Special Report: Security Futures

There may be trouble ahead:

Life really isn't fair.

You're confident you've thought of every possible eventuality and that your security strategy is finally watertight. Your IPS and IDS are installed, configured, and ready for anything; your AV software is state-of-the-art and bang up to date; your endpoint security processes are right on the money; your remote access policies are as tight as the proverbial, and you've got more firewalls, PKI systems, and biometrics than you can shake a stick at. Yep, this time you've really done your homework...

...And then some oik with an imagination and a grudge goes and invents an all new, all-singing, all-dancing nasty that circumvents the lot. So you end up back at square one sounding like Yosemite Sam: of all the sneaky, cotton-pickin', sassin', frassin', $@?%*!...

Frustrating it may be, but sadly that's today's threat landscape for you: ever evolving, ever changing and ever more onerous. And faced with such changeable terrain, the only certainty is that it's going to keep getting more difficult, if not impossible, to police all of the entry points against all of the threats, all of the time. Mind you, it would make life easier if you only knew what the future holds. If you could just get a look at the horizon then you could at least try and prepare.

So here goes with iQ's special report on some of the security ghosts of Christmas present and Christmas yet to come...


100% Proof

If, like most people, your knowledge of Forensics is limited to the odd episode of Silent Witness or Quincy M.E., you're maybe a trifle disappointed when you realise that this feature doesn't involve Jack Klugman battling with botulism and institutional injustice.

Indeed there's barely a corpse or a fainting police cadet in the entire piece. Because the fact is that, 1970s US coroners notwithstanding, TV often gets things horribly wrong where the finer points of forensic investigation are concerned; especially when it comes to the latest tool in the box - Computer Forensics.

(For the record, even CSI: Crime Scene Investigation - from which you might expect a degree of authenticity - recently ran a storyline that saw a tech crime 'expert' switching on a machine he was supposed to be scrutinising. Schoolboy error. Lesson 1: you never boot from a suspect hard drive.)

That's a worry because back in the real world, Computer Forensics - the art of tracking down digital evidence after a computer security incident has taken place - is becoming an increasingly important aspect of computer security.

And small wonder. For one thing, just as computers and communications continue to evolve, so too do the techniques and wiles of the cyber criminal. Security therefore has little choice but to follow suit.

For another, with compliance - and the consequences of non-compliance - becoming ever more onerous and costly, the need for corporate vigilance and accountability is still on the rise. Traditional notions of security and vigilance are no longer enough. Businesses today must not only be aware of the implications of their actions, but of the procedures they should be following should any kind of investigation become necessary.

Accordingly, from tracing and tracking staff email use, to cooperating with law enforcement, to adhering to legislation such as the US Patriot Act, computer-based investigation and methods of detecting and gathering electronic evidence are evolving rapidly in both importance and complexity.

From a criminal perspective, IT forensics focuses on two main areas. The first is when a computer is used to commit a crime - identity theft, hacking, intrusion and so on - the second when a person or organisation falls victim to such a crime. But it should be noted that forensic investigations can also be initiated for a variety of reasons beyond the strictly "criminal" - regulatory compliance, breaches of commercial confidence, even email abuse (see box-out) - and that's when things can get complicated.

In short though, Computer Forensics is about conducting a structured investigation that allows the business to learn exactly what has happened on a digital system at a particular time, and who was responsible:

The theory being that computer crime (and even just everyday activity) always leaves tracks, and that it's simply a matter of finding them. From a hardware perspective this might involve investigating, searching, and retrieving evidence from pretty much any kind of physical or digital entity - servers, PCs, laptops, PDAs, mobile phones, even USB keys - from which every variety of information including data, files, and processes may be pulled and examined.

In software terms every source from databases and applications to email and ISP logs may come under scrutiny.

By reviewing everyday operational data such as a person's SatNav history, it's even possible to verify the physical locations of workers or equipment. The process essentially involves three phases for recovering evidence from the computer system or storage medium in question: acquire, analyse, and report - and preparation is the key.

The first question Computer Forensics will likely ask of the business is whether it has shown sufficient and due diligence in protecting its systems.

Do you have up to date anti-virus protection, firewalls, and content filtering? Does your software include all the latest updates? Have contractors and staff been properly identity screened? Do you have clear security procedures and policies? Are your staff trained in security awareness? Do you record access and authorisation rules? Do you use sufficiently strong password authentication?

To this end a robust security policy and the latest prevention technologies are vital.

Specific to the Computer Forensics process itself, there are already several popular tools of the trade available for both proprietary and open source environments. Proprietary solutions include enVision from RSA Security (which is now part of EMC), EnCase from Guidance Software, and FTK from AccessData, while the main open source tools include Filehound, The Sleuth Kit, WinHex, and Snort.

Other useful tools include Honeypots - monitored network decoys that serve the dual purpose of distracting cyber criminals and leading them away from the more valuable machines on the network, and that provide an early warning about new attack and exploitation trends. They also allow in-depth examination of the adversary both during and after the time the Honeypot is being accessed.

Where an organisation falls victim to computer crime or becomes implicated in one in some way, there are certain steps it must take from a Forensics point of view.

Questions to ask your Certified Forensic Expert
  • What do you specialise in? Some recommend choosing a forensic expert dedicated to either FAT or NTFS Windows file systems, as an investigation into each takes a radically different approach.
  • What will the courts need?
  • How to ensure business continuity?
  • What will they be checking: Flow logs, ISP logs, file system, volatile data, network device logs, database logs?

First, unless there are exceptional circumstances or you happen to be a certified Computer Forensic expert, it isn't a good idea to attempt to begin the investigation yourself. Without proper procedures you risk jeopardising the identification, capture, analysis, preservation and processing of evidence. Instead, as with any crime scene, the best option is to seal the area quickly, ensure that no one has access to the machine or machines in question, and generally try to preserve the integrity of the scene without changing or touching anything.

Thereafter you should seek qualified, expert help, which generally means finding a suitable ISO 9001-certified supplier. Be sure to ask about their incident response procedures, how they can guarantee data protection, and how they will assess your forensic readiness. The immediate priority - particularly where there's no detailed incident response procedure in place - is then containment and the preservation of vital trails of evidence before they can be destroyed. There are then several definite do's and don'ts that you and your supplier should adhere to, according to computerforensicsworld.com:

"Very broadly, the main phases are to secure the subject system (from tampering during the operation); take a copy of the hard drive (if applicable); identify and recover all files (including any that have been deleted); access/copy hidden, protected, and temporary files; look at any 'special' areas on the drive (such as residue from previously deleted files); investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the user's activity; and then create a detailed report." It's also vital to maintain a full audit log of all investigative activities.

The "don't" factors tend to relate to the nature of the systems under investigation. It is important to avoid changing file date/time stamps for example, or any of the data itself. The same applies to the overwriting of unallocated space (which can happen on re-boot for example - which is why our 'expert' in CSI clearly wasn't an expert at all).
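The "recover deleted files" and "don't alter the data" points above, as an added example that is not from the iQ article or from any of the tools it names: a minimal PNG carver that pulls deleted images out of a constructed block of unallocated space, rejects a file whose tail has been overwritten rather than reporting garbage, and hashes the evidence before and after analysis so the report can show it was never touched. The filler bytes and the planted PNGs are constructed inline, and all function names are my own.

```python
import hashlib
import struct
import zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Length + type + data + CRC-32 over type and data, as the PNG format requires."""
    crc = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
    return struct.pack(">I", len(data)) + ctype + data + crc

def build_png(width, height):
    """Construct a tiny valid 8-bit RGB PNG (all red) to plant in the sample image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\xff\x00\x00" * width) * height  # filter byte then RGB per row
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")

def build_image():
    """Constructed 'unallocated space': filler, two deleted PNGs, and one whose tail was overwritten."""
    filler = bytes(range(256)) * 4
    return filler + build_png(2, 2) + filler + build_png(4, 4)[:-8] + filler + build_png(3, 1) + filler

def walk_png(image, start):
    """Follow chunk lengths from a header; return the end offset only if every CRC checks out to IEND."""
    off = start + len(PNG_MAGIC)
    while off + 12 <= len(image):
        length = struct.unpack(">I", image[off:off + 4])[0]
        ctype, data = image[off + 4:off + 8], image[off + 8:off + 8 + length]
        crc = image[off + 8 + length:off + 12 + length]
        if len(crc) < 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return None  # truncated or corrupted chunk: reject rather than report garbage
        off += 12 + length
        if ctype == b"IEND":
            return off
    return None  # ran off the end of the image before reaching IEND

def carve_png(image):
    """Signature carving: locate each header, validate the structure, record (offset, bytes)."""
    found, pos = [], image.find(PNG_MAGIC)
    while pos != -1:
        end = walk_png(image, pos)
        if end is not None:
            found.append((pos, image[pos:end]))
        pos = image.find(PNG_MAGIC, end if end is not None else pos + 1)
    return found

def analyse(image):
    """Hash the evidence before and after carving so the report can show it was never altered."""
    before = hashlib.sha256(image).hexdigest()
    carved = carve_png(image)
    return {"sha256": before, "unchanged": hashlib.sha256(image).hexdigest() == before, "carved": carved}
```

Run `analyse(build_image())`: two intact PNGs come back with their offsets, the damaged one is skipped, and the recorded hash is what would go into the audit log alongside the image copy.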

Is Computer Forensics likely to be as complex and costly a nuisance as this long, involved process would seem to suggest? 'Fraid so. It's an unfortunate and inescapable fact that the more computers exist in the world, the more crime will be committed with them. And unlike in Hollywood, your business can't afford to get it wrong.

Possible scenarios for computer forensic investigation
  • Inappropriate email use, such as distributing pornographic images through company email or using email for personal correspondence
  • Fraud such as credit card duplication and keystroke logging for financial gain
  • Intellectual property theft
  • Breach of contract
  • Hacking
  • File sharing of copyrighted material
  • Inappropriate web use such as gambling
  • Breach of confidence by staff
  • Copying of commercially sensitive information such as customer lists and contract details
  • Espionage - data theft for the purposes of embezzlement or blackmail

Incident Response

If you have to handle a crime incident but can't wait for a forensic expert, follow these procedures:

  • Photograph the log room, position of computer and status of computer
  • If the computer is "on" don't switch it "off"
  • If the computer is "off" don't switch it "on"
  • Place evidence tape over each drive slot
  • Photograph and label back of computer components while plugged in
  • Label all connection ends to allow reassembly if needed
  • If transporting, treat all items as fragile
  • Collect all items such as keyboards, cables and monitors
  • Collect all instruction manuals, documentation and notes

Source: www.computer-forensic.com.
More info: http://www.computerforensicsworld.com/
www.forensics.nl


