A few years ago, I found myself standing outside an office building in Kazakhstan trying to bury a computer hard drive in the snow. It was night-time in the middle of the Kazakh winter and my suit was failing to insulate me from the elements.
Funnily enough, it was the cold temperature that I was after (rather than a means to conceal evidence). As I'll explain, I was attempting an old data recovery trick.
My client had suffered a leak of commercially sensitive data and, as part of the investigation, we were spending the night covertly imaging a number of computers.
I have never been a fan of the traditional covert jobs: you always need to make sure that you leave the office relatively ‘undisturbed’. This means you have to photograph every work area and leave each desk in exactly the same state you found it. That includes the computer and surrounding desktop debris such as stationery, peripherals, cables and papers.
On this particular job there was one machine covered in about 30 novelty pencil erasers. Despite much discussion and planning most of them ended up on the floor.
Dust can also cause difficulties: a dusty desktop computer can reveal finger marks where cases and monitors have been removed. Someone once told me that they used ‘dust in a can’ to help them disguise their tracks, involving a combination of talc and grey chalk. I’m not so sure I believe this, but I like the idea.
Imaging a machine over the network
These days, we prefer to use software that can image a machine over the network. These tools are quite sophisticated and can install themselves stealthily on the suspect’s machine. They are smart enough to reduce their impact upon network bandwidth and processor performance so as not to alert a suspect.
However, on this investigation the office had a very slow network and we were forced to take a more conventional approach.
We turned up at about 10.00 pm (we wanted to get in earlier, but the cleaners had started late) and began imaging an e-mail server, a file server and about 20 workstations. I was having a problem with the prime suspect’s machine: an old 486 with an archaic hard drive that was making some very unhealthy clicks. Our forensic rig could read the drive, but very slowly, and was missing whole sectors of the drive that were reported as ‘bad’.
There's a forensic data recovery trick which advises that, in some circumstances, cooling the drive by placing it in a fridge can temporarily improve things (please don’t try this at home!). In this case, I had no fridge: hence the snow. I used an evidence bag to make the drive water-tight and ventured out into the night.
Fortunately, the trick worked, resulting in a full forensic image being completed within two hours. I was very pleased with myself. However, this feeling subsided when I analysed the image.
'How to forensically copy a Windows computer'
In among the suspect’s Internet history were searches that had been undertaken by a locally contracted ‘forensic and IT security’ firm. One search string read: 'How to forensically copy a Windows computer'. Data breach investigations rely upon tracking digital footprints in the snow, but they had got there first with a shovel and a plough.
By not using a defensible forensic approach these investigators had potentially lost valuable information. After some digging we uncovered that they had bungled in and used the suspect’s own machine to do the analysis. An experienced examiner will always try their best to minimise any changes to the suspect’s hard drive. This could have been achieved by imaging the machine first and using a hard-drive write-blocker that prevents any alteration to the original media. They could have then worked on the copy.
If this case had gone to court or a tribunal, any digital evidence gathered from that machine could be challenged as to its provenance, and would probably be rendered useless. Our client needed to learn more about the intellectual property (IP) theft, and wanted to be able to take legal action against the perpetrator. By failing to follow correct process, the previous investigators had compromised both of these objectives.
In our experience ‘quick and dirty’ investigations do not turn out to be any quicker (because specialist tools are often more efficient) and are actually pretty ineffective rather than just ‘dirty’.
IP theft: how it can impact on your business
Intellectual property is recognised by many businesses as one of their most valuable assets. In its broadest sense, IP can encompass any proprietary data that took money and effort to compile or create. This can include customer relationship data, knowledge repositories and sales trends, as well as more conventional assets like patents and designs.
Businesses need to be able to leverage their IP so as to be competitive and to justify the Return on Investment. They can only realise these benefits if their secrets are protected.
There are different ways that IP can be removed from your organisation and each requires slightly different forms of forensic investigation.
Competitors within specific industries have similar types of information assets (eg program source code and mathematical trading models) and, while this makes them more vulnerable to theft, it also allows industry groups to pool together their experience in combating the threat.
Unfortunately, many firms wish to uncover or seal a data leak quickly, but are unprepared for doing so. This can lead to disasters similar to the Kazakhstan example outlined above.
This can be particularly the case when the breach involves personal data. Recently, the European Commission has proposed a reform of the EU’s Data Protection rules, including the directive upon which the UK’s Data Protection Act is based. The proposal includes a requirement for companies and organisations to notify the national supervisory body (the Information Commissioner in the UK) of serious data breaches as soon as possible (and within 24 hours in some cases).
There are also proposals for penalties of up to €1 million or 2% of a company’s global turnover.
Time to review your reactions
This heightened pressure on unprepared organisations could result in increased panic when a breach is discovered. Now is the time for organisations to review how they react when data breaches occur. I would suggest that a forensic investigation of these incidents will provide valuable intelligence to help uncover the risk profile and define an appropriate security stance.
Investigators and journalists like to refer to the 'Six Ws' of an investigation: the ‘who’, ‘what’, ‘where’, ‘when’, ‘why’ and ‘how’. In a data breach investigation, it's imperative to consider each of these interrogatives thoroughly.
It can be tempting to focus solely on the ‘how’. For example, you may have worked out how a ‘Structured Query Language (SQL) injection attack’ was used to access a customer database but, before you patch and rebuild the server, how much do you know about what they took, when the incident occurred and for how long?
Similarly, why did they want access? A ‘hacktivist’ may be trawling the system to retrieve as much data as possible. Alternatively, a disgruntled employee at risk of redundancy may be after the most ‘saleable’ data, or perhaps solely the data that related to their work and their relationships.
It's useful to chart what is known about the incident along these dimensions because it can help focus the investigation strategy.
Using 'data-driven' techniques: why they may be helpful
If little is known about the perpetrator, co-conspirators and victims (ie the ‘who’) then I find that ‘data-driven’ techniques can be helpful. This means scanning all available digital sources looking for red flags or patterns in the data (rather than focusing on a specific hypothesis of how the theft occurred).
For example, if you have an office with 500 computers, and you know that your intellectual property was e-mailed to a competitor via a webmail account, then a forensic scan for webmail activity, correlated with data source access, USB drive usage and other characteristics can be very revealing.
This data can draw your attention to interesting activity that warrants deeper investigation. Different behaviours, while not incriminating per se, can draw the eye. Why was this employee working late on Saturday? Why was someone in HR looking at lots of computer-aided design (CAD) documents? Why has this user been downloading executable files from the web?
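As an added example (not code from the article or from Ernst & Young), the correlation just described, run over a few constructed telemetry lines: a user is flagged only when several distinct indicators (webmail, USB mount, access to a sensitive share, executable download) cluster inside a short window. The CSV layout, event names and hostnames are assumptions.

```python
"""Data-driven triage of endpoint telemetry for IP-theft red flags.

Added illustration, not the author's or Ernst & Young's tooling. The log lines
are a constructed, hypothetical CSV export (timestamp,host,user,event,detail);
real proxy, EDR or USB-audit logs need their own parsers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one observed event per line.
SAMPLE_LOG = """\
2012-03-10T09:12:00,PC017,jsmith,share_access,\\\\fs01\\designs\\turbine_v3.cad
2012-03-10T09:40:00,PC017,jsmith,usb_mount,KINGSTON DT101
2012-03-10T09:55:00,PC017,jsmith,webmail,mail.example.net
2012-03-10T11:05:00,PC042,ahughes,webmail,mail.example.net
2012-03-10T14:20:00,PC088,bpatel,share_access,\\\\fs01\\hr\\payroll.xlsx
2012-03-11T08:30:00,PC088,bpatel,exe_download,installer.exe
2012-03-11T23:45:00,PC088,bpatel,usb_mount,SANDISK CRUZER
"""
# Indicators the text names: each is innocuous alone, telling in combination.
INDICATORS = {"webmail", "usb_mount", "share_access", "exe_download"}

def parse_log(text):
    """Yield (timestamp, host, user, event, detail) tuples from the export."""
    for line in text.splitlines():
        ts, host, user, event, detail = line.split(",", 4)
        yield datetime.fromisoformat(ts), host, user, event, detail

def correlate(text, window_hours=2, min_distinct=3):
    """Flag users showing at least `min_distinct` different indicator types
    within any span of `window_hours`. Returns {user: sorted indicator names}."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ts, _host, user, event, _detail in parse_log(text):
        if event in INDICATORS:
            by_user[user].append((ts, event))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide a window from each event
            kinds = {ev for ts, ev in events[i:] if ts - start <= window}
            if len(kinds) >= min_distinct:
                flagged[user] = sorted(kinds)
                break
    return flagged

if __name__ == "__main__":
    for user, kinds in correlate(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(kinds)}")
```

Widening the window (for example to 48 hours) also surfaces the second user, which is the tuning trade-off between missed leads and noise.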
This is particularly helpful with respect to emerging technologies such as cloud-based storage, where the market has yet to settle into four or five dominant players and examiners tend not to be familiar with the full gamut of providers.
Eternal vigilance and the January job hunt
Due to all the risks outlined, it's often tempting to take a ‘lock down’ approach to securing data, and of course this can be a good thing. It helps prevent accidental leakage, deters attackers and sets the correct tone within an organisation. Information on the Internet is freely available but our intellectual property is not!
The problem is that humans are highly adaptive: it’s one of our defining traits and it's not always easy to maintain business continuity with a highly rigid security stance.
Your company still needs to be able to use its IP, often on a day-to-day basis, in a manner that is efficient and flexible. In addition, IP of all different forms is constantly being created, modified and transmitted by your employees using the assets at their disposal.
Simply charting all of this data is tricky enough, but understanding how people react to changes in IT security policies is key.
If you’re going to lock down USB ports then spend some time exploring and reviewing how people might ‘adapt’. An investigation following a data breach can often be enlightening in this regard.
In IP theft investigations, we can identify ‘red flags’ by characterising typical user behaviour and scrutinising deviations. In a similar way to how a polygraph attempts to identify ‘guilty knowledge’ or fictitious statements by first analysing behavioural norms, fluctuations in regular patterns can help give the game away.
I use the word ‘attempts’ for a very good reason. The polygraph has had a very hard time in academic research, but the principle of deviations from normal behaviour can sometimes shine the spotlight on interesting activity.
For example, it's often extremely useful to plot the file access and deletion behaviours of a suspect for the three months up until they leave a company. Peaks of activity in the graphs can often be correlated with significant events such as a poor performance appraisal, the ‘January job hunt’ or resigning from the firm.
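An added example, not the author's own method, of the departure-window profiling described above: weekly deletion counts for a constructed departing user, the median week taken as the norm, and peaks paired with HR milestones that are likewise constructed.

```python
"""Profile a departing user's weekly file deletions and flag the peaks.

Added example, not the author's own method or tooling. The events and the
milestone dates are constructed for illustration; in practice they would
come from file-system metadata, recycle-bin artefacts and HR records.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

LEAVE_DATE = date(2012, 1, 27)          # constructed: user's last day (a Friday)
MILESTONES = {                          # constructed HR timeline
    date(2011, 12, 1): "poor performance appraisal",
    date(2012, 1, 20): "resignation tendered",
}

def build_sample_events():
    """Constructed: routine weekday housekeeping plus two weekend purges."""
    start = LEAVE_DATE - timedelta(weeks=12)
    events = []
    for day in range(12 * 7):
        d = start + timedelta(days=day)
        if d.weekday() < 5:                 # one scratch file deleted per workday
            events.append((d, "delete", f"C:\\work\\scratch_{day}.txt"))
    for i in range(25):                     # Saturday after the appraisal
        events.append((date(2011, 12, 3), "delete", f"\\\\fs01\\designs\\part{i}.cad"))
    for i in range(40):                     # Saturday after resigning
        events.append((date(2012, 1, 21), "delete", f"\\\\fs01\\designs\\model{i}.cad"))
    return events

def weekly_counts(events, action="delete"):
    """Count matching events per ISO (year, week), oldest first."""
    counts = Counter(tuple(d.isocalendar()[:2]) for d, act, _ in events if act == action)
    return sorted(counts.items())

def flag_peaks(weekly, factor=3.0):
    """Weeks whose count exceeds `factor` times the median week (the norm)."""
    baseline = median(n for _, n in weekly)
    return [(week, n) for week, n in weekly if n > factor * baseline]

def annotate(peaks, milestones=MILESTONES):
    """Pair each peak week with milestones falling in the same ISO week."""
    return [(week, n, [label for d, label in milestones.items()
                       if tuple(d.isocalendar()[:2]) == week])
            for week, n in peaks]

if __name__ == "__main__":
    for (year, week), n, notes in annotate(flag_peaks(weekly_counts(build_sample_events()))):
        print(f"{year}-W{week:02d}: {n} deletions  {'; '.join(notes)}")
```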
IP theft: the major trends
Overall, there have been a number of trends surrounding IP theft over the last five years. The key issues include network hacking via SQL Injection and malware, cloud-based storage, virtualisation and ‘seepage’ from corporate websites and social media.
Passwords are still the main mechanism by which we protect our IP but password cracking software is becoming ever more sophisticated. Some can take biographic data about the user (possibly harvested from social media websites) to come up with likely passwords (using well-known tricks such as replacing letters with numbers), combinations of which are then fired at an encrypted file at rapid speeds.
Of course, I still come across such ingenious passwords as Pa55w0rd and abc123 (these can be broken in seconds by the best tools).
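The defensive counterpart, as an added example that is not from the article: a password-policy check that undoes the letter-for-number swaps described above before comparing the result against a weak-password list and the user's own profile data. The substitution table, weak list and profile are constructed for illustration.

```python
"""Server-side password-policy check against biographic and substituted guesses.

Added example (not the author's or any vendor's product): it undoes the
letter-for-number swaps the text describes and tests the result against
a weak-password list and the user's own profile. The profile, list and
substitution table are constructed for illustration.
"""
import re

# Popular swaps mapped back to the letter they usually stand in for.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})
WEAK = {"password", "abc123", "qwerty", "letmein", "welcome"}   # constructed

def normal_forms(pw):
    """Variants to test: as typed (lower-cased), swaps undone, and swaps
    undone after stripping trailing padding such as '2012' or '!'."""
    low = pw.lower()
    core = re.sub(r"[^a-z]+$", "", low)
    return {low, low.translate(UNLEET), core.translate(UNLEET)}

def profile_tokens(profile, min_len=4):
    """Words and numbers from the user's profile worth refusing in a password."""
    return {t.lower() for v in profile.values()
            for t in re.findall(r"\w+", str(v)) if len(t) >= min_len}

def check_password(pw, profile, min_len=12):
    """Return the list of policy failures; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    forms = normal_forms(pw)
    if forms & WEAK:
        reasons.append("matches a known weak password")
    hits = sorted(t for t in profile_tokens(profile)
                  if any(t in f for f in forms))
    if hits:
        reasons.append("derived from profile data: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    profile = {"name": "Alex Smith", "employer": "Example Turbines",
               "born": 1984, "pet": "Rufus"}                    # constructed
    for candidate in ("Pa55w0rd", "abc123", "Rufu5_Turb!ne5_84",
                      "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, profile) or "ok")
```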
Much otherwise ‘encrypted’ data (including passwords) resides in an unencrypted state within a computer's live memory. This makes it vulnerable to software which can access that memory wholesale. Malware is particularly scary in this respect, with the use of key-logging software that watches your Internet activity. It has now become part of standard forensic protocol to scan for these processes (in live memory as well as on a hard drive) when commencing a computer examination.
IT departments work to secure their networks from these threats, but what about your customers and employees and their home computers? This can become a problem if your employees use their home machines to access IP.
Looking at the bigger picture
The challenges around IP theft are becoming more complex as companies have ever less direct control over where their data resides and travels.
On my flight back from Kazakhstan, in a single carry-on I hauled enough storage to hold two copies of the entire Internet as it was back in 1997...
Intellectual property and sensitive corporate data can easily be stored on smart phones, tablets and other devices which are increasingly used as standard in workplaces. Similarly, ever-increasing bandwidth makes it very easy to transfer and replicate this data.
That said, it’s not all about technology. To a very significant degree, leveraging and protecting your intellectual property is also a process of building up a trust relationship with your employees. Locking down your IP may help, but many secrets can simply be remembered.
Understanding this relationship must not be a subordinate goal to building your 'digital fortress'.
Moreover, you can never guarantee that your IP will not leak from your organisation. 'Deep freezing' that data securely can sometimes work effectively, but the message is clear: you must also be prepared for a thaw.
Simon Placks leads the Ernst & Young IT Forensics team