Computer forensics: Donning your detective hat

"Quincy, ME," the 1970s TV series, showed the dramatic potential of medical examiners. We're waiting now for the premier of "Quincy, CF." Computer forensics is playing an increasingly important role in thwarting wrongdoers at the federal, state and local level. For example, recovered e-mails helped expose the involvement of National Security Adviser John Poindexter and Lt. Col. Oliver North in the Iran-Contra scandal during the Reagan administration.

The ubiquity of computers as a communications tool means that the role of computer forensics -- the practice of examining historical activity on electronic devices when someone suspects inappropriate or illegal activity -- will continue to grow in importance.

And the tools available to forensics analysts are keeping pace with increasingly sophisticated computers and other electronic devices. Forensic tools and the professionals with the qualifications to use them have also become more expensive. Accordingly, it can be a challenge for agency security teams to know when to put them to work.

"If you have reason to believe that a serious crime has been committed and that prosecution is desired, then you should bring in an experienced [forensics] investigator," said Jay Heiser, a research vice president at Gartner Group. But what if you're not sure yet that someone has committed a crime?

"Legislation, such as Sarbannes-Oxley, is making organizations more responsible and making data security and integrity a best practice," said Bill Margeson, chief executive officer at CBL Data Recovery Technologies.

All of the experts we interviewed said agencies could address legislative requirements and the growing number of incidents by establishing an internal forensic policy and creating a toolkit to execute the initial phases of a forensic investigation.

The four phases of forensics

At a high level, forensic activity has four phases: evidence collection, evidence preservation, analysis and reporting.

Of those, the collection phase is the most crucial, especially if agencies suspect illegal activity. Depending on the type of incident, forensic tools can collect activity data from a variety of sources, including servers, users' hard drives, log files, application data, portable devices and security tools, such as intrusion-detection systems.

When forensics experts collect information for an investigation, they typically remove suspected hard drives and make a write-protected image of the contents using a forensic workstation. However, new portable devices allow security employees to boot from a CD on a separate machine and safely extract an image of a hard drive via a USB or Ethernet port.

For user devices such as desktop and laptop PCs and personal digital assistants, you typically want to capture an image of their entire content, whereas on large, multiuser systems, you might only need to see specific folders, such as a user's home directory, or data from specific tables. Both forms of collection are admissible in court as long as the collection process is well-documented and security employees use proper seizure methods.

During the preservation phase, you should use cryptographic checksums to make exact copies of all the collected data. A cryptographic checksum is a mathematical value assigned to a file and used to verify that data has not been changed. If legal action is a likely outcome of your investigation, you can ensure the integrity of the collected images by maintaining checksum copies of the data.

With data images in hand, you can now enter the analysis phase. Sometimes during this phase, you will need to retrieve deleted or encrypted data. A variety of commercial and open-source forensic software can retrieve items, including incriminating evidence, that you might otherwise overlook.

During the next part of the analysis phase, you should search through the collected information for inappropriate or illegal activity. Although you can use Unix- or Windows-based search tools, forensics-based search tools are available to help ensure that you are analyzing the correct data. For example, if a user renamed a file and its extension to try to hide something, the forensic search software could uncover the foul play.

After uncovering the data, the next step is to correlate the information from the investigation's various data sources. For example, you might need to construct a timeline of events. To do so, you could have to mesh network log timestamps and data together with database access and usage logs. Forensic software will often include resources to help you correlate the information.

The final phase of forensic investigations is usually the production of at least one report that describes the investigation's outcome. Reports may include summary information about the event and additional details.

Walking through the phases

With an eye toward the four phases of forensic investigation, we wanted to gauge how effective some of the products mentioned here would be when added to an agency's forensic toolkit. We spent some time assessing AccessData's Forensic Toolkit, Paraben's P2 Power Pack and ASR Data's Smart Linux.

We recommend that you put more than one solution in your toolkit. Only one of the three units we tested, the Paraben P2 Power Pack, attempts to cover all four phases of forensic analysis. And each product had special capabilities.

During the collection phase, we found that all three did an excellent job of creating images. We were able to successfully copy information from several types of file systems, including file allocation table, NT File System, ReiserFS, journaled file system and Ext2/3.

We especially liked Smart Linux's concurrent task capability, which let us simultaneously scan multiple images. We were limited only by the resources of our available hardware. In addition to image collection, we found some other useful seizure capabilities in Paraben's modules. For example, they can collect data from cell phones and PDAs.

Moving to the preservation phase, we used Paraben's P2 Explorer and ASR Data's Smart Linux to generate Message Digest 5 checksums and algorithms for creating digital signatures. We used Smart Linux's tools to validate the images, and by using P2 Explorer, we could guard the information we had uncovered through write-protections.

All three tools provide in-depth analysis capabilities. For example, we were able to use Paraben's Decryption Collection tool to recover passwords. The three tools also provide useful searching functions. Access Data's Forensics Toolkit allowed us to rapidly search text and images. In addition, we used the product's Live Search function to find binary patterns in the collected data.

Access Data and Paraben provide additional analysis tools, including facilities for examining e-mail messages, compressed files, chat sessions and so on. We were able to successfully analyze e-mail messages from Netscape and Yahoo. Paraben's e-mail analysis tools also include support for products such as Lotus Notes. We used this support to inspect an e-mail file based on Lotus Notes Version 6.0. Paraben and Access Data also did a nice job of recovering deleted e-mail messages.

We then used Access Data's support for a number of different archive formats, such as WinZip and tape, to extract the contents of several large archives. Moreover, Paraben's Chat Examiner enabled us to analyze several Yahoo chat sessions with ease.

When it comes to correlating the collected data, Access Data and Paraben include some powerful filtering capabilities that simplify the compilation of potential evidence files. For example, you could use a filter to identify standard operating system files and program files so you can eliminate them from your results.

Of the three products we examined, Paraben's had the best options for addressing the reporting phase of forensics. Using Paraben's Case Agent Companion, for example, we could add notes, bookmark various sections of the data and produce detailed reporting data.

One of the most attractive qualities of these tools -- and many other similar commercial and open-source solutions -- is that you can either download them directly or try out a demo version.

If you're investing in the construction of a forensic toolkit for daily use, you'll likely want to include several products. Given agency budget constraints, you probably want to include commercial and open-source options. However, no matter how well-stocked your toolkit is, you will encounter situations in which you should just call in the cavalry -- an experienced forensics expert.

Turning to outside experts

After agency security employees finish an initial forensic investigation, they may find enough evidence to warrant contacting a forensics expert to conduct a more in-depth investigation. The experts we spoke to said that if agencies were considering legal action, they should contact experts to ensure that all the evidence would be admissible in court.

What should you look for when trying to select a forensics expert? Heiser said he recommends looking for "someone who has had a lot of courtroom experience, especially successful prosecutions."

Jon Berryhill, chief operating officer at Berryhill Computer Forensics, expressed similar sentiments. He advises agency officials to take a close look at experts' experience and references. "That person must be able to communicate clearly on the phone, in person and in writing to be able to explain to the judge, lawyers and jury exactly what happened during the event," he said.

Although you would want to summon an expert when handling serious legal issues, you can take advantage of your internal forensic policy and toolkit to address inappropriate activity. Constructing and maintaining the policy and toolkit can help contain costs while improving compliance with legislation to ensure data security and integrity.

Forensic education and training

We asked our experts how agency security and risk-assessment teams should go about gaining knowledge about forensics and the best ways to expand that knowledge over time. Heiser said a primer, such as the one he co-authored with Warren Kruse, is a good place to start. He added, however, that "the trend lately is toward subject-specific books" on the various aspects of forensics.

Berryhill takes a slightly different approach to gaining forensic knowledge. "Read as much as you can and get as much training as you can. Go to conferences," he said. "After that, the most important thing is to stay connected with the experts who are out there doing forensic work every day." Berryhill suggests that after initial education, agency security employees should seek out a forensics expert to act as a mentor so they can stay informed on the issues and technology advances.

"The best sources of educational materials can be gained by getting in touch with law enforcement organizations," Margeson said. He particularly recommends the High Technology Crime Investigation Association (www.htcia.org).

Indeed, there are many security and law enforcement organizations that regularly offer forensic training. For example, the SANS Institute (www.sans.org) offers monthly courses at various locations throughout the United States and abroad. Moreover, several universities -- including the University of Central Florida, Champlain College and the University of Washington -- offer courses of various lengths to help get you up-to-speed on forensic tools and techniques. Several universities offer forensics-related courses online, too.

Biggs, a senior engineer and freelance technical writer based in Northern California, is a regular Federal Computer Week analyst. She can be reached at maggiebiggs@acm.org.