Forensics By Choice, Not Chance

In this article, I talk briefly about security incident investigators, their training and their role within an organization. Some regulations and standards require proper training of security incident investigators. ISO/IEC 17799 clarifies the need for trained security investigators when it states "When an information security event is first detected, it may not be obvious whether or not the event will result in court action."

Let's talk for a moment about the initial detection of a possible security event. Who normally suspects or discovers it? Nearly always, the breach will be noticed either by an end user or a member of the Information Technology (IT) staff. I'll not spend time talking about end user training except to say that end users must be trained to notify a member of the IT staff immediately any time that something doesn't appear "right" with their machine - and take no other action. We do not want or need well-meaning but inept end users "assisting" us in gathering evidence. The IT staff should respond immediately to reports of suspected breaches and should be able to determine quickly if a possible security incident has occurred. Once confirmed, the matter is turned over to security investigators for further action.

This works well in large organizations that can afford to pay a full time team of lawyers and forensics technicians to respond to incidents. Everyone may agree on the need for proper preservation and collection of evidence, but not everyone may be able to afford (or even want to pay) a full time response team. What’s the solution for a cost-conscious institution? Enter the “First Responder.”

What is a First Responder? A First Responder is not a lawyer, but is trained in the pertinent legal areas that govern how they preserve and collect potential evidence. They may not be vendor-certified network administrators (although that is a distinct advantage that we will discuss later), but they are trained in the use of tools and techniques to collect and analyze evidence without destroying its legal value. Their training permits them to provide expert technical testimony at cyber crime trials. Most importantly, they are part of your existing staff. For them, security incident investigation is an “additional duty”, but an additional duty for which they have been uniquely trained. If the situation warrants, the First Responder has the training to implement proper procedures for evidence preservation and collection in a forensically sound and legally sufficient manner. If the investigation comes to involve law enforcement agencies, the First Responder’s training will allow a smooth transition of the evidence to law enforcement without a break in the chain of custody. All of these attributes give the First Responder’s employer a “leg up” in the courtroom.

As a guest speaker for the International Council of E-Commerce Consultants (EC Council) "Hacker Halted" International Security Conferences, I have spoken to audiences in Dubai, Mexico City, Singapore and the United States on the risks and preventions for financial, government and retail organizations. The consensus of attendees is that the defendant is not the only accused party at a cyber crime trial. Defense attorneys also put the security incident investigator and the victim company’s policies and procedures on trial in order to obtain an acquittal for their client. The victim company must convince a judge, jury, or both, that records containing purported evidence of an intrusion are admissible in a court of law and that the programs used to produce those records are “reliable.” Investigators and first responders must present independent, corroborative evidence that they are properly trained and meticulously followed that training during the investigative process to produce admissible evidence. If not, they will be unable to convince a judicial body that their actions did not contaminate evidence or break the chain of custody.

It makes sense, therefore, that first responder candidates should be chosen from the ranks of the IT staff. These individuals have probably received vendor certified training on the myriad of details necessary to operate, maintain and secure the applications and operating systems used in the organization. They are probably familiar with the layout of the network (topology) and can more accurately determine if a suspected incident is really a cause for alarm or just a network aberration. As a First Responder, their training allows them to articulate the specifics of why they performed certain actions. They are somewhat immune to defense attacks on their credibility as a witness because they have been trained not only on forensic procedures, but also on the intricacies of the operating systems from which they have collected the evidence. Using a trained First Responder for evidence collection will help the victim company convince a court to admit the collected evidence even when the company doesn’t employ a full time lawyer or forensic technician on staff.

What training should a First Responder receive? Obviously, First Responders should be trained in the legal areas that authorize and dictate their actions. First Responders within the United States should have a fundamental understanding of the 4th and 5th Amendments to the US Constitution, US (or home country) statutory laws relating to monitoring and collection, and Rules of Evidence. They should also receive extensive training on the computer investigation process, forensic techniques for various file and operating systems, and how to acquire and duplicate data without compromising the original copy. Because evidence may sometimes be hidden inside other data, they should be trained in image file forensics and steganography. They should be familiar with forensic techniques for not only computers, but also routers, firewalls, mobile and PDA devices. Their comprehension of the material should be measured by rigorous testing and the training itself should be proctored and administered by an accredited body. The EC Council’s Computer Hacking Forensics Investigator (CHFI) certification is one example of such training. The witness stand is no place to tell the court your security incident investigator trained by reading a “Dummies” book. (No offense to the authors of these wonderful “References for the Rest of Us”).

The security investigator’s role in the organization can only be understood by first looking at the part security investigations should play in the grand scheme of network security. Network security is often referred to as a triad consisting of vulnerability assessment and risk management, network intrusion detection and incident response, and computing investigations and forensics.

As with any triad, the closer you get to one apex of the triangle, the further you get from the other two. Most organizations now understand the value of vulnerability assessments, risk management, network intrusion detection and incident response. They have implemented policies and procedures to integrate these important areas into everyday business operations. This balance is represented by the position of the ball in the diagram. Computing investigations and forensics, however, are usually dealt with on a reactive basis: they are considered only after an incident occurs. The trained First Responder can help the organization move the ball into the “sweet spot” at the center of the triangle by serving as a policy and procedural consultant to the organization. He or she can advise the organization on how to revise documentation to adhere to the Rules of Evidence. While this may not seem very important at first glance, consider the following: You have a warning banner configured on your network to advise employees that their activities may be monitored. Is the banner sufficient to meet the burden of consent under 18 U.S.C. § 2511(2)(c), “…where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception…”? I’m not going to give you the answer. Ask your First Responder or security investigator!

First Responders make sense in an environment that may not be able to afford full time legal and forensics staffing. They should be recruited from existing staff who have an in-depth knowledge of the organization’s network environment. They should receive training from an accredited body on the wide variety of subject matter essential to successful forensic investigation. They should not be used only for investigation, but also as a policy and procedural resource to aid the employer in preparing for a successful future trip to the courtroom.


About the Author

Larry Detar, CEH|I, CISSP, LPT, MCSE

Larry Detar is an IT Security Manager with Clifton Gunderson LLP, Southwest Client Service Center. He plans, implements, and conducts network data security and general Information Systems controls reviews including vulnerability assessments and penetration testing. Larry has worked in the Information Technology industry for over 22 years, 14 of which were with the United States Army Military Intelligence Corps. He instructs Ethical Hacking and Countermeasures courses for the EC Council and is a Licensed Penetration Tester, Microsoft Certified Systems Engineer and former Microsoft Certified Trainer. He has spoken before the National Association of Federal Credit Unions (NAFCU), the Credit Union Internal Auditors Association (CUIAA) and numerous Credit Union leagues. A member of the International Council of E-Commerce Consultants, he was a guest speaker at H@cker Halted International Security Conferences in Mexico City, Singapore and Dubai, U.A.E. on the subjects of data security, network defense and social engineering.