of as ‘anything to do with getting evidence from computers’, and it’s fair to say that defining computer forensics as a discipline has become harder over the years.
For example, the process of searching and reviewing user-generated e-mails and documents has spawned the field of ‘electronic discovery’. While related to computer forensics, this process alone doesn’t do justice to the search for the provenance of those documents (or analysing the more general way in which a computer has been used).
In fact, computer forensics has been most successful in proving how technology was employed either as a tool to commit – or support – a crime. Your computer can be your closest companion, and it knows all your secrets, but it will ‘kiss and tell’ to a forensic expert.
Computer forensic practitioners excel at reconstructing the past into a timeline. Like archaeologists, they excavate digital media and find the artefacts to evidence how that computer was used.
We’re very good at finding out how things occur and when (such as when a suspect downloaded pirated software, when sensitive data was copied to a USB stick or how a secure company database was compromised).
Web history: a timeline of searches
Take web search history as an example. You may not be aware that, even when periodically ‘flushed’, fragments of your Internet searches remain littered over the surface of your computer hard disk. Experts can ‘harvest’ these deleted fragments and produce a timeline of searches.
What does your Google search history reveal about you? What ailments are you afflicted with, where are you going on holiday – or perhaps more relevantly, how are you spending the proceeds of a crime? My favourite Internet search found on a suspect’s computer is: ‘How do I permanently delete stuff from my hard drive’.
The first thing an expert must do is preserve the ‘crime scene’ in accordance with best practice (such as the ACPO Good Practice Guide for Computer-Based Electronic Evidence). Experts will take a forensic ‘image’ of a computer hard drive, live memory, network traffic or other data in a manner which is complete (i.e. every byte of the media is captured), defensible and traceable. Once captured, data is treated like any other evidence: it’s bagged, tagged and secured, with each step in its physical transfer being recorded in a ‘chain-of-custody’ document.
However, as with any crime scene the danger of destruction or contamination of evidence is very real and could collapse your case. Experts are very wary about executing any action that could result in changes to the media being imaged: something as simple as turning on a computer can cause thousands of potentially useful artefacts to be overwritten and destroyed.
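The ‘complete, defensible and traceable’ acquisition described above, as an added illustration that is not part of the original column: every byte is copied, the source and the image are hashed independently, and the result is written into a chain-of-custody entry. The in-memory buffer, exhibit id and examiner name are constructed stand-ins; real media would be read through a hardware write blocker.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized drive (in practice a raw block device
# opened read-only behind a write blocker, never an in-memory buffer).
SAMPLE_MEDIA = (b"NTFS    boot sector placeholder\x00" * 64
                + b"deleted report.docx fragment" + b"\x00" * 4000)

def image_media(source, dest, chunk_size=4096):
    """Copy every byte from source to dest, hashing the source as it is read
    and then re-reading the finished image so the two hashes are independent.
    Returns (bytes_copied, source_sha256, image_sha256)."""
    src_hash, img_hash = hashlib.sha256(), hashlib.sha256()
    copied = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        src_hash.update(chunk)
        dest.write(chunk)
        copied += len(chunk)
    dest.seek(0)
    for chunk in iter(lambda: dest.read(chunk_size), b""):
        img_hash.update(chunk)
    return copied, src_hash.hexdigest(), img_hash.hexdigest()

def custody_record(exhibit_id, copied, src_sha, img_sha, examiner):
    """Chain-of-custody entry; a hash mismatch marks the image as not defensible."""
    return {
        "exhibit": exhibit_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": copied,
        "source_sha256": src_sha,
        "image_sha256": img_sha,
        "verified": src_sha == img_sha,
        "examiner": examiner,
    }

def verify_image(image_bytes, expected_sha256):
    """Later re-verification (e.g. on receipt from another party): the image is
    only trusted if its hash still matches the custody record."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256

def acquire(exhibit_id, media_bytes, examiner="examiner-placeholder"):
    source, image = io.BytesIO(media_bytes), io.BytesIO()
    copied, src_sha, img_sha = image_media(source, image)
    return custody_record(exhibit_id, copied, src_sha, img_sha, examiner), image.getvalue()

if __name__ == "__main__":
    record, _ = acquire("EXHIBIT-001", SAMPLE_MEDIA)
    print(json.dumps(record, indent=2))
```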
I often find myself commencing an investigation after a client has undertaken a ‘quick and dirty’ review of the suspect’s computer before sending it to the forensic team. If you’re burgled, most of us know not to have a good ‘clean-and-tidy up’ before reporting the incident to the police. It would seem that the perishability of the ‘virtual crime scene’ has yet to enter the public consciousness.
By piecing their way through a forensic image, investigators can uncover the ‘tracks in the sand’ that reveal a suspect’s activities. A fragment of Google search history, a recently used document list or a record of copying data to an iPhone can all be pieced together into a timeline of events.
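Harvesting deleted search fragments into a timeline, as described in the ‘Web history’ section and in the paragraph above, shown as an added example that is not code from the original column. The ‘unallocated space’ bytes, and the record layout of an 8-byte little-endian Unix timestamp followed by a NUL-terminated URL, are constructed stand-ins for the browser-specific history formats an examiner would actually carve.

```python
import re
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed record layout standing in for real browser history records:
#   <8-byte little-endian Unix epoch><NUL-terminated URL>
def _rec(epoch, url):
    return struct.pack("<Q", epoch) + url.encode() + b"\x00"

# Constructed "unallocated space": live records, stale clusters, junk and a
# duplicate fragment that survived in a second cluster.
UNALLOCATED = (
    b"\xff" * 37
    + _rec(1325419200, "http://www.google.co.uk/search?q=how+do+I+permanently+delete+stuff+from+my+hard+drive")
    + b"\x00" * 11 + b"stale cluster data"
    + _rec(1325332800, "http://www.google.com/search?q=usb+copy+company+database&hl=en")
    + b"JUNK" + b"http://example.com/not-a-search"  # no search, no timestamp: ignored
    + _rec(1325419200, "http://www.google.co.uk/search?q=how+do+I+permanently+delete+stuff+from+my+hard+drive")
)

RECORD = re.compile(
    rb"(?P<ts>.{8})(?P<url>https?://www\.google\.[a-z.]+/search\?[^\x00]+)\x00", re.DOTALL)

def carve_searches(raw):
    """Yield (datetime, query, disk_offset) for every search record in raw bytes."""
    for m in RECORD.finditer(raw):
        epoch = struct.unpack("<Q", m.group("ts"))[0]
        query = parse_qs(urlparse(m.group("url").decode()).query).get("q", [""])[0]
        yield datetime.fromtimestamp(epoch, timezone.utc), query, m.start()

def search_timeline(raw):
    """Deduplicate identical fragments (the same record often survives in
    several clusters) and return the searches in chronological order."""
    seen, events = set(), []
    for when, query, _offset in carve_searches(raw):
        if (when, query) not in seen:
            seen.add((when, query))
            events.append((when, query))
    return sorted(events)

if __name__ == "__main__":
    for when, query in search_timeline(UNALLOCATED):
        print(when.isoformat(), query)
```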
In the specific case of cyber crimes, such as network intrusion and intellectual property theft, this sort of evidence is absolutely essential.
Too much data, too many devices
Like all IT practitioners, computer forensics experts have to deal with the problem of ‘big data’. I investigate many intellectual property thefts where the client doesn’t have a clear idea of who the suspects are or how the data left the corporate network.
Traditional ‘one machine at a time’ forensic approaches can often fall short where it’s not clear which machine to look at first. It can feel a bit like wrestling an octopus - you never seem to have enough hands.
The number of wireless devices continues to grow into a large ‘Internet of things’. When searching a desk, we now have to grab the desktop computer but also look out for USB drives disguised as pens, digital cameras disguised as tissue boxes and a myriad of MP3 players, smart phones and other devices. Never has there been so much data and so many different ways to hide it.
Over the next year, I predict that vendors and professionals will discover new ways to preserve and analyse digital data en masse. We are increasingly using tools to ‘triage’ the data landscape before conducting deeper investigations – a simple example would be to review USB device activity over the network before focusing on a smaller number of machines.
Effective project management: often the decider
Scale often demands a new way of doing things. The field of electronic discovery grew out of the need to review the vast number of e-mails and user documents that are relevant to a civil dispute. In my experience, effective project management can make or break this exercise, and this is probably more important than the particular technologies used. Similarly, I believe that the ‘Internet of things’ will demand the same type of approach from computer forensic experts.
Fortunately, during the last decade corporate and law enforcement professionals have had to adapt to ever-increasing case loads and have developed techniques to ‘triage’ cases. The demands presented by high case loads have driven the advent of new technologies, among them picture analysers that automatically detect ‘flesh tones’ and mobile phone analysis tools that can be used in the field by ‘first responders’.
The widespread proliferation of devices and data can also be awkward for users. The increasing popularisation of cloud-based services is a way of centralising data (and evidence).
Forensic experts have often had to deal with third parties such as ISPs, e-mail providers and data warehouses, and so it would seem that cloud-based technologies may not bring any significant technical challenge. I suspect the challenges presented by the cloud will be more logistical and, in some cases, the widespread replication of data may even make our jobs easier.
Good defence: it’s all about preparation
As with many areas of corporate security, a good defence is all in the preparation.
I have spoken to incident response teams who do not incorporate a forensic approach because they either don’t have the skills in-house, or they believe that a ‘forensic approach’ is not required for those cases that will never go in front of a judge.
I often say that 90% of these ‘onerous’ forensic processes and principles are simply good project management.
Often, the real value in forensics for a corporate investigator is less about legal admissibility and more about the intelligence that forensics can provide. By helping an investigator more fully understand the ‘who, what, when, how and why’ of an incident it will be easier to understand the controls that have been circumvented and to identify trends.
This is particularly the case with network intrusions where, in the rush to secure the perimeter, rash decisions are made and important evidence is lost that could help prevent further attacks.
The computer forensics community in the UK is a closely networked group whose members are drawn from law enforcement, consultancies, corporations, vendors and independent expert witnesses. It’s this tight community - networked around groups such as the First Forensic Forum (F3), online forums like Forensic Focus and international conferences including the AccessData Users Conference and Guidance Software’s Computer Enterprise and Investigations Conference (CEIC) - that really boosts knowledge transfer within the field.
In 2012, this community will need to concern itself with ubiquitous computing, clouds, smart phones and new wireless applications. Put simply, it’s not a time to be standing still.
Simon Placks leads the Ernst & Young IT Forensics team