Showing posts with label Digital Forensics.

Monday, March 23, 2009

Guide to Integrating Forensic Techniques into Incident Response

Digital forensics is the science of discovering and retrieving digital information about an event from digital devices, in such a way that it is admissible in court to prove either culpability or innocence.

The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question so that it cannot be accidentally contaminated, investigators make a bit-for-bit digital copy of the hard drive and record a cryptographic hash of both the original and the copy, so that the two can later be shown to match. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy.

The National Institute of Standards and Technology "Guide to Integrating Forensic Techniques into Incident Response" (SP 800-86, published in final form in August 2006) covers four phases, which are briefly summarized below. For the complete 121-page NIST publication, download SP 800-86 at http://csrc.nist.gov/publications/nistpubs.

1 - Collection: Identify, label, record and acquire data from possible sources, while preserving the integrity of the data.

2 - Examination: Use manual and automated methods to assess and extract data of particular interest, while preserving the integrity of the data.

3 - Analysis: Use legally justifiable methods and techniques to derive useful information.

4 - Reporting: Describe the actions taken and explain how tools and procedures were selected; determine what further actions are needed, such as forensic examination of additional data sources, securing identified vulnerabilities and improving existing security controls; and recommend improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.
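The copy-hash-lock procedure described above and the collection, examination and reporting phases of SP 800-86, as one added example that is not code from this post or from NIST. A small file stands in for the evidence drive, a read-only image stands in for the original locked in a safe, and the function names, record fields and sample data are this example's own inventions, not NIST terminology. Analysis (phase 3) is the examiner's judgement over the findings and is not automated here.

```python
# Added example; not code from the post or from NIST SP 800-86. It walks the
# collection, examination and reporting phases over a constructed "evidence
# drive" (a small file standing in for a disk). Function names, record fields
# and the sample data are this example's own choices, not NIST terminology.
import datetime
import hashlib
import json
import os
import re
import stat
import tempfile

CHUNK = 4096  # read size; keeps multi-GB images out of memory


def sha256_file(path):
    """Hash a file in fixed-size chunks (works for images far larger than RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def collect(source, image, examiner):
    """Collection: copy `source` to `image` bit for bit, hashing the bytes as they
    are read so the original is touched exactly once. The image is then made
    read-only (the stand-in here for locking the original in a safe) and hashed
    again independently; the two digests must agree or the copy is untrustworthy."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
    os.chmod(image, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_source": h.hexdigest(),
        "sha256_image": sha256_file(image),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def examine(image, patterns):
    """Examination: search the read-only copy (never the original) for byte
    patterns of interest and return each hit with its offset in the image."""
    hits = []
    with open(image, "rb") as f:
        data = f.read()  # fine for the constructed input; stream with overlap for real images
    for name, pattern in patterns.items():
        for m in re.finditer(pattern, data):
            hits.append({"pattern": name, "offset": m.start(),
                         "match": m.group(0).decode("latin-1")})
    return hits


def report(record, hits):
    """Reporting: re-hash the image after examination to show it was not altered,
    then bundle custody data, findings and tool details into one document."""
    after = sha256_file(record["image"])
    return {
        "collection": record,
        "examination": {"findings": hits, "sha256_image_after": after},
        "integrity_preserved": after == record["sha256_image"],
        "tooling": {"hash": "sha256", "scanner": "python re module"},
    }


def build_sample_drive(directory):
    """Constructed evidence: filler bytes around one e-mail address (not real data)."""
    path = os.path.join(directory, "suspect.raw")
    with open(path, "wb") as f:
        f.write(b"\x00" * 1000 + b"invoice to payee@example.com" + b"\xff" * 1000)
    return path


def run_demo(workdir=None, examiner="examiner-1"):
    """Full run: acquire, verify, examine for e-mail addresses, report."""
    workdir = workdir or tempfile.mkdtemp()
    source = build_sample_drive(workdir)
    image = os.path.join(workdir, "suspect.dd")
    record = collect(source, image, examiner)
    patterns = {"email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"}
    return report(record, examine(image, patterns))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing twice is that the acquisition digest and the independent verification digest come from two separate reads; if they differ, the copy (or the reading hardware) is suspect and the acquisition is repeated before any examination starts. On a real drive the copy would be taken through a write blocker with a tool such as dd or dc3dd, but the record kept is the same: who, when, what was read, how many bytes, and the digests.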

Monday, January 5, 2009

Digital Forensics - Definitions

Digital forensics is the science of discovering and retrieving digital information about an event from digital devices, in such a way that it is admissible in court to prove either culpability or innocence.

Thursday, December 18, 2008

85% of All Crimes Leave a Digital Fingerprint

It has been stated that 85% of all crime leaves a digital fingerprint in electronic devices, whether the case is an Internet intrusion, identity theft, or a traditional crime such as murder. Computer forensics has aided in the investigation of all of these. Computer forensics is the use of specialized techniques for the recovery, authentication, and analysis of electronic data when a case involves the reconstruction of computer usage, the examination of residual data, the authentication of data by technical analysis, or the explanation of technical features of data and computer usage. It requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end users or system support personnel.

The challenge facing many computer forensics examiners is the abundance of data that must be analyzed to produce a story or show correlation. Hard drive capacities are enormous and continue to grow, and because disk space is inexpensive there is ever more of it to examine. RAID systems add further challenges for the investigator. Even a simple case on a 200 GB hard drive can take weeks to review before any real assessment can occur, and in terrorism and murder cases such delays can prove fatal. Including social network analysis (SNA) reduces the time needed to locate correlations, letting the examiner focus the analysis on the key areas that the SNA results point to.
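The SNA triage the post proposes, as an added example that is not code from the post. It builds a who-talks-to-whom graph from a constructed mail log and ranks the parties by degree and betweenness centrality so the examiner knows whose mailboxes and files to read first. The log format, the addresses and the ranking rule are this example's own inventions.

```python
# Added example; not code from the post. It builds a who-talks-to-whom graph
# from constructed mail-log lines and ranks the parties by degree and
# betweenness centrality (Brandes' algorithm), which is the kind of SNA triage
# the post describes: the examiner starts with the people the graph singles
# out rather than reading the whole drive. Log format and names are invented.
import re
from collections import defaultdict, deque

# Constructed log: one message per line, "from=<addr> to=<addr>" (invented format).
SAMPLE_LOG = """\
2008-12-01T09:10:00 from=alice@corp.example to=bob@corp.example
2008-12-01T09:12:00 from=bob@corp.example to=alice@corp.example
2008-12-01T10:00:00 from=alice@corp.example to=carol@corp.example
2008-12-02T08:30:00 from=carol@corp.example to=dave@vendor.example
2008-12-02T08:45:00 from=dave@vendor.example to=carol@corp.example
2008-12-02T11:00:00 from=bob@corp.example to=erin@corp.example
2008-12-03T14:00:00 from=erin@corp.example to=bob@corp.example
2008-12-03T15:00:00 from=carol@corp.example to=frank@vendor.example
"""

LINE = re.compile(r"from=(\S+) to=(\S+)")


def build_graph(log_text):
    """Undirected contact graph plus per-pair message counts. Malformed lines are
    skipped rather than failing the run, since real logs are never clean."""
    neighbours = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        a, b = m.group(1).lower(), m.group(2).lower()
        if a == b:
            continue
        neighbours[a].add(b)
        neighbours[b].add(a)
        volume[frozenset((a, b))] += 1
    return dict(neighbours), dict(volume)


def degree(graph):
    """Number of distinct contacts per party."""
    return {v: len(n) for v, n in graph.items()}


def betweenness(graph):
    """Brandes' betweenness centrality for an unweighted undirected graph:
    how many shortest paths between other parties pass through each node."""
    cb = {v: 0.0 for v in graph}
    for s in graph:
        stack, pred = [], {v: [] for v in graph}
        sigma = {v: 0 for v in graph}
        dist = {v: -1 for v in graph}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in graph}
        while stack:
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return {v: c / 2.0 for v, c in cb.items()}  # each undirected pair was counted twice


def triage(log_text, top=3):
    """Rank parties (betweenness first, degree as tie-break) so the examiner knows
    whose data to look at first; also return message volume per pair."""
    graph, volume = build_graph(log_text)
    deg, btw = degree(graph), betweenness(graph)
    ranked = sorted(graph, key=lambda v: (btw[v], deg[v]), reverse=True)
    return [{"party": v, "degree": deg[v], "betweenness": btw[v]} for v in ranked[:top]], volume


if __name__ == "__main__":
    ranked, volume = triage(SAMPLE_LOG)
    for row in ranked:
        print(row)
```

Betweenness is chosen over raw message counts because the party who bridges two otherwise separate groups (here, the one relaying between the corporate and vendor addresses) is the one whose material most often explains the correlation the examiner is looking for, even when that party sends few messages.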

Tuesday, July 15, 2008

States require a license to conduct data forensics

First off, I would like to apologize to Linda Musthaler and Brian Musthaler, as well as IDG, for not following proper blog etiquette on this posting by copying and pasting an entire article without providing my comments beforehand. Linda brought this matter to my attention and I have edited this posting to be in "blog compliance".

The reason I chose and posted this article: about 4 years ago, while taking an instructor training course for AccessData in Texas, there was a discussion that Georgia was trying to implement similar requirements to conduct forensic examinations, and that more and more states are passing laws that some people interpret as requiring computer forensic examiners to be licensed private investigators.

As more cases are performed and botched by inexperienced examiners, I feel there will be some licensing requirements for computer forensic examiners.

I have enclosed a link to a very interesting article which discusses some current issues on this topic:

Article can be accessed at: http://www.networkworld.com/newsletters/techexec/2008/071408techexec1.html

Entire Article:

Laws in place to protect the chain of custody during any type of forensic investigation

Technology Executive Alert, by Linda Musthaler and Brian Musthaler, Network World, 07/14/2008

In 2007, the state of Texas updated a law called the "Private Security Act" to insert a new clause that specifies that anyone who conducts computer data forensics that could potentially be used in a legal proceeding in the state must be a licensed PI.

The basic tenet of the new stipulation in the law is the protection of the chain of custody during any type of forensic investigation. If digital forensic data is to be used for a legal proceeding, it needs to be done by a professional who is trained and licensed in the practice of securing evidence and chain of custody. Traditionally, these people are law enforcement officials, lawyers and paralegals, and licensed private investigators.

An opinion written by the State of Texas Private Security Bureau is that “Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services.”

This law has broad ramifications for many people in IT professions, including hardware and software technicians and auditors. These people routinely analyze log data and other information on computers that may eventually be used in reports that could, someday, be called into question in court.


For example, suppose the owner of a small business suspects one of his employees is creating bogus accounts and sending payments to those accounts. The business owner might ask a computer technician to study the computer logs to see what this employee is up to. The technician finds a clear digital trail of misconduct that points to the suspect employee and provides the “evidence” to the businessman in the form of a report. The business owner uses the information to dismiss the employee, who then sues his former employer for wrongful termination.

Unless the computer technician is a licensed PI, none of the information he dug up is admissible in court. Worse, both he and the business owner who used his services face misdemeanor charges for violating the Texas Private Security Act.

Several computer technicians from Houston and Austin have filed a lawsuit against the state, alleging that the law may inadvertently harm their businesses. An attorney handling the lawsuit says the law is so vaguely worded that it could be enforced broadly by the Private Security Board, the Texas agency that oversees licensing for the private security industry. The board interprets the law to cover any data retrieval for a “potential” civil or criminal matter. For all practical purposes in our litigious society, that is virtually everything.

Computer technicians aren’t the only ones concerned about the impact of this law. Auditing firms and law firms may also be ensnared by the law that requires licensing for anyone doing data retrieval and analysis for outside companies. (Companies can use their own employees to conduct internal investigations, but they cannot hire an unlicensed outsider to perform the same work.)

Texas isn’t alone in its efforts to have licensed investigators handle digital forensics. Georgia, New York, Nevada, North Carolina, South Carolina, Virginia and Washington also are pursuing digital forensic experts operating in their states without a PI license. Given the number of states with digital forensics laws and the vast extent of interstate commerce, these laws can have broad impact on IT professionals all across the country.

We don’t mean to downplay the importance of in-depth knowledge of the chain of custody of evidence. Of course it is important that evidence be properly collected and preserved if it is intended to be used in civil or criminal matters. But laws like the one in Texas could be creating a large and sharp dual-edged sword for the digital forensic community: time and legitimacy.


In Texas, a person must earn a criminology degree or undertake a three year apprenticeship with a licensed PI to attain a PI license. To specialize in an area of computer data forensics, the person also must master the intricacies of a combined Unix / Windows environment with its plethora of tools to monitor and control traffic / data, combined with all the tools required to extract digital evidence. He also must learn to analyze and interpret the data and ultimately opine on it. It can take years to understand enough about computers to be an expert.

With the Texas law, any licensed private investigator can take a class to learn how to use EnCase, a popular computer examination tool, and then declare himself to be a forensic expert. There are no further requirements for a technology-related degree or IT certification, experience or training.

To maintain legitimacy and comply with the law, large firms involved in digital forensics (e.g., law, audit, accounting and forensic firms) will hire a licensed PI that (in theory) oversees all of the digital forensic activities, and technically these firms will be following the letter of the law. Small service providers can’t afford to take this route, however, and this is the crux of the Texas lawsuit.

There are no easy answers, and we’ll just have to see how this one plays out. Meanwhile, be aware of the laws that may cover your business so you don’t run afoul of the law.


All contents copyright 1995-2008 Network World, Inc. http://www.networkworld.com/