Cybercrimes make computer forensics one of the fastest growing markets in the information security industry. Forensics tools are not only used to help track down perpetrators in some high-profile cases, they are also being used in everyday civil and criminal cases to prepare for potential lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.
One of the requirements in SOX, SB 1386, GLBA and HIPAA is the capability to uncover deceptive activity, which is where forensics usually comes into the picture. Coupled with increased cybercrime, regulatory compliance is yet another business driver that is making more companies bring forensics capabilities in-house and search for tools to assist them.
But prior to making your IT staff investigators, forensics requirements must be truly understood.
Your forensics team needs technical competence and a good understanding of all legal requirements. The team must also know how to gather and preserve the evidence, and have the capability to present the information. Forensic investigators must be prepared to defend their activities in court because, on the witness stand, their career and reputation will be scrutinized and criticized. If they don’t collect and investigate the evidence properly and present their findings correctly in court, their evidence can be thrown out, which could cost the company the case.
A hybrid approach merging in-house forensics capabilities with external consultants is often the best approach. The in-house team carries out the investigation and gathers evidence, and is responsible for the crux of the case; the external team confirms that the investigation was executed as it should be, making sure the evidence is admissible in court. While the in-house team has more first-hand knowledge of the company, its systems and business needs, the external team has seen many more types of crimes. Jointly, these groups can provide more effective results.
There are several tools available to forensics teams to help ensure a correct investigation. Guidance Software’s EnCase, AccessData’s Ultimate Toolkit, and Paraben’s NetAnalysis are a few of the most widely utilized forensics tools in the industry. e-fense’s Helix is a strong open-source alternative.
Guidance Software’s EnCase
Guidance Software has long been the leader in forensics software with EnCase, the most-utilized forensics acquisition and analysis tool by law enforcement and the private sector. EnCase assists in the acquisition of evidence from just about every operating system, file system and media type, including live systems. EnCase has an exceptionally flexible Unix grep-like searching facility. These searches parse evidence byte by byte and can expose deleted files and other non-file data. EnCase then generates well-organized, detailed reports that are understood by experts and lawyers alike.
AccessData’s Ultimate Toolkit
AccessData’s Ultimate Toolkit (UTK) integrates a password recovery tool capable of decrypting just about every file, an enhanced registry viewer designed to illuminate evidence hidden in registry keys that are normally accessible only to the system, a disk wiper and a distributed-computing encryption breaker.
UTK’s edge is its database-driven platform. As evidence is imported (typically drive and partition images), it’s scanned and indexed into a case database. This allows for rapid ad hoc string inquiries and organization of obtained files and data with no need to rescan.
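The two search styles described above, EnCase’s byte-by-byte pattern search over the raw image and UTK’s index-once-then-query approach, are illustrated by the following added example. It is not code from EnCase, UTK or any vendor named in this article. The evidence image is a constructed byte string containing one live file record and one deleted record in unallocated space; the function names, the record layout and the `ALLOCATED_END` boundary are assumptions made for the illustration. The image is hashed before and after analysis so the reader can confirm the search is read-only, which is the preservation requirement the text discusses.

```python
"""Byte-level keyword search and one-pass indexing over a raw evidence image.

Added example (not EnCase, UTK or any product code). The image below is
constructed; a real run would read a drive or partition image instead.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Constructed evidence image: a live file record, a run of unallocated
# (zeroed) space, then a deleted record that no file entry references.
LIVE_RECORD = b"FILE:memo.txt\x00Quarterly numbers attached. Contact jane@example.com\x00"
DELETED_RECORD = b"DELETED:plan.txt\x00Ship source to rival@example.net before Friday\x00"
EVIDENCE = LIVE_RECORD + b"\x00" * 32 + DELETED_RECORD + b"\x00" * 16
ALLOCATED_END = len(LIVE_RECORD)  # assumption: everything past this offset is unallocated

# Pattern for e-mail-address-like byte sequences (constructed for the example).
EMAIL_RE = rb"[\w.-]+@[\w.-]+"


def sha256_hex(data: bytes) -> str:
    """Integrity hash of the image; record it before and after any analysis."""
    return hashlib.sha256(data).hexdigest()


def grep_bytes(image: bytes, pattern: bytes) -> list[tuple[int, bytes]]:
    """EnCase-style byte-wise search: a regex run over the raw image with no
    regard for file system structure, so hits in unallocated space surface too."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, image)]


def build_index(image: bytes) -> dict[bytes, list[int]]:
    """UTK-style one-pass index: every printable token mapped to its offsets.
    Built once at import so later ad hoc queries need no rescan of the image."""
    index: dict[bytes, list[int]] = defaultdict(list)
    for m in re.finditer(rb"[A-Za-z0-9@._-]{3,}", image):
        index[m.group(0).lower()].append(m.start())
    return dict(index)


def lookup(index: dict[bytes, list[int]], token: bytes) -> list[int]:
    """Ad hoc query answered from the index alone (case-insensitive)."""
    return index.get(token.lower(), [])


def region(offset: int, allocated_end: int = ALLOCATED_END) -> str:
    """Label a hit by whether it falls inside the allocated file area."""
    return "allocated" if offset < allocated_end else "unallocated"


def analyze(image: bytes) -> dict:
    """Read-only analysis run: hash, byte search, index build, re-hash."""
    before = sha256_hex(image)
    hits = [(off, val.decode("ascii"), region(off)) for off, val in grep_bytes(image, EMAIL_RE)]
    index = build_index(image)
    after = sha256_hex(image)
    return {"hash_before": before, "hash_after": after, "email_hits": hits, "index": index}


if __name__ == "__main__":
    result = analyze(EVIDENCE)
    print("image unchanged:", result["hash_before"] == result["hash_after"])
    for off, value, where in result["email_hits"]:
        print(f"offset {off:4d} {where:12s} {value}")
    print("offsets for 'friday':", lookup(result["index"], b"friday"))
```

The second hit comes from the deleted record, which a file-by-file search would never visit; the index answers repeated keyword queries without touching the image again, and the matching hashes are what an investigator records to show the evidence was not altered during analysis.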
As is characteristic of a commercial tool, FTK can manage a case from acquisition to completion, and contains polished and flexible reporting capabilities whose output can be written to an auto-play CD-ROM for distribution.
e-fense’s Helix
e-fense’s Helix, developed by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution that contains many forensics- and security-related tools designed to assist in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems.
Among the tools Helix employs are the feature-packed Sleuth Kit and its graphical interface, Autopsy Browser. Used in tandem, these give the digital detective a very capable graphical analysis platform similar in functionality to many commercial packages. Since Helix is free, open-source software, it’s inexpensive but lacks vendor technical support and timely bug fixes when they are required. Its youth is also a disadvantage; there is little if any court case history in which Helix has been utilized.
Paraben
Paraben has a wide-ranging array of tools that can be utilized to scrutinize e-mail, recover passwords, investigate chat logs and perform powerful Web surfing evaluation.
Paraben’s NetAnalysis tool can scrutinize AOL history files, reconstruct a cache for viewing, recover erased Internet history files, recognize Google searches, and provide a cookie and URL decoder. Its capability to extract evidence from most cell phones and PDAs is more thorough than similar capabilities in other tools. Although Paraben has a wide-ranging toolset, it has not caught on in the industry as well as the EnCase and AccessData products.
After your in-house forensics team has executed an incident or crime investigation with the suitable toolkit, it’s important to realize what went right and what went wrong so the method can be improved.
Some questions the team should deal with include whether further training or tools are required for future incidents, and whether any recovery activity introduced vulnerabilities or affected the company’s regulatory status. Based on the forensics team’s discoveries and its assessment of damages from a particular incident, a company can decide whether to bring the case to court.
The team should be able to determine the technical sophistication of the criminal and the chance of being able to catch him. It’s also important to determine what type of individual did this type of crime. Was it a competitor or just some kids hacking for fun?
Find out whom you are up against. Don’t waste your money and effort filing a multimillion-dollar lawsuit against some rogue teenagers who have no money.
Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your business catch a thief before he escapes into cyberspace.