Tuesday, July 23, 2013
Enterprise IT Forensic Process - Analysis
In the last two months, I have talked about the first two processes - Approval and Acquisition. Now let's move on to the next process - Analysis.
You may have heard of PPT - People, Process and Technology. While Approval and Acquisition are more about Process and Technology, Analysis is really about People. No matter how good your processes or technologies are, without the "People" factor they would not yield much tangible outcome. One needs very good analytical skills and adequate experience to be a good forensic examiner. One gains experience by doing more forensics in different scenarios, solving more technical issues etc. Bottom line, it's all about experience.
Nevertheless, there is one absolutely crucial element of the Analysis process. Even the most experienced forensic examiner needs to have this prior to any investigation:
Knowing what to look for - You can't find anything if you don't know what to look for. For example, one cannot just tell the police to look for a "murderer" in a big shopping complex. The police would need a more detailed description of the murderer - male or female? Hair colour? What type of clothes? etc. It is the same in IT forensics: one cannot just throw a laptop at a forensic examiner and tell him/her to look for something criminal on it. It needs to be more specific than that. For example, "look for any trace of child pornography on this laptop" is specific.
This information about "what to look for" shall be obtained prior to the Approval process; ideally it should be part of the Request for Investigation.
Once you know what to look for, the next steps will be:
How to look for it - There is no fixed procedure or formula for this. It really depends on the situation and is decided case by case. This is where one's experience really makes a hell of a lot of difference. However, as a start, in most cases a forensic investigator or examiner can use a forensic tool such as EnCase or FTK to search for relevant keywords. The search results give more hints or clues on what or where to look deeper. In a nutshell, here are the basic steps:
1. Develop basic keywords
2. Perform search based on those keywords
3. Review search results
4. Refine keywords or develop new keywords
5. Repeat 2 - 4 until tangible results are obtained.
6. Mark, note or extract the relevant evidence for reporting later.
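The six steps above, carried out as a small script rather than inside EnCase or FTK. This is an added example and not part of the original post: the "laptop" is a constructed dictionary of three made-up files, the starting keywords are invented for the competitor-leak scenario, and the refinement rule (pick up host names or mail domains near each hit as new keywords) is one simple choice among many a real examiner would make.

```python
import re
from dataclasses import dataclass

# Constructed sample of file contents pulled from a (hypothetical) laptop image:
# path -> text. These are made up for the example, not real case data.
CORPUS = {
    "Documents/notes.txt": (
        "Meeting notes.\n"
        "Sent the Q3 pricing sheet to rival.example as agreed.\n"
        "Lunch at noon."
    ),
    "Mail/sent/0012.eml": (
        "To: jdoe@rival.example\n"
        "Subject: pricing sheet\n"
        "Attached the confidential pricing sheet."
    ),
    "Documents/todo.txt": "buy milk\nrenew parking",
}

@dataclass(frozen=True)
class Hit:
    path: str
    line_no: int
    keyword: str
    line: str

def keyword_search(corpus, keywords):
    """Step 2: case-insensitive literal search; one Hit per (line, keyword)."""
    hits = []
    for path, text in corpus.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kw in keywords:
                if re.search(re.escape(kw), line, re.IGNORECASE):
                    hits.append(Hit(path, line_no, kw, line))
    return hits

# Host names / mail domains seen near a hit are good candidates for new keywords.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+\.[a-z]{2,}\b", re.IGNORECASE)

def refine_keywords(corpus, hits, keywords, window=1):
    """Steps 3-4: review the lines around each hit and propose new keywords."""
    known = {k.lower() for k in keywords}
    proposed = set()
    for hit in hits:
        lines = corpus[hit.path].splitlines()
        lo = max(0, hit.line_no - 1 - window)
        hi = min(len(lines), hit.line_no + window)
        for line in lines[lo:hi]:
            for domain in DOMAIN_RE.findall(line):
                if domain.lower() not in known:
                    proposed.add(domain.lower())
    return sorted(proposed)

def iterative_search(corpus, keywords, max_rounds=5):
    """Step 5: repeat search -> review -> refine until no new keywords appear.
    Returns one (keywords, hits) tuple per round."""
    keywords = list(keywords)
    rounds = []
    for _ in range(max_rounds):
        hits = keyword_search(corpus, keywords)
        rounds.append((list(keywords), hits))
        new_keywords = refine_keywords(corpus, hits, keywords)
        if not new_keywords:
            break
        keywords.extend(new_keywords)
    return rounds

def mark_evidence(hits):
    """Step 6: collapse hits per location and give each an evidence ID for the report."""
    by_location = {}
    for hit in hits:
        by_location.setdefault((hit.path, hit.line_no), set()).add(hit.keyword)
    return [
        {"id": f"EV-{n:03d}", "path": path, "line": line_no, "keywords": sorted(kws)}
        for n, ((path, line_no), kws) in enumerate(sorted(by_location.items()), start=1)
    ]

if __name__ == "__main__":
    rounds = iterative_search(CORPUS, ["pricing sheet", "confidential"])
    for n, (kws, hits) in enumerate(rounds, start=1):
        print(f"round {n}: keywords={kws} hits={len(hits)}")
    for item in mark_evidence(rounds[-1][1]):
        print(item)
```

Round one finds the two starting keywords; the review step notices the domain `rival.example` next to those hits, round two adds it as a keyword and surfaces the outgoing mail header, and the loop stops once a round proposes nothing new. The point of the loop is that the examiner decides which proposals become keywords; the script only makes the review step repeatable.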
Of course, the above approach may not always be valid or applicable. For example, if you are investigating a DoS attack, you'll need a completely different approach. Using EnCase or FTK to review firewall, router and web server logs is not effective, and I would say it doesn't even make sense to do so. For this, manual review of the logs with some customised filtering scripts is the best way forward. Needless to say, every investigator has his/her own favourite tools and methods.
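The kind of customised filtering script the paragraph has in mind for the DoS case, as an added example that is not from the original post. The access log is constructed (Apache combined format, documentation IP ranges, one deliberately corrupt line), and the rule it applies, flag any source that reaches a request threshold within a fixed time window and list the paths that absorbed the traffic, is a starting point for the manual review, not a verdict.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed web server access log (Apache combined format). Made up for the
# example: two sources hammer /login within one minute, one ordinary client
# browses normally, and one line is corrupt.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:10:00:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.7 - - [10/Mar/2013:10:00:06 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.7 - - [10/Mar/2013:10:00:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.7 - - [10/Mar/2013:10:00:08 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.7 - - [10/Mar/2013:10:00:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
192.0.2.20 - - [10/Mar/2013:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
corrupt entry that does not parse
192.0.2.20 - - [10/Mar/2013:10:01:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Only the fields this review needs: source, timestamp, request path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def parse_log(text):
    """Parse a whole log, silently skipping unparseable lines (count them separately if needed)."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]

def requests_per_window(records, window_seconds=60):
    """Count requests per source IP within fixed, aligned time windows."""
    windows = defaultdict(Counter)
    for r in records:
        key = int(r["ts"].timestamp()) // window_seconds
        windows[key][r["ip"]] += 1
    return windows

def flag_sources(records, window_seconds=60, threshold=5):
    """Sources that reach `threshold` requests in any one window, with their peak count."""
    flagged = {}
    for counts in requests_per_window(records, window_seconds).values():
        for ip, n in counts.items():
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged

def top_paths(records, n=3):
    """Which URLs absorbed the traffic; tells you what to rate-limit or cache first."""
    return Counter(r["path"] for r in records).most_common(n)

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("parsed:", len(records))
    print("flagged sources:", flag_sources(records))
    print("top paths:", top_paths(records))
```

The threshold and window are deliberately parameters: against a real log you tune them per application, and you re-run the same script against the firewall and router logs with a different `LINE_RE`. Flagged addresses are a lead for the review, not an attacker list; as the December post on this blog points out, the sources seen are usually compromised machines.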
Saturday, June 8, 2013
Enterprise IT Forensic Process - Acquisition
Last month, I talked about the first process in the Enterprise IT Forensic Process, which is the Approval process. Today, I shall proceed to talk about the next process - Acquisition.
What is acquisition? In a nutshell, it means collecting the evidence. Sounds easy, right? Not really. There are many things that need to be considered, especially if there is a high chance that the investigation will lead to a legal case.
Now, what is meant by collecting evidence "in a forensically sound manner"? Basically:
1. Ensure that evidence intake is done legally (refer to my last piece on the "Approval" process).
2. The evidence's chain of custody is well documented and preserved.
3. Ensure that tampering with the evidence is not possible during collection, transfer, analysis and storage of the evidence.
4. All forensic activities are well documented and traceable.
I would say a) Evidence Intake and b) Evidence Chain of Custody are the two key sub-processes within the Acquisition process. Furthermore, there are two principles that I always apply:
1) Four Eyes Principle - ensuring that there is always a witness around
2) Bag and Tag - ensuring that evidence is properly labelled, sealed and its movements are recorded.
a) Evidence Intake:
Basically, this refers to how the evidence is collected or taken into custody.
Let's imagine a simple and basic scenario - a forensic investigator is tasked to collect a laptop from the IT department (data custodian) for forensics.
What does the forensic investigator need to prepare beforehand?
Tools:
1. A camera or a phone with a decent camera - it is always a good idea to photograph everything before you touch the evidence.
2. Evidence Intake and Custody form:
a) To record the information of the to-be-taken evidence
b) This form also serves as an acknowledgement of transfer/receipt of evidence. Both the investigator and the custodian shall sign it (Four Eyes Principle).
3. Waterproof envelope to "bag" the evidence
4. Sticker to "tag" (label) the evidence
General Steps:
1. First, take photos of the evidence. Important info such as serial number, model, brand etc. shall be clearly photographed.
2. Fill in the form and record as many details as possible, e.g. the model of the laptop, serial no., HDD size, its condition etc.
3. Label the evidence (Tag) with a unique ID (you shall already have this ID beforehand!).
4. Put the evidence into the envelope and seal it (Bag).
5. Label the sealed envelope (Tag).
6. Sign the form and ensure that the data custodian countersigns as well (Four Eyes Principle). Once both parties have signed, custody of the evidence is with the investigator.
7. The investigator can now proceed to his lab and start the forensic analysis (which shall also be done in a forensically sound manner).
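The intake form and custody record from the steps above, modelled as data so that the two principles can be checked mechanically. This is an added example, not part of the post: the post describes a paper form, the names, evidence ID and seal number below are made up, and the SHA-256 fingerprint at the end is my addition (the post's list item 3 asks that tampering be impossible during transfer and storage; for acquired data the usual way to demonstrate that is a digest recorded at intake and re-checked later).

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class EvidenceItem:
    evidence_id: str        # unique tag assigned before intake (step 3)
    description: str        # model, serial no., HDD size, condition (step 2)
    photos: tuple           # file names of the photographs taken first (step 1)
    seal_no: str            # number on the sealed envelope label (steps 4-5)

@dataclass(frozen=True)
class Transfer:
    from_party: str
    to_party: str
    released_by: str        # signature of the person handing over
    received_by: str        # counter-signature of the person receiving (step 6)
    purpose: str
    when: datetime

class CustodyLog:
    """Chain of custody for one item: every hand-over is a signed, linked entry."""

    def __init__(self, item, initial_custodian):
        self.item = item
        self.custodian = initial_custodian
        self.transfers = []

    def record_transfer(self, to_party, released_by, received_by, purpose, when=None):
        # Four Eyes: release and receipt must be signed by two different people.
        if released_by == received_by:
            raise ValueError("four-eyes rule: releasing and receiving signatures must differ")
        entry = Transfer(self.custodian, to_party, released_by, received_by, purpose,
                         when or datetime.now(timezone.utc))
        self.transfers.append(entry)
        self.custodian = to_party
        return entry

def verify_chain(initial_custodian, transfers):
    """Check a chain reconstructed from forms: each hand-over starts where the previous
    one ended, and every entry carries two different signatures. Returns (ok, problems)."""
    problems = []
    holder = initial_custodian
    for i, t in enumerate(transfers, start=1):
        if t.from_party != holder:
            problems.append(f"entry {i}: gap, {holder} held the item but {t.from_party} released it")
        if t.released_by == t.received_by:
            problems.append(f"entry {i}: single signature, four-eyes rule violated")
        holder = t.to_party
    return (not problems, problems)

def image_digest(data):
    """Integrity fingerprint of acquired data; write it on the form at intake."""
    return hashlib.sha256(data).hexdigest()

def integrity_intact(recorded_digest, data):
    """Re-check before analysis and again before storage/reporting."""
    return image_digest(data) == recorded_digest

def build_sample_chain():
    """Constructed walk-through of the laptop scenario (names and IDs are made up)."""
    laptop = EvidenceItem(
        "EV-2013-0042",
        "Vendor X laptop, S/N ABC123, 320 GB HDD, screen scratched",
        ("IMG_0001.jpg", "IMG_0002.jpg"),
        "SEAL-7781",
    )
    log = CustodyLog(laptop, initial_custodian="IT Department")
    log.record_transfer("Investigator", released_by="A. Custodian",
                        received_by="B. Investigator", purpose="intake for forensic analysis")
    log.record_transfer("Forensic Lab Safe", released_by="B. Investigator",
                        received_by="C. Lab Clerk", purpose="storage pending imaging")
    return log

if __name__ == "__main__":
    log = build_sample_chain()
    print("current custodian:", log.custodian)
    print("chain ok:", verify_chain("IT Department", log.transfers))
```

`verify_chain` is the part worth keeping: when the remote-intake scenario the post promises next comes along, the forms arrive from several people and the question is whether they join up without a gap, which is exactly what the continuity check reports.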
That's it for a simple scenario. How about a more complex one? For example: evidence intake is to be done by a representative in a remote location, then the evidence is shipped to the head office and handed over personally to the investigator. As you can imagine, the evidence intake and chain of custody process will be much more complex. So, stay tuned for the next piece!
Sunday, May 12, 2013
Enterprise IT Forensic Process - Approval
Last March (2012), I wrote a piece about the key processes for IT forensics in an enterprise environment. Let's do a bit of a recap. There are 5 key processes - Approval, Acquisition, Analysis, Reporting and Disposal.
Today, I'm going to dive into more details on the first process - Approval.
Approval is the most important process. We don't want to do something that is illegal, right? Therefore, this process ensures that the investigation and forensic activities are legal in every respect, i.e. under both the company's policy and the law.
Normally, the process starts when a Request for Investigation (RFI) is raised by someone within the company (referred to as the Requestor hereafter). Naturally, the obvious next step is for the Investigator to discuss the RFI in detail with the Requestor. The following questions shall be discussed and agreed:
Who shall approve this investigation?
As each request is normally unique, it cannot be predetermined who the approver shall be. However, typically the following persons/roles should be part of the approval list:
a) A person who can confirm that the investigation is allowed from the employment contract's perspective, e.g. Head of Human Resources
b) A person who can confirm that the investigation is allowed from the country's legal perspective, e.g. Head of Legal
c) A person who can confirm that data belonging to the subject (or suspect) is allowed to be transferred and examined by the Investigator, e.g. Head of Data Protection
d) A person who has direct disciplinary authority over the subject, e.g. the subject's direct manager
e) In some countries, e.g. Germany where the Workers Council is strong, their approval may be needed as well
f) Your boss. He has to approve from the resource allocation perspective :)
Who shall be the driver to gather all these approvals?
It is in the Requestor's best interest for the investigation to be approved. Therefore, the Requestor shall be primarily responsible for gathering all the needed approvals. The Investigator could, to a certain extent (due to resource limitations etc.), provide support as well.
Another reason to have the Requestor take the lead role is to avoid "misuse" of the RFI. As an investigator, I'm sure you don't want to be running around chasing approvals whenever an RFI is raised to you :) .
We know we will get the approval; to save time, could we start collecting evidence in parallel?
NO. You shall not do that. Never collect or acquire evidence before you have all the green lights, no matter how strong the pressure is. Just like the police shall never search a place without a warrant.
Is email approval accepted?
I would say yes, provided that the email is digitally signed with a valid user certificate from your organisation's PKI infrastructure. A digitally signed email ensures non-repudiation.
Tuesday, April 9, 2013
Hack in the Box Amsterdam 2013
Today marks the end of the first part - Tech Training. Yesterday was pretty smooth but today was a different story.
The "TECH TRAINING 6 – RECENT ADVANCES IN IPV6 INSECURITIES" guys were trying to prove their points and they did succeed, a few times in fact. Therefore, the network was unstable almost the whole day and at some points not working at all. The WiFi APs suffered as well. Nevertheless, the network team did try their best to manage it.
(Photo: Yes. That's the routers.)
However, I was informed that the exploited vulnerability (a buffer overflow) is not something they can just fix on the fly (they would if they could), as it is in third-party software, something they don't have control over. I was also tipped that Marc (the trainer) will tell more soon, so stay tuned to his site - thc.org
Tomorrow is the most important day. It is the official opening of the HITB AMS 2013 Security Conference, and the keynote speaker is the CISO of RSA, Edward Schwartz. The keynote speaker for the second day is Bob Lord, CISO of Twitter.
BTW, we are still setting it up...
(Photo: Gateway to ComSec Village)
Saturday, March 9, 2013
5 Key Processes in Enterprise IT Forensic
As Information Security Professionals, I'm sure many of us have been approached by management to perform IT/digital forensics.
Cases such as a manager suspecting his employee of feeding secret company info to a competitor, a dude claiming that a colleague has child pornography material on his laptop, or HR wanting to pursue a case against an employee for breaching company policy etc. are not uncommon to us. Most of the time, the laptop of the suspect will just be thrown into our lap and we are expected to perform forensics and search for evidence asap.
I mentioned in my previous piece that IT forensics must not only be carried out in a forensically sound manner, it must also be done legally. What's at stake is not only winning the legal case but also our ass. In some countries such as Germany, and other EU countries in general, one cannot simply access others' data without the owner's consent or proper approval. Performing forensics without proper clearance is a criminal offence which could invite hefty jail time.
Enough talking. So, what are the key processes for IT or digital forensics in an enterprise? If you google it, you will find a lot of useful information here and there, but the principles are roughly the same. For me, I'll just stick to these 5 key processes:
Monday, February 4, 2013
Why it is crucial to perform IT or computer forensic in a forensically sound manner?
One does not need to be a CSI fan to know that before a search can be performed, law enforcement needs a warrant to enter a premises. At a crime scene, it is crucial for law enforcement to properly handle the evidence to avoid tampering or contamination. The same principles apply when it comes to IT/computer forensics. This story will show you why....
The story begins like this: an information security chap was invited to an emergency meeting to discuss the potential dismissal of an employee who was suspected of breaching the company's policy. The meeting was called by a senior manager who was the department head of the suspected employee.
Mr. Senior Manager: Ladies and gentlemen, thank you for coming to this meeting. I'm sorry for the short notice, but let me assure you that this can no longer wait. Let me bring you up to speed. Two weeks ago, we suspected that Mr. White was involved in a fraud. Upon our investigation, we managed to find evidence that linked him to the fraud. I would like to thank our Miss System Admin here. Great job! Now we shall discuss how we can proceed to dismiss this employee as soon as possible.
Information Security chap: Thank you for letting me know now. Before we proceed, may I ask Miss System Admin, how did you perform the investigation and how did you gather that evidence?
Miss System Admin: I was approached by Mr. Senior Manager here a couple of weeks ago. He asked if I could connect to Mr. White's PC, access his files remotely, copy out all the files and perform analysis. Of course I can do that. I'm the system admin, right? I have admin rights that allow me to connect to everywhere. So, I did exactly what was asked. I copied all his files and emails to my laptop, then I went through them on my laptop.
Information Security chap: I see. And I assume that you got all the approvals to do so.....
Miss System Admin: I think so. It was Mr. Senior Manager who asked me to do it, since he is the boss of the suspect. Therefore, there is no problem, right?
Mr. Senior Manager: Yes, I asked her to do it.
Information Security chap: < *starting to worry...* > Mr. Senior Manager, you did check with HR, legal, data protection etc. before you proceeded, right?
Mr. Senior Manager: Nope. Should I? I'm his boss, I think I have the right to do so.
Information Security chap: Hmm... now things just got very complex. We may not be able to dismiss that employee. Not before fighting a tricky legal battle. I'm not a legal expert, but should Mr. White decide to take this to court, I'm pretty sure we would lose the lawsuit on technical grounds. Not only that, you and Miss System Admin here might be incriminated as well.
Mr. Senior Manager: What are you saying exactly?
Tuesday, January 8, 2013
Yahoo Mail is now fully HTTPS. This is how to turn it on.
Some would argue that Gmail has had it implemented since the day it was launched years ago. Anyway, it's still good news to us. Yahoo is doing all the right things after recruiting their new CEO Marissa Mayer from Google. In case you missed it, the recently updated Yahoo Mail interface is also better, faster and simpler to use.
Why HTTPS? In layman's terms, to protect your email session from malicious eyes. It's the same reason you want your internet banking to be over HTTPS. Want to know more about HTTPS? Check out the wiki :)
So, how do you turn on HTTPS in Yahoo Mail? It's pretty simple actually. Go to Mail Options, scroll down and tick the box. See below:
Friday, December 7, 2012
Counter CyberCrime - Do not challenge the hackers
I'm pretty sure many organisations have faced cyber-attacks before. Some organisations might think of getting "revenge" on the attacker. It could be a good idea, but it could also be a totally bad idea, depending on how you do it.
This is a story about why it's a bad idea, if you do it this way......
Few months ago, in that XYZ company.....
Business Owner guy: How come my users can't access this application at all? I have got emails, phone calls from everywhere, complaining!
IT Supplier chap: Mr. Business Owner sir, our Network Operation Center (NOC) just confirmed that the application is currently under DDoS attack. Our ISP and NOC are trying their best to mitigate the attack.
Business Owner guy: What? How dare they attack us. Do we have any information who is doing this to us? Can we track them?
Information Security lad: Not easy to trace. Most certainly those machines or IP addresses that we have seen attacking us are zombies or compromised machines that are part of a botnet. I'm afraid the real attacker is a few more layers behind those compromised machines.
IT Supplier chap: We do have a solution to mitigate this attack. There is this Company P that provides protection against DDoS. It would cost us 10K EUR to use their service. From what we are seeing now, the attacks are not going to stop anytime soon and it will only get worse. Hence, it's just a matter of time before our whole network is completely brought down by it. We should engage this DDoS protection service immediately.
Business Owner guy: Ok. Let's do it. You have my approval to proceed.
2 hours later. After the solution has been implemented....
IT Supplier chap: Good news folks. The attacks have subsided. It was the right call to engage that company.
Business Owner guy: Great! But I'm still not very happy. I want whoever is behind this attack punished. I want them to know that they are messing with the wrong guy. I have contacted my friend in law enforcement and opened an official case. Not only that, I will call a press conference to tell whoever is behind this that we are coming after them and that they are messing with the wrong people.