Digital Forensics archives - Sister CISA CISSP

Nov 10 2009   6:06PM GMT

Things You Can Do To Help An Investigation, Part II



Posted by: Arian Eigen Heald
Incident Response, Digital Forensics, Data Breaches, information security

In a previous column, I talked about the importance of locking up a computer and not continuing to use it after it has been compromised, or the fraudster was fired.

This works in a lot of situations, but there are also situations where it's NOT the best thing to do. If you know a computer has been compromised by an external entity, the best things to do are:
1. leave it on,
2. don’t let anybody use it, and
3. call your experts in.

Why leave it on? There are things running in memory that won’t be captured if you shut it down. Remember that you lose everything that’s in RAM, as well as network connections and processes running. It’s critical information if you want to find out who is doing it, and how they’re doing it.

Don't log into it to "see what you can find out." In some cases, servers get hacked, and admins tend to log in to "fix it." As I noted earlier, sometimes they reboot the box to "clear it out." There goes all your information, and very probably the ability to at least find out how it was done so that you don't restore the box to the same "hackable" condition.

Don't have experts you can call on, that you know are good? That means you're suffering from the ostrich syndrome. The time to build relationships that can help in a crisis is not during the crisis. Do yourself a favor and at least research the most likely people you'll need to get the job done.

Sep 25 2009   3:41PM GMT

Things You Can Do to Help An Investigation



Posted by: Arian Eigen Heald
Admins and Auditors, Digital Forensics, information security

Sooner or later, you will be called upon, as an Admin or an Auditor, to assist or address a possible fraud or event pertaining to someone's computer, laptop, PDA or smartphone. People can be very anxious and over-react when an event is happening. Or, just as difficult, proceed to do nothing, because they're not sure what to do.

Neither approach is truly helpful in investigating digital fraud, theft or other computer-related incident. I was asked to do an exam, a few years ago, of the hard drives of a CFO who had admitted to fraud and was fired. Her computer sat on her desk, and her secretary AND the company admin both logged into the computer over the course of weeks before we were engaged.

The problem? Every time someone logs in, files get changed. The secretary checked her email; the admin was checking something else. If the company had wanted to prosecute, the evidence on her hard drive was hopelessly muddied and would not have stood up in court.

Here’s the best idea: take the computer and LOCK IT UP. Don’t let it just sit there (so the defense attorney can point out anyone could have logged in) and don’t let people use it. Yes, we might use some volatile data in memory, but many times the computer is already turned off.

If events happen quickly, the fraudster leaves the building, with or without access to his/her computer for the last time, and it's still running: LOCK IT UP. If it's in an office, secure the office and don't let anyone into it. If it's in an open area, that's when you'll need to power it down and lock it up.

Will these rules fit every situation? Probably not. But they will fit 85%. If you know it’s going to be a forensic situation ahead of time, I hope management lines up someone to come in immediately, who can capture data from a live machine. But if not, and you’re first on the scene, the two rules above are the most important.


Jul 15 2009   8:47PM GMT

Hard Disks Never Die - They go to Digital Forensics



Posted by: Arian Eigen Heald
"How Do You Know?", Forensics, Digital Forensics, Hardware & InfoSec, information security

I’m attending an absolutely fascinating course on Digital Forensics provided by SANS. One of the things we will be doing is collecting data from hard drives for various practice exercises.

Imagine my amusement when the handout and appendixes recommend where to get used hard drives to practice on: eBay or Craigslist. Didn’t Simson Garfinkel do this a few years ago? And come up with a whole bunch of juicy information?

How do you dispose of hard drives? There are overwriting programs and businesses that will pick them up and dispose of them securely, providing a certificate (and thus transferring your risk). But how do you know they are performing as agreed?
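One way to answer "how do you know?" is to spot-check a returned drive yourself: image it and confirm every sector holds the wipe pattern the vendor claimed to write. The script below is an added example (not from this column or from any vendor tool); it assumes you already have a raw image file of the drive, and the sample "images" it builds are constructed test data.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # scan 1 MiB at a time so a full drive image need not fit in RAM


def verify_wipe(path, fill=0x00):
    """Scan a raw disk image and check that every byte equals the expected fill value.

    Returns total bytes, the count of bytes that differ from `fill`, the offset of
    the first differing byte (None if clean), and the SHA-256 of the image so the
    verdict can be tied to exactly this artifact in the disposal record.
    """
    sha = hashlib.sha256()
    total = residual = 0
    first_residual = None
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            sha.update(chunk)
            if chunk != bytes([fill]) * len(chunk):
                residual += len(chunk) - chunk.count(fill)
                if first_residual is None:
                    first_residual = total + next(
                        i for i, b in enumerate(chunk) if b != fill)
            total += len(chunk)
    return {
        "bytes": total,
        "residual_bytes": residual,
        "first_residual_offset": first_residual,
        "sha256": sha.hexdigest(),
        "clean": residual == 0 and total > 0,
    }


def make_sample_image(size, residue=b"", offset=0):
    """Constructed test data: a zero-filled 'drive image' with optional leftover
    bytes planted at `offset`, standing in for a drive a vendor claimed to have wiped."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(size))
        if residue:
            f.seek(offset)
            f.write(residue)
    return path


if __name__ == "__main__":
    clean = make_sample_image(3 * CHUNK)
    dirty = make_sample_image(3 * CHUNK, b"CONFIDENTIAL payroll export", CHUNK + 17)
    for p in (clean, dirty):
        print(verify_wipe(p))
        os.remove(p)
```

A drive wiped to 0xFF instead of zeros is checked the same way with `fill=0xFF`; any non-zero `residual_bytes` means the certificate and the disk disagree.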

I’m looking forward to my eBay hard drives and what they will disclose. Hope they’re not yours!