Large Scale Network Forensics – It’s not just for Law Enforcement Anymore

Computer forensics have hit the big time. A previously “superniche” technology, forensics have moved into the collective consciousness of IT sys. admins. and Corporate CSO’s. In recent months (late 2002-early 2003), I have seen more articles addressing the use and definition of corporate computer forensics than ever before. I’ve seen a general acceptance of investigative software as a useful tool for keeping the enterprise internally secure.

Much has been made of firewalls, VPNs, smartcards, and biotechnology. These things are important of course, but how are companies investing in protecting their internal security? Threats from within make up a good percentage of identity theft (read: NY Horse Racing Association scandal), credit card fraud, proprietary information theft, harassment, and intellectual property violations. All very serious business indeed. I am positive that most high tech Human Resources departments do not employ a forensic investigator, nor is it likely that there exists the appropriate funding for IT admins. to attend forensic training.

Proper tools and training are definitely important. Understanding the methodology behind forensic investigations is even more important. I’d go toe to toe with anyone that thought they could purchase a bargain forensic toolkit and do a decent job of it. It’s just not comprehensive enough. Then again, what is “enough?” There are many determinants to deciding on appropriate investigative tools: How secure do you want to be? What exactly are you looking for? Do you need to monitor crucial business functions like Accounting and Finance? Is leaked information in Software Engineering a cause of concern? Are PCs and laptops properly investigated for signs of abuse when an employee has left or been terminated?

These are questions that beg consideration. The “threat” to corporate security is not waiting around the outside of the parking lot day after day. Sometimes, yes. More frequently, it’s internal. Multi-national companies pose an interesting challenge in that there are hundreds, sometimes thousands of people networked together, making the ability to respond to threats in real-time and from a remote location, increasingly important.

Privacy Issues?

I’ve spent a good deal of time following the privacy concern issues behind the use of computer forensics in the corporate environment. The fears have been common enough and yet, they seem to stem from a misunderstanding about what forensics can and cannot do. As an employee of any company, you sign documentation to the effect that all company systems, data, inventions on behalf of the company, etc., are property of the company. At least, this is the way North America does business. In knowing and embracing your status as a company employee, you understand that nothing on your desk (save for some pictures, weird objects and a cup of coffee), belong to you. However, this is fundamentally the very first thing that’s forgotten when arguments are presented. How can your company “spy” on you? Well, they aren’t spying, they are monitoring the data and work flow of their organization. Shouldn’t any company in these scary economic times want to assure that it is operating at the most efficient and secure levels possible? If you, as the loyal employee to “Company X”, are not in any violation of company policies, then the ad-hoc monitoring of your network communications and actions should not concern you-¦or should it? Depends on what you’re up to.

Computer forensics do not follow you home in your car. Enterprise Forensics, or “Large Scale Forensics”, are installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The sys. admin. (or examiner as it may be) does not monitor all systems on the entire network. It isn’t really possible and is very inefficient. The company chooses areas that it feels need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.

Mirroring a system does not affect performance of that system. Copying down information gleaned from the system while it’s in use may slow up the performance a bit, but again, it’s highly specific information that an investigator is looking for, not random emails about Friday night’s date.

Computer forensic tools can compile custom reports that run unattended 24-7 to monitor certain areas of concern. As an example, because of new regulations for American companies traded on the public market, the Security Exchange Commission (SEC) requires that all corporate heads personally vouch for their company’s financial reports. To ensure that these reports are indeed accurate, a CFO might want to employ a forensic solution to monitor cash flow in and out of Sales or Finance. A custom report could be programmed that would glean specific information for the CFO through the network capabilities of the enterprise forensic tool. In this way, there is consistent visibility into areas of the company that might otherwise go unnoticed but may cause catastrophic downfall all the same. Read: Enron.

Also of note, enterprise computer forensics do not work across the internet. They are company network specific. The Administrator exchanges a digital key with the vendor company and the vendor company holds the master agreement in an extremely secure location off-site. This again leads back to the licenses, and how many a company is utilizing. There is the potential to have a license to mirror every system on the network, but this is defeating to any real purpose and there are definitely not enough IT folks in a single company to do the monitoring on that scale.

Log Files

Regardless of an existing computer forensic tool installed on the network, what can be audited on every system are its log files. Time consuming and difficult to synthesize in massive amounts, log files have always been available to sys. admins. for customization, long before the advent of computer forensics. This is where the perceived “evils” of computer forensics must be addressed. The ways and means to monitor workflow and information exchange on computers has been there since their inception, on every system and with every user. Most companies employ some sort of log file audit process of their own. As with forensics, actions and events are chosen to be log-worthy. Trying to log every event on a system would adversely affect performance and isn’t practical. As for inferred human rights violations and or privacy violations of computer forensics, there isn’t anything magical or nefarious about the process other than it’s been made much easier to find critical data and it’s been automated.

The purpose and use of log files have been a topic of discussion in most in-depth forensic articles I’ve read. To this end, I’ve called upon Mike Fowler, a master trainer at Guidance Software*, to speak on the topic of log files and forensics.

“What value do log files have to a forensic investigator using a forensic tool? In the case of EnCase Enterprise (Guidance Software’s Enterprise tool), log files can be viewed regardless of whether or not they have been deleted or exist in allocated filespace. These details, commonly referred to as ‘System Artifacts’, assist the examiner in determining not only the breadth and scope of an investigation; but also allows them to target locations on the suspect drive that contain items of evidentiary value.”

On the subject of performance sacrifice, Fowler continues, “Like any networked application, forensic tools will utilize as much bandwidth as the system administrator will allow it to accomplish its job. Performance is dependant more on network topology than on any bandwidth throttling issues.”

Discussing the ‘old school ‘ means of gathering evidence from the network, Fowler offers, “Logging is the cornerstone of any comprehensive security plan. The presence (and validity) of system logs can frequently mean the difference between suspect identification and suspect anonymity. Forensic tools are not meant to take the place of generating and maintaining system logs, they are intended to compliment and enhance that system, used in conjunction with the gleaned information. A forensic solution can track and correlate log reports of user activity on a given computer during simple or complex network investigations.”

Customized Scripts

Also of note is the topic of scripting to perform investigations on a large scale network. Brought up as a possible solution to utilizing a forensic toolkit, customized scripts, coded by the IT sys. admin., have been talked about as a good alternative. While properly coded scripts are of great use to investigators in gathering data from unattended areas of the network, they are a compliment to, and not a fix for a good forensic solution.

Fowler adds, “The nice thing about using Perl scripts is that it automates many log and data collection activities that may otherwise be forgotten due to limited time on the part of the system administrator. Tedious tasks such as collecting, analyzing, and storing log files from a number of locations can often be overlooked. A properly created Perl script can free up a system administrator so he/she can concentrate their investigative efforts in areas of the network or system that sometimes forego attention due to time constraints.”

Methodology

The process behind most analytical tasks is based on a generally accepted “checklist” of duties and/or considerations to perform such a task. Proper methodology for computer forensics would involve a laundry-list of actions and thought processes that an investigator needs to consider in order to have the basics covered. While one would think forensics methodology would come naturally to most high level sys. admins., it’s not that simple. Which part of training methodology deserves special attention and what should one already know and be practicing? Fowler explains, “The question of training methodology is a great one. We are hearing from investigators that testify during investigations. The consensus is that the focus on the product used, is of less concern than the methodology used during the investigation itself. When training Law Enforcement students, they are often seasoned veterans with years of experience dealing with issues such as evidence handling and investigative best practices. The transition to the computer forensic mindset is usually a painless one given that they possess the basic knowledge and can apply it to most investigations.

IT professionals present an additional challenge. Although they have years of knowledge dealing with computers and networked systems, frequently the methods of protecting items of evidentiary value and utilizing accepted evidence gathering practices have not been a part of their training.

I have always said, “Give me an investigator and I can train him in the technical issues in my class.” Taking an IT professional and giving him the investigative mindset needed is something that cannot be covered in a 4 to 5 day class. What we can teach is sound forensic methodology that they can use while gaining the required investigative experience they need.”

What Is Needed?

Fowler continues, “One of the chief questions I get asked when teaching our corporate investigations course, is if I can provide a checklist of items that need to be completed in order to let the investigator know that the investigation is finished. The short answer is “No.” There is no checklist or special script that an investigator can run that will log in your evidence, examine the drive, chronicle the items of evidentiary value and write your reports. Each case worked will have its own set of idiosyncrasies and areas that require in-depth review. This is what separates an investigator, the compulsion to dig deeper until he is satisfied that he knows everything there is to know about the case.”

Time on your hands?

Should an IT examiner have excess time on their hands, they could conduct a network investigation utilizing several types of forensic utilities to do the job of a comprehensive toolkit. There is the option of shareware, specialized forensic components, log files, scripting and much more available for consideration.

In reality, today’s IT administrator already does the job of ten people and needs a solution that is customizable, expandable, upgradeable, and can adhere to industry best practices and legal protocols. That’s a tall order indeed. There are solutions out there that can perform at this level, and some are considered costly when not measured against immediate ROI and performance metrics. One should not gauge a forensic solution by its cost alone but rather by the accumulated cost of procuring multiple utilities, time constraints on the administrators, possible data loss of the company, inadequate reporting that may not be upheld in a court of law, and immeasurable loss due to employee misconduct and policy violations.

I revisit the argument of how secure do you want to be? This is a question best asked around a conference table with all the big players present. Human Resources, CFO, CSO, CEO, CIO, VP of Engineering, VP of Sales, and of course IT. All of these critical functions are directly affected by the efficiency of a good forensic solution. Instead of asking, “How much does it cost?” One should be asking “How much is our company worth to us?” There are solutions that are definitely “good enough”. Think about it.

When questioning Mike Fowler about the pros and cons of using Guidance’s solution as opposed to various solutions on the market, he replied, “Remember, I was a customer of Guidance’s (having been in Law Enforcement conducting investigations) long before I came on board. A comprehensive enterprise solution offers comprehensive ‘one-stop shopping’ in conducting drive examinations, ease of use, and the best customer service in the industry!”

Summary

Computer forensics are being injected into the corporate world to fulfill a large gap in IT capabilities and a greater need for comprehensive security. There are many common misconceptions about what the technology can and cannot do. Single solutions and cutting edge tools can accomplish their goals at the hands of trained examiners employing investigative mindsets and utilizing proper methodologies. There is no quick fix forensic solution, there are brilliant tools on the market that are well worth a company’s time and energy to explore. The cost in dollars is dwarfed overall by the multiple uses for enterprise forensics and their total, almost immeasurable ROI. While not at all magic, complete enterprise forensic solutions are efficient, comprehensive, and always ahead of the game.

*Guidance Software is the world’s largest provider of computer and enterprise forensic investigation solutions and training. Founded in 1997 and headquartered in Pasadena, CA, Guidance Software, Inc., has offices and training facilities in California, Virginia and the United Kingdom. More than 8,000 corporate and government investigators employ EnCase software, while more than 2,300 investigators attend Guidance Software’s forensic methodology training annually. Validated by numerous courts and awarded several industry awards, EnCase software is considered the standard in forensic tools.