Increasingly in demand in business, digital forensics has come of age at last. Mark Mayne wields the magnifying glass.
Computer forensics has a mixed reputation. Often seen as a poor relation of information security, forensics conjures up images of ex-coppers scrutinising HD sectors. It's all a bit nerdy to the rest of the infosec profession, with their cutting-edge DLP and SIEM systems. On the flipside, it's where IT security gets interesting, where bad guys are at their closest and perhaps the only area of infosec that has made it through to the silver/small screen – regularly deployed in CSI, for one...
The demand for IT forensic investigations has certainly never been higher. Jarrod Haggerty, partner, forensic and dispute services practice, Deloitte UK, says: “We have been experiencing a massive rise in demand for forensic services. There is a real appetite for data analytics in fraud prevention and the increasing need for real-time fraud management means that the cost-benefit analysis is coming down more and more on the preventative side. Some enterprises are using forensic data techniques to predict supply chain fluctuations, adding another positive boost to the industry.”
Both compliance and increasing concern over data breaches are key drivers. Reported data breaches are at an all-time high. Of the types of data stolen, payment card data represents the overwhelming majority, at 85 per cent, while just seven per cent is sensitive company data and as little as three per cent is related to intellectual property, according to a January 2010 survey – UK Security Breach Investigations Report 2010 – by UK information security consultancy 7Safe. And an astounding 285 million credit card payments were affected by fraud in 2008, according to Verizon Business's 2009 Data Breach Investigations Report.
Simultaneously, regulation is getting more stringent. On top of the existing Data Protection Act, FSA regulations and PCI DSS, fresh initiatives such as the UK's 2010 Bribery and Corruption Act are forcing more enterprises to take genuine steps towards increased security and – crucially – visibility of data. US-style data breach notification laws are also undoubtedly heading for the UK. Recent moves in this direction include a draft code of practice published in June 2010 by the Irish Data Protection Commissioner, which requires organisations that lose the personal data of more than 100 people to report the data security breach to the authorities.
The UK's data watchdog, the Information Commissioner's Office (ICO), was given a two-month deadline by the European Union in June 2010 to increase its powers in line with the EU Data Protection Directive. If it fails to do so, the next step would be for the UK Government to be taken to court. The European Union approved a data breach notification law last year, but this only applies to telecoms firms at present. The Commission and Council rejected EU Parliament proposals to extend the law to include businesses that operate online, such as shops and banks.
Haggerty continues: “The widespread tightening of regulations has been a key driver, especially in the financial services sector. The need to frequently report back to a regulator has meant that many monitoring and reporting tools have come into much more regular use.”
Matthijs van der Wel, EMEA forensics practice manager at Verizon Business, agrees: “Over the past four years, the variety and capabilities of the tools we have at our disposal have increased hugely, but many challenges remain. The key issue is data. In 2001, we were still dealing with investigations that involved floppy disks, which you could print the data from relatively easily. Of course, this is totally impossible now… With automated tools, it is increasingly important to know where to look – the sheer volume of data makes even indexing it impractical.”
It's not just the volume of data either, as James Kent, director of computer forensics and electronic discovery at 7Safe, points out: “There's also the sheer spread of data to be considered. When data is shared across 20 plus servers located in different countries, it makes an investigation considerably more complex to carry out.”
Distributed data sources clearly present new and potentially complex issues to investigators. The increase in business appetite for buzzword-orientated architectures such as virtual machines and cloud computing is equally problematic, according to Haggerty: “The cloud is a fascinating issue. Traditionally, a forensic examination would look to capture data and digitally fingerprint it, but with the cloud there is no physical image of the data and proving your chain is extremely complex. When you're dealing with virtual machines, such as in VMware environments, it's a new world and the forensics aspect is something that vendors are only beginning to address. It's hard to say which way they'll go – will they push the responsibility back onto customers?”
Kent is less concerned about the technical questions that virtualisation raises: “Things are always changing in our world. OK, sure, there's no MD5 you can check in virtual systems, but there are other ways. In the world we're moving to, visual representations are as important as technical proof of legitimacy when in court. There will always be an element of doubt, but the situation will be worked through in time. For example, when mobiles first began to be an issue we used to take photos of each screen as we worked through – not exactly high-tech, but it worked.
“One thing for sure is that VM forensics will be huge in the future, and investigators will need expertise in it.”
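Haggerty and Kent both refer to digitally fingerprinting a captured image so that its integrity can later be shown in court. The following is an added example, not code from the article or from either firm, of what that fingerprinting and re-verification step looks like in practice: the image is hashed in one pass with more than one algorithm, the digests travel in a manifest alongside the acquisition time and examiner name, and a later verification flags any change. The image bytes, file name `disk0.dd` and examiner label are constructed so the snippet runs offline.

```python
"""Fingerprint an acquired evidence image and verify it later.

Added example, not the page's: the image bytes, file name and examiner
label are constructed in a temporary directory so the snippet runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB chunks; real images do not fit in memory


def fingerprint(path, algorithms=("md5", "sha256")):
    """Hash the file once, feeding every requested algorithm from the same read pass.

    Recording more than one digest means a later challenge to one algorithm
    (MD5 collisions, for instance) does not leave the image unverifiable.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path, examiner):
    """Build the manifest entry that travels with the image from acquisition onwards."""
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "hashes": fingerprint(path),
    }


def verify(path, manifest):
    """Return (ok, mismatched_algorithms). Every recorded digest and the size must match."""
    current = fingerprint(path, tuple(manifest["hashes"]))
    mismatches = [name for name, digest in manifest["hashes"].items() if current[name] != digest]
    size_ok = os.path.getsize(path) == manifest["size"]
    return (not mismatches and size_ok), mismatches


def demo():
    """Acquire a constructed image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk0.dd")  # constructed name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)  # constructed contents
        # Round-trip through JSON: the manifest is what gets stored with the case file.
        manifest = json.loads(json.dumps(record_acquisition(image, "examiner-1")))
        ok_before, _ = verify(image, manifest)
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"evidence")  # a change of case in eight bytes, same size
        ok_after, bad = verify(image, manifest)
        return ok_before, ok_after, bad


if __name__ == "__main__":
    before, after, bad = demo()
    print("verified at acquisition:", before)
    print("verified after tampering:", after, "mismatched:", bad)
```

The size check is deliberate: a same-length edit, as in the demo, changes every digest but not the size, while a truncated or padded copy might be caught by the size comparison before the hashes are even computed.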
That future isn't all technological change, as Tony Dearsley, computer forensics manager at UK legal technologies consultant Kroll Ontrack, points out: “The downturn has had quite an effect. We've seen aggressive stances taken by businesses on data threats and we've seen the market value of stolen data increase as well. Technically, many investigations remain similar to those of a few years ago. IP theft and email abuse cases are still very common. It's a bit like DNA – the evidence hasn't changed, but the methods of recovering and analysing it have progressed drastically.”
In spite of increased interest in forensic tools and their benefits, and the rise in organised crime, business awareness of the necessity for computer forensics is still low. Haggerty believes it could be described as patchy at best: “Financial services and pharma companies are very aware of the issues, due to the intense regulatory demands – but in other sectors it is much less of a live issue. Powerful regulations such as the Bribery and Corruption Act and restructuring of the FSA/Bank of England mean there is a strong focus on compliance in the City.”
Kent believes that although awareness is still poor, education holds some promise: “Forensics is often seen as a mystical art and is not widely understood. We always advise people to call someone for advice – it's free. A lot of in-house teams tend to be investigators in title only. Forensics is more and more an IT function, part of incident response, but only in larger corporations. The SME arena simply isn't there yet. Having said that, there is more awareness building. We see a lot of interest in our education courses...”
Van der Wel agrees that awareness is still a key issue: “I like to use the analogy of the dead body on the floor with a knife in its back. Everyone knows not to touch the knife – but in the IT world, everyone wants to mess about with the PC and thus compromise the evidence, whether for business continuity reasons or just simple ignorance. Sysadmins are often the worst culprits, uploading their own specialised tools to repair damage – and that muddies the water. The vast majority of businesses still have no idea what to do in this area – we often hear things such as ‘there was a security problem, so we reinstalled everything from scratch'.”
The lack of awareness is generating other consequences, such as an urge to ‘go it alone' in the event of a problem. However, although forensics tools are more widely available than in the past, there are obvious concerns for businesses adopting this attitude. Van der Wel continues: “Most businesses attempt to do their own investigation first before calling us in. Strangely, we usually get calls at 5pm on a Friday, and I spent a while wondering why, before realising that this is the result of a problem that was discovered earlier, still unresolved by Friday morning – and finally escalated to the level where there was enough authority to call in external help.
“Firstly, you have no idea which cases will go to court, so unless you're prepared for this eventuality from the beginning, your case may be compromised. Secondly, in most organisations, forensic capabilities are not core competencies, so whoever is tasked with the incident response is likely to be inexperienced – and maybe a little rusty with regard to the latest forensic and anti-forensic techniques.”
As well as the lack of experience, there are other common issues, says van der Wel: “Usually the problems we are asked to investigate have been captured and logged, just not spotted or acted upon. There's often not enough time available to integrate the output of these tools.”
The lack of resources is a key issue. As forensics tools become ever more powerful and data volumes rise, accurately interpreting their output and acting on it also takes more and more time. And vendors are actively targeting the developing market. Kent explains: “In addition, there is increasing interest in integrating forensic imaging technology into security products, so admins can ‘snap' a forensic image of the system whenever necessary. There are a few products already, but there is still plenty of evolution left in the market. The future will be more about process than technology, that's for sure. Data visibility will become ever more important, with cloud challenges both a clearer and a larger issue.”
Van der Wel agrees: “Forensics is becoming increasingly complex and more technically difficult and there's a huge gulf between being a target of opportunity and a target of choice for attackers. In the latter case, there is a great deal of time, money and expertise being focused on your defences and this makes our life much harder. It's common for attackers to compromise strings of systems to cover their origins, and if some of those are in countries where computer laws are lax, then there really is little enforcement that can be carried out.”
It is clear that computer forensics is very much in the frontline of IT security. Budget cuts and squeezed resources have combined with increased attack sophistication to create a perfect storm.
Stopping the rot with increased automation is only part of the solution; improved processes also have their place. Increased business awareness of forensic requirements will undoubtedly be an essential part of closing the door on cyber crime...
Catching the sniffer
In July 2007, a large retail chain discovered it had been the victim of a security breach when customers began to complain of suspicious credit card transactions. Initial suspicions fell on point of sale (POS) detail-skimming by employees across the 1,000 retail locations. However, in spite of a lengthy police investigation, no evidence was found and the fraud continued for a further six months.
Verizon Business Investigative Response (IR) was called in to investigate and soon uncovered a single output file that contained targeted sequences of payment card account data. The investigators concluded that the file was produced by a custom-coded packet sniffer that was capturing credit card information before it was deleted from the POS and server systems, which according to PCI standards must occur immediately after bank authorisation.
“One of the easiest things to do if you don't find immediate evidence of unauthorised access is to start looking for quantities of data in the fraud patterns,” said Bryan Sartin, managing principal, Verizon Business IR. “As these sources of in-scope information are located in the target network, forensic analysis may reveal when and how the data has been accessed in the past and by whom.”
The sniffer was found at every store location within the chain. Further investigation revealed that the retailer routinely had trouble ticket issues that were escalated to a vendor for resolution. A virtual private network (VPN) concentrator had therefore been deployed that allowed the vendor access to the retailer's POS systems for troubleshooting and repairs. The vendor had admin rights and access to the retailer's entire POS network – which had provided a route into the POS system for the hacker.
With the entry point uncovered, the investigators needed to gather admissible evidence and pinpoint the hacker's location. It was decided to set a trap, so both the output file and the packet sniffer program were rigged to alert investigators if accessed – and to log events, including the attacker's IP address.
With the trap approved by law enforcement, investigators didn't have long to wait before the alarm was triggered. However, when data was retrieved from the log files a problem was discovered. Although the attackers had used the vendor's VPN concentrator to breach the system as expected, they had also immediately erased the VPN logs, removing vital details such as their IP address. Fortunately, the retailer happened to be a Verizon internet customer and the ISP's logs were beyond the reach of the hacker.
Within hours, the retailer's lawyers granted permission for Verizon Business to disclose internet connection activity for the timeframe in question (a process that would normally require weeks to finalise). The results were clear – there was only one IP address that had entered the VPN concentrator at the time of the system breach.
The investigators now had enough evidence against the owner of the IP address – based in Eastern Europe – to hand the case over to law enforcement personnel to proceed with an arrest and prosecution.
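The decisive step in the case above was correlating the moment the rigged file tripped its alarm with the ISP's upstream connection records, after the attackers had wiped the VPN concentrator's own logs. The following is an added example, not Verizon's tooling, of that correlation: it parses connection records, keeps only those destined for the concentrator inside a window around the alert time, and reports whether exactly one source address remains. The log format, the concentrator address, the alert timestamp and every IP address are constructed (RFC 5737 documentation ranges), and the window width is a parameter because it is an investigator's judgement call, not a fixed rule.

```python
"""Correlate a trap alert with upstream ISP connection logs.

Added example, not the article's or Verizon's code: the log format,
addresses, timestamps and window are all constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed ISP connection records for the retailer's uplink (format assumed).
# The third line is deliberately malformed to show how such lines are handled.
ISP_LOG = """\
2008-01-18T03:41:07Z src=203.0.113.77 dst=198.51.100.10 dport=443 proto=tcp
2008-01-18T03:52:30Z src=192.0.2.45 dst=198.51.100.10 dport=443 proto=tcp
2008-01-18T03:5?:?? src=192.0.2.45 dst=198.51.100.10 dport=443 proto=tcp
2008-01-18T03:55:12Z src=192.0.2.45 dst=198.51.100.25 dport=80 proto=tcp
2008-01-18T04:10:00Z src=198.51.100.200 dst=198.51.100.10 dport=443 proto=tcp
"""

# Constructed: the vendor VPN concentrator's address and the moment the
# rigged sniffer output file raised its alarm.
VPN_CONCENTRATOR = "198.51.100.10"
ALERT_TIME = datetime(2008, 1, 18, 3, 53, 5, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


def candidate_sources(log_text, concentrator_ip, alert_time, window_minutes=10):
    """Return {source_ip: [timestamps]} for connections to the concentrator within the window.

    Malformed lines are skipped rather than fatal; in a real report they would
    be listed separately so the gap in the evidence is documented.
    """
    window = timedelta(minutes=window_minutes)
    start, end = alert_time - window, alert_time + window
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != concentrator_ip:
            continue
        if start <= rec["ts"] <= end:
            hits.setdefault(rec["src"], []).append(rec["ts"])
    return hits


def sole_source(hits):
    """The article's outcome: one address in the window. Return it, or None if zero or several remain."""
    return next(iter(hits)) if len(hits) == 1 else None


if __name__ == "__main__":
    hits = candidate_sources(ISP_LOG, VPN_CONCENTRATOR, ALERT_TIME)
    for ip, times in sorted(hits.items()):
        print(ip, [t.isoformat() for t in times])
    print("sole source:", sole_source(hits))
```

Widening the window to 15 minutes pulls in a second address in the constructed data, and `sole_source` then returns None; that is the point of keeping the width explicit, since a conclusion that depends on the chosen window needs to say so.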
Top forensics tips
Never be the most visible
When you buy a new box or implement new software, don't allow your vendor to publish you in its list of ‘top ten clients'. Once a vulnerability has been discovered, hackers often use these lists for easy target leads.
Do you have an incident response plan? Is it up-to-date? Are the freelancers covering the weekend shift aware of it? Preserving usable forensic data means taking steps as soon as an event is suspected, not hours later...
If you have got an up-to-date plan in place, test it. Fire drills occur regularly; IT drills should too – and for the same reasons.
Ask your peers
Get a group of IT pros together in an informal setting and ask them how they would attack you. Then go back and check your outgoing data traffic at an IP level, using a geographical lookup tool. Consider the results. Is there a lot of data being sent to Eastern Europe on Saturday morning? Find out why...
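The tip above asks for a geographical view of outgoing traffic, broken down by time. The following added example, not a tool from the article, shows the shape of that check: outbound flow records are mapped to a destination country through a prefix table and totalled by country and weekday-versus-weekend, and any country receiving more than a threshold at the weekend is flagged for follow-up. The flow records and the prefix table are constructed (the addresses are RFC 5737 documentation ranges, so the country codes attached to them are placeholders); in practice the table would be a GeoIP database and the flows would come from NetFlow/sFlow exports or firewall logs.

```python
"""Summarise outbound transfers by destination country and time of week.

Added example, not the article's: the flow records and the prefix-to-country
table are constructed. The addresses are documentation ranges with no real
geography, so the country codes are placeholders standing in for a GeoIP lookup.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a geo lookup database, keyed by network prefix.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "RO"),
]

# Constructed outbound flow records: timestamp (local), destination IP, bytes sent.
FLOWS = """\
2010-06-05T02:14:00 192.0.2.9 734003200
2010-06-05T02:40:00 192.0.2.9 512000000
2010-06-07T10:05:00 203.0.113.8 120000
2010-06-07T11:30:00 198.51.100.4 45000000
2010-06-12T03:10:00 192.0.2.17 900000000
"""


def country_for(ip, table=GEO_TABLE):
    """Longest-match is unnecessary here because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return "??"  # unknown: worth listing separately, not silently dropped


def parse_flows(text):
    """Yield (timestamp, destination, bytes) tuples from the whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), dst, int(nbytes)


def summarise(text, table=GEO_TABLE):
    """Return {(country, 'weekend' | 'weekday'): total bytes sent}."""
    totals = defaultdict(int)
    for ts, dst, nbytes in parse_flows(text):
        bucket = "weekend" if ts.weekday() >= 5 else "weekday"
        totals[(country_for(dst, table), bucket)] += nbytes
    return dict(totals)


def suspicious(summary, threshold_bytes):
    """Countries receiving at least threshold_bytes at the weekend: the 'Saturday morning' question."""
    return sorted(cc for (cc, bucket), total in summary.items()
                  if bucket == "weekend" and total >= threshold_bytes)


if __name__ == "__main__":
    summary = summarise(FLOWS)
    for (cc, bucket), total in sorted(summary.items()):
        print(f"{cc} {bucket:8s} {total / 1e6:10.1f} MB")
    print("follow up:", suspicious(summary, 1_000_000_000))
```

The threshold is a starting point, not an answer: the tip's real question is why the transfer happens at all, and a flagged country is the cue to trace the sending host and the process behind the connection.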
Only keep what you need
What data are you keeping, where and why? Many businesses are storing massive amounts of data ‘just in case' – do you really need all yours?
Mirror your servers. Then when an incident is suspected, switch to the mirror site, while investigators inspect the former live site. This maintains business continuity at a low cost, but enables detailed investigations to take place.