[ISN] Cracking cybercrime

From: mea culpa (jerichot_private)
Date: Fri Oct 30 1998 - 14:51:29 PST


    Forwarded From: phreak moi <hackerelitet_private>
    Cracking cybercrime
    Don't touch electronic evidence until you call in the cops or a
    cyberforensics expert
    October 30, 1998
    Web posted at: 11:50 AM EDT
    by Deborah Radcliff
    (IDG) -- Early this year, the audit manager for a financial services
    company suspected a former employee of embezzling nearly a million
    dollars. He took the suspect's PC to his office to analyze its hard drive,
    then got called out of town.  Unaware of the investigation, his trusty
    assistant reissued the suspect computer to the word processing pool to
    replace a broken one. 
    "That guy's evidence - and his case - was toast," says Michael Anderson,
    former IRS investigator and founder of New Technologies (NTI), a
    cyberforensics firm in Gresham, Ore. "All the ambient data was
    overwritten."  Earlier, the audit manager had considered outsourcing the
    forensics work to NTI but decided to forego the $215-per-hour fee and do
    it himself. 
    There's a lesson here: Thou shalt not bungle computer evidence intended
    for a court of law. 
    Crimes committed via computer leave distinct evidence trails. If you so
    much as access, download or open suspect files, you could taint the
    evidence and render it inadmissible. That type of activity alters backup
    files and system logs and overwrites date and time stamps, says Bill Boni,
    director of IS for PriceWaterhouseCoopers in New York. 
    Draft a contingency plan for when cybercrime strikes and take the
    proactive measures Boni suggests. Regularly print and save log files from
    critical servers. Establish a tamper-proof backup system to capture
    activity and audit trails. 
    Your policy should also include thresholds of what magnitude of loss or
    crime would trigger a call to law enforcement. Not all crimes should be
    reported for reasons of shareholder confidence and public image. 
    There are two schools of thought when it comes to actually handling the
    computers.  Anderson advises his clients to leave the system running. Boni
    suggests shutting it down. 
    Warren Kruse, investigations manager for Lucent's computer and network
    security department in New Jersey, laughs when he hears those options. 
    "The golden rule of computer evidence is there are no golden rules," he
    says.  "The person who tells you to keep the computer on worries about
    losing everything in RAM, which could contain valuable evidence in
    temporary files. The person who tells you to turn off the machine worries
    about hidden processes like timed viruses destroying the hard drive." 
    Lucent's seven-person computer and network security department works like
    a security help desk for the vendor's 136,000 employees. When users report
    suspect activity on their machines, team members are dispatched to
    Don't count on your audit manager or administrator to know the correct
    methodology for preserving evidence. In a recent court case, the defense
    retained PriceWaterhouseCoopers' forensics experts because the victim had
    badly damaged the evidence. 
    The aggrieved firm's management told IS to get proof that an employee had
    misappropriated intellectual property. "IS copied e-mail and log files but
    didn't create forensics copies - a bit-stream backup of the hard drive of
    the laptop, desktop and e-mail server," Boni says. "We had to tell the
    court that their copies were totally inadequate." 
    Forensics backups take a mirror image of the hard drive, grabbing all of
    the file slack and erased space - which traditional backups miss - as well
    as named files. This ambient data is often the smoking gun in cybercrime
    prosecutions, Anderson says. He suggests using Sydex, Inc.'s SafeBack to
    perform mirror-image backups. 
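    To make the distinction concrete, here is an added toy illustration (not from the article, and not SafeBack's or NTI's code) of why a file-level copy misses file slack and erased space while a byte-for-byte image keeps them; the 8-block "disk", its allocation table and the sample record are constructed for the example.

```python
import hashlib

BLOCK = 16     # bytes per block (constructed toy geometry, not a real filesystem)
NBLOCKS = 8

def make_disk():
    """Constructed toy disk: raw bytes plus a name -> (start, blocks, length) table."""
    return bytearray(BLOCK * NBLOCKS), {}

def write_file(disk, table, name, data, start):
    """Store data from block 'start'. Bytes left in the last block after the
    data are file slack: they keep whatever was on the disk before."""
    nblocks = -(-len(data) // BLOCK)          # ceiling division
    disk[start * BLOCK:start * BLOCK + len(data)] = data
    table[name] = (start, nblocks, len(data))

def delete_file(table, name):
    """'Erase' a file the way most filesystems do: drop the directory entry
    only; the blocks are now free but their contents are untouched."""
    del table[name]

def logical_copy(disk, table):
    """What a traditional backup captures: each named file, to its recorded length."""
    return {n: bytes(disk[s * BLOCK:s * BLOCK + ln]) for n, (s, _, ln) in table.items()}

def bitstream_image(disk):
    """Mirror image: every byte of every block, allocated or not."""
    return bytes(disk)

def sha256(data):
    """Hash recorded with the image so later copies can be shown unaltered."""
    return hashlib.sha256(data).hexdigest()

def demo():
    disk, table = make_disk()
    # Constructed sample: a 28-byte record, later 'deleted', then partly overwritten.
    write_file(disk, table, "ledger.txt", b"TRANSFER 990000 TO ACCT 4411", 0)
    delete_file(table, "ledger.txt")
    write_file(disk, table, "memo.txt", b"hello", 0)   # reuses block 0 only
    logical = b"".join(logical_copy(disk, table).values())
    image = bitstream_image(disk)
    return {
        "logical_has_record": b"ACCT 4411" in logical,    # False: erased space skipped
        "image_has_record": b"ACCT 4411" in image,        # True: block 1 still holds it
        "slack_after_memo": image[5:BLOCK],               # tail of the old block 0
        "erased_block": image[BLOCK:2 * BLOCK],           # freed block 1, never zeroed
        "image_hash": sha256(image),
        "image": image,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if k != "image" else f"{len(v)} bytes")
```

    The recorded hash is the defender's check: any later copy of the image that hashes differently has been altered since acquisition.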
    The method of attack is another factor that determines what action you
    should take. If the crime stems from inside the network, Boni recommends
    suspending all access to the affected server or database until law
    enforcement can make evidentiary copies of relevant files. 
    "There's evidence in the database log, activity records or the operating
    system that could be affected by automated backup jobs or other routine
    activities," he says. 
    For external attacks launched from the Internet, start by printing an
    evidentiary copy of firewall logs. Then see what evidence you can gather
    from your firm's ISP - perhaps the ISP could freeze records or provide
    additional logs and auditing. However, Boni says most ISPs aren't too
    helpful because they put the burden of security on their clients. 
    Finally, know when you're in over your head, Lucent's Kruse says. If
    there's any question, call in the big guns: either a cyberforensics expert
    or law enforcement. 
    Cyberforensics consultants from the computer security divisions of the
    Big Five accounting firms charge upwards of $2,500 per day for their
    services.  One alternative is to teach an IT staffer or a team of
    auditing, security and legal workers the appropriate methodology for
    handling computer evidence.  NTI offers a three-day training course for
    $2,000, including software. 
    Most large metropolitan police forces and federal agencies have
    well-trained cybercops among their rank and file. 
    If your company does go to the authorities, be prepared to allocate a lot
    of time and resources to work with the police, Boni says. Above all, he
    says, "if evidence is in the machine, leave it in the state it's in." 
    Radcliff is a freelance writer in Northern Calif. She can be reached at
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
