Data breaches, hacking attacks, viruses, and insider threats are some of the security issues many companies face on a daily basis. Besides employing preventive measures, such as the use of firewalls and intrusion detection devices to prevent data breaches and thwart external attacks, many organizations around the world have been using computer forensics to identify instances of computer misuse and illegal intrusion. The use of computer forensic techniques also has flourished in the internal audit profession. However, many internal auditors are unaware of the advantages that computer forensics can bring to audit investigations. Learning how to acquire, analyze, and report data through the use of computer forensics can help auditors make the most of this investigative technique, as well as recover previously deleted documents that can provide the "smoking gun" needed to determine if a fraudulent activity took place.
The Forensic Investigation
Computer forensics is the application of analytical techniques on digital media after a computer security incident has occurred. Its goal is to identify exactly what happened on a digital system and who was responsible through a structured, investigative approach. Forensic investigations cover all areas of computer misuse, including fraud, Internet and e-mail abuse, entry to pornographic Web sites, and hacking, as well as accidental deletions or alterations of data.
During the forensic investigation, evidence may be obtained in a variety of ways, including affidavits, search warrants, depositions, and expert testimony. Regardless of the means used to obtain data, examination of a computer or other device must be done thoroughly, carefully, and without changing anything. This ensures that the integrity of the original data and the evidence's validity are maintained.
If an internal auditor suspects fraud may have occurred, he or she should fill out an incident detection report form or similar document. The document needs to specify the date and time of the suspected fraud, who reported the incident, the nature of the incident, and the system(s) and application(s) involved. Once the incident is recorded, the auditor should inform the right company personnel, such as the chief information officer, chief security officer, chief information security officer, IT director, or human resources director. The person who needs to be contacted should be identified in the company's policies and procedures document. Note: It is important for companies to have an established, clear process for dealing with these kinds of incidents. This kind of pre-planning can help ensure that the proper channels are followed when an incident occurs.
Forensic investigations consist of three phases: acquiring the evidence, analyzing results, and reporting results. Below is a description of each.
Acquiring the Evidence
The process of securing or acquiring evidence starts with previewing the contents of a computer's hard drive or other media. To acquire the electronic data, including deleted information, the storage device must be mirrored or duplicated exactly bit by bit. The actual size or space of the storage device and transfer speed over a network cable will dictate the length of time needed to image the drive. Once the storage device is secured, a second device may be needed as a working copy if the original storage device was not seized or secured. This allows the examiner access to an unaltered copy of the electronic data.
The second step to collecting the evidence is the preview stage. Here, the auditor performs a simple check to determine the current status of data files. This can provide useful information about ownership of the data and its relevance to a particular investigation, as well as help to focus the subsequent investigation.
What Is Slack Space?
When an e-mail message is created, space is reserved in small sections. As the message grows, sections are added one at a time. These sections are of a specific size. When e-mail data is deleted, the space is available for use again, and new e-mails can use the sections as needed. If the new e-mail is shorter than the deleted e-mail, the storage device will contain sections with the previous data. This old written data is referred to as slack space. Here's a more general analogy: A person goes to the video store to buy a movie. The VHS tape allows for two hours of video to be recorded on it. The person decides that the movie is not worth keeping and uses the tape to record a 90-minute show. After taping over the original movie, the VHS tape still has 30 minutes of tape remaining, which contains the old movie.
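The sidebar describes slack space with an analogy. The following is an added example, not code from the original article: a toy in-memory "disk" divided into fixed-size clusters, in which a file is written, deleted, and partly overwritten by a shorter file. The tail of the reused cluster still holds the old contents, which is exactly what a forensic image preserves and a live file listing never shows. Cluster size, file names and message text are all constructed; the formula in `slack_size` generalizes the sidebar to any file and cluster size.

```python
"""Slack space demonstration (added example, not from the original article).

A tiny in-memory 'disk' divided into fixed-size clusters models the
behaviour described in the sidebar: deleting a file only frees its
clusters, and a shorter file written into the same clusters leaves the
tail of the old data intact. All contents below are constructed.
"""

CLUSTER_SIZE = 512  # bytes per allocation unit (constructed; real values vary)
NUM_CLUSTERS = 8


class ToyDisk:
    """Minimal cluster-allocated storage: a bytearray plus a free list."""

    def __init__(self):
        self.media = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.free = list(range(NUM_CLUSTERS))
        self.files = {}  # name -> (list of clusters, logical size in bytes)

    def write(self, name, data):
        # Allocate just enough clusters; only len(data) bytes are written,
        # so whatever sat in the tail of the last cluster is left untouched.
        needed = -(-len(data) // CLUSTER_SIZE)  # ceiling division
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.media[start:start + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def delete(self, name):
        # Deletion only returns the clusters to the free list; the bytes stay.
        clusters, _ = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last cluster."""
        clusters, size = self.files[name]
        used_in_last = size % CLUSTER_SIZE
        if used_in_last == 0:
            return b""
        last = clusters[-1] * CLUSTER_SIZE
        return bytes(self.media[last + used_in_last:last + CLUSTER_SIZE])


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """General formula: slack = cluster_size - (file_size mod cluster_size), or 0."""
    rem = file_size % cluster_size
    return 0 if rem == 0 else cluster_size - rem


def demo():
    """Write a two-cluster memo, delete it, overwrite with a short file, read slack."""
    disk = ToyDisk()
    # Constructed 'old' message that fills exactly two clusters.
    old = (b"TRANSFER 250000 TO ACCOUNT 9988 -- DESTROY THIS " * 32)[:2 * CLUSTER_SIZE]
    disk.write("memo.txt", old)
    disk.delete("memo.txt")
    # A shorter, unrelated file reuses the first freed cluster (112 bytes).
    new = b"Quarterly newsletter draft. " * 4
    disk.write("news.txt", new)
    recovered = disk.slack("news.txt")
    return {
        "recovered": recovered,
        "slack_bytes": len(recovered),
        "formula_bytes": slack_size(len(new)),
    }
```

Running `demo()` returns 400 bytes of slack behind the 112-byte newsletter, and those bytes are the middle of the deleted memo. A directory listing would report `news.txt` as 112 bytes and nothing else; only a bit-for-bit image of the cluster exposes the remainder.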
The third step when collecting evidence is to protect the data by capturing an exact copy of the original information. This is done through a process known as imaging. An image is an exact replica of the computer's hard drive or other media, and should include any slack space (for more information, see the "What Is Slack Space?" sidebar above). The image is then investigated, rather than the original, to avoid altering the original data, which would make any evidence gathered inadmissible in court. Imaging is a vital step in a computer forensic investigation and is accepted as the best method for capturing computer evidence that may be presented in a court of law.
Having captured an exact image of the data, the fourth step is to process it. All data must be processed, including deleted or partially overwritten files, information hidden outside normal storage areas, and data in virtual memory and slack space. The most common method forensic examiners use to capture this data is a write-blocking device. This device prevents the forensic examiner's machine from writing to or altering the data on the suspect drive. Windows operating systems are notorious for altering attached drives in this way.
Typically, the suspect drive is removed from the machine if possible and plugged directly into the write-blocking device. Once this has occurred, an examiner can make what is called a "bit-stream" image of the drive. This is an exact bit-for-bit copy of the drive's contents, including deleted space, file slack, and logical files. Another method of capturing this data is using a Linux live CD or a boot disk, which allows the investigator to view the files on the drive, including deleted space and unallocated clusters, without altering the drive's contents. The examiner can then copy the files onto an external hard drive and view them. Hidden data often contains the most vital evidence to prove or disprove a case. In some cases, a file extraction may be appropriate. In other situations, a data index may be created to support powerful search tools.
After auditors have a complete image of the drive, they can start collecting the evidence. Most forensic software includes ready-made scripts for a variety of operating systems that automate certain functions, such as parsing the encrypted registry, finding files, and mounting files. Because different programs may work better for different tasks, auditors should ensure organizations are using the right product based on their data analysis needs. For additional tips on how to gather evidence, refer to the "Additional Steps and Techniques" section below or the "Steps to Handle Evidence During a Forensic Examination" sidebar below.
Steps to Handle Evidence During a Forensic Examination
- Never work off the original image; create a backup for analysis.
- Before working on a backup, hash it. Keep the original evidence in a safe.
- Create a log of everyone who has access to the original evidence and copies.
- Make notes of all findings, especially important ones.
- Save often to prevent data losses in case of power outages.
Analyzing the Results
The second phase, analyzing the results, takes place after all the evidence is acquired and imaged properly. Because every case is different, auditors need to be fully trained when conducting a data analysis, or they should recommend that a trained forensic examiner perform the evaluation if they lack the professional training to do so.
To analyze the evidence, auditors should use only the working copy of the retrieved electronic data, including deleted files and folders. Auditors also need to maintain a chain of custody when handling the evidence. This enables them to ensure the legitimacy of the evidence presented in court is unquestionable and provides an audit trail of who accessed the data and when. To maintain a digital chain of custody, all images should be hashed — the process of creating a small digital fingerprint of the data.
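The sidebar above says to hash a backup before working on it, and this paragraph says every image should be hashed to maintain the digital chain of custody. The following added example (not code from the original article) shows both in practice: an image is hashed in fixed-size chunks so that a multi-gigabyte file never has to be held in memory, a working copy is accepted for analysis only when every digest matches, and each handling step is appended to a custody log that records who did what, when, and the hashes at that moment. Flipping a single byte in the copy is enough to fail verification. The image contents, file names and handler name are constructed.

```python
"""Image hashing and chain-of-custody log (added example; not the article's code).

Computes the 'digital fingerprint' of a disk image, confirms that a working
copy is bit-for-bit identical before analysis begins, and appends one
custody record per handling step. The image bytes are constructed; a real
image is hashed the same way, chunk by chunk.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; keeps memory flat regardless of image size


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for the file at path, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy):
    """A working copy is usable only if every digest matches the original."""
    return hash_file(original) == hash_file(copy)


def log_custody(log_path, item, action, handler, digests):
    """Append one JSON line per handling event: who, what, when, and the hashes."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "item": item,
        "action": action,
        "handler": handler,
        "digests": digests,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo(content=bytes(range(256)) * 16):
    """Acquire -> hash -> copy -> verify -> tamper -> re-verify, in a temp dir."""
    work = tempfile.mkdtemp(prefix="custody_")
    try:
        original = os.path.join(work, "evidence.dd")
        copy = os.path.join(work, "working_copy.dd")
        log = os.path.join(work, "custody.log")
        with open(original, "wb") as fh:
            fh.write(content)  # constructed stand-in for an acquired image
        digests = hash_file(original)
        handler = "A. Auditor (constructed)"
        log_custody(log, "evidence.dd", "acquired and hashed", handler, digests)
        shutil.copyfile(original, copy)
        copy_ok = verify_copy(original, copy)
        log_custody(log, "working_copy.dd", "created and verified", handler, hash_file(copy))
        # Flip one bit of the first byte in the copy: verification must now fail.
        with open(copy, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        tampered_ok = verify_copy(original, copy)
        with open(log, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh]
        return {"original": digests, "copy_ok": copy_ok,
                "tampered_ok": tampered_ok, "log": entries}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Two digests are recorded because most forensic tools report both and because a match on two independent algorithms leaves no room to argue that a collision explains away a discrepancy. The log is append-only JSON lines so that it can be re-read and produced in the final report as the audit trail of access.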
During the data analysis stage, software also is used to inspect the raw data and organize it into an understandable report. As a result, the auditor must be able to tell the computer what to look for by using text-string search terms that will identify data pertaining to the specific incident under investigation. A search term should be created for each individual investigation and may be modified for each specific storage device within that investigation. Text strings could have as many as 500 words or phrases. The more text strings used, the better the results will be. Using more text strings, however, requires more work: As more text strings are used, results may contain a higher number of false positives or unrelated data that need to be examined. In addition, this process may take considerable time depending on the size of the storage device and the amount of data on that device.
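The text-string search described above runs over every byte of the image rather than over the live file system, so deleted and slack-space content is hit too. The following added example (not code from the original article) implements such a search on a constructed image and goes one step beyond the paragraph: each term is searched both as ASCII/UTF-8 and as UTF-16LE, the encoding in which Windows applications store most text, and each hit is reported with its byte offset, sector and surrounding text so the auditor can judge whether it is a false positive. The image layout, search terms and message text are constructed.

```python
"""Keyword search over a raw image (added example; not from the original article).

Every term is compiled in two encodings and matched against the whole image,
allocated or not. Hits carry offset, sector and decoded context so that
unrelated matches can be triaged quickly. The image below is constructed.
"""
import re

SECTOR = 512  # bytes; used only to report where in the image a hit sits


def compile_terms(terms):
    """One case-insensitive byte pattern per term and encoding.

    In UTF-16LE each ASCII letter is followed by a zero byte, so a plain
    ASCII search would miss Windows text entirely. IGNORECASE on a bytes
    pattern folds ASCII letters only, which is what both encodings need.
    """
    patterns = []
    for term in terms:
        for enc in ("utf-8", "utf-16-le"):
            pat = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            patterns.append((term, enc, pat))
    return patterns


def search_image(image, terms, context=16):
    """Return every hit with its byte offset, sector, encoding and nearby text."""
    hits = []
    for term, enc, pat in compile_terms(terms):
        for m in pat.finditer(image):
            start = max(0, m.start() - context)
            end = min(len(image), m.end() + context)
            hits.append({
                "term": term,
                "encoding": enc,
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "context": image[start:end].decode(enc, errors="replace"),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed image: live ASCII text in sector 0, a 'deleted' UTF-16LE
    document still present in unallocated space at sector 3, and an unrelated
    decoy in sector 6 that shares words with a search term but not the phrase."""
    img = bytearray(8 * SECTOR)
    live = b"Minutes of the Q3 meeting. Vendor payments approved by J. Doe.\n"
    img[0:len(live)] = live
    deleted = "Wire 250,000 to offshore account 9988 -- delete this message".encode("utf-16-le")
    img[3 * SECTOR:3 * SECTOR + len(deleted)] = deleted
    decoy = b"The account manager offshore office opens at 9.\n"
    img[6 * SECTOR:6 * SECTOR + len(decoy)] = decoy
    return bytes(img)


def demo():
    """Search the constructed image for three investigation-specific terms."""
    return search_image(build_sample_image(),
                        ["offshore account", "delete this", "J. Doe"])
```

On the constructed image the search returns three hits: the name in the live text as UTF-8, and the two phrases from the deleted document as UTF-16LE in sector 3. The decoy sentence is not reported because the terms are matched as exact phrases, which is the trade-off the paragraph describes: shorter, more general terms find more, including more unrelated data to examine.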
Once the data is analyzed, auditors should review any information stored in special folders and files created by the operating system, in addition to folders and files created by the user. After this stage is completed, the evidence must be recorded, sorted into different classifications, and stored.
The final phase of the forensic examination is creating the report and reporting the evidence. Final reports of the investigation should include a list of all the evidence gathered, a copy of printed documents listed as appendices, and an executive summary. In certain cases (e.g., to obtain a search warrant or make a criminal charge), auditors may need to create interim reports. These reports are updated as new information is gathered and until the investigation is completed.
Report findings need to be ready to be used in a court of law. For instance, reports should clearly explain what made the company or auditor suspicious of the hard drive, how the hard drive was imaged, how the data was handled prior to the analysis, where within the hard drive the evidence was found, and what the evidence means. Internal auditors who conduct the forensic examination should expect to be called to provide expert testimony during the court case and help the organization review the opposing counsel's evidence.
Additional Steps and Techniques
Before and during the forensic investigation, internal auditors can take additional steps to ensure evidence is court-ready. Prior to the forensic examination, the auditor should physically secure the system in question and take pictures of the room, the area surrounding the system, and the system itself. In addition, the auditor needs to secure the evidence onsite or in a laboratory to ensure a proper chain of custody is followed and digital evidence is secured effectively. The auditor should also document all system details and any connections to the system, such as network cables and 802.11x connections.
The following actions should be avoided at all cost prior to collecting the evidence:
- Modifying the time and date stamps of the system(s) containing the evidence before duplication takes place.
- Executing nontrusted binaries by double-clicking or running any executable files that are on the computer (e.g., evidence.exe could be a wiping program that, when run, can destroy all the evidence on the drive).
- Terminating the rogue process. This pertains to processes on the computer that are displayed when users press Ctrl+Alt+Delete. In hacking cases, it's common for people to press Ctrl+Alt+Delete and kill any processes they are unsure about. This may have adverse effects, such as wiping the drive or log files and notifying the attacker that the process has been discovered.
- Updating the system before the forensic investigation takes place.
- Failing to record executed commands.
- Installing software on the system.
While collecting the evidence, a live or offline analysis can be performed as part of the gathering process. A live analysis takes place when the forensic investigation is conducted on the live system (i.e., the system is not powered down). Due to the volatile nature of digital media, auditors need to document all the steps taken while collecting the evidence during a live analysis. Besides refraining from installing software on the system, the auditor should not update the system with any security patches or hot fixes prior to imaging the drive. If the computer has any active windows open, pictures should be taken of the monitor as part of the examination's documentation, as well as the area by the system's clock to determine whether there are encrypted containers and, if so, whether they are open.
Internal auditors may encounter problems during any live analysis. Some of these problems include:
- Destruction or alteration of digital evidence by the auditor. Because computer files only get overwritten when data needs to take their place on the hard drive, clicking on files or folders on a computer will result in information being written to the drive, potentially overwriting valuable evidence. During a live analysis, this is unavoidable. To account for potentially overwritten data, the auditor should write down every action performed on the system so that the forensic examiner can rule out that activity.
- Logic bombs and slag code. This refers to a piece of code or application that does something based on a condition. For example, wiping software commonly erases the drive on startup or shutdown. Therefore, the auditor can trigger a logic bomb or slag code simply by clicking on Start>Shutdown. The best way to avoid this situation is to unplug the machine from the wall. This will prevent software code from running, because the machine will have no electricity to run. If the investigation involves a laptop, after unplugging the machine, the investigator can shut down the laptop by pressing the power button and holding it down for approximately five to 10 seconds. This will cut all power to the machine and force it to shut down.
- Trojan binaries and root kits. Trojans and root kits are installed by the attacker. When operational, they send alerts to the hacker after a specific action takes place. Some Trojans even allow the attacker to view the computer screen in real time. Properly shutting down the machine will prevent the hacker from seeing what the forensic investigator is doing. At a minimum, the computer's Internet connection must be disabled so that information is not sent to the attacker.
- No access to slack space, pagefile/hibernation files, Windows NT file system transaction logs, and print spoolers. Sometimes, these files may contain just the right evidence needed to prove a case. For instance, in cases involving the use of forged checks, printed files could have all the evidence needed. However, if the investigator is unable to access these files, the evidence could be lost as the investigation moves forward and files are imaged.
Once the data is gathered during the live analysis, the system must be imaged. Depending on the type of operating system, the auditor may need to shut down the system properly without damaging the evidence, while still allowing the system to boot up.
An offline analysis is when the investigation takes place on the imaged copy. When preparing the evidence, auditors need to know how to power down the system correctly. Some systems must be shut down properly, while others can be turned off by pulling the plug (refer to Table 1).
Pull the Plug
Shut Down Properly
Windows 2000 Server
UNIX- and Linux-based operating systems should be shut down properly to ensure that they boot up after imaging.
SCSI Raided Systems
Table 1: Comparison of systems that can be turned off through the shut-down method or pull-the-plug method
When taking the system down, auditors need to make sure they remove the plug from the back of the computer and not the wall, because the computer may be plugged into an uninterruptible power supply. All cords attached to the computer, such as USB devices or network Ethernet cables, must be documented. Once the system is turned off and the information is recorded, the auditor might want to make an image of the system.
Auditors always should check to ensure duplication procedures and tools used meet the country's legal requirements. Otherwise, evidence may not be admissible in a court of law. For example, in the United States the National Institute of Standards and Technology requires that disk imaging tools used during the forensic examination meet certain standards, such as not altering the original disk in any way and logging all input and output errors.
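The two requirements named above, never altering the original disk and logging every input/output error, shape how an imaging tool has to be written. The following added example (not code from the original article or from any named tool) shows a minimal block-by-block imager: the source is read strictly in fixed blocks, a block that cannot be read is replaced with zeros of the same length so the image keeps the source's geometry, every such fault is recorded with its offset, and the hash of what was actually written is returned for the custody record. The source here is a constructed in-memory "drive" that fails on one block; against real media the source would be opened read-only behind a hardware write blocker.

```python
"""Block-level imaging with error logging (added example; not the article's code).

Reads a source in fixed-size blocks, substitutes zeros for any block that
cannot be read, records each fault with its offset, and hashes the bytes
actually written. The failing 'drive' below is constructed.
"""
import hashlib
import io

BLOCK = 4096  # read size; real tools use anything from a few KiB to a few MiB


def image_source(src, dst, size, block_size=BLOCK):
    """Copy exactly `size` bytes from src to dst, block by block.

    An unreadable block is replaced with zeros of the same length and logged,
    so the image stays the same size as the source and every read fault is
    accounted for. Returns the byte count, the SHA-256 of the written image,
    and the list of errors.
    """
    errors = []
    digest = hashlib.sha256()
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            src.seek(offset)
            block = src.read(want)
            if len(block) != want:  # short read: treat the gap as unreadable
                raise OSError(f"short read: {len(block)} of {want} bytes")
        except OSError as exc:
            block = b"\x00" * want
            errors.append({"offset": offset, "length": want, "error": str(exc)})
        dst.write(block)
        digest.update(block)
        offset += want
    return {"bytes_written": offset, "sha256": digest.hexdigest(), "errors": errors}


class FaultySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable block."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError(5, "Input/output error (simulated)")
        return super().read(n)


def demo():
    """Image a constructed 16 KiB 'drive' whose third block fails to read."""
    data = bytes(range(256)) * 64
    src = FaultySource(data, bad_offset=2 * BLOCK)
    dst = io.BytesIO()
    result = image_source(src, dst, len(data))
    result["image"] = dst.getvalue()
    # The recorded digest must describe the image as written, zeros included.
    result["sha256_matches"] = hashlib.sha256(result["image"]).hexdigest() == result["sha256"]
    return result
```

The error list is what goes into the report alongside the hash: it tells the reader that the image is complete in size, exactly which byte ranges were unreadable at acquisition time, and therefore which regions cannot be relied on as evidence. A tool that silently skipped or shortened bad blocks would shift every later offset and make the hash meaningless as a description of the source.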
A forensic investigation can be conducted on any device that stores electronic data, such as a computer hard drive, smart card, or palm pilot. Internal auditors can use computer evidence in a variety of crimes where incriminating documents can be found, including cases involving financial fraud, embezzlement, or data theft. A key point to remember during any forensic examination is that protection of the evidence is critical. Furthermore, the results of a forensic examination can be rewarding. Collecting evidence can allow organizations to respond to any problems immediately and authoritatively and to maintain the company's professional image.
Auditors who wish to learn more about computer forensics can visit the Computer Forensics, Cyber Crime, and Steganography Resources Web site, www.forensics.nl/. Besides finding information on computer forensics, auditors can search online for free forensic tools. A couple of good Web sites include:
http://users.erols.com/gmgarner/forensics/: This Web site offers freeware forensic tools for Microsoft Windows platforms.
http://ftimes.sourceforge.net/FTimes/index.shtml: The site takes visitors to the FTimes system base-lining and evidence collection tool.
www.securityfocus.com/tools/525: The Security Focus Web page provides a link to AFind, a tool that lists a file's last access time without changing it.
www.weirdkid.com/products/emailchemy/: This site provides a link to Emailchemy, a mail-format viewer program.
http://ircr.tripod.com/: This site has a link to a Windows forensic tool that enables users to create an incident response collection report.