Learn Computer Forensics

By: William Oettinger

Overview of this book

A computer forensics investigator must possess a variety of skills, including the ability to answer legal questions, gather and document evidence, and prepare for an investigation. This book will help you get up and running with using digital forensic tools and techniques to investigate cybercrimes successfully. Starting with an overview of forensics and all the open source and commercial tools needed to get the job done, you'll learn core forensic practices for searching databases and analyzing data over networks, personal devices, and web applications. You'll then learn how to acquire valuable information from different places, such as filesystems, e-mails, browser histories, and search queries, and capture data remotely. As you advance, this book will guide you through implementing forensic techniques on multiple platforms, such as Windows, Linux, and macOS, to demonstrate how to recover valuable information as evidence. Finally, you'll get to grips with presenting your findings efficiently in judicial or administrative proceedings. By the end of this book, you'll have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.
Table of Contents (17 chapters)

  • Section 1: Acquiring Evidence
  • Section 2: Investigation
  • Section 3: Reporting

Corporate investigations

We will now discuss computer forensics on the civilian, or non-law enforcement, side. Since you are not an agent of the government, the search warrant requirement does not apply to you. (Your specific jurisdiction may differ.) Not having a search warrant requirement does not mean you may seize and analyze private property. What do I mean by that? Suppose you are the investigator for a large multinational corporation, and you have an employee you believe is harassing other employees and may have viewed illicit images on their company laptop. What is the legal requirement for you to examine the contents of the employee's laptop? If you were an agent of the government, the employee would have an expectation of privacy. As an employee using the company's equipment, however, the courts have held that the employee has only a limited expectation of privacy in the data on the device.

Important note

This may differ, depending on your local jurisdiction. I was teaching a class in Germany and as I was teaching, the students explained that German law gave an employee a high expectation of privacy. In their jurisdiction, there were specific requirements that had to be met before they could examine an employee's computer.

Other than the search warrant requirement, the corporate investigator's duties are similar to those of law enforcement. They still must acquire the evidence, they must analyze the evidence, and they must present their findings. They could present their findings in an administrative proceeding, or they may forward their findings to law enforcement where they may have to testify in a judicial proceeding. In either case, the digital forensic investigator must ensure that the digital evidence was collected in a forensically sound manner while maintaining the chain of custody of the digital evidence.

If the digital forensic examiner cannot authenticate the evidence, then they cannot testify or present it in the administrative/judicial proceeding. The corporate digital forensic investigator also investigates a wide variety of crimes. Typically, they will not be investigating a crime where a person was hurt or killed, but they can still investigate fraud, forgery, a violation of the company's policies and procedures, corporate espionage, or if they believe an employee has stolen intellectual property or is trying to harm the corporation itself. So, let's now talk about employee misconduct.

Employee misconduct

As a condition of their employment, employees must abide by the policies created by their organization. Typically, an employer has an "Employee Handbook" or a set of policies and procedures that dictate which behaviors are acceptable and which are not. Such policies also lay out how the organization ensures that all employees are treated with dignity and respect in its daily operations. There may be rules specifying what is an acceptable use of the organization's desktop and laptop computers, and a violation of those rules could result in an investigation analyzing those devices, as we mentioned earlier.

Now, I use the term "policy and procedures," and I have found there is a large amount of confusion with those two terms, primarily when used together. A policy is a statement from the organization addressing a specific issue, while the procedure is the specific instructions regarding how to accomplish the goals of the policy. For example, the organization could enact a policy to restrict employees from accessing non-organizational emails using the organization's computers. The procedure would have two audiences, all the employees, and the IT staff. The procedure would inform the employees of how to access the organization's email while directing the IT staff regarding how to block non-organizational emails from being accessed.

You need to follow some general guidelines as your organization drafts and implements policies and the accompanying procedures, as follows:

  • The policy should be simple to understand. Short and sweet – do not overcomplicate it. If there is a way for an employee to "misunderstand" the policy, then they will dispute whether their actions violated the policy.
  • The procedure should specify all the steps needed to implement the task outlined in the policy. Don't assume the reader will understand if you are not specific in what you want them to do.
  • The organization must inform the employee of the potential consequences of violating the policy.
  • The organization cannot implement policies that violate the law.
  • The organization must enforce the policies. There have been many investigations I have conducted where multiple employees have violated the policy, but the organization never enforced the policy. If they do not enforce the policy for 51 weeks and then, during the 52nd week, the organization enforces the policy against some employees and not others, how can the employees be held accountable during week 52?
  • There must be documentation that the employee knew and understood that the organization implemented the policy and the penalties for violating the policy.

If an employee violates the organization's policies or procedures, does law enforcement have to get involved? Of course not. It depends on the violation, whether it was a criminal act, and whether the organization has a responsibility to notify law enforcement. Sometimes, the law mandates that the organization notify law enforcement if it discovers the employee has committed a criminal violation. Make sure you are aware of the statutory requirements in your jurisdiction and communicate with in-house counsel during the investigation.

As a digital forensic investigator, it is not typically your decision whether to notify law enforcement. After you consult with the organization's legal counsel and C-level executives, they will make that decision. For the digital forensic investigator's purposes, it does not matter whether the investigation relates to a criminal or noncriminal matter.

Remember, we treat every investigation as if we may have to go to court and testify because, while the initial investigation may deal with policy violations, during the investigation, you may discover there have been criminal violations that mandate the involvement of law enforcement. The prosecution and defense will scrutinize all of your investigative endeavors before the involvement of law enforcement. If you do not maintain the standards of the investigative process, it could weaken the prosecution.

As a digital forensic investigator for a corporate organization, there are a variety of violations the organization may call on you to investigate. One of the more common incidents is a complaint of harassment or a hostile work environment. This is where one person causes one or more people to be intimidated, harassed, physically threatened, or humiliated, or engages in any other activity that makes the workplace offensive. How would you investigate someone for a hostile work environment? Start by interviewing the complaining employees; their statements will describe how the harassment or hostile work environment was created, if it was.

Your investigation will determine whether the actions were physical, verbal, or carried out on digital media and the frequency of the offending conduct. Was there a single employee whose behavior was offensive or is there a culture within the organization? If a supervisor was notified or if someone asked the offender to stop, what resulted from the efforts to stop the offending behavior? The offending employee could send offensive text messages, emails, or instant messages utilizing the organization's communication network. If the alleged behavior occurred or was facilitated with the organization's devices, you should be conducting your examination to determine whether there is any digital evidence to support or refute the allegations since the property belongs to the organization, which limits the employee's expectation of privacy. (Remember, this may vary by jurisdiction.)

Once you have supervisory approval to conduct the digital forensic examination, the investigation can proceed. With the information at hand, you can filter out a large amount of additional data that may be contained on the storage device. To be efficient while dealing with the extraordinarily large datasets contained within today's high capacity devices, you have to filter out data that is not pertinent to your investigation. For example, if we are dealing with harassing emails, you may restrict your examination to only email traffic.

Now, your investigation may grow based on your findings in the initial exam. For example, while viewing emails, you observe the subject sending illicit images to other employees. Your investigation has now expanded based on the violation and the potential number of violators. Do not limit yourself to only the suspect's computer; you need to examine the devices of both the suspect and the complaining witness.

The complaining witness may have evidence of the offending email, while the suspect may have used anti-forensic techniques to remove the source email from their computer. Or you may find the complaining witness had changed the email to contain offensive material. You want to be as thorough as possible and that dictates an examination of the emails from both the sender and the recipient. 

You are not typically called upon to determine whether the conduct was offensive – that is a very subjective determination. What one employee considers offensive, another employee may not. Your job will be to recover the artifacts to allow the fact finder to make a well-informed decision as to whether the complaining witness' statement can be substantiated. Human resources or in-house legal counsel will determine whether the employee's conduct was offensive. Your job is to be an impartial third party and to present the findings. This could be through an administrative proceeding such as a hearing, or you could make a presentation to a senior executive. Remember that the organization may be held liable in situations where they have been informed of the employee's offensive behavior and did not take action.

Corporate espionage

In the corporate environment, no matter how large or small, there are specifics about your organization you don't want to share with the entire world. You could provide a proprietary widget to another organization, or you may have an exclusive recipe for a consumer food product. In almost every case, your organization provides a service and gets paid to provide that service. If a competitor could look inside the internal workings of the organization, that look may negate any advantage the organization has over the competition.

We can define corporate espionage as one organization spying on another organization to achieve commercial or financial gain. The same tactics that nation states use against each other are utilized by corporate actors against each other; for example:

  • Physical or digital trespassing to gain access to data or information
  • Impersonating any employee to gain physical access to an organization's buildings or other facilities
  • Intercepting voice or data communications or manipulating a competitor's website
  • Manipulating social media against a competitor

Some actions I just listed are not in the digital realm, so how can a digital forensic investigator determine what occurred?

Security

It comes down to physical and digital security. The organization has to be proactive and identify the critical infrastructure that needs protection. Once the critical infrastructure has been identified, the organization can then implement controls for security and documentation. If an attacker is successful, the digital forensic investigator will have to determine how the attacker got past the established protocols. The organization's physical and digital defenses should be multifaceted and not rely on a single aspect. What I mean by this is that there should be a mixture of physical and digital mitigation efforts to protect the organization. Access control is essential; a locked door could be access control, such as controlling access to the server room. Now, the door could be locked and unlocked with a biometric or a physical token. The organization should maintain the access control logs at an off-site facility.

If an employee's access control token was compromised and used by the attacker, a digital forensic investigator can analyze the logs and determine which user identity was recorded entering the server room. Digital surveillance recordings will allow the investigator to observe the entry and determine whether it was the employee or an unknown third party. With a digital attack, you will have to analyze the logs from the network security devices, for example, antivirus, authentication servers, routers, and firewalls. Those logs are detective controls: a detective control allows you to investigate what occurred, but it neither prevents the incident nor deters it. Access control, by contrast, is a preventive control; it protects an asset by controlling users and preventing unauthorized access.

Hackers

You may be the victim of an attack from a "hacker." What is a hacker? Typically, it's a malicious user gaining access to information systems that belong to another. You may see the term "black hat" or "white hat" hacker, where the color of the hat determines the hacker's intent. 

A "white hat" hacker is a positive actor. This is a person or group whose goal is to identify vulnerabilities in a system so that the system's owner or vendor can correct them. A "black hat" hacker is someone who attacks the system with malicious intent; their goal is to violate and exploit the organization's data systems. There is also the "hacktivist," who looks to exploit vulnerabilities in a system for political reasons. The attack could be the compromise of information maintained in the system or a distributed denial-of-service attack on the organization. The following is a table to help highlight the differences:

A bad actor will not only rely on accessing the system through technical means; they will also attack an organization through the employees. This is known as using social engineering, which is what we will discuss next.  

Social engineering

Social engineering is another attack that is relatively common in the corporate environment. One form is the "phishing attack," where the attacker attempts to trick the user into handing over confidential information such as usernames and passwords. Typically, this attack is made via email, where the sender purports to be a bank or someone in authority and asks the user to provide biographical information: name, date of birth, governmental identification number, username, and passwords.

If the user believes the email and provides that information, the attacker can then impersonate the user and attempt to gain a foothold into the organization's data systems.

There are automated tools designed to run social engineering attacks, such as phishing, against organizations. These tools do not require a significant amount of specialized knowledge to use. Users of such tools are referred to as "script kiddies" and could attack your organization with them. The vendors of the tools state they are to be used by the organization as a method to test its own defenses, but there is no way to control what the user does with the software once it is downloaded.

Gophish

Gophish is one such automated tool. It works on all three of the major operating systems and is freely available for anyone to download. It does not require significant installation skills; you can extract it and run the executable, and the program will be up and running. The following screenshot shows the initial login screen when the software is up and running:

Figure 1.3 – Gophish login

Once you log in, you will be presented with the Dashboard of the service.

Note

This book is not about running Gophish or any other program; it is merely to give you an idea of what is available out there.

Please follow all applicable laws and regulations.

You can create email templates that you can send out to organizations. You can collect the email addresses of members of the organization using open source intelligence (OSINT) techniques and import them into the program:

Figure 1.4 – Gophish import emails

A common theme when it comes to phishing the user's credentials is to send them an email asking them to reset their password, and when they do so, it directs them to a clone of the official landing page. After the attackers capture the username and password, the user is redirected to the official page, and they never know what occurred.

Real-world experience

One time, I was hired to conduct a vulnerability analysis of an organization. As part of the scenario, they did not provide me with any information about the internal workings of the data network or the physical security of the building. The building had public access during regular business hours. During regular business hours, I walked around the organization and conducted my reconnaissance to see whether I could identify any vulnerabilities. 

To go to the executive levels of the building, I was required to sign in at the security desk and receive a radiofrequency identification (RFID) pass. As I signed in, they did not require me to show any identification, nor was I required to state my business or my destination. I signed in, was given a visitor RFID card, and was sent on my way. I took the elevator to the top floor and walked around the executive level. I was dressed in typical business casual clothing, carrying my laptop case. I found an unlocked training room, entered, and set up my laptop. I plugged into the network and accessed the system. While I was inside the training room, several employees walked in, but none of them questioned why I was there, sitting alone, typing furiously at my computer. I stayed in the room until 4 hours after the building closed. During that time, no one questioned why I was in there. I packed up my laptop and had free rein of the executive level for the rest of the evening.

If I had been an actual attacker, how would you be able to investigate what happened? What sources of evidence, maintained by the organization, could you process? The first step would be to identify a potential timeline for what occurred. One control put in place for this vulnerability test was to not damage the network and instead to access a control file. A control file is a plain document of no value that can be safely manipulated to show unauthorized access. The manipulated file carries the timestamps showing when the unauthorized access happened, and those timestamps give the investigator a starting point for the investigation.

This is achieved by examining server logs and firewall logs and trying to identify my digital footprints within the network. Once they identify the physical location of the device where the compromise occurred, they can review the surveillance footage and work backward to how I gained access to the executive level, to the RFID-protected elevator, and to the physical security log I completed. Describing the response in a few sentences does not convey the enormity of the task facing the digital forensic investigator. If the organization identifies the compromise in a timely fashion, that makes the investigation more straightforward, but consider what happens if the compromise isn't recognized for days, weeks, or months. How hard would it be to determine what occurred months after the compromise?
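The two passages above (the compromised badge token in the Security section, and working backward from the control file's timestamps here) describe the same procedure: pick a pivot time, pull every log source into one ordered window around it, and resolve access tokens to the people behind them. The following is an added example of that procedure, not code from the book. The badge-reader and firewall log formats, the badge IDs, IP addresses, door names and the control file timestamp are all constructed for illustration; real logs have their own formats and need their own parsers, but the approach is the same.

```python
"""Windowed timeline around a pivot timestamp, with badge IDs resolved to identities.

Added example; not code from the book. Every log line, badge ID, IP address
and timestamp below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed badge-reader log: time, badge ID, door, result.
BADGE_LOG = """\
2020-03-02T10:02:11 badge=V-0417 door=LOBBY-ELEV result=GRANTED
2020-03-02T10:03:40 badge=V-0417 door=ELEV-FLOOR-12 result=GRANTED
2020-03-02T10:05:02 badge=E-1133 door=SERVER-ROOM result=GRANTED
2020-03-02T17:45:09 badge=E-1133 door=SERVER-ROOM result=GRANTED
2020-03-02T22:10:55 badge=V-0417 door=LOBBY-ELEV result=GRANTED
"""

# Constructed firewall log: time, source IP, destination IP:port, action.
FIREWALL_LOG = """\
2020-03-02T10:11:20 src=10.12.40.77 dst=10.0.5.10:445 action=ALLOW
2020-03-02T10:12:05 src=10.12.40.77 dst=10.0.5.10:445 action=ALLOW
2020-03-02T16:20:14 src=10.12.40.77 dst=10.0.5.12:3389 action=DENY
"""

# Constructed mapping from badge ID to identity, as the visitor sign-in
# sheet and HR records would provide. A visitor badge only resolves to
# whatever was written at the desk, not to a verified person.
BADGE_OWNERS = {
    "V-0417": "visitor sign-in 'J. Doe' (no ID checked)",
    "E-1133": "employee jsmith",
}

# Pivot: last-modified time of the control file (constructed).
CONTROL_FILE_MTIME = datetime(2020, 3, 2, 10, 12, 0)


def parse_kv_line(line, source):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    event = {"time": datetime.fromisoformat(ts), "source": source}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text, source):
    return [parse_kv_line(line, source) for line in text.splitlines() if line.strip()]


def resolve_badge(event):
    """Attach the identity behind a badge ID, or mark it unknown."""
    if "badge" in event:
        event["identity"] = BADGE_OWNERS.get(event["badge"], "unknown badge " + event["badge"])
    return event


def build_timeline(pivot=CONTROL_FILE_MTIME, window_minutes=15, logs=None):
    """Merge every event within +/- window_minutes of the pivot, oldest first."""
    if logs is None:
        logs = [(BADGE_LOG, "badge"), (FIREWALL_LOG, "firewall")]
    events = []
    for text, source in logs:
        events.extend(resolve_badge(e) for e in parse_log(text, source))
    start = pivot - timedelta(minutes=window_minutes)
    end = pivot + timedelta(minutes=window_minutes)
    return sorted((e for e in events if start <= e["time"] <= end), key=lambda e: e["time"])


def badge_trail(timeline, badge):
    """Doors a badge passed through in the window, in order: the path to
    check against surveillance footage when working backwards."""
    return [e["door"] for e in timeline if e["source"] == "badge" and e.get("badge") == badge]


if __name__ == "__main__":
    for e in build_timeline():
        who = e.get("identity", e.get("src", ""))
        where = e.get("door", e.get("dst", ""))
        print(e["time"].isoformat(), e["source"], who, where)
```

Widening the window (for example, `build_timeline(window_minutes=12 * 60)`) is how you catch the late-evening badge event once the initial 15-minute window has given you the visitor badge to pivot on; the unverified sign-in name attached to that badge is exactly the gap the surveillance footage has to close.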

Consider the compromise of Sony Pictures in 2014. While the exact duration of the attack is unknown, the attackers spent at least 2 months inside the network copying files, with some reports saying the attackers had access to the internal network for a year. Although it has never been confirmed, the attackers claim to have compromised and transferred over 100 TB of data from Sony Pictures.

The compromise of information was not the only vector of attack; they made employees' computers inoperable, and also compromised some social media accounts for the organization. The employees of the organization were also victimized with the compromising of their personal information by the attackers.

Insider threat

An organization cannot assume the attack will come from an external threat. While the design of most protocols and mitigations is to safeguard the organization from the external threat, the internal threat can be more dangerous than the external threat. No longer can the organization rely upon outward-facing security such as firewalls, building access control systems, intrusion prevention systems, or intrusion detection systems; they must also assess internal vulnerabilities to mitigate the threat from the inside. This is not an easy task; the insider threat has knowledge of the security protocols, the organization's policies, and potential vulnerabilities that the external threat does not.

In 2016, almost 1/3 of all electronic crimes were known/suspected to be caused by the insider threat. The damage caused by the insider was more significant than an external attack. No sector is protected from the internal attacker; in fact, if you are a US federal agency or a defense contractor, the government requires you to create a formal insider threat program, which is not surprising since there have been nearly 100 insider threat incidents within the last 10 years. (We are not talking about espionage incidents.) Almost 3/4 of the insider attackers were actively employed by the federal agency, while 1/3 were not directly employed, such as a contractor or an employee of another agency. A majority of the federal cases dealt with fraud and were committed by the insider for financial gain.

Who typically commits insider attacks? Is it a new employee? A veteran? Remember, for an insider attack to be effective, the insider has to be trusted. If we look at the federal government sector, nearly half of the insiders had been with the organization for over 5 years, with a majority of them abusing their access and creating fraudulent documents. Now, in the information technology sector, the demographics of the insider attack are a bit different. Nearly 75 percent were former employees and were with the organization for less than a year. Almost 20 percent did not have their accounts deactivated when they left the organization. That means they could use their credentials to access the confidential information, despite leaving their employment.

As an investigator, this should be a warning that there is an issue with that organization's policies and procedures that needs to be corrected immediately. Having a procedure in place to deactivate an employee's account either before termination or shortly after they give their resignation would have stopped the one-fifth of the documented attacks that relied on credentials that were never revoked.
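The account-deactivation gap above is one of the few insider-threat problems an investigator can check for mechanically: compare HR's separation list against the directory. The following is an added example of that check, not the book's code. The separation records, account states and logon times are constructed; in practice they would come from HR and from a directory export (for example, Active Directory's enabled flag and last-logon timestamp), which this example does not query.

```python
"""Find accounts that stayed enabled after their owner left the organization.

Added example; not the book's code. All records below are constructed.
"""
from datetime import date, datetime

# Constructed HR separation records: username -> last working day.
SEPARATIONS = {
    "aturner": date(2019, 11, 15),
    "bmoss": date(2020, 1, 31),
    "cpark": date(2020, 2, 14),
    "eruiz": date(2020, 2, 20),
}

# Constructed directory export: username -> (enabled?, last logon or None).
ACCOUNTS = {
    "aturner": (True, datetime(2020, 2, 3, 21, 40)),   # left in November, still enabled, logged on in February
    "bmoss": (False, datetime(2020, 1, 30, 9, 5)),     # correctly disabled
    "cpark": (True, datetime(2020, 2, 12, 17, 0)),     # enabled, but no logon after departure
    "dlee": (True, datetime(2020, 3, 1, 8, 0)),        # current employee, not in the HR list
}

AS_OF = date(2020, 3, 2)  # constructed date the audit is run


def audit_separated_accounts(separations=SEPARATIONS, accounts=ACCOUNTS, as_of=AS_OF, grace_days=0):
    """Return one finding per separated user whose account needs attention.

    severity 'high'   : a logon was recorded after the last working day
             'medium' : the account is still enabled past the grace period
             'info'   : HR lists the user but the directory export does not
    """
    findings = []
    for user, last_day in separations.items():
        if user not in accounts:
            findings.append({"user": user, "severity": "info",
                             "reason": "no account in directory export"})
            continue
        enabled, last_logon = accounts[user]
        if not enabled:
            continue
        days_over = (as_of - last_day).days
        if last_logon is not None and last_logon.date() > last_day:
            findings.append({"user": user, "severity": "high",
                             "reason": f"logon {last_logon.isoformat()} after last day {last_day.isoformat()}"})
        elif days_over > grace_days:
            findings.append({"user": user, "severity": "medium",
                             "reason": f"still enabled {days_over} days after last day"})
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in audit_separated_accounts():
        print(finding["severity"].upper(), finding["user"], finding["reason"])
```

A 'high' finding is where the investigator starts collecting: the post-departure logon is the event to pivot on. A 'medium' finding is a policy failure even if nothing was touched.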

Investigating an insider threat will be difficult. You are dealing with people/employees who, at some level, have gained the trust of the organization. The investigator has to try and determine what the insider's mindset is underneath the persona that is being shown every day. Are they an opportunist? Are they a disgruntled employee? Are they someone out for revenge against an executive? Those are the potential attackers you may have to deal with. You want to create the groundwork before the attack happens. 

Various sections of the organization – Human Resources, Legal, and IT – will be part of planning any potential response as well as being part of the response. The response team will identify who may be involved in an insider threat, such as the following:

  • Executive staff
  • Directors
  • Employees with access to data

When identifying the potential data sources for an investigation, you will need to examine the following:

  • Company-issued laptops
  • Company-issued tablets
  • Cell phones or mobile devices
  • Any cloud account access

You will have to correlate the user and the user's devices with access to the critical data, and the team will have to identify the critical data beforehand. When should insider threat investigation be initiated? Typically, this will start with a notification from Legal or Human Resources. The organization could also implement a policy in terms of investigating when an employee leaves the organization. If the employee's position gives them access to sensitive or privileged information, then a review of their activities within the organization should be conducted. This could start in a broad sense; you are looking to gather data from their mobile devices, laptops, desktops, and potentially the cloud. Then, you take that dataset and filter it so that it reflects access to the critical information.

Once the employee has given their resignation or the organization has decided to terminate the employee, the data collection process should start, and it should begin before the employee is told they will be terminated. I recommend that the organization collect between 30 and 90 days' worth of activity for the employee. The more data that's acquired, the better informed the investigator will be about the employee's actions. Some of the artifacts that may help determine whether the employee has exfiltrated data are as follows:

  • USB devices
  • Cloud accounts
  • Sharing of files via social media
  • Burning a CD/DVD

You will also analyze the activity around the critical data. This should be a standard activity so that there is an understanding of what is normal. You have to monitor the data to get that normal baseline so that you understand when the unusual traffic occurs. For example, you could monitor the traffic to the critical data and suddenly, access to that data spikes. Does an attack cause this spike or is it normal because it is the end of the pay period and the accountants are accessing the data as part of standard processing?

Another example could be whether the data is being accessed after regular business hours. Is there a legitimate reason for that access? These are the circumstances that need to be identified before the investigation starts. This foreknowledge will allow you to filter out all the baseline information and to only focus on that data outside of the norms.
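The two checks described above, a volume spike against the normal baseline and access outside business hours, are simple enough to script once the critical data and the expected exceptions (the end-of-pay-period run, the backup account) have been identified beforehand. The following is an added example, not code from the book. The audit events, user names, share paths, business hours and "expected busy day" calendar are constructed; a real deployment would feed file-server audit or DLP events into the same functions.

```python
"""Flag access to critical data that departs from an agreed baseline.

Added example; not code from the book. Events and calendars are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, time, timedelta
from statistics import mean, pstdev

BUSINESS_HOURS = (time(7, 0), time(19, 0))       # constructed working day
AFTER_HOURS_ALLOWED = {"backup-svc"}              # accounts expected to run overnight
EXPECTED_BUSY_DAYS = {date(2020, 2, 28)}          # constructed: month-end payroll run
BASELINE_WINDOW = (date(2020, 2, 17), date(2020, 2, 26))


def constructed_events():
    """(timestamp, user, action, path) tuples: ten quiet baseline days, one
    expected busy day, and one day with a suspicious after-hours bulk read."""
    events = []
    first = date(2020, 2, 17)
    for i in range(10):
        d = first + timedelta(days=i)
        for k in range(9 + (i % 3)):                        # 9, 10 or 11 reads per day
            ts = datetime.combine(d, time(9, 0)) + timedelta(minutes=5 * k)
            events.append((ts, "acct1", "READ", "/finance/payroll.xlsx"))
    for k in range(40):                                     # legitimate month-end spike
        ts = datetime.combine(date(2020, 2, 28), time(10, 0)) + timedelta(minutes=3 * k)
        events.append((ts, "acct2", "READ", "/finance/payroll.xlsx"))
    for k in range(35):                                     # 35 contracts read at 23:10 on a normal day
        ts = datetime.combine(date(2020, 3, 2), time(23, 10)) + timedelta(minutes=k)
        events.append((ts, "jdoe", "READ", f"/finance/contracts/{k:03d}.pdf"))
    events.append((datetime(2020, 3, 2, 2, 0), "backup-svc", "READ", "/finance/payroll.xlsx"))
    return sorted(events)


def daily_counts(events):
    """Number of events per calendar day, keyed by ISO date string."""
    counts = Counter(ts.date().isoformat() for ts, _, _, _ in events)
    return dict(sorted(counts.items()))


def baseline(events=None, window=BASELINE_WINDOW):
    """Mean and population standard deviation of daily counts inside the window."""
    events = constructed_events() if events is None else events
    start, end = window[0].isoformat(), window[1].isoformat()
    counts = [c for d, c in daily_counts(events).items() if start <= d <= end]
    return mean(counts), pstdev(counts)


def flag_volume_spikes(events=None, window=BASELINE_WINDOW, k=3.0):
    """Days whose count exceeds mean + k*stdev, ignoring pre-agreed busy days."""
    events = constructed_events() if events is None else events
    mu, sigma = baseline(events, window)
    threshold = mu + k * sigma
    busy = {d.isoformat() for d in EXPECTED_BUSY_DAYS}
    return {d: c for d, c in daily_counts(events).items() if c > threshold and d not in busy}


def flag_after_hours(events=None):
    """Events outside business hours by users not on the after-hours list, by user."""
    events = constructed_events() if events is None else events
    lo, hi = BUSINESS_HOURS
    hits = defaultdict(list)
    for ts, user, action, path in events:
        if user in AFTER_HOURS_ALLOWED or lo <= ts.time() < hi:
            continue
        hits[user].append((ts.isoformat(), action, path))
    return dict(hits)


if __name__ == "__main__":
    print("baseline mean, stdev:", baseline())
    print("volume spikes:", flag_volume_spikes())
    for user, hits in flag_after_hours().items():
        print(f"after-hours: {user} {len(hits)} events, first {hits[0][0]}")
```

The payroll run on 28 February is well above the threshold but is suppressed because it was identified in advance; the 2 March activity is flagged twice, once on volume and once because it falls outside business hours, which is the kind of corroboration an investigator wants before filtering everything else out.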

The investigation may show no malicious intent, or it may indicate there was malicious intent. Either way, you report the findings to the team to determine the next steps. This could lead to a review of policies and procedures and the implementation of new controls to mitigate future attacks.