Digital Evidence and Computer Crime, Second Edition
15.2 Identification
Recall that the cybertrail is bi-directional. When dealing with a computer as a source of evidence, the crime scene search generally leads to a connected network and ultimately the Internet. Conversely, when digital investigators find digital evidence on the Internet, their search often leads them through a smaller, private network (e.g. ISP, employer, and home networks) to an individual computer. These search areas are depicted in Figure 15.1 with a dashed line between the Internet and the smaller, private network because the division between the two is not always clearly defined. For example, corporate networks often have internal servers that are used to share information within the organization and these servers are sometimes accessible to employees via the Internet.
Given the amount of information that can exist in any of these areas, it is necessary to have a method of quickly locating systems that contain the most useful digital evidence. The first phase is to seek the end-points and intermediate systems such as switches, routers, and proxies. These systems can contain digital evidence that helps establish the continuity of offense and gain a more complete understanding of the crime. For example, log files on an e-mail server used to send harassing e-mail can provide a more complete view of the harasser's activities than a single message. Additionally, intermediate systems like routers and switches may generate detailed logs of network activity, which leads to the second phase. The second phase is to seek log files that provide an overview of activities on the network, such as packet logs from traffic monitoring systems, traffic logs from Argus probes, NetFlow logs from routers, and alert logs from intrusion detection systems. These network level logs are very useful for determining what occurred and which other systems on the network might be involved. For example, when investigating an intrusion into one computer, network level logs may reveal that the same intruder targeted several other systems. The third phase is to look for supporting systems such as authentication servers and caller-id systems that can help attribute online activities to an individual. In practice, these three phases are conducted simultaneously since, in some instances, the second and third phases may lead to other intermediate system or end-points. This three-phase approach is useful for focusing the search for digital evidence on a network to reconstruct the crime (recall Figure 4.5).
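The three phases above can be worked through as a small triage script. The following is an added example, not code from the book: the IDS alert, NetFlow-style records and authentication-server records are all constructed, and the field layouts are assumptions rather than the export format of any particular product. Phase 1 starts from the compromised end-point named in the alert, phase 2 pivots through the network-level records to find the other systems the same source touched, and phase 3 ties the source address to an account at the time of interest. The address is deliberately reused by a second account later in the day, so attribution only works when it is done against the right time.

```python
"""Worked triage across the three phases, on constructed sample records."""
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps used below."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed IDS alert (phase 1): the end-point that started the investigation.
IDS_ALERT = {"time": "2003-04-02 03:11:20", "src": "203.0.113.77",
             "dst": "10.1.5.20", "sig": "suspicious SMTP command sequence"}

# Constructed NetFlow-style records (phase 2): start, src, dst, dst port, bytes.
NETFLOW = [
    ("2003-04-02 03:10:58", "203.0.113.77", "10.1.5.20", 25, 18400),
    ("2003-04-02 03:15:03", "203.0.113.77", "10.1.5.21", 25, 17900),
    ("2003-04-02 03:16:40", "203.0.113.77", "10.1.7.9", 22, 2300),
    ("2003-04-02 03:20:12", "10.1.5.20", "203.0.113.77", 6667, 900),
    ("2003-04-02 09:02:00", "198.51.100.5", "10.1.5.20", 80, 5100),
]

# Constructed authentication-server records (phase 3): login, logout, account,
# address assigned to the session. The same address is reused by a second
# account later in the day, so attribution must be done against the right time.
AUTH_LOG = [
    ("2003-04-02 02:58:00", "2003-04-02 03:40:00", "jdoe", "203.0.113.77"),
    ("2003-04-02 08:30:00", "2003-04-02 10:00:00", "asmith", "203.0.113.77"),
]

def pivot_on_source(flows, src, around, window=timedelta(hours=1)):
    """Phase 2: destinations the source address contacted within +/- window of the alert."""
    lo, hi = around - window, around + window
    hits = defaultdict(list)
    for start, s, d, dport, nbytes in flows:
        if s == src and lo <= ts(start) <= hi:
            hits[d].append((start, dport, nbytes))
    return dict(hits)

def callbacks_from(flows, host, around, window=timedelta(hours=1)):
    """Phase 2, other direction: outbound connections made by the compromised host."""
    lo, hi = around - window, around + window
    return [(start, d, dport) for start, s, d, dport, _ in flows
            if s == host and lo <= ts(start) <= hi]

def attribute(auth_log, ip, at):
    """Phase 3: the account that held the address at the instant of interest, or None."""
    for login, logout, user, addr in auth_log:
        if addr == ip and ts(login) <= at <= ts(logout):
            return user
    return None

def triage(alert, flows, auth_log):
    """Run the three phases from one alert and return the leads found."""
    at = ts(alert["time"])
    contacted = pivot_on_source(flows, alert["src"], at)
    other_victims = sorted(d for d in contacted if d != alert["dst"])
    return {
        "compromised": alert["dst"],
        "other_victims": other_victims,
        "callbacks": callbacks_from(flows, alert["dst"], at),
        "account": attribute(auth_log, alert["src"], at),
    }

if __name__ == "__main__":
    for k, v in triage(IDS_ALERT, NETFLOW, AUTH_LOG).items():
        print(f"{k}: {v}")
```

On the constructed data the pivot turns up two further internal hosts contacted from the same source within an hour of the alert, an outbound IRC-port connection from the compromised host back to that source, and the account that held the dial-up address at the time; querying the same address six hours later returns a different account, which is the trap that the third phase exists to avoid.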
The process of tracking an intruder provides a simple example of following the cybertrail, establishing the continuity of offense, and ultimately apprehending the offender.
CASE EXAMPLE
An investigator examines a compromised machine and determines the source and method of attack. By locating other systems compromised using the same modus operandi and by monitoring network traffic to the compromised machines, the investigator determines where the intruder is connecting from. The investigator contacts the ISP, instructs them to preserve the related evidence on their systems, and obtains a search warrant. It transpires that the intruder is using a stolen dial-up account. Fortunately, the ISP has Automatic Number Identification (ANI) information and is able to provide the investigator with the telephone number that the intruder was using to dial into the ISP's modems. This telephone number leads the investigator to the intruder's home. Another search warrant is obtained and the intruder is caught red-handed, logged into compromised systems around the world.
Preview (Chapter 19): When investigating computer intrusions, it may be desirable to examine a host that is still running to find digital evidence in memory that will be lost when the system is turned off. For instance, active network connections and processes in memory may reveal where the intruder is coming from and what he/she was doing on the system. When performing this type of live host examination, digital evidence should be collected in order of volatility, first preserving data that will change more frequently and then collecting evidence that changes less frequently.
In some cases, a search of an intruder's computer results in more leads and it is necessary to request additional information from telephone companies and ISPs to obtain records to develop a more complete reconstruction of events. For example, all relevant account usage and telephone records can give a more complete view of the intruder's activities.
The previous case example demonstrates the time critical nature of this kind of investigation. It may be necessary to analyze evidence immediately to locate other sources of evidence and apprehend an online offender. Having one group collect evidence and another group analyze it immediately is more effective than leaving everything to one individual. However, when an individual is confronted with a choice between collection and analysis, it is best to collect digital evidence carefully first and analyze it later. This issue is complicated when dealing with highly active devices such as routers and dial-up terminal servers because the results of one command often help digital investigators determine what other information to collect from memory, and what command to execute next, requiring simultaneous collection and analysis. This emphasizes the need for standard operating procedures for collecting evidence in such situations. It may not be feasible to have standard operating procedures for all network devices that may be encountered, but procedures for the most common ones, such as Cisco routers and firewalls, can be developed.
The need to correlate multiple sources of evidence and establish continuity of offense to attribute computer intrusions to an individual also applies to other kinds of investigations, including child pornography.
CASE EXAMPLE (UNITED STATES v. HILTON):
The investigator who had examined the defendant's computer was asked to explain his conclusion that pornographic images on the suspect's computer had been downloaded from the Internet. The investigator explained that the files were located in a directory named MIRC (an Internet chat client) and that the date-time stamps of the files coincided with time periods when the defendant was connected to the Internet. The court was satisfied with this explanation and accepted that the files were downloaded from the Internet.
Largely because of the haste required to preserve data on a network and the large amounts of resulting data, digital investigators have made mistakes, implicating the wrong individual. For instance, digital evidence examiners accidentally typed the incorrect time (3:13 P.M. instead of 3:13 A.M.) in a request they sent to AOL, resulting in the wrong subscriber information. In another instance, digital investigators typed the incorrect IP address (192.168.1.45 instead of 192.168.1.54) in a request they sent to Uunet, resulting in the wrong subscriber information. The danger of implicating the wrong individual is compounded when offenders modify digital evidence to misdirect digital investigators. Again, obtaining corroborating evidence from multiple independent sources can mitigate this danger.
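Both mistakes described above (an A.M./P.M. slip and two transposed digits in an address) come from retyping values into a request. The following is an added example, not from the book, of the check a reviewer can run before a request goes out: the request fields are derived from the original log record rather than typed in, and any hand-written draft is compared against that record. The log line, the year supplied for it, the provider name and the request layout are all constructed for illustration.

```python
"""Cross-check a subscriber-information request against the evidence it rests on."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed evidence record: a syslog-style line from the targeted host, in UTC.
SOURCE_LOG = "Apr  2 03:13:07 gw sshd[4411]: Accepted password for root from 192.168.1.54 port 40122"
LOG_YEAR = 2003  # syslog lines carry no year; taken from the case file (constructed)

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) .*?from (\S+) port")

def parse_evidence(line, year):
    """Pull the time and the remote address out of the log line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    mon, day, clock, ip = m.groups()
    when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"time": when, "ip": str(ipaddress.ip_address(ip))}

def build_request(evidence, provider):
    """Derive the request fields from the evidence record itself, never by retyping."""
    return {"provider": provider, "ip": evidence["ip"],
            "time": evidence["time"].strftime("%Y-%m-%d %H:%M:%S"), "tz": "UTC"}

def _is_digit_transposition(a, b):
    """True when two equal-length strings differ only by one swap of adjacent characters."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def check_request(request, evidence):
    """Compare a drafted request with the evidence; return findings (empty list = consistent)."""
    findings = []
    if request["tz"] != "UTC":
        findings.append(f"time zone {request['tz']!r} differs from the evidence (UTC)")
    try:
        req_ip = str(ipaddress.ip_address(request["ip"]))
    except ValueError:
        findings.append(f"address {request['ip']!r} is not a valid IP address")
        req_ip = None
    if req_ip and req_ip != evidence["ip"]:
        hint = " (adjacent digits transposed?)" if _is_digit_transposition(req_ip, evidence["ip"]) else ""
        findings.append(f"address {req_ip} does not match evidence {evidence['ip']}{hint}")
    req_time = datetime.strptime(request["time"], "%Y-%m-%d %H:%M:%S")
    delta = req_time - evidence["time"]
    if delta != timedelta(0):
        hint = " (A.M./P.M. confusion?)" if abs(delta) == timedelta(hours=12) else ""
        findings.append(f"time {request['time']} does not match evidence "
                        f"{evidence['time']:%Y-%m-%d %H:%M:%S}{hint}")
    return findings

if __name__ == "__main__":
    ev = parse_evidence(SOURCE_LOG, LOG_YEAR)
    # Constructed hand-typed draft reproducing both error patterns from the text.
    draft = {"provider": "example-isp", "ip": "192.168.1.45",
             "time": "2003-04-02 15:13:07", "tz": "UTC"}
    for f in check_request(draft, ev):
        print("FINDING:", f)
    print("derived request:", build_request(ev, "example-isp"))
```

The two hints are deliberately specific: a twelve-hour difference and an adjacent-digit swap are the two slips the text reports, and naming them in the finding makes it obvious to the person reviewing the request what happened and that the draft, not the evidence, is wrong.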
Given the expanded search area, potential for mistakes, and wide variety of digital evidence on networks it is necessary to have a methodical approach to searching for evidence on networks. Although it is necessary to follow the cybertrail, connecting the dots to establish the continuity of offense, this is not sufficient to locate sources of evidence that were not directly involved in the commission of a crime but still contain relevant data. For instance, most routers are configured to send their logs to a remote server for permanent storage, making it necessary for investigators to take a slight detour on the cybertrail to collect this useful digital evidence.
A graphical depiction of the network and where potential sources of evidence are located - a digital evidence map if you will - can greatly facilitate a methodical search. A simplistic digital evidence map is shown in Figure 15.2.
Many organizations have network topology charts showing how the more important network components are connected. Such network charts can be used as a starting point when developing a digital evidence map but digital investigators must be aware that these charts are often outdated (many networks are growing and changing continuously) and are rarely detailed enough for a digital investigator's needs. Therefore, it is important to sit down with the individuals who are familiar with a given network and work with them to develop an accurate, detailed depiction of all relevant systems on a network. Also, information gathered in the preparatory stage of the search (e.g. Table 15.1) can be useful for developing a complete and accurate digital evidence map.
Locating entry points into a network and key servers often leads to the richest sources of digital evidence. Once important servers and network devices are identified, digital investigators can determine what data they retain on disk and in memory, where their logs are stored, and where related configuration files and backups are located.[1] For instance, Cisco firewall and routers are usually configured to send their logs to a remote server for permanent storage and only retain the most recent log entries in memory. However, some information such as the last time the device was rebooted or configured may be stored permanently in memory. Also, system administrators often keep copies of old configuration files and data obtained using administrative and performance monitoring tools that can be useful for determining the past state and operation of network systems.[2]
Before excluding a network component as a potential source of evidence, examine it closely - important digital evidence can reside in unexpected places. For example, if the routers on a given network only keep logs of anomalies, determine if the anomalies can tell you anything useful. Alternatively, the logs generated by a network component might be of no relevance at all, but the time the network component was last reconfigured could be important. In addition to showing how systems are connected, a digital evidence map should summarize what information can be found at each node on the network, how long the evidence exists, and how it can be obtained (who has the necessary privileges and knowledge to access and collect the evidence). This information enables digital investigators to prioritize, preserving the most volatile, short-lived evidence first (e.g. logs rotated and overwritten once each day).
CASE EXAMPLE
A system administrator who was the prime suspect in a homicide investigation used an IP address that was not officially assigned to him. As a result, searching network logs for traffic from hosts that were officially assigned to him did not result in any useful data, suggesting that the suspect was lying. By the time the error was realized, the network traffic logs had been deleted and overwritten by newer ones and it was not possible to determine if there had been traffic from the unofficial IP address. Use, but do not rely on, records that system administrators maintain, and collect full logs.
A digital evidence map might seem like a tedious process with minimal benefits but the effort will pay off the moment you realize that the network contains something you are missing. Without the map, digital investigators might never know that they are missing something or that the network contains what they are missing. Also, rather than shouting "Eureka!" and then running around for hours trying to figure out how to obtain the evidence, you can shout "Eureka!" and run straight to the evidence with the help of your trusty digital evidence map.
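The map described above need not be a drawing; the information it carries for each node (what is held, where, for how long, and who can collect it) can be kept as data and used to order the collection. The following is an added example, not from the book: the network, the nodes, the retention periods and the rotation times are all constructed. Each entry is ranked by the time left before it is overwritten, which is exactly what the homicide case example turned on, and expiring_within() lists what will be gone by a given deadline.

```python
"""A small digital evidence map with collection ordered by volatility."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Entry:
    node: str
    item: str
    location: str                     # memory, local disk, remote syslog, tape
    retention: Optional[timedelta]    # None = no fixed expiry
    last_rotated: Optional[datetime]  # None = retention counts from now
    custodian: str                    # who has the privileges and knowledge to collect it

def hours_left(entry, now):
    """Hours before the entry is overwritten, or None when it has no fixed expiry."""
    if entry.retention is None:
        return None
    if entry.last_rotated is None:
        left = entry.retention
    else:
        left = entry.last_rotated + entry.retention - now
    return max(left, timedelta(0)).total_seconds() / 3600

def collect_order(entries, now):
    """Entries sorted most volatile first; entries with no expiry come last."""
    def key(e):
        h = hours_left(e, now)
        return (h is None, h if h is not None else 0.0)
    return [(e.node, e.item, hours_left(e, now)) for e in sorted(entries, key=key)]

def expiring_within(entries, now, horizon_hours):
    """Entries that will be overwritten within horizon_hours of now."""
    return [(e.node, e.item) for e in entries
            if hours_left(e, now) is not None and hours_left(e, now) <= horizon_hours]

# Constructed map for a small network; every node and figure here is illustrative.
T = datetime
EVIDENCE_MAP = [
    Entry("ws-042 (compromised host)", "memory: processes and connections", "memory",
          timedelta(0), None, "incident responder (lost at power-off)"),
    Entry("border router", "recent log buffer", "memory",
          timedelta(hours=2), None, "network admin, privileged access"),
    Entry("border router", "last reconfiguration timestamp", "memory",
          None, None, "network admin (persists until the next change)"),
    Entry("syslog server", "router and firewall logs (daily rotation)", "remote syslog",
          timedelta(days=1), T(2003, 4, 2, 0, 0), "syslog admin"),
    Entry("web proxy", "access logs", "local disk",
          timedelta(days=7), T(2003, 3, 30, 0, 0), "proxy admin"),
    Entry("RADIUS server", "accounting records", "local disk",
          timedelta(days=30), T(2003, 3, 15, 0, 0), "authentication admin"),
    Entry("file server", "monthly full backup", "tape (off-site)",
          None, None, "backup operator; retrieval takes days"),
]

if __name__ == "__main__":
    now = T(2003, 4, 2, 20, 0)
    for node, item, h in collect_order(EVIDENCE_MAP, now):
        label = "no expiry" if h is None else f"{h:6.1f} h"
        print(f"{label:>10}  {node}: {item}")
```

Run at 20:00 on the constructed date, the ordering puts the compromised host's memory first, then the router's in-memory buffer, then the syslog server's daily-rotated router logs (four hours from being overwritten), with the proxy and RADIUS records days away and the tape and the router's configuration timestamp having no deadline at all. A map kept this way also answers the question the case example raises: which logs must be pulled in full tonight because nobody will be able to ask for them tomorrow.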
[1] Keep in mind that additional backup tapes of important systems may be located off-site (e.g. Iron Mountain). Additional time and resources are often required when dealing with backup tapes from large systems (e.g. Tivoli Storage Manager, BrightStor ARCserve Backup) because they use compression and may not have indexes on each tape, making it more difficult to recover data from them.
[2] Much of this information is obtained through Simple Network Management Protocol (SNMP). If a device has not been queried using SNMP, it can be fruitful to do so before turning the device off.