Physical crimes leave behind a trail of evidence that forensic teams can analyse and bring to court, but what about cybercrime, such as the theft of intellectual property? Computer forensics expert and director of Klein & Co Nick Klein said that when companies conduct a digital forensic investigation themselves, there are five things they should do.
Speaking at the Security 2011 Exhibition and Conference event in Sydney yesterday, Klein said businesses that suspected a digital crime had been committed on their systems often took a do-it-yourself "Bunnings" approach to forensic analysis, and suggested a four-step structure for undertaking an investigation.
- Prepare the business:
Prior to a breach occurring, businesses could do some preparation, which would help them later on in an investigation, Klein said.
He said that businesses typically lacked policies and procedures to secure data, with in-house legal counsel often not working with the IT department to develop policy. Policies such as taking a full backup of an ex-employee's machine before their departure were often overlooked, he said, even though they could provide critical information for a case months later.
He also said that although most operating systems let businesses enable logging of access to sensitive information, most businesses tended to use only minimal access logging.
Another area that Klein suggested businesses look at was where backups and critical databases were stored, and whether policies should be implemented to require employees to store information on the company's file server, where the business would have greater control over it.
"We have a lot of cases where people say, 'We had an employee who deleted their email. The only copy of it was a PST archive [which contains Outlook emails] on their computer. Can you get it back?' A simple policy change to force that person to store that PST on the network could have overcome that."
Lastly, Klein said that businesses often didn't do enough to protect themselves in their employment contracts.
"Does it talk about confidentiality of information? Does it talk about monitoring of their user activity? Does it include things like USB devices? Can you have something in your employment contracts that says, 'When you leave, we may ask you for your USB devices'? — It's something to think about."
- Understand the case:
After a breach has occurred, and a business has decided to investigate by itself, Klein said that the first step was to understand the case.
"The first instructions that you get are not always complete, and are not always completely accurate. We might have a customer that comes to us and says, 'Here's their computer, we need to find all the emails they sent two years ago'," he said.
"Our first question is, 'Why the computer? Why do you think the evidence is going to be here? Where else have you thought about the evidence being in your environment? What other data sources do you have?' Scoping the case is very, very important — asking questions."
In the case of intellectual property theft, Klein said that businesses needed to consider all of the ways in which information could have been removed, as well as all the ways it could have been leaked. In addition, businesses needed to consider what systems and data sources employees had access to in the course of their normal duties.
Beyond digital systems, Klein said that businesses also needed to consider whether or not a third party was involved that could have evidence. From his experience, he said that in about half of the cases that he had seen, a third party had been involved.
- Collect evidence:
Klein said that there is a wealth of information that can be gleaned from a large number of sources, and the more information a business has, the better chance it has of building a successful case.
He said that local computers store an incredible amount of information about their users, but there were also less obvious places where information could be kept. As an example, he cited a case where a personal iPod was used to remove information from a business, but the device's serial number could be retrieved from the ex-employee's work computer. Combined with other evidence, this allowed lawyers to seize the ex-employee's iPod for use as evidence in court.
He also said that evidence-rich systems needn't be the typical servers and backups that most people would think of. In one case, Klein said, a photocopier that was being used to scan and send intellectual property outside the company had a hard drive holding copies of recently scanned documents, which could be used as evidence. In another, Klein saw CCTV footage used to tie a suspect to a physical location at a particular time.
However, Klein said that the collection of evidence needs to be done carefully, stating that the golden rule is that changes to evidence during collection and analysis need to be minimal, or there is a risk of the evidence being thrown out of court.
He said that forensic software could help, but simply writing down a factual account of what had occurred during the collection and analysis phases of an investigation could assist, so long as it was free from inference and presented only the facts.
"Taking notes is a key step. A bad case note is something that said, 'I looked at the email and this user definitely sent this email at this time'. A better version of that case note is, 'I observed in this mail box there was an email. The email said this. It had a timestamp. The timestamp said this. I used this tool to do it. I did it at this date and time on this computer.' You want to record the facts."
- Analyse the evidence:
When analysing the evidence collected, Klein said that businesses needed to be specific about what the evidence proves and what it doesn't. As an example, he used the case of a document being modified.
"You don't just look at modification time; you have to consider other factors that are at play. It will have external metadata on the file system. It will have timestamps when it was accessed, created, modified. Internally, if it's a Microsoft Word document, it might have other timestamps, like printer time, or other internal metadata, which is separate."
Klein also said there were further considerations to make that might not be immediately apparent.
"What operating system was it? What file system was it, because that will depend on how the timestamp is stamped. Is the internal clock of the computer accurate? What's the clock skew? How far out is it? Is it a few seconds or a few minutes?"
Klein said that after this, businesses would need to determine whether the findings corroborate observations and account for any discrepancies.
"If there are any discrepancies, you need to account for them. You need to be able to explain, possibly in court, why this discrepancy exists; you might need to test various systems to analyse why it exists," he said.
"Once you figure out and think you know what's going on, you have to be very specific in describing what is the accurate answer, why do you think that answer is accurate, are there any caveats or limitations, and what do the findings not prove?"
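As an added illustration of this analysis step (not part of Klein's talk or of the article), the following Python script reads a Word document's external file-system stamps and its internal core-properties stamps (created, modified, last printed), corrects both for a measured clock skew, and lists the discrepancies an examiner would have to explain before relying on the modification time. The sample document, its timestamps and the skew value are constructed for the example.

```python
import os, tempfile, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of docProps/core.xml inside an OOXML (.docx) package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dcterms": "http://purl.org/dc/terms/"}

def parse_w3cdtf(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def internal_timestamps(docx_path):
    """Stamps Word stores inside the document, independent of the file system."""
    with zipfile.ZipFile(docx_path) as z:  # read-only: the evidence file is not altered
        root = ET.fromstring(z.read("docProps/core.xml"))
    tags = {"created": "dcterms:created", "modified": "dcterms:modified", "printed": "cp:lastPrinted"}
    nodes = {k: root.find(t, NS) for k, t in tags.items()}
    return {k: parse_w3cdtf(n.text) for k, n in nodes.items() if n is not None and n.text}

def filesystem_timestamps(path):
    """External stamps from the file system (their granularity depends on that file system)."""
    st = os.stat(path)
    utc = lambda t: datetime.fromtimestamp(t, timezone.utc)
    return {"modified": utc(st.st_mtime), "accessed": utc(st.st_atime), "changed": utc(st.st_ctime)}

def check_document(docx_path, clock_skew_s=0, tolerance_s=2):
    """Correct both stamp sets for the examined computer's clock skew (positive = clock ahead of
    true time; assumes Word saved the file on that computer) and list discrepancies to explain."""
    skew = timedelta(seconds=clock_skew_s)
    fs = {k: v - skew for k, v in filesystem_timestamps(docx_path).items()}
    doc = {k: v - skew for k, v in internal_timestamps(docx_path).items()}
    issues = []
    if "created" in doc and "modified" in doc and doc["created"] > doc["modified"]:
        issues.append("internal created time is later than internal modified time")
    if "modified" in doc and doc["modified"] > fs["modified"] + timedelta(seconds=tolerance_s):
        issues.append("internal modified time is later than the file system's modified time")
    return {"file_system": fs, "internal": doc}, issues

def make_sample_docx(name, created, modified, printed, fs_mtime):
    """Constructed sample: minimal .docx with the given internal stamps, then the file-system
    mtime forced to fs_mtime to stand in for what the suspect's machine recorded."""
    path = os.path.join(tempfile.gettempdir(), name)
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dcterms="%s"><dcterms:created>%s'
            '</dcterms:created><dcterms:modified>%s</dcterms:modified><cp:lastPrinted>%s'
            '</cp:lastPrinted></cp:coreProperties>' % (NS["cp"], NS["dcterms"], created, modified, printed))
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", core)
    t = parse_w3cdtf(fs_mtime).timestamp()
    os.utime(path, (t, t))
    return path
```

A real examination would also record which tool produced each stamp, on which computer and at what time, in the factual case-note style described above.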
- Present the findings:
Klein said that the most important thing his company does is explain what has happened during the investigation.
"Explaining these things clearly and concisely is really critical, because without that, it doesn't matter how much work you do — you can't get that point across, you can't win the case in the end.
"The way you explain things, you have to be very clear, very concise, you have to make sure the evidence is good."
Klein said that while diagrams and analogies can be very powerful tools for explaining complex concepts, they needed to be well thought out.
"There are different techniques that you use when you explain electronic evidence, and analogy can be very, very powerful, but you have to be very careful in how you present analogy as it can backfire on you."