CHAPTER 10
Establishing the Investigation Type and Criteria
We’ll Cover
 
•   Determining what type of investigation is required
•   What to do when criteria causes an overlap
•   What to do when no criteria matches
 
Now that you’ve studied Parts I and II of this book, you are ready to investigate your first computer forensics case. After you prove your competency as an examiner, you can look forward to a continuing stream of investigations, because there will always be employees who misuse their employers’ networks and networks that require forensic examinations. This book is meant to be a guide to walk you through time- and court-tested procedures, but we can’t cover everything you might encounter. Remember that nothing goes “by the book” when you’re dealing with human behavior!
In this chapter, you’ll read about a set of common criteria that, when presented to you at the beginning of a case, should help you determine which set of procedures you should start with in your analysis. I’ll cover the major types of cases you may encounter as a new computer forensics examiner, what to do when your case involves multiple types of criteria, and how to deal with a case that meets no established criteria.
Determining What Type of Investigation Is Required
You’ll use a basic set of criteria to determine the type of case you’re dealing with. Understanding the type of case you’ll be investigating is important, of course, when you’re deciding which forensic analysis procedures to use to find appropriate evidence. You could, for example, fully examine every artifact on every forensic image to determine everything a suspect has been doing, but then you wouldn’t be able to finish your investigation in a timely manner or provide the results your employer is actually requesting. Always remember who is requesting that you perform an investigation, as it’s rarely yourself, and try to meet their specific needs as you work.
Human Resources Cases
Chapter 11 covers common examples of HR investigations: an employee who is viewing pornography at work and an employee who is wasting and/or abusing company time and resources. These are, of course, not the only types of HR cases you will encounter—life is always stranger than fiction. Most computer forensic examiners begin their careers with HR cases, which are typically low risk and easy to solve. If your first case is an HR case, turn to Chapter 11 to read about example HR cases and how to handle the two most common types.
In Actual Practice
For many HR cases, you may not even need to use forensic tools and perform computer examinations; the logs from the company’s firewalls, proxies, and e-mail systems may provide enough evidence to prove your suspect’s activities. However, you should always try to create forensic images when it’s allowed, because doing so allows you to perform a more thorough investigation if it’s requested. Creating forensic images allows you to use traditional computer forensic techniques to recover deleted and hidden data from the disk to uncover more evidence of a suspect’s activities.
Here are some examples of typical HR cases:
 
•   Viewing pornography at work
•   Wasting time on Facebook and other web sites instead of working
•   Selling company property online
•   Playing video games while at work
•   Sexually harassing coworkers
•   Threatening coworkers
•   Having an affair with a coworker
Goals of an HR Case
Typically, HR cases do not end in civil litigation or criminal charges. The employee (the suspect) may not have violated any law, but simply a company policy. The end result of an HR investigation is typically the employee’s termination. Because an employee’s job is being terminated, you need to produce enough proof and reporting to defend your work in case the employee tries to file a lawsuit against the company for improper termination.
LINGO
In an improper termination lawsuit, the plaintiff (typically the dismissed employee) alleges that the former employer fired him or her for false pretenses, in an unfair manner, or in a way inconsistent with how other employees have been treated. (This can also be used for a discrimination suit.) The employee could be suing to regain his or her position, but most often the suit involves lost wages and damages.
To defend your company from an improper termination lawsuit, we recommend that you follow all the procedures we’ve outlined in this book, when possible, and maintain your records related to the investigation until told otherwise by the company’s HR staff. If your report is solid and your records are intact, most HR cases will not make their way to the courtroom, because when faced with the evidence, a former employee might not follow through.
In Actual Practice
I’ve experienced situations in which investigators didn’t keep proper notes or didn’t keep their forensics data after the employee was terminated. If you don’t retain your notes and evidence, and an employee challenges the termination, you will at best have to re-create your work, and at worst you may be missing the evidence needed to prove the claims. If you don’t have room on your analyst system to keep your work product, copy it to an external drive or DVD for safekeeping until told otherwise.
Administrator Abuse
“Administrator abuse” refers to the abuse of authority or access by an IT administrator into the company’s data and/or systems. These cases can come to light via multiple sources, depending on the type of abuse that has occurred. The impact of an administrator abuse case depends on the nature of the abuse. In the best case, it involves an immature administrator who is just curious about what other employees are earning; in the worst case, someone is being malicious with the intent to harm, stalk, or blackmail another employee with the information they gather. If you believe you are entering an administrator abuse case, go to Chapter 12 to read an example of a real case and how such a case can be handled.
LINGO
Work product is a legal term that refers to documents, spreadsheets, databases, forensic files, notes, and so on that you produce during your investigation. If your investigation is being done by direction of an attorney, your work product may be excluded from being produced during litigation. To determine whether this is the case, ask your legal team for guidance.
The following are some examples of administrator abuse cases:
 
•   Reading users’ e-mail
•   Determining the salary of other employees
•   Spying on other users using remote access tools such as Virtual Network Computing (VNC)
•   Placing keyloggers and other spyware on users’ computers
•   Accessing other users’ personal files and folders
•   Stalking employees through personal information stored on company systems
•   Running personal or side-job–related web sites and other types of network services on corporate assets
•   Bypassing company policy by creating special methods of unfiltered Internet access for prohibited activities
Goals of an Administrator Abuse Case
Depending on the evidence you find, this type of case may end in civil or criminal charges. If nothing else, an administrator found to be abusing system access for personal gain will likely be terminated for these actions. The hardest part of an administrator abuse case is not letting the administrator know you are investigating them. An administrator may be reading the e-mails of the legal department as well as HR, and possibly searching for mentions of his or her name to look for clues that he or she might be under investigation. It’s important to take extra care with these cases to work covertly—that means making phone calls instead of sending e-mails, avoiding corporate instant messaging systems, and photographing the desk of the administrator before seizing evidence to make sure you can replace all the items where they were.
If you learn that such a case may be referred for criminal prosecution, make a copy of the original forensic image to work from, and keep the original image separate and untouched so you can demonstrate an unbroken chain of custody when handing it over to law enforcement. You may hear your copy referred to as a “working copy” and the original as a “pristine copy.” Hash both and record the values; the matching hashes are how you show that the working copy is identical to the original.
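The hash check described above, as an added example that is not part of the original chapter. It streams both files so multi-gigabyte images do not have to fit in memory, reports whether the working copy is bit-identical to the pristine copy, and emits a chain-of-custody log line. The case identifier and examiner name are hypothetical placeholders; the demo() function builds constructed files in a temporary directory so the script runs offline.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_working_copy(pristine: str, working: str) -> dict:
    """Hash both files and report whether the working copy is bit-identical."""
    p_hash = sha256_file(pristine)
    w_hash = sha256_file(working)
    return {
        "pristine": pristine,
        "pristine_sha256": p_hash,
        "working": working,
        "working_sha256": w_hash,
        "match": p_hash == w_hash,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def custody_record(case_id: str, examiner: str, result: dict) -> str:
    """One JSON line suitable for appending to a chain-of-custody log.
    case_id and examiner are hypothetical fields; use whatever your log requires."""
    entry = {"case_id": case_id, "examiner": examiner, **result}
    return json.dumps(entry, sort_keys=True)


def demo() -> dict:
    """Build constructed 'images' in a temp dir: a pristine file, a faithful
    copy, and a copy with one flipped bit. Returns the verdicts plus a
    known-answer hash so the hashing routine itself is checked."""
    with tempfile.TemporaryDirectory() as d:
        pristine = os.path.join(d, "evidence.dd")
        good = os.path.join(d, "evidence_working.dd")
        bad = os.path.join(d, "evidence_working_bad.dd")
        abc = os.path.join(d, "abc.bin")
        data = bytes(range(256)) * 4096 * 3  # 3 MiB of constructed bytes, not a real image
        with open(pristine, "wb") as f:
            f.write(data)
        with open(good, "wb") as f:
            f.write(data)
        with open(bad, "wb") as f:
            f.write(data[:-1] + bytes([data[-1] ^ 0x01]))  # flip one bit in the last byte
        with open(abc, "wb") as f:
            f.write(b"abc")
        good_result = verify_working_copy(pristine, good)
        return {
            "good": good_result["match"],
            "bad": verify_working_copy(pristine, bad)["match"],
            "abc_sha256": sha256_file(abc),
            "record": custody_record("CASE-0001", "examiner", good_result),
        }


if __name__ == "__main__":
    out = demo()
    print("faithful copy matches:", out["good"])
    print("tampered copy matches:", out["bad"])
    print(out["record"])
```

Run the verification again at hand-off and whenever the working copy is moved; a custody log that carries the same hash at every step is what makes the pristine copy defensible.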
In Actual Practice
As your vault of evidence builds, you’ll need to develop an approved policy for disposing of evidence. In my work, I get rid of the forensic image and data collected only when either a) the case has been settled and my client no longer needs the data (sometimes this can be as much as a year later) or b) the case has run out of appeals and parties can no longer litigate, which can take as long as three to five years. Plan to keep and maintain plenty of evidence storage space and keep your images organized to prevent confusion at a later date.
Stealing Information
Other than HR cases, a case involving an employee who steals company information is the most common type of case you will encounter. These are not considered HR cases as they are usually originated by Legal and not HR. These cases normally involve a current employee who is planning to leave the company. Before leaving the company, the person takes with them some of the materials or information they may or may not believe is theirs and passes it on to their next employer. In the worst cases, the employee is bringing trade secrets requested by his or her new employer to gain an unfair advantage in the marketplace. Chapter 13 lays out an example case of stealing information and sample procedures to follow when working a common case of such employee theft.
The following are examples of cases involving stealing information:
 
•   Sales person taking business contacts to use in another business
•   Employee taking bid details on current, future, or former projects
•   Taking trade secret business processes to a competitor
•   Forwarding e-mails and files to a personal e-mail account
•   Uploading data to file sharing sites for later access
•   Wholesale backup of all data from company systems to personal hard drives
•   External hacking into company systems
Goals of a Stealing Information Case
Cases in which former employees have stolen information typically end in civil litigation against the former employee who took the information and possibly the company they went to work for if the company was benefitting—or, worse, requesting—the information that was stolen. I’ve included external hacking cases in this category because they fit the definition of this type of case, but they are most likely incident response cases in which the actual attacker may be out of the jurisdiction of the court, such as in another country. You’ll find many books on incident response that you can consult before embarking on an external hacking case, such as Incident Response & Computer Forensics, 2nd Ed., by Chris Prosise, Kevin Mandia, and Matt Pepe.
Internal Leaks
An internal leak case may seem similar to a stealing information case, except for one difference: the employee who is leaking the information usually is not leaving the company (unless the suspect hopes to gain a position after they are done leaking information to a competitor). If an employee is leaking information, they have to stay in their current position to continue doing so. In this kind of case, it can be more difficult to find your suspect, because you can’t simply forensically image the devices of departing employees to find the evidence; instead, you must first have some idea that a leak is occurring, and then track down the source. If a data loss prevention (DLP) system is in place, it may offer you clues if it finds information on the system that possibly relates to someone sending data outside the company. Although this book won’t go into all the ways you can find an internal leak, you will find procedures regarding how to review systems to find this kind of information in Chapter 14.
LINGO
Data loss prevention, or DLP, systems are typically network appliances that review all network traffic on your external network, looking for signs of improper data being sent outside the company. Examples of such data include credit card numbers, Social Security numbers, and other industry-specific terms. DLP products typically look for keywords or patterns of text to determine whether network traffic contains this type of data.
Note
DLP has expanded beyond the network appliance, and now the term’s meaning can be extended to endpoint protection as well. Endpoint protection involves placing additional controls on a user’s system to force full-disk encryption, limit and/or log any accesses to external storage, and so on.
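The keyword-and-pattern matching the LINGO box describes, as an added example that is not part of the original chapter or of any DLP product. It scans constructed payloads (standing in for reassembled outbound traffic or an outgoing e-mail body) for card numbers and Social Security numbers, and shows the two checks a practitioner wants beyond the bare regex: a Luhn validation so that every sixteen-digit order reference does not become an alert, and masking so the alert itself does not leak the full number. The sample strings and the structural SSN rules are the assumptions here.

```python
import re

# Constructed sample "payloads"; none of these are real account numbers.
SAMPLE_PAYLOADS = [
    "Invoice paid with card 4111 1111 1111 1111, ship to customer",  # passes Luhn
    "Order ref 1234-5678-9012-3456, internal tracking only",         # 16 digits, fails Luhn
    "Applicant SSN 123-45-6789 attached to onboarding form",         # well-formed SSN
    "Ticket 000-12-3456 escalated to tier 2",                        # area 000 is never issued
    "Meeting notes: nothing sensitive here",
]

# 13-16 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# AAA-GG-SSSS with structurally invalid ranges excluded: area 000, 666 or
# 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; removes most 'number-shaped' false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Never put the full number into an alert; keep only the last four."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(payload: str):
    """Return a list of (type, masked value) findings for one payload."""
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(payload):
        findings.append(("ssn", mask(m.group(0).replace("-", ""))))
    return findings


def scan_all(payloads):
    """Scan many payloads; returns (payload index, type, masked value) tuples."""
    hits = []
    for idx, text in enumerate(payloads):
        for kind, value in scan(text):
            hits.append((idx, kind, value))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_all(SAMPLE_PAYLOADS):
        print(f"payload {idx}: {kind} {value}")
```

The second payload is the caveat in one line: it matches the card pattern but fails Luhn, so it is dropped rather than alerted. Real DLP engines add context (surrounding keywords, file type, destination) on top of this, but the pattern-plus-validation step is the core.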
 
The following are examples of internal leaks cases:
 
•   Sending information related to internal matters to the press
•   Sending information to competitors
•   Sending anonymous e-mails to the company board of directors
Goal of Internal Leaks Cases
Once you’ve identified the source of information leaks, the person will be terminated from their position. Whether the leaker is also charged in a civil or criminal matter will depend on the type of offense—and whether the company wants to draw attention to the matter.
Keyloggers and Malware
Keyloggers and malware are cases that can involve an IT professional even before he or she has considered undertaking computer forensics. Any system—whether at work or at home—can be infected with malware, and large numbers of books, blogs, and web sites are devoted to information regarding how to detect and remediate these types of cases. This book reviews some good procedures for locating and identifying malware installed on a system, but it does not go into determining the capabilities of malware other than showing you where you can go to get information about known malware.
The following are examples of keylogger and malware cases:
 
•   Keylogger employed by an employee
•   Keylogger employed by a spouse
•   Malware that enters a system through an employee’s Internet usage
•   Malware targeted at the company
Goals of Keylogger and Malware Cases
In the vast majority of cases, the systems of employees and possibly even family members are being infected with a wide variety of malware on a daily basis. Following are some examples of the goals of these cases:
 
•   What was infected
•   How it got onto the system
•   What the capabilities of the malware are
These cases are the lowest risk, because once the malware has been identified, you can move forward to remediate the infection by removing the malware. If you can determine the capabilities of the malware (either because it is known publicly or because you have the skills and knowledge to determine this through examination), you can also take the additional step of protecting your system or company data from possible theft by changing passwords to online systems or having credit cards reissued to prevent their fraudulent use, for example. Remember, however, that if malware was found on your system, you should assume that any private information on that system may already have been compromised.
In Actual Practice
Not all malware installed on a system can or should be taken lightly. Several malware packages aggressively attempt to steal your personal and financial information for use by third parties. In the scope of risk to you as an investigator, though, these are usually low-risk cases if something were to go wrong as there is no one to terminate, sue, or discipline within your country’s jurisdiction.
Note
Malware analysis is a dense topic, and many books are devoted to it. Two major forms of malware analysis can be performed. The first, static analysis, involves examining the malware executable and its files without running them: identifying the system libraries and functions they import, extracting strings, and possibly reverse engineering the code to determine capabilities. The second, dynamic analysis, involves running the malware in a safe virtualized environment disconnected from the real network, so you can observe its behavior to determine its capabilities. There is obviously much more to it; if you are interested, search for either term in your favorite search engine.
What to Do When Criteria Causes an Overlap
You’ll also encounter cases that are complicated and involve more than one type of criteria. Suppose, for example, that an investigation begins as administrator abuse but becomes a stealing information case as well when the suspect is caught trying to sell company data to another company. In this instance, you would add the analysis procedures for the second case type as discussed in this book and document your findings, keeping the evidence for each type of misconduct separate. Why keep them separate? When you report this information, it becomes easier to read and understand the context of each finding when it is tied to the specific action it supports.
Because you should consider all the evidence you find when reviewing a system, keeping the evidence that relates to each type of case separate makes your job in explaining the cases much easier later on. You could, for example, create two sections (or more if appropriate) in your notes and bookmarks within your forensic tools to separate your findings for reporting reasons. Keeping them separate helps you organize your notes and/or bookmarks according to each case topic you are investigating. When you write your report, the relevant findings will naturally fit in their own sections, preventing confusion.
Caution
Before you decide to change the scope of an investigation, first inform the person who authorized your investigation of your findings and request their approval. This can prevent a lot of problems and misunderstandings moving forward.
What to Do When No Criteria Matches
So your suspect has done something outside the range of all of our typical cases? Well first, congratulations! You have an interesting case on your hands! This book was meant to assist you in handling the basics of computer forensics procedures. A complex case lets you take all the procedures and techniques you’ve learned and see how they apply to your unique scenario. The first thing to do is to step back and determine where to look for evidence.
For the criteria defined so far in this chapter, I’ve suggested where you might look for evidence; however, you should always ask yourself the following questions if you can’t find the evidence you need:
 
•   Where should the evidence be?
•   Did this occur over the network?
•   Did this occur on a local system?
Where Should the Evidence Be?
Being able to answer this question is a sign of your proficiency and maturity as a computer forensic examiner. Think about the activity that is suspected and draw out all the systems that could be involved when that kind of activity takes place.
Tip
Some people find that drawing out all the possible sources helps them determine sources they didn’t think of initially. I like to write ideas on a whiteboard as I discuss a case with colleagues.
Did This Occur over the Network?
Consider all of the devices located in between the machines in question and the Internet. Which of those devices has logging capability?
 
•   Proxy logs   If your network users access the Internet through proxies, look here for information about their web activity.
•   Firewall logs   Depending on the firewall logging rules, you may gain some insight into network traffic here.
•   IDS logs   The early signs of probing and known attack patterns can be helpful if you are dealing with an external breach.
•   IPS logs   Much like IDS logs, IPS logs may be useful in finding IP ranges to look for on your local systems.
•   Router logs   Usually this is not a helpful source, but it’s always worth considering, depending on the logging and functions utilized, such as a VPN.
•   Local firewall logs   Most systems now also have a local firewall that keeps its own logs.
•   Domain authentication logs   The suspect may be utilizing multiple systems, so tracking their logins within the domain can help you identify those systems.
•   Internal webmail (Outlook Web Access, OWA) servers   Webmail is often utilized by suspects who hope to keep their activities off the company e-mail system.
•   VPN servers   VPN logs show when a suspect connected remotely and from which address.
•   DHCP logs   Check these logs to determine which host held an IP address at the time of the offense. Leases are reassigned, so match on the time as well as the address.
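The DHCP-to-proxy attribution the last two bullets describe, as an added example that is not part of the original chapter. It reads constructed, simplified excerpts of a DHCP server log (ISO timestamps in local time with offset) and a proxy access log (epoch seconds in UTC), normalises both to UTC, and tags each proxy request with the host that held the address at that moment. The log formats, host names and addresses are assumptions; the point is the time-aware join, including the edge cases of a request before any lease and an address that changes hands during the day.

```python
import re
from bisect import bisect_right
from datetime import datetime, timezone

# Constructed, simplified log excerpts (not real logs). DHCP lines carry a
# local-time ISO timestamp with offset; the proxy log uses epoch seconds in
# UTC, as many proxies do. Normalising both to UTC is the whole point.
DHCP_LOG = """\
2013-03-04T08:55:00-06:00 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (WS-JSMITH)
2013-03-04T08:57:00-06:00 dhcpd: DHCPACK on 10.1.5.40 to cc:dd:ee:ff:00:11 (WS-KLEE)
2013-03-04T13:10:00-06:00 dhcpd: DHCPACK on 10.1.5.23 to 66:77:88:99:aa:bb (WS-RDOE)
"""

PROXY_LOG = """\
1362355200.000 10.1.5.23 TCP_MISS/200 GET http://news.example/
1362409200.000 10.1.5.23 TCP_MISS/200 POST http://fileshare.example/upload
1362409500.000 10.1.5.40 TCP_MISS/200 GET http://news.example/
1362425400.000 10.1.5.23 TCP_MISS/200 POST http://fileshare.example/upload
"""

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)$")


def parse_dhcp(text):
    """ip -> sorted list of (epoch, mac, hostname) lease grants."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts, ip, mac, host = m.groups()
        epoch = datetime.fromisoformat(ts).timestamp()  # offset-aware -> UTC epoch
        leases.setdefault(ip, []).append((epoch, mac, host))
    for entries in leases.values():
        entries.sort()
    return leases


def lease_at(leases, ip, epoch):
    """Most recent grant of `ip` at or before `epoch`, or None.
    Simplification: a grant is assumed to hold until the next grant of the
    same address; real leases also expire, so check the lease length too."""
    entries = leases.get(ip, [])
    i = bisect_right([e[0] for e in entries], epoch) - 1
    return entries[i] if i >= 0 else None


def parse_proxy(text):
    """Yield (epoch, client ip, method, url) from the simplified proxy format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        yield float(parts[0]), parts[1], parts[3], parts[4]


def utc_str(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def attribute(dhcp_text, proxy_text):
    """Tag each proxy request with the host that held the IP at that moment."""
    leases = parse_dhcp(dhcp_text)
    rows = []
    for epoch, ip, method, url in parse_proxy(proxy_text):
        lease = lease_at(leases, ip, epoch)
        host = lease[2] if lease else "UNATTRIBUTED"
        rows.append((utc_str(epoch), ip, host, method, url))
    return rows


if __name__ == "__main__":
    for row in attribute(DHCP_LOG, PROXY_LOG):
        print(*row)
```

The two uploads from 10.1.5.23 land on different hosts because the address was re-leased at 19:10 UTC; attributing by address alone would have pinned both on WS-JSMITH.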
Did This Occur on a Local System?
Determine what software was installed on the system. Things you might not normally consider may create logs or artifacts that are out of scope for other types of defined cases.
 
•   Antivirus logs   Use these logs to see which files were scanned, detected, or quarantined in the past and to look for earlier infections.
•   Desktop search indexes   Windows Search (and Google Desktop, discontinued in 2011 but still present on older systems) keep an index of files that existed on the system, which can include files that have since been deleted.
•   Event logs   These can be helpful not just when you’re looking for direct evidence of the incident, but they can also show errors that may have occurred because of the incident.
•   Flash cookies (local shared objects)   Sometimes data may exist here even if your suspect used some kind of private browsing function.
These are just a few examples. Your own understanding and ability to collect information about your environment will always be more valuable than what I can suggest here. The more you know about your own systems, networks, and applications, the better equipped you are to handle the unknown.
Nothing Working? Create a Super Timeline
Consider creating a super timeline using the log2timeline tool included in the SANS SIFT workstation. When you can’t find evidence related to the case you are working, it is often because you aren’t aware of everything the system was doing. I’m not an advocate of creating a super timeline for every case; many cases are simple enough to be solved with the usual artifacts. In situations where you need guidance on what else could have happened, though, a super timeline is a great way to see a large amount of information gathered from throughout the system. Remember that a super timeline is only as good as the information you populate it with, so use all the modules log2timeline supports for the operating system you are examining to get the most complete picture.
Once you’ve constructed this timeline, you may feel overwhelmed by the amount of information and not sure where to start. You can consult a diagram that was created to help you find likely patterns in the timeline at http://computer-forensics.sans.org/blog/2011/12/16/digital-forensics-sifting-cheating-timelines-with-log2timeline.
For me, super timelines are a good way to find a new source of evidence or to double-check that I haven’t missed anything. The number of examiners who use super timelines is growing thanks to SANS, and I believe you will see more tools of this kind developed in the near future.
Note
 
What does a super timeline offer you that your forensic tool’s timeline feature does not already do? Good question! A super timeline goes beyond the traditional timeline created by a forensic tool. A super timeline lays out files and some system events in a sortable list and can break out data into timestamped events. This means that all of the following, and more, can be brought together into one large (super) timeline to help you find what you are looking for:
 
•   File system metadata
•   Event logs
•   Application logs
•   Internet history
•   Registry files
•   Antivirus logs
•   Exchangeable image file format (Exif) data
•   Firewall logs
•   .LNK files
•   Restore points
•   Recycle Bin entries
•   Prefetch files
 
You’ll find more uses every day as new modules are written.
Note
This huge amount of information can be quite overwhelming if you don’t know what you are looking for. This is why I recommend starting your investigation first and then going back to the timeline to find what you might have missed.
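The normalisation that makes a super timeline possible, as an added example that is not part of the original chapter and not log2timeline’s code. Each artifact type on the list above stores time differently: NTFS and .LNK files use FILETIME (100-nanosecond ticks since 1601), Chrome history uses WebKit microseconds since 1601, and exported event logs carry ISO timestamps with a local offset. The block converts five constructed artifacts to UTC, sorts them into one timeline, and then pulls the window around a pivot time, which is the "start your investigation first, then go back to the timeline" workflow the Note recommends. The artifacts, paths and event text are constructed; the epoch conversions are the real ones.

```python
from datetime import datetime, timedelta, timezone

# Seconds between the 1601-01-01 epoch (FILETIME, WebKit) and Unix time.
EPOCH_1601_TO_UNIX = 11644473600


def filetime_to_utc(ft):
    """NTFS FILETIME: 100-ns ticks since 1601-01-01 UTC ($MFT, .LNK, prefetch)."""
    seconds, ticks = divmod(ft, 10_000_000)
    base = datetime.fromtimestamp(seconds - EPOCH_1601_TO_UNIX, tz=timezone.utc)
    return base + timedelta(microseconds=ticks // 10)


def webkit_to_utc(us):
    """Chrome history: microseconds since 1601-01-01 UTC."""
    seconds, micro = divmod(us, 1_000_000)
    base = datetime.fromtimestamp(seconds - EPOCH_1601_TO_UNIX, tz=timezone.utc)
    return base + timedelta(microseconds=micro)


def iso_to_utc(s):
    """ISO-8601 with offset (exported event logs, syslog); a trailing Z is accepted.
    Naive timestamps are refused: you must know the system's time zone first."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("naive timestamp; supply the system's time zone first")
    return dt.astimezone(timezone.utc)


CONVERTERS = {"filetime": filetime_to_utc, "webkit": webkit_to_utc, "iso": iso_to_utc}

# Constructed artifacts: (source, (timestamp kind, raw value), description).
CONSTRUCTED_ARTIFACTS = [
    ("FILE", ("filetime", 130068810000000000), "$SI created C:\\Users\\jsmith\\Downloads\\setup.exe"),
    ("FILE", ("filetime", 130068828000000000), "$SI modified C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ("EVT", ("iso", "2013-03-04T09:01:00-06:00"), "System 7045: a service was installed (svchelper)"),
    ("WEBHIST", ("webkit", 13006882950000000), "chrome visit http://fileshare.example/upload"),
    ("LNK", ("filetime", 130068829800000000), "hosts.lnk last accessed"),
]

FMT = "%Y-%m-%d %H:%M:%SZ"


def build_timeline(artifacts=CONSTRUCTED_ARTIFACTS):
    """Normalise every artifact to UTC and return rows sorted by time:
    (utc string, source, description)."""
    rows = []
    for source, (kind, raw), desc in artifacts:
        when = CONVERTERS[kind](raw)
        rows.append((when.strftime(FMT), source, desc))
    rows.sort()  # the fixed-width UTC string sorts chronologically
    return rows


def events_between(rows, start_iso, end_iso):
    """Slice the timeline around a pivot found in your primary analysis."""
    start = iso_to_utc(start_iso).strftime(FMT)
    end = iso_to_utc(end_iso).strftime(FMT)
    return [r for r in rows if start <= r[0] <= end]


if __name__ == "__main__":
    timeline = build_timeline()
    for row in timeline:
        print(*row)
    print("--- around the hosts-file change ---")
    for row in events_between(timeline, "2013-03-04T15:00:00Z", "2013-03-04T15:05:00Z"):
        print(*row)
```

Sorted together, the hosts-file modification, the service install event, the browser visit and the .LNK access fall inside five minutes of each other, which is exactly the kind of cluster that is invisible while each artifact sits in its own tool.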
We’ve Covered
This chapter is your first look into the breadth of investigations that await you and how to determine what to do next. The industry has come to be known as Digital Forensics and Incident Response (DFIR) because the spectrum of cases an examiner could work on continues to grow. No matter what type of case we are working, we all use the same forensic artifacts to make our conclusions, so the next chapters will help you with your work regardless of what case you end up on.
Determining what type of investigation is required
 
•   Understanding the differences between the most common cases
•   Understanding the goals of each type of common investigation
What to do when criteria causes an overlap
 
•   How to combine your forensic methods for a case that crosses boundaries
•   How to segregate your results for easy review and tracking
What to do when no criteria matches
 
•   How to find out where the evidence exists
•   When to bring in a super timeline