Security+ Certification: Computer Forensics and Incident Reponse
Computer forensics involves conducting an investigation to determine what has happened, to find out who is responsible and to collect legally admissible evidence for use in a computer crime case.
Closely related to, but distinctly different from investigations, is incident response. The purpose of an investigation is to determine what happened, to determine who is responsible, and to collect evidence. Incident response determines what happened, contains and assesses damage, and restores normal operations.
Investigations and incident response must often be conducted simultaneously in a well-coordinated and controlled manner to ensure that the initial actions of either activity don't destroy evidence or cause further damage to the organization's assets. For this reason, Computer Incident (or Emergency) Response Teams (CIRT or CERT, respectively) need to be properly trained and qualified to secure a crime scene or incident while preserving evidence. Ideally, the CIRT includes individuals who conduct the investigation.
A computer crime investigation should begin immediately upon report of an alleged computer crime or incident. Initially, any incident should be handled as a computer crime investigation until a preliminary investigation determines otherwise. The general steps to be followed in the investigative process are the following:
- Detect and contain: Early detection is critical to a successful investigation. Unfortunately, passive or reactive detection techniques (such as the review of audit trails and accidental discovery) are usually the norm in computer crimes and often leave a cold evidence trail. Containment is essential to minimize further loss or damage.
- Notify management: Management must be notified of any investigation as soon as possible. Knowledge of the investigation should be limited to as few people as possible and should be on a need-to-know basis. Out-of-band communications methods (reporting in person) should be used to ensure that sensitive communications about the investigation are not intercepted.
- Begin preliminary investigation: This is necessary to determine whether a crime has actually occurred. Most incidents are honest mistakes, not criminal conduct. This step includes
• Reviewing the complaint or report
• Inspecting damage
• Interviewing witnesses
• Examining logs
• Identifying further investigation requirements
- Initiate disclosure determination: The first and most important thing to determine is whether disclosure of the crime or incident is required by law. Next, determine whether disclosure is desired. This should be coordinated with a public relations or public affairs official of the organization.
- Conduct the investigation:
• Identify potential suspects. This includes insiders and outsiders to the organization. One standard discriminator to help determine or eliminate potential suspects is the MOM test: Did the suspect have the motive, opportunity, and means to commit the crime?
• Identify potential witnesses.Determine who is to be interviewed and who will conduct the interviews. Be careful not to alert any potential suspects to the investigation; focus on obtaining facts, not opinions, in witness statements.
• Prepare for search and seizure. This includes identifying the types of systems and evidence to be searched for or seized, designating and training the search and seizure team members (CIRT), obtaining and serving proper search warrants (if required), and determining potential risk to the system during a search and seizure effort.
- Report findings: The results of the investigation, including evidence, should be reported to management and turned over to appropriate law enforcement officials or prosecutors.
Evidence is information presented in a court of law to confirm or dispel a fact that's under contention. A case can't be brought to trial without sufficient evidence to support the case. Thus, properly gathering evidence is one of the most important and most difficult tasks of the investigator.
Types of evidence
Sources of legal evidence that can be presented in a court of law generally fall into one of four major categories:
- Direct evidence: This is oral testimony or a written statement based on information gathered through the witness's five senses (an eyewitness account) that proves or disproves a specific fact or issue.
- Real (or physical) evidence: These are tangible objects from the actual crime, such as these:
• Tools and weapons
• Stolen or damaged property
• Visual or audio surveillance tapes
- Physical evidence from a computer crime is rarely available.
- Documentary evidence: Most evidence presented in a computer crime case is documentary evidence, such as the following;
• Originals and copies of business records
• Computer-generated and computer-stored records
• Log files
- Business records, including computer records, are traditionally considered hearsay evidence by most courts because these records cannot be proven accurate and reliable. One of the most significant obstacles for a prosecutor to overcome in a computer crime case is seeking the admission of computer records as evidence.
- Demonstrative evidence. Used to aid the court's understanding of a case. Opinions are considered demonstrative evidence and may be either
• Expert: Based on personal expertise and facts
• Nonexpert:Based on facts only
- Other examples of demonstrative evidence include models, simulations, charts, and illustrations.
Other types of evidence that may fall into at least one the preceding major categories include
- Best evidence:Original, unaltered evidence. In court, this is preferred over secondary evidence.
- Data extracted from a computer satisfies the best evidence rule and may normally be introduced into court proceedings as such.
- Secondary evidence: A duplicate or copy of evidence, such as
• Tape backup
• Screen capture
- Corroborative evidence: Supports or substantiates other evidence presented in a case.
- Conclusive evidence: Incontrovertible and irrefutable: the smoking gun.
- Circumstantial evidence: Relevant facts that can't be directly or conclusively connected to other events but about which a reasonable inference can be made.
Admissibility of evidence
Because computer-generated evidence can often be easily manipulated, altered, or tampered, and because it's not easily and commonly understood, this type of evidence is usually considered suspect in a court of law.
In order to be admissible, evidence must be:
- Relevant: It must tend to prove or disprove facts that are relevant and material to the case.
- Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody.
- Legally permissible: It must be obtained through legal means. Evidence that's not legally permissible may include evidence obtained through these means:
• Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.
• Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.
• Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward some evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement is not necessarily illegal but does raise ethical arguments and may not be admissible in court.
• Coercion:Coerced testimony or confessions are not legally permissible.
• Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.