Those investigating crime have long understood the value of evidence. In its most literal sense, evidence is "that which demonstrates that a fact is so". By acquiring evidence we build a picture of what happened, how it came to be and, hopefully, who did it. The digital world is no different to the physical world in that every event leaves a trace. This digital evidence can be gathered and pieced together to help develop our understanding of the what, how and who of an incident. Over time, this process has come to be referred to as Computer Forensics.
The term "forensic" is associated, by definition, with legal process. That is, the methods used to gather evidence during an investigation would allow it to be used in a court of law. Therefore, the most influential factor in the Court's decision whether or not to accept evidence is the way in which it was obtained and, in particular, consideration as to whether such methods may have affected the original data or its subsequent interpretation.
Every good incident response plan will have some form of investigative foundation. The core of computer forensic best practice can be defined by three generally accepted principles;
I. No action taken should change the data held on a computer or other storage media which may be subsequently relied upon.
II. Where original data must be accessed, the person doing so should be suitably qualified and able to explain the relevance and implications of their actions.
III. An audit trail or other record of all processes should be created and preserved such that a third party might examine such processes and achieve the same result.
While these principles are not part of any specific legislation, they are generally accepted as the fundamental "rules" by which an investigation can be measured and, as such, they should be considered to be forensic best practice. With these principles in mind, the forensic process could be summarised as Preservation, Documentation and Justification.
Understanding the Problem
When responding to an incident, it is important to identify the circumstances in which it has occurred and the objectives of any subsequent investigation. This puts the Investigator in a position to both assess the risks that the situation may present to the Business and to form a strategy for the conduct of the investigation itself.
What if an investigation is not expected to end in tribunal or litigation? Can we relax the standards that would normally be applied? Quite simply, what initially appears to be a simple, straightforward incident can quickly escalate into something far more serious. For example, an investigation into a denial-of-service attack on an e-commerce server suddenly and unexpectedly turns out to be attempted extortion by organised criminals. Nothing should be taken purely on face value. If we apply best practice from the outset, we avoid any possibility of compromising the investigation at a later stage or the integrity of the evidence we may want to rely on.
We can begin to define the scope of the investigation by forming an idea of what we think has happened. This, in turn, will help to identify where we should be looking for evidence and what needs to be done in order to acquire it. This also allows us to assess the potential impact on the Business. Will we need to isolate and quarantine workstations, PDAs and mobile phones? Will we need to take servers off-line and for how long? As the investigation progresses we may find information that identifies further potential sources of evidence that will need to be considered. Throughout the investigation it is necessary to constantly assess our understanding of what has happened and consider adapting the chosen strategy if necessary.
We should be mindful that the methods employed in the investigation are proportional to the seriousness of the incident. For example, it would be reasonable to consider examining the email of an employee suspected of sending threatening or abusive messages to a colleague or customer, but it would probably be considered unreasonable to place twenty-four hour surveillance on him and install a keystroke logger in his home computer!
It is vital that an investigator possesses a clear understanding of the legislation that affects the way in which an investigation is conducted. Such legislation includes, but is by no means limited to, The Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000 and the Data Protection Act 1998. The quantity and complexity of such legislation means that it may often be appropriate to seek advice from a lawyer to allow legal strategy to be developed for the investigation that is to take place.
Ultimately, any investigative process will consist of both operational and strategic considerations such as;
- Preservation of data for subsequent analysis
- Forensic recovery of data
- Presentation of evidence (written reports and orally)
- Acting lawfully
- Working within a business (or disciplined) environment
Preserving the evidence
The first principle of digital evidence defines the need to preserve the original data on which the investigation is based. Typically, a forensic investigator will take a low-level, or bit-stream image of the media containing the data.
However, it may not always be possible or practical to take a system out of service in order to capture the data it holds. In these cases we may revert to the second principle of digital evidence that makes provision for such access and defines the restrictions and obligations with which the investigator must comply. Key to this compliance is ensuring that the way in which access may affect the data is clearly understood. The mere act of starting a computer can cause numerous modifications to be made to the data it holds. If such modifications affect the evidence that we wish to produce we must be able to identify what changes have occurred and the effect they may have on its interpretation. We might consider creating copies of the data we consider to be relevant, such as a Microsoft Exchange Message Store in an email investigation, or generating reports, such as User Activity Audit Logs in an investigation into misuse of Bank administration systems.
It is at this point that the importance of maintaining an accurate and detailed record of the actions that are taken and the reasons for taking them becomes evident. Such a record acts as an audit trail for the investigation. It allows an assessment of the methods used and the decisions made in order to establish the admissibility of the evidence and, in so doing, allows the investigator to demonstrate compliance with the third principle of gathering digital evidence.
After the data has been acquired, it is vital to maintain its evidential integrity. This can be achieved through strict control of access to evidence and by maintaining a record of its movements and the identity of those in whose custody it has been. By doing this we are creating a "chain of custody" for the evidence with which we can demonstrate its provenance.
Building the picture
Building the picture
Having identified and acquired the data, the next phase of the investigation involves its examination and analysis. The objective is to identify evidence of what has happened with a view to establishing how the incident occurred and, if possible, who was involved. The quantity of material that can be produced by apparently trivial actions on a computer can be quite staggering. This information can present a vivid picture of the various events that have taken place in relation to an incident. The downside to such rich potential sources of evidence is that a detailed and proper analysis can be both complicated and time consuming. There is a risk that a vital piece of evidence may be overlooked or misinterpreted. Consequently it is necessary to ensure that the investigator is properly trained in forensic methodology and techniques and possess an appropriate degree of knowledge about the systems and software they are examining.
The results from the analysis should be produced as a report describing the investigation and its findings. Typically, such findings will be restricted to statements of fact such as the presence of specific items of data. However, at times it may be appropriate for the investigator to offer an opinion on the meaning of these facts. However, such an opinion must be based on significant knowledge and experience for it to be considered reliable. An opinion should be an appropriately educated interpretation of the facts at hand and not a best guess.
If an investigation ends in legal proceedings then the investigator may be required to present their findings orally in court and face cross-examination as to content and reliability. This is not something to be undertaken lightly and can be a daunting experience. Accordingly, investigators should seek to gain experience of court proceedings and preferably, undertake training to act in the capacity of a professional or expert witness.
The end result of this entire process should be a clear understanding of the events associated with the incident under investigation. In other words, answers to the original questions of what, how and, perhaps most importantly, who.
By adopting a "best practice" approach to the acquisition and examination of digital evidence we can ensure that our investigation remains forensically sound and will stand up to the most rigorous scrutiny. While we do our best to prevent such incidents, it is vital that we have the ability to act effectively and lawfully when it eventually happens and, ultimately, bring accountability to those responsible.
The author is Technical Director, DataSec Ltd