Forensics By Choice, Not Chance
Let's talk for a moment about the initial detection of a possible security event. Who normally suspects or discovers it? Nearly always, the breach will be noticed either by an end user or by a member of the Information Technology (IT) staff. I'll not spend time on end user training except to say that end users must be trained to notify a member of the IT staff immediately any time something doesn't appear "right" with their machine, and to take no other action. We do not want or need well-meaning but untrained end users "assisting" us in gathering evidence; every file they open or program they run alters the very state we need to preserve. The IT staff should respond immediately to reports of suspected breaches and should be able to determine quickly whether a possible security incident has occurred. Once confirmed, the matter is turned over to security investigators for further action.
This works well in large organizations that can afford to pay a full time team of lawyers and forensics technicians to respond to incidents. Everyone may agree on the need for proper preservation and collection of evidence, but not everyone may be able to afford (or even want to pay for) a full time response team. What's the solution for a cost-conscious institution? Enter the "First Responder."
What is a First Responder? A First Responder is not a lawyer, but is trained in the pertinent legal areas that govern how they preserve and collect potential evidence. They may not be vendor-certified network administrators (although that is a distinct advantage, which we will discuss later), but they are trained in the use of tools and techniques to collect and analyze evidence without destroying its legal value. Their training permits them to provide expert technical testimony at cyber crime trials. Most importantly, they are part of your existing staff. For them, security incident investigation is an "additional duty", but an additional duty for which they have been specifically trained. If the situation warrants, the First Responder has the training to implement proper procedures for evidence preservation and collection in a forensically sound and legally sufficient manner. If the investigation comes to involve law enforcement agencies, the First Responder's training will allow a smooth transition of the evidence to law enforcement without a break in the chain of custody. All of these attributes give the First Responder's employer a "leg up" in the courtroom.
As a guest speaker for the International Council of E-Commerce Consultants (EC Council) "Hacker Halted" International Security Conferences, I have spoken to audiences in Dubai, Mexico City, Singapore and the United States on the risks and preventions for financial, government and retail organizations. The consensus of attendees is that the defendant is not the only accused party at a cyber crime trial. Defense attorneys also put the security incident investigator and the victim company's policies and procedures on trial in order to obtain an acquittal for their client. The victim company must convince a judge, jury, or both, that records containing purported evidence of an intrusion are admissible in a court of law and that the programs used to produce those records are "reliable." Investigators and first responders must present independent, corroborative evidence that they are properly trained and meticulously followed that training during the investigative process to produce admissible evidence. If not, they will be unable to convince a judicial body that their actions did not contaminate evidence or break the chain of custody.
It makes sense, therefore, that first responder candidates should be chosen from the ranks of the IT staff. These individuals have probably received vendor-certified training on the myriad details necessary to operate, maintain and secure the applications and operating systems used in the organization. They are probably familiar with the layout of the network (its topology) and can more accurately determine whether a suspected incident is really a cause for alarm or just a network aberration. As a First Responder, their training allows them to articulate the specifics of why they performed certain actions. They are somewhat immune to defense attacks on their credibility as a witness because they have been trained not only on forensic procedures, but also on the intricacies of the operating systems from which they have collected the evidence. Using a trained First Responder for evidence collection will help the victim company convince a court to admit the collected evidence even when the company doesn't employ a full time lawyer or forensic technician on staff.
What training should a First Responder receive? Obviously, First Responders should be trained in the legal areas that authorize and dictate their actions. First Responders within the United States should have a fundamental understanding of the 4th and 5th Amendments to the US Constitution, US (or home country) statutory laws relating to monitoring and collection, and the Rules of Evidence. They should also receive extensive training on the computer investigation process, forensic techniques for various file systems and operating systems, and how to acquire and duplicate data without altering the original: hashing the source before and after acquisition, verifying that the image hashes identically, and working only from the verified copy. Because evidence may sometimes be hidden inside other data, they should be trained in image file forensics and steganography. They should be familiar with forensic techniques not only for computers, but also for routers, firewalls, mobile phones and PDAs. Their comprehension of the material should be measured by rigorous testing, and the training itself should be proctored and administered by an accredited body. The EC Council's Computer Hacking Forensics Investigator (CHFI) certification is one example of such training. The witness stand is no place to tell the court your security incident investigator trained by reading a "Dummies" book. (No offense to the authors of these wonderful "References for the Rest of Us".)
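The acquire-and-verify step mentioned above, as an added example that is not part of the original article: a small Python routine that copies a source to an image, proves the source hashed the same before and after the copy, proves the image matches, and appends a chain-of-custody record. It is a stand-in for a real acquisition (a hardware write blocker and a forensic imaging tool would be used on an actual device); the file names, case identifier, examiner name and the "evidence" bytes are all constructed for the demonstration.

```python
# Added example, not code from the article: hash-verified acquisition with a custody log.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # stream in 1 MiB chunks so a large image never sits in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path, examiner, case_id, custody_log):
    """Copy source to image, prove the source was unchanged and the copy is exact,
    then append one JSON chain-of-custody record per line to custody_log."""
    pre_hash = hash_file(source_path)          # fingerprint the original before anything else
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(chunk)
    finished = datetime.now(timezone.utc).isoformat()
    post_hash = hash_file(source_path)         # the original must hash the same afterwards
    image_hash = hash_file(image_path)         # and the copy must hash the same as the original
    if post_hash != pre_hash:
        raise RuntimeError("source changed during acquisition; image is not trustworthy")
    if image_hash != pre_hash:
        raise RuntimeError("image does not match source; re-acquire")
    os.chmod(image_path, 0o444)                # working copy becomes read-only
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "algorithm": "sha256",
        "source_hash": pre_hash,
        "image_hash": image_hash,
        "started_utc": started,
        "finished_utc": finished,
    }
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_image(image_path, custody_log):
    """Re-hash the image and compare it with the latest custody record for that path.
    Returns True only when the copy still matches what was logged at acquisition."""
    with open(custody_log, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    matching = [r for r in records if r["image"] == os.path.abspath(image_path)]
    if not matching:
        return False
    latest = matching[-1]
    return hash_file(image_path, latest["algorithm"]) == latest["image_hash"]


# Constructed sample "evidence": not a real disk, just bytes written to a temporary file.
SAMPLE_EVIDENCE = b"hypothetical mailbox export\nFrom: someone@example.invalid\n" * 1000


def demo():
    """Acquire the constructed sample, verify it, then show that tampering is detected."""
    workdir = tempfile.mkdtemp(prefix="fr-demo-")
    source = os.path.join(workdir, "original.bin")     # hypothetical source
    image = os.path.join(workdir, "original.dd")       # hypothetical raw image
    log = os.path.join(workdir, "custody.jsonl")       # hypothetical custody log
    with open(source, "wb") as fh:
        fh.write(SAMPLE_EVIDENCE)
    record = acquire_image(source, image, examiner="J. Doe (First Responder)",
                           case_id="CASE-0001", custody_log=log)
    intact = verify_image(image, log)
    os.chmod(image, 0o644)                             # simulate someone editing the copy
    with open(image, "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    tampered_ok = verify_image(image, log)
    return record, intact, tampered_ok


if __name__ == "__main__":
    rec, intact, tampered_ok = demo()
    print(json.dumps(rec, indent=2))
    print("image verified:", intact, "| after tampering:", tampered_ok)
```

The before-and-after hash of the source is what lets the responder testify that the original was not altered by the acquisition; the image hash recorded in the log is what every later examiner re-checks before working on the copy.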
The security investigatorâ€™s role in the organization can only be understood by first looking at the part security investigations should play in the grand scheme of network security. Network security is often referred to as a triad consisting of vulnerability assessment and risk management, network intrusion detection and incident response, and computing investigations and forensics.
As with any triad, the closer you get to one apex of the triangle, the further you get from the other two. Most organizations now understand the value of vulnerability assessment, risk management, network intrusion detection and incident response. They have implemented policies and procedures to integrate these important areas into everyday business operations. This balance is represented by the position of the ball in the diagram. Computing investigations and forensics, however, are usually dealt with on a reactive basis. They are considered only after an incident occurs. The trained First Responder can help the organization move the ball into the "sweet spot" at the center of the triangle by serving as a policy and procedural consultant to the organization. He or she can advise the organization on how to revise its documentation to adhere to the Rules of Evidence. While this may not seem very important at first glance, consider the following: You have a warning banner configured on your network to advise employees that their activities may be monitored. Is the banner sufficient to meet the burden of consent under 18 U.S.C. § 2511(2)(c), "...where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception..."? I'm not going to give you the answer. Ask your First Responder or security investigator!
First Responders make sense in an environment that may not be able to afford full time legal and forensics staffing. They should be recruited from existing staff who have an in-depth knowledge of the organization's network environment. They should receive training from an accredited body on the wide variety of subject matter essential to successful forensic investigation. They should not be used only for investigation, but as a policy and procedural resource to aid the employer in preparing for a successful future trip to the courtroom.