Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)

Don’t react, respond! Cyber crime is rapidly increasing and is striking at the heart of many organizations. By ensuring measures such as effective policies and rapid response capabilities, excellent information technology security positioning and forensic support can exist. Businesses can respond quickly, minimizing the risks of lost data, financial loss, network damage, and loss of reputation.

Organizations wanting to counter cyber crime need to apply risk management techniques that allow a speedy response and minimize harm. Although organizations cannot prevent a cyberattack, they can have a planned response and even turn e-crime preparedness, or effective security, into a new competitive advantage.

Conclusions Drawn from Types of Vendor and Computer Forensics Services

• The technological revolution marches on at a frantic pace, providing the world with an immense availability of resources. The same technological revolution has also brought forth a new breed of investigative and legal challenges.

• Computers are now at the core of people’s activities and evidence contained in them is being introduced with greater frequency in both civil and criminal judicial proceedings. Questions arise regarding location of evidence stored on digital media, analysis of that evidence, and authentication of that evidence in court. The field of computer forensics seeks to answer these questions and provide experts to introduce this digital evidence in court.

• Computer Forensic services include: digital evidence collection; forensic analysis of digital evidence (including analysis of hidden, erased, and password-protected files.); expert witness testimony; and litigation support.

• Who can benefit from Computer Forensic services: Attorneys involved in complex litigation that deals with digital evidence; human resource professionals involved in administrative proceedings such as wrongful termination claims, sexual harassment, or discrimination allegations, and employee violations of company policies and procedures, where key evidence may reside in e-mails, word processing documents, and the like; and company executives who are interested in confidentially auditing their employee computer usage concerning proprietary information, misuse of company resources, and trade secret issues.

• Insurance companies that are interested in reducing fraudulent claims by using discovered digital evidence.

• Documentary evidence has quickly moved from the printed or type written page to computer data stored on floppy diskettes, zip disks, CDs, and computer hard disk drives.

• Denial of service attacks have always been difficult to trace as a result of the spoofed sources.

• With the recent increasing trend toward using distributed denial of service attacks, it has become near impossible to identify the true source of an attack.

• ISPs need automated methods as well as policies in place to attempt to combat the hacker’s efforts.

• Proactive monitoring and alerting of backbone and client bandwidth with trending analysis is an approach that can be used to help identify and trace attacks quickly without resource-intensive side effects.

• Subsequent detailed analysis could be used to complement the bandwidth monitoring.

• Timely communication between ISPs is essential in incident handling.

• Deleted computer files can be recovered.

• Even after a hard drive is reformatted or repartitioned, data can be recovered.

• In many instances, encrypted files can be decrypted.

• Forensic analysis can reveal: What Web sites have been visited; what files have been downloaded; when files were last accessed; when files were deleted; attempts to conceal or destroy evidence; and attempts to fabricate evidence.

• The electronic copy of a document can contain text that was removed from the final printed version.

• Some fax machines can contain exact duplicates of the last several hundred pages received.

• Faxes sent or received via computer may remain on the computer indefinitely.

• E-mail is rapidly becoming the communications medium of choice for businesses. People tend to write things in e-mail that they would never consider writing in a memorandum or letter; e-mail has been used successfully in civil cases as well as criminal cases; and e-mail is often backed-up on tapes that are generally kept for months or years.

• Many people keep their financial records, including investments, on computers.

An Agenda for Action in Types of Vendor and Computer Forensics Services

The following is a provisional list of actions for some of the principle types of vendor and computer forensic services. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these services have been mentioned in passing already:

1. Computer Forensics services should provide: Analysis of computers and data in criminal investigations; on-site seizure of computer data in criminal investigations; analysis of computers and data in civil litigation; on-site seizure of computer data in civil litigation; analysis of company computers to determine employee activity; assistance in preparing electronic discovery requests; reporting in a comprehensive and readily understandable manner; court-recognized computer expert witness testimony; computer forensics on both PC and MAC platforms; and fast turnaround time.

2. Computers systems may crash. Files may be accidentally deleted. Disks may accidentally be reformatted. Computer viruses may corrupt files. Files may be accidentally overwritten. Disgruntled employees may try to destroy your files. All of these can lead to the loss of your critical data. You may think it’s lost forever, but you should employ the latest tools and techniques to recover your data.

3. In many instances, the data cannot be found using the limited software tools available to most users. The advanced tools that you utilize should allow you to find your files and restore them for your use. In those instances where the files have been irreparably damaged, your computer forensics expertise should allow you to recover even the smallest remaining fragments.

4. Business today relies on computers. Your sensitive client records or trade secrets are vulnerable to such intentional attacks as computer hackers, disgruntled employees, viruses, and corporate espionage. Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification. You should safeguard your data by such methods as encryption and back-up. You should also thoroughly “clean” sensitive data from any computer system you plan on disposing of.

5. Your files, records, and conversations are just as vital to protect as your data. You should survey your business and provide guidance for improving the security of your information. This includes such possible information leaks as cordless telephones, cellular telephones, trash, employees, and answering machines.

6. Always keep in mind that the IP you are investigating is only the apparent source of the activity you see on your logs. As mentioned earlier, this does not mean that you should ignore the IP address, only be cognizant of its limitations for determining the possible attribution of the event you are investigating. Although this process will educate the administrator on how to characterize the threat to his or her company from analyzing IP addresses that appear in the logs, a complete determination of the threat your organization faces is a more involved process.

7. What you can be sure of is that many threat entities will probe and attempt to intrude on your systems over time. These may range from Class I (privacy), II (industrial espionage), or Class III (terrorism) attacks. Attackers may range from the script kiddy aimlessly probing the networks, to a dedicated industrial espionage hacker looking for your company’s secrets. Depending on your company’s resources and the value of those resources, you should also investigate the possibility of staffing a professional competitive intelligence cell in your company or in sponsoring an assessment of the threat to your company’s systems from a group of intelligence and information security specialists.

8. The serious threat to your IT infrastructure is not a teenage hacker defacing your Web site. The true dangers are information and monetary theft, business disruption, and critical infrastructure failure. Perpetrators are likely to be professional criminals, hacktivists, competitors, or even foreign intelligence agencies. The most costly intrusions are likely to be those that you fail to detect. The bottom line, you need to know the threat against your systems as well as its vulnerabilities.