Investigations

Computer forensics is the science of conducting a computer crime investigation to determine what has happened and who is responsible, and to collect legally admissible evidence for use in a computer crime case.

The purpose of an investigation is to determine what happened and who is responsible, and to collect evidence. Closely related to, but distinctly different from, investigations is incident handling (or response). Incident handling is done to determine what happened, contain and assess damage, and restore normal operations. Incident handling is discussed in detail later in this chapter.

Investigations and incident handling must often be conducted simultaneously in a well-coordinated and controlled manner to ensure that the initial actions of either activity don’t destroy evidence or cause further damage to the organization’s assets. For this reason, it’s important that Computer Incident (or Emergency) Response Teams (CIRT or CERT, respectively) be properly trained and qualified to secure a computer-related crime scene or incident while preserving evidence. Ideally, the CIRT includes individuals who will actually be conducting the investigation.

An analogy is a police patrolman who discovers a murder victim. It’s important that the patrolman quickly assesses the safety of the situation and secures the crime scene; but at the same time, he must be careful not to destroy any evidence. The homicide detective’s job is to gather and analyze the evidence. Ideally, but rarely, the homicide detective would be the individual who discovers the murder victim, allowing her to assess the safety of the situation, secure the crime scene, and begin collecting evidence. Think of yourself as a CSI-SSP!

Evidence

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime. A case can’t be brought to trial without sufficient evidence to support the case. Thus, properly gathering evidence is one of the most important and most difficult tasks of the investigator.

The types of evidence, rules of evidence, admissibility of evidence, chain of custody, and the evidence life cycle make up the main elements that the CISSP exam may cover in the Investigations portion of this domain.

Types of evidence

Sources of legal evidence that you can present in a court of law generally fall into one of four major categories:

- Direct evidence: Oral testimony or a written statement based on information gathered through a witness’s five senses (in other words, an eyewitness account) that proves or disproves a specific fact or issue.

- Real (or physical) evidence: Tangible objects from the actual crime, such as the tools or weapons used and any stolen or damaged property. May also include visual or audio surveillance tapes generated during or after the event. Physical evidence from a computer crime is rarely available.

- Documentary evidence: Includes originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. Most evidence presented in a computer crime case is documentary evidence. The hearsay rule (which we discuss in the section “Hearsay rule,” later in this chapter) is an extremely important test of documentary evidence that must be understood and applied to this type of evidence.

- Demonstrative evidence: Used to aid the court’s understanding of a case. Opinions are considered demonstrative evidence and may be either expert (based on personal expertise and facts) or non-expert (based on facts only). Other examples of demonstrative evidence include models, simulations, charts, and illustrations.

Other types of evidence that may fall into one or more of the above major categories include

- Best evidence: Original, unaltered evidence, which is preferred by the court over secondary evidence. Read more about this evidence in the section “Best evidence rule,” later in this chapter.

- Secondary evidence: A duplicate or copy of evidence, such as a tape backup, screen capture, or photograph.

- Corroborative evidence: Supports or substantiates other evidence presented in a case.

- Conclusive evidence: Incontrovertible and irrefutable — you know, the smoking gun.

- Circumstantial evidence: Relevant facts that you can’t directly or conclusively connect to other events, but about which a reasonable person can make a reasonable inference.

Rules of evidence

Important rules of evidence for computer crime cases include the best evidence rule and the hearsay evidence rule. The CISSP candidate must understand both of these rules and their applicability to evidence in computer crime cases.

Best evidence rule

The best evidence rule, defined in the Federal Rules of Evidence, states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is [ordinarily] required.”

However, the Federal Rules of Evidence define an exception to this rule as “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”

Thus, data extracted from a computer — if that data is a fair and accurate representation of the original data — satisfies the best evidence rule and may normally be introduced into court proceedings as such.

Hearsay rule

Hearsay evidence is evidence that’s not based on personal, first-hand knowledge of a witness, but rather comes from other sources. Under the Federal Rules of Evidence, hearsay evidence is normally not admissible in court. This rule exists to prevent unreliable testimony from improperly influencing the outcome of a trial.

Business records, including computer records, have traditionally, and perhaps mistakenly, been considered hearsay evidence by most courts because these records cannot be proven accurate and reliable. One of the most significant obstacles for a prosecutor to overcome in a computer crime case is seeking the admission of computer records as evidence.

Tip: A prosecutor may be able to introduce computer records as best evidence, rather than hearsay evidence, which we discuss in the preceding section.

Several courts have acknowledged that the hearsay rules are applicable to computer-stored records containing human statements but are not applicable to computer-generated records untouched by human hands.

Perhaps the most successful and commonly applied test of admissibility for computer records, in general, has been the business records exception, established in the Federal Rules of Evidence, for records of regularly conducted activity, meeting the following criteria:

- Made at or near the time that the act occurred

- Made by a person who has knowledge of the business process or from information transmitted by a person who has knowledge of the business process

- Made and relied on during the regular conduct of business, as verified by the custodian or other witness familiar with the records’ use

- Kept for motives that tend to assure their accuracy

- In the custody of the witness on a regular basis (as required by the chain of evidence)

Tip: The chain of evidence establishes accountability for the handling of evidence throughout the evidence life cycle. See the section “Chain of custody and the evidence life cycle” later in this chapter.

Admissibility of evidence

Because computer-generated evidence can sometimes be easily manipulated, altered, or tampered with, and because it’s not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to be admissible, evidence must be

- Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

- Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We discuss this in the upcoming section “Chain of custody and the evidence life cycle.”)

- Legally permissible: It must be obtained through legal means. Evidence that’s not legally permissible may include evidence obtained through the following means:

  - Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non–law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.

  - Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

  - Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement isn’t necessarily illegal, but it does raise certain ethical arguments and may not be admissible in court.

  - Coercion: Coerced testimony or confessions are not legally permissible. Coercion involves compelling a person to involuntarily provide evidence through the use of threats, violence (torture), bribery, trickery, or intimidation.

  - Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.

Chain of custody and the evidence life cycle

The chain of custody (or chain of evidence) provides accountability and protection for evidence throughout its entire life cycle and includes the following information, which is normally kept in an evidence log:

- Persons involved (Who): Identify any and all individual(s) who discovered, collected, seized, analyzed, stored, preserved, transported, or otherwise controlled the evidence. Also identify any witnesses or other individuals present during any of the above actions.

- Description of evidence (What): Ensure that all evidence is completely and uniquely described.

- Location of evidence (Where): Provide specific information about the evidence’s location when it is discovered, analyzed, stored, or transported.

- Date/Time (When): Record the date and time that evidence is discovered, collected, seized, analyzed, stored, or transported. Also, record date and time information for any evidence log entries associated with the evidence.

- Methods used (How): Provide specific information about how evidence is discovered, collected, stored, preserved, or transported.

Any time that evidence changes possession or is transferred to a different media type, it must be properly recorded in the evidence log to maintain the chain of custody.

Law enforcement officials must strictly adhere to chain of custody requirements, and this adherence is highly recommended for anyone else involved in collecting or seizing evidence. Security professionals and incident response teams must fully understand and follow the chain of custody, no matter how minor or insignificant a security incident may initially appear.

Even properly trained law enforcement officials sometimes make crucial mistakes in evidence handling. Most attorneys won’t understand the technical aspects of the evidence that you may present in a case, but they will definitely know evidence-handling rules and will most certainly scrutinize your actions in this area. Improperly handled evidence, no matter how conclusive or damaging, will likely be inadmissible in a court of law.

The evidence life cycle describes the various phases of evidence, from its initial discovery to its final disposition.

The evidence life cycle has the following five stages:

- Collection and identification

- Analysis

- Storage, preservation, and transportation

- Presentation in court

- Return to victim (owner)

The following sections tell you more about each stage.

Collection and identification

Collecting evidence involves taking that evidence into custody. Unfortunately, evidence can’t always be collected and must instead be seized. Many legal issues are involved in seizing computers and other electronic evidence. The publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001), published by the U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS), provides comprehensive guidance on this subject. This publication is available for download at www.cybercrime.gov.

In general, law enforcement officials can search and/or seize computers and other electronic evidence under any of four circumstances:

- Voluntary or consensual: The owner of the computer or electronic evidence can freely surrender the evidence.

- Subpoena: A court issues a subpoena to an individual, ordering that individual to deliver the evidence to the court.

- Search warrant or Writ of Possession: A search warrant is issued to a law enforcement official by the court, allowing that official to search and seize specific evidence. A Writ of Possession is a similar order issued in civil cases.

- Exigent circumstances: If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant.

When evidence is collected, it must be properly marked and identified. This ensures that it can later be properly presented in court as actual evidence gathered from the scene or incident. The collected evidence must be recorded in an evidence log with the following information:

- A description of the particular piece of evidence, including any specific information such as make, model, serial number, physical appearance, material condition, and preexisting damage

- The name(s) of the person(s) who discovered and collected the evidence

- The exact date and time, specific location, and circumstances of the discovery/collection

Additionally, the evidence must be marked, using the following guidelines:

- Mark the evidence: If possible without damaging the evidence, mark the actual piece of evidence with the collecting individual’s initials, the date, and the case number (if known). Seal the evidence in an appropriate container and again mark the container with the same information.

- Or use an evidence tag: If the actual evidence cannot be marked, attach an evidence tag with the same information as above, seal the evidence and tag in an appropriate container, and again mark the container with the same information.

- Seal the evidence: Seal the container with evidence tape and mark the tape in a manner that will clearly indicate any tampering.

- Protect the evidence: Use extreme caution when collecting and marking evidence to ensure that it’s not damaged. If you’re using plastic bags for evidence containers, be sure that they’re static free.

Always collect and mark evidence in a consistent manner so that you can easily identify evidence and describe your collection and identification techniques to an opposing attorney in court, if necessary.
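The evidence log described under “Chain of custody and the evidence life cycle” (the Who / What / Where / When / How entries, and the rule that every change of possession is recorded) and the collection-entry fields listed just above can be modelled directly. The following is an added example written for this page, not code from the book or from any forensic tool. It keeps one log per item of evidence, refuses actions by anyone who is not the current custodian, and offers an audit function that re-reads a finished log the way an opposing attorney would, looking for gaps in custody, timestamps that run backwards, or an image whose content changed. The SHA-256 digest recorded with each entry is an assumption added here: the book does not discuss hashing, but a fixed digest taken at collection is the usual way to show that what is presented is what was originally collected. Names, case numbers, timestamps and the “disk image” bytes are all constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LogEntry:
    """One line of the evidence log: Who / What / Where / When / How for a single action."""
    who: str                   # person who performed the action
    action: str                # collected, analyzed, stored, transported, transferred ...
    where: str                 # location of the evidence at the time
    when: str                  # ISO-8601 UTC timestamp (same format everywhere, so strings sort)
    how: str                   # method used
    digest: str                # SHA-256 of the evidence image when the entry was made (assumption)
    received_from: Optional[str] = None   # set only on custody transfers


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class EvidenceRecord:
    """Evidence log for one item; only the current custodian may act on or release it."""

    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.description = description          # make, model, serial number, condition ...
        self.original_digest: Optional[str] = None
        self.custodian: Optional[str] = None
        self.entries: List[LogEntry] = []

    def collect(self, who, where, when, how, image: bytes) -> LogEntry:
        if self.entries:
            raise ValueError("evidence already collected")
        self.original_digest = sha256_hex(image)
        self.custodian = who
        return self._append(who, "collected", where, when, how, self.original_digest)

    def record(self, who, action, where, when, how, image: bytes) -> LogEntry:
        if who != self.custodian:
            raise PermissionError(f"{who} is not the custodian ({self.custodian})")
        return self._append(who, action, where, when, how, sha256_hex(image))

    def transfer(self, from_person, to_person, where, when, how, image: bytes) -> LogEntry:
        if from_person != self.custodian:
            raise PermissionError(f"{from_person} is not the custodian ({self.custodian})")
        self.custodian = to_person
        return self._append(to_person, "transferred", where, when, how,
                            sha256_hex(image), received_from=from_person)

    def _append(self, who, action, where, when, how, digest, received_from=None) -> LogEntry:
        entry = LogEntry(who, action, where, when, how, digest, received_from)
        self.entries.append(entry)
        return entry

    def verify_image(self, image: bytes) -> bool:
        """True only if the image still matches the digest taken at collection."""
        return sha256_hex(image) == self.original_digest


def audit(entries: List[LogEntry]) -> List[str]:
    """Re-check a finished log; returns the list of problems found (empty means clean)."""
    if not entries or entries[0].action != "collected":
        return ["log does not start with a collection entry"]
    problems, custodian = [], entries[0].who
    original, last_when = entries[0].digest, entries[0].when
    for i, e in enumerate(entries[1:], start=1):
        if e.when < last_when:
            problems.append(f"entry {i}: timestamp goes backwards")
        last_when = e.when
        if e.action == "transferred":
            if e.received_from != custodian:
                problems.append(f"entry {i}: custody gap, {e.received_from} was not the custodian")
            custodian = e.who
        elif e.who != custodian:
            problems.append(f"entry {i}: {e.who} acted while {custodian} held custody")
        if e.digest != original:
            problems.append(f"entry {i}: image digest differs from the one taken at collection")
    return problems


# Constructed sample: a few bytes standing in for a real disk image.
IMAGE = b"constructed sample disk image bytes"
TAMPERED = IMAGE + b"!"


def demo() -> Dict[str, object]:
    rec = EvidenceRecord("CASE-EXAMPLE-001", "Example laptop, serial SN-PLACEHOLDER")
    rec.collect("A. Collector", "Server room 2", "2024-01-05T09:00:00Z", "write-blocked imaging", IMAGE)
    rec.transfer("A. Collector", "B. Analyst", "Evidence locker", "2024-01-05T11:30:00Z",
                 "sealed bag, signed receipt", IMAGE)
    rec.record("B. Analyst", "analyzed", "Forensics lab", "2024-01-06T14:00:00Z", "read-only mount", IMAGE)
    try:                      # someone who never took custody must be refused
        rec.record("Z. Stranger", "analyzed", "Lab", "2024-01-06T15:00:00Z", "read-only mount", IMAGE)
        rejected = False
    except PermissionError:
        rejected = True
    # A broken copy of the log: a transfer released by someone who no longer held custody,
    # carrying the digest of an altered image.
    broken = list(rec.entries)
    broken.append(LogEntry("C. Courier", "transferred", "Loading dock", "2024-01-07T08:00:00Z",
                           "van", sha256_hex(TAMPERED), received_from="A. Collector"))
    return {"clean": audit(rec.entries), "broken": audit(broken),
            "tampered_ok": rec.verify_image(TAMPERED), "stranger_rejected": rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points are worth noting. The log is append-only in normal use (there is no method to edit or delete an entry), which is what “properly recorded in the evidence log” amounts to in practice; and the audit is deliberately separate from the recording code, so that a log exported from one system can be checked independently, which is the position a court or an opposing attorney is in.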

Analysis

Analysis involves examining the evidence for information pertinent to the case. Analysis should be conducted with extreme caution, by properly trained and experienced personnel only, to ensure the evidence is not altered, damaged, or destroyed.

Storage, preservation, and transportation

All evidence must be properly stored in a secure facility and preserved to prevent damage or contamination from various hazards, including intense heat or cold, extreme humidity, water, magnetic fields, and vibration. Evidence that’s not properly protected may be inadmissible in court, and the party responsible for collection and storage may be liable. Care must also be exercised during transportation to ensure that evidence is not lost, temporarily misplaced, damaged, or destroyed.

Presentation in court

Evidence to be presented in court must continue to follow the chain of custody and be handled with the same care as at all other times in the evidence life cycle. This process continues throughout the trial until all testimony related to the evidence is completed and the trial is over.

Return to victim (owner)

After the conclusion of the trial or other disposition, evidence is normally returned to its proper owner. However, under some circumstances, certain evidence may be ordered destroyed, such as contraband, drugs, or drug paraphernalia. Any evidence obtained through a search warrant is legally under the control of the court, possibly requiring the original owner to petition the court for its return.

Conducting investigations

A computer crime investigation should begin immediately upon report of an alleged computer crime or incident. Any incident should be handled, at least initially, as a computer crime investigation until a preliminary investigation determines otherwise.

The CISSP candidate should be familiar with the general steps of the investigative process:

1. Detect and contain a computer crime.

Early detection is critical to a successful investigation. Unfortunately, computer crimes usually involve passive or reactive detection techniques (such as the review of audit trails and accidental discovery), which often leave a cold evidence trail. Containment minimizes further loss or damage. The CIRT, which we discuss in the following section, is the team that is normally responsible for conducting an investigation. The CIRT should be notified (or activated) as quickly as possible after a computer crime is detected or suspected.

2. Notify management.

Management must be notified of any investigations as soon as possible. Knowledge of the investigations should be limited to as few people as possible, on a need-to-know basis. Out-of-band communications methods (reporting in person) should be used to ensure that an intruder does not intercept sensitive communications about the investigation.

3. Conduct a preliminary investigation.

This preliminary investigation determines whether a crime actually occurred. Most incidents turn out to be honest mistakes rather than criminal conduct. This step includes reviewing the complaint or report, inspecting damage, interviewing witnesses, examining logs, and identifying further investigation requirements.

4. Determine whether the organization should disclose that the crime occurred.

First, and most importantly, determine whether law requires the organization to disclose the crime or incident. Next, by coordinating with a public relations or public affairs official of the organization, determine whether the organization wants to disclose this information.

5. Conduct the investigation.

Conducting the investigation involves three activities:

a. Identify potential suspects.

Potential suspects include insiders and outsiders to the organization. One standard discriminator to help determine or eliminate potential suspects is the MOM test: Did the suspect have the Motive, Opportunity, and Means? The Motive might relate to financial gain, revenge, or notoriety. A suspect had Opportunity if he or she had access, whether as an authorized user for an unauthorized purpose or as an unauthorized user — due to the existence of a security weakness or vulnerability — for an unauthorized purpose. And Means relates to whether the suspect had the necessary tools and skills to commit the crime.

b. Identify potential witnesses.

Determine whom you want interviewed and who conducts the interviews. Be careful not to alert any potential suspects to the investigation; focus on obtaining facts, not opinions, in witness statements.

c. Prepare for search and seizure.

Identify the types of systems and evidence that you plan to search or seize, designate and train the search and seizure team members (normally members of the Computer Incident Response Team, or CIRT), obtain and serve proper search warrants (if required), and determine potential risk to the system during a search and seizure effort.

6. Report your findings.

The results of the investigation, including evidence, should be reported to management and turned over to proper law enforcement officials or prosecutors, as appropriate.

Instant answer: MOM stands for Motive, Opportunity, and Means.

Incident handling (or response)

Incident response begins before an incident actually occurs. Preparation is the key to a quick and successful response. A well-documented and regularly practiced incident response plan ensures effective preparation. The plan should include

- Response procedures: Include detailed procedures that address different contingencies and situations.

- Response authority: Clearly define roles, responsibilities, and levels of authority for all members of the Computer Incident Response Team (CIRT).

- Available resources: Identify people, tools, and external resources (consultants and law enforcement agents) that are available to the CIRT. Training should include use of these resources, when possible.

- Legal review: The incident response plan should be evaluated by appropriate legal counsel to determine compliance with applicable laws and to determine whether its procedures are enforceable and defensible.

Incident response generally follows these steps:

1. Determine whether a security incident has occurred.

This process is similar to the Detection and Containment step in the investigative process (discussed in the preceding section) and includes defining what constitutes a security incident for your organization. Upon determination that an incident has occurred, it’s important to immediately begin detailed documentation of every action taken throughout the incident response process. You should also identify the appropriate alert level. (Ask “Is this an isolated incident or a system-wide event?” and “Has personal or sensitive data been compromised?” and “What laws may have been violated?”) The answers will help you determine who to notify and whether or not to activate the entire incident response team or only certain members.

2. Notify the appropriate people about the incident.

This step and the specific procedures associated with it are identical to the Notification of Management step in the investigative process, but also include the Disclosure Determination step from the investigative process. All contact information should be documented before an incident, and all notifications and contacts during an incident should be documented in the incident log.

3. Contain the incident (or damage).

Again, this step is similar to the Detection and Containment step in the investigative process. The purpose of this step is to minimize further loss or damage. You may need to eradicate a virus, deny access, or disable services.

4. Assess the damage.

This assessment includes determining the scope and cause of damage, as well as the responsible (or liable) party.

5. Recover normal operations.

This step may include rebuilding systems, repairing vulnerabilities, improving safeguards, and restoring data and services. Do this step in accordance with a Business Continuity Plan (BCP) that properly identifies priorities for recovery.

6. Evaluate incident response effectiveness.

This final phase of an incident response plan involves identifying the lessons learned — which should include not only what went wrong, but also what went right.

Remember: Investigations and incident response follow similar steps but have different purposes: The distinguishing characteristic of an investigation is the gathering of evidence for possible prosecution, whereas incident response focuses on containing the damage and returning to normal operations.
