S 6.126 Introduction to computer forensics

Initiation responsibility: Top Management, Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Auditor

A computer or digital forensic investigation involves proving and clarifying any punishable or otherwise illegal or antisocial activities by collecting and evaluating digital evidence. The typical goals of a digital forensic investigation after a system intrusion or other type of security incident are the following:

To reach these goals, all data relevant to the analysis of the incident must be collected from the IT systems affected. It must be ensured that as much information as possible can be collected from a compromised system without changing the current state or current status of the system. To conduct an effective investigation, it helps to create a guide in advance that describes each step of the investigation process.

According to the Computer Forensic - Secure, Analyse, Present (CFSAP) model, an investigation process can be divided into three main phases. In the secure phase, all data is carefully recorded. It must be ensured in this case that the area being investigated is carefully secured. It is often still unclear at this point whether or not the perpetrator was an internal employee of the organisation. If the members of the team of experts want to prevent the possibility of manipulation in such cases, then corresponding precautions must be taken so that insiders are not able to erase their traces. In this phase, the use of appropriate methods forms the foundation for ensuring the information collected will not lose its evidentiary value during a subsequent legal appraisal. Even though it is often not completely clear in this very early phase of the investigation whether or not legal clarification will be desired, the evidence collected should still meet evidentiary standards. For this reason, all activities must be must be carefully recorded and documented. The data collected also needs to be protected promptly against accidental or deliberate manipulation. For this reason, extensive use should be made of corresponding hash methods and of the two-person rule.

In the analyse phase, the evidence is carefully analysed and the results objectively evaluated. The conclusions must be examined critically to ensure missing links in the chain of argumentation are identified.

While the level of detail recorded and methods used in the secure and analyse phases do not depend on the specific questions to be answered by the investigation of the security incident in most cases, the tasks performed in the present phase do depend on who needs to be convinced of the truth of the results of the investigation and how they should be convinced.

Ultimately, the results should convince anyone who was not present during any part of the investigation and may not have the technical expertise to understand all details. This means that all results obtained must be documented conclusively and in a manner understandable to technical laymen. The results of a forensic investigation usually need to be presented to the decision-makers in the organisation, but it may also be necessary to provide external decision-makers or criminal prosecution authorities with the results.

Regardless of which questions need to be answered and which IT systems need to be examined (servers, workstations, PDAs, routers, notebooks etc.), it is possible to identify several basic types of sensitive data that will be of interest to the investigation:

It is important to know the half-life of this data, because the order in which the data is collected in the secure phase is determined by its half-life.

As a result of this, there are two basic methods of investigation in computer forensics, i.e. live response and post mortem analysis.

Analysing a system that is still active and has not been switched off yet offers an opportunity to collect most of the relevant volatile data and is referred to as live response. This approach is useful when valuable volatile data could be lost or the system cannot be switched off for availability or dependency reasons. A live response analysis is also helpful when there is a risk that it will become impossible to access the data media any more if the system is switched off. One of the main advantages of a live response analysis is that this analysis method is often the only one available that will be able to determine if the system was really attacked and if any malicious code is still active. In many cases, it is only possible while the system is running to detect irregularities indicating that a rootkit or other malicious software is running. One advantage of this method is that it is possible to secure the process memory and the events currently occurring on the system in a structured manner.

One of the main problems of live response analysis, though, is that it is not always possible to specify the order in which the volatile data will be collected with absolute certainty because every action performed on the suspicious system will also change the suspicious system itself. For example, when copying the list of processes currently running on the suspicious IT system, the commands used in the copy operation will also appear in the list. When tools are used improperly, there is also a risk that additional data will be destroyed or that a rootkit installed on the system will be able to hide information that is relevant to the investigation.

The second investigation method is often called post mortem analysis, because it deals with the evaluation of data media or copies of data media from systems that have already been switched off. In this case, the analysis is performed on a forensic copy of the data medium of a compromised system. A forensic copy is a bitwise copy that is stored as an image file. Examination of the original data medium without securing the data first should be avoided because there is a risk of destroying evidence in this case.

A post mortem analysis is performed when the contents of volatile memory are irrelevant to the incident being investigated or when the incident happened a long time ago. The advantages of performing a post mortem analysis on a forensic copy of a data medium is that it is impossible to accidentally destroy volatile data while making it possible to plan the entire analysis process and the tools to be used because information cannot be lost any more. However, this method also has disadvantages: Very few conclusions about what happened at runtime can be drawn, and essential evidence may still remain hidden.

If the volatile data is of interest in order to understand and clarify the security incident, then the volatile data of the suspicious system should be secured carefully before the system is switched off. Once this data has been carefully and properly secured, the system can be disconnected from the power supply system. If possible, a normal system shut-down should be avoided because numerous pieces of fragile data will be irretrievably destroyed in this case.

To ensure that all members of the team of experts for handling security incidents can perform the necessary analyses properly and calmly, the various steps of the analyses should be described in a guide. This guide should state, among other things, how the data of a suspicious system can be secured, and should also contain analysis plans for typical security incidents as well as the evaluation methods to be used. In addition, it should point out which legal grounds are applicable.

The forensic analysis methods should be examined regularly for possible optimisations.

Review questions:

© Federal Office for Information Security. All rights reserved.