Monday, December 24, 2007

Merry Christmas!

A very merry Christmas to all!

Hope you have a great time over the festive period.

Drive carefully, stay safe and see you after Boxing Day...

Monday, December 17, 2007

Document & Media Exploitation - more interesting than it sounds!

There's an article from Simson Garfinkel at the ACM Queue website here which I think many will find interesting (don't let the rather dull title put you off, it's a great read). It covers something called DOMEX which we're told is defined by the US Intelligence community as "the processing, translation, analysis, and dissemination of collected hard-copy documents and electronic media, which are under the U.S. government's physical control and are not publicly available". Essentially it's about the challenge of bringing relevant information or evidence to light in the face of various obstructions (large disk sizes, encryption, time constraints, etc.). Simson calls for more work to be done with a view to improving or automating many of the processes currently carried out by forensic examiners and ends by discussing the wider implications of such improvements.

Oh, and there's another good article at the same website here about hard disk reliability. Both articles are well worth a read!

Monday, December 10, 2007

Forensic workstation recommendations

Just a quick note to highlight this thread in the forums where we're trying to put together a list of hardware suggestions/recommendations for anyone considering building or buying a forensic workstation for imaging and analysis.

Do please chime in with any thoughts, not just for the main components (motherboard, chip etc.) but also for the less "sexy" items. Can you recommend a particular case, for example, which you've found has worked well - perhaps due to its connection possibilities or some ergonomic feature which you particularly liked? What about a particular brand or type of hard drive - are some more reliable than others in your experience?

The focus of the recommendations is on hardware which gets the job done but also represents value for money. Hopefully once complete it will serve as a useful reference for new practitioners entering the field or anyone upgrading from an older system.

Thursday, December 06, 2007

Sharing knowledge (part three)

All good things come in threes (apart from Star Wars, of course, as I may have mentioned previously) so here's the last part of this "sharing knowledge" trilogy.

We talked earlier about asking and responding to questions as they arise, the type of situation you see in the forums or our - very quiet! - email discussion list. I'd like to wrap up by encouraging everyone to share their knowledge in a more proactive fashion, either in the form of articles or papers (which I'm very happy to publish at the Forensic Focus site and in the monthly newsletter) or by contributing to one of the forensic wikis which are out there.

Let me be the first to admit - if it isn't already blindingly obvious - I'm not a great writer. I also find it hard going at times. I don't always find it particularly easy to express myself and the process of editing and revising what I do put together can be time consuming (I'm not just referring to contributing to this site, I'm speaking more generally in this case). With that being said, though, with a little bit of planning and enough effort to actually get started I have found that it is possible to put something together which has some value.

It's clear to anyone who browses the Forensic Focus forums, or those of other computer forensics sites, that there are many very experienced members and there are also those who can write very well (some of the more lengthy and detailed posts are almost full articles in their own right). There are also some who have the ability to share their knowledge by putting pen to paper but don't do so, often through lack of time but also because they're concerned about how what they've written will be received - the fear of criticism holds back many people I've spoken to privately over the past few years. This latter point is a great pity, as many of those same people are the ones with very useful information and interesting perspectives. Whether held back by lack of time or lack of confidence, I really do want to encourage everyone to think again about writing something for the wider forensic community.

The obvious question which remains is what to write? The answer, I think, is simply anything which might be useful to someone else (and I often think the easiest way to judge that is to ask yourself if you would find it useful, or would have done so at some stage in the past). I also want to stress that, at Forensic Focus at least, basic forensics or discussion of fundamental principles is also very much on topic, just as much as advanced techniques. In addition, aspects of computer forensic work outside the purely technical are very welcome - examples might be professional challenges, career development, legal issues, even just personal thoughts and reflections. In essence, if it's a topic which interests you then it will probably be of interest to someone else.

If you'd like to share your knowledge and experience then I encourage you to write something and send it through either to me, for Forensic Focus, or consider submitting to one of the wikis. The ultimate goal is to expand the list of useful resources available to anyone with an interest in this field, from those just thinking about it as a career to those who've seen and done almost (but not quite) everything. I hope you'll decide to help.

Friday, November 30, 2007

Sharing knowledge (part two)

I talked briefly last time about the difference between those who enjoy sharing their knowledge and those who prefer to keep things to themselves. I feel strongly that the vast majority of members at Forensic Focus (and similar sites) fall into the former camp which means we have a tremendous resource at our disposal. Like anything of value, though, it needs careful handling. Just as those who are in a position to help may feel a responsibility to provide accurate information (and don't forget that many answers provided in the forums are highly detailed and have involved considerable time and effort to compose), so those who are seeking answers have an obligation to frame their questions appropriately and do what they can to help themselves before seeking advice.

Forensic Focus is openly and unashamedly a site for both old hands and newcomers to the field, it's certainly not just a site for experienced practitioners. One of the reasons behind that is a focus not just on today's challenges but on tomorrow's too, and more specifically on those members who, although they may be new to computer forensics right now, will be the ones who drive it forward in 5, 10, or 20 years from now (by which time the only computer I'll be using will be one of those gadgets you get at Christmas to keep track of your golf score). So if you're a beginner and there's something you don't understand, what should you do? Here are some thoughts, and I encourage others to add theirs:

- Before even going online, think about the resources you already have to hand. Books and training course notes are often excellent reference sources. If you have neither, now might be a good time to consider laying down some sound fundamentals. Computer forensics courses (whether academic or commercial, classroom based or distance learning) have experienced tremendous growth in the past few years. If a course is not appropriate, at the very least read as much as you can. I often still refer to books I've purchased over the years and building a library of the best reference works should be a priority. Subscribe to news feeds and blogs too so you're up to date with general developments.

- Whether your question is general or specific, try a little hands on research and testing yourself. Often, putting together a small network or even a single PC for testing purposes can be achieved at little expense. Want to know what happens to the registry when an external disk has been used and removed? Give it a go and try for yourself. Many useful forensic tools are open source and freely available and in the course of using them you will often build your knowledge in other areas.

- If you have a question about a particular item of hardware or software, consider trying the manufacturer's support site or forum first before looking in a forensic forum for someone with relevant experience. The same applies to forensic hardware and software, often the manufacturer's own web site or forum will get you the answer you need quicker.

- Some software packages come in for particular scrutiny during an investigation of course, primarily those developed by Microsoft due to their dominance in the OS and browser markets. Fortunately Microsoft makes a lot of information available through its own web site (you can search through it here).

- It almost goes without saying, but Google really is your friend. If you don't find what you're looking for immediately, though, don't give up. Read some of the advanced search tips for other ways of searching.

- Before posting in the forums, have a good search of the existing posts. As you're doing so you'll probably ask yourself why there aren't many stickied posts or FAQs and I think you'd be right. It's something I intend to improve next year.

- If you've done all the above (with a particular emphasis on a solid Google and forum search) but haven't found what you're after PLEASE DO ask in the forums - that's what they're there for and I'm certainly not trying to put anyone off from posting. However, there are a few important points to keep in mind when you do post, namely:

1. Always post in the most appropriate forum (yes, there's more than one!)

2. Give as much information as you can about the problem straight away. Most people are very willing to help but it can be frustrating if there are obvious gaps which need to be filled before they can do so. Describe the general context of the situation, explain something about your own background or experience if you're new to the board, describe any hardware or software in detail (including version numbers) etc. The more information you can give, the more likely you are to get a useful reply.

3. Say what you've already done to answer the question or solve the problem. Don't be afraid to admit your own limitations. This has two benefits. Firstly, it prevents others from going over the same ground but perhaps more importantly it shows that you've already put your own effort in and just can't get any further. In that case most people will be only too happy to help and you'll get the result you're looking for.

I hope the above is useful and helps us build our friendly community still further.

Have I missed something? Would you like to add your own tip for making the most of our shared knowledge pool? Don't hesitate to comment.
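The hands-on registry experiment suggested above (what Windows records when an external disk is used and removed) is the sort of thing a short script makes concrete. The following is an added example and not part of the original post or the Forensic Focus site. It assumes the standard Windows layout of the USBSTOR branch under HKLM\SYSTEM\CurrentControlSet\Enum, where each device class key is named like Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00 and holds one subkey per device instance; those key names and the sample values in the tests are the only assumptions. The parsing helpers run on any platform, the live enumeration only on Windows.

```python
"""Added example: what the Windows registry records about external disks.

Not code from the original post. Assumes the usual Windows key layout for
HKLM / SYSTEM / CurrentControlSet / Enum / USBSTOR (class key per device
model, one subkey per device instance). The key naming convention parsed
here is an assumption about the target system, not something on the page.
"""
from datetime import datetime, timedelta

try:
    import winreg  # standard library, but only present on Windows
except ImportError:  # running on Linux/macOS: parsing helpers still work
    winreg = None

USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Registry key timestamps are FILETIMEs: 100 ns units since 1601-01-01 (UTC).
_FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer (100 ns intervals since 1601) to a naive UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_usbstor_key(name):
    """Split a class key name such as 'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00'
    into device type, vendor, product and revision."""
    parts = name.split("&")
    info = {"type": parts[0], "vendor": "", "product": "", "revision": ""}
    field_map = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for part in parts[1:]:
        tag, _, value = part.partition("_")
        if tag in field_map:
            info[field_map[tag]] = value
    return info


def instance_has_real_serial(instance_id):
    """Windows generates an instance ID whose second character is '&' when the
    device reported no serial number; anything else is the device's own serial."""
    return len(instance_id) > 1 and instance_id[1] != "&"


def _subkeys(key):
    """Names of all direct subkeys of an open registry key."""
    count = winreg.QueryInfoKey(key)[0]
    return [winreg.EnumKey(key, i) for i in range(count)]


def list_usbstor_devices():
    """Walk the live USBSTOR branch and return one record per device instance.

    The key's last-write time is when that instance key was last modified,
    which is often (but not always) the last time the device was connected,
    so treat it as a lead to corroborate rather than a conclusion.
    """
    if winreg is None:
        raise RuntimeError("live registry access requires Windows")
    devices = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for class_name in _subkeys(root):
            with winreg.OpenKey(root, class_name) as class_key:
                for instance_id in _subkeys(class_key):
                    with winreg.OpenKey(class_key, instance_id) as inst:
                        _, _, last_write = winreg.QueryInfoKey(inst)
                        try:
                            friendly = winreg.QueryValueEx(inst, "FriendlyName")[0]
                        except FileNotFoundError:
                            friendly = ""
                        rec = parse_usbstor_key(class_name)
                        rec.update({
                            "instance_id": instance_id,
                            "real_serial": instance_has_real_serial(instance_id),
                            "friendly_name": friendly,
                            "key_last_write": filetime_to_datetime(last_write),
                        })
                        devices.append(rec)
    return devices


if __name__ == "__main__":
    # Run once, connect and remove a USB disk, run again: the new instance key
    # and its last-write time are the difference the registry records.
    for d in list_usbstor_devices():
        origin = "device serial" if d["real_serial"] else "generated ID"
        print(f"{d['key_last_write']:%Y-%m-%d %H:%M:%S}  {d['vendor']} {d['product']} "
              f"rev {d['revision']}  {d['instance_id']} ({origin})  {d['friendly_name']}")
```

Run it from an elevated prompt on a test machine rather than on evidence: enumerating keys does not write to them, but the point of the exercise is to learn the artefact on a system you are free to change. On an offline SYSTEM hive the same key names and timestamps are what a registry parser would show you.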

Tuesday, November 27, 2007

Sharing knowledge

Everyone working in a computer forensics role has at least one thing in common - they know a lot more now than they did when they started. No matter how knowledgeable someone is today, there was a time when they knew next to nothing about forensic matters.

Something not everyone has in common, though, is a willingness to share that knowledge. In the 15 or so years that I've been involved with IT (not just forensics) I've had the good and bad fortune to meet some very different personality types, on the one hand true professionals who are only too happy to share what they know and on the other those who take an almost perverse delight in hoarding their knowledge. I've often thought about what it is that makes one person willing to give up their time to teach others while someone else will only ever seem to act in their own interests. I don't necessarily have a good answer to that question but what I have noticed is that those most willing to share their knowledge have always been those who truly understood the subject matter at a deeper level and genuinely enjoyed thinking and talking about it. They felt secure in their own position yet were comfortable talking about their own limitations.

No matter how much we know now, the pace of change is such that there will always be something new to learn tomorrow. Furthermore, the scope of high tech investigations is such that no one can possibly know everything. At some stage we all need to turn to the resources which are available in order to increase our knowledge. Those resources are many and varied. For most forensic examiners studying, training and research (if you're lucky) are the main paths to increasing knowledge and understanding. Frequently, though, a problem or question arises the answer to which is not covered in any training course and the time to research it in the lab is simply not available. On these occasions we need to turn to others who may already have answered the same question.

How we ask that question, especially for those new to the field, can be crucial in determining the type of response we receive. More on that tomorrow...

Monday, November 26, 2007

Motivation & The Cuckoo's Egg

Many moons ago when I was a student at university I remember motivation being at something of a low ebb as I started work on my dissertation. The subject matter was interesting - the main focus was on Unix and Windows security issues in a networked environment - but it was dry, very technical and I was feeling less than inspired.

It was then that I read "The Cuckoo's Egg" by Clifford Stoll. I had picked it up at a second hand bookshop without knowing much about the subject matter, other than that it was computer related and seemed to be some kind of story rather than just technical data which made a nice change. I expect many readers will have read The Cuckoo's Egg already, but for those who haven't, it's the true story of an astrophysicist called Clifford Stoll who starts by investigating a seemingly innocuous computer time billing discrepancy and ends up tracking a hacker through a maze of computer networks, ultimately leading to a connection with international espionage. [I note that the full title at Amazon these days is "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" which tends to give the plot away!]

It's a relatively quick and easy read but it's a gripping tale nonetheless, especially for those with an interest in computer investigations. For me it was exactly what I needed to boost my motivation because it gave me some insight into what might lie beyond my university years.

Now, it has to be said, many forensic assignments are fairly straightforward, even mundane...but now and again something crops up which creates a buzz of excitement and I'm reminded of Clifford Stoll and his cuckoo's egg. At its best, this is a fascinating field to work in.

I'm always interested to hear what motivates others with an interest in computer forensics. Drop me a line or leave a comment.

Wednesday, November 21, 2007

Holographic storage - science fiction or fact?

If you're anything like me (i.e. old), the mere mention of the word "holographic" is enough to immediately bring back memories of R2D2 relaying Princess Leia's cry for help to a bemused Luke Skywalker. If that doesn't mean anything to you, let's just say there was a time long ago (in a galaxy far, far away) when Star Wars films were actually pretty good.

Holographic technology has multiple applications, one of which is data storage. Although the use of light to read and write data is familiar from established storage media such as CDs and DVDs, holographic memory promises far greater storage in a smaller space coupled with faster access speeds.

How does it work, exactly? Here's what Wikipedia has to say:

Holographic data storage captures data using laser beams shining on photorefractive material. Creating holograms is achieved by means of two coherent beams of light split from one laser source, one being the reference beam and the other the signal beam. When both these beams interfere with one another, a resulting interference pattern is formed which encompasses the pattern both in amplitude and phase information of the two beams. When an appropriate photorefractive material is placed at the point of interference, the interference patterns are recorded inside the material. When the reference beam illuminates the material in the absence of the signal beam, the hologram causes the light to be diffracted in the same direction of the initial signal beam and all the information of the original signal beam is reconstructed.

Clever stuff. Of more interest to forensic examiners is the fact that holographic memory might be one solution to some of the data storage issues we talked about previously. On the other hand, it's a technology which has been discussed for decades and has yet to become a commercial reality. In addition, if it - or any other future storage option - ever does become a viable data storage solution for use in the workplace it will eventually become affordable to the consumer, thus increasing (yet further) the amount of data we need to recover and examine.

What do you think about forensic storage issues? Is the data mountain becoming too high to climb or will some new technology help us scale new heights? Comments welcome.

Tuesday, November 20, 2007

Darling, two of our CDs are missing

UK based readers are probably already aware of the recent news surrounding the loss of 2 CDs containing the personal details of around 25 million British citizens. Computer forensic examiners are, generally speaking, very aware of the issues surrounding the handling of confidential information and will have the necessary procedures in place to ensure that such data is properly handled. This incident, though, shows just how catastrophic the effects of a single breach in procedure can be.

Consideration of privacy issues is something which impacts every stage of an investigation and often plays a key role in determining exactly what an examiner is permitted to do. Beyond that, the way in which data is transported and stored needs to be thought about carefully, usually in the light of existing legislation and the principles of best practice. With this recent breach hitting the headlines it seems almost certain that data protection procedures will come under close scrutiny in the UK - what better time to review your own procedures?

Please feel free to comment on the above. How does data protection legislation impact you? Is the law clear or are you concerned about compliance issues? Does such legislation make it difficult to carry out your job or do you think it is reasonable?

Monday, November 19, 2007

Image storage options

Talking about future technology issues has started me thinking more about image storage options, specifically what technologies are most commonly used today and what future advances might have to offer.

Image storage refers to the need to keep a forensic image safe both during an investigation and after the investigation is complete. Both requirements involve protecting the integrity of the image but while an investigation is ongoing access to the image may be required on a regular basis and after an investigation there may be a legal requirement to maintain the image in a secure environment for a certain length of time.

To a large degree the types of technology which a forensic unit chooses to fulfil these requirements may be influenced by the typical size and number of the cases they deal with. Some organisations may use single hard drives for ongoing investigations whereas others may need to invest in large RAID systems. Again, for longer term storage smaller forensic outfits may use DVDs or even CDs whereas larger units are likely to require some form of tape storage. In each case there are always important issues to consider beyond the storage capacity. Considerations surrounding the reliability of the medium, for example, are likely to be paramount but other issues such as compatibility and speed also need to be taken into account.

Image storage is not a particularly glamorous topic but, as with any other aspect of computer forensics which involves data integrity and legislation compliance, it's one which practitioners take seriously. The choice of which technology to use is rarely clear cut, most decisions are to a degree a compromise between various competing factors (including cost). However, as typical image sizes continue to increase every year it's always interesting to keep an eye out for brand new technologies just over the horizon which might just promise to make life easier.

More on that tomorrow, but in the meantime I'm interested to hear what challenges readers are currently experiencing in relation to image storage...please leave a comment!

Friday, November 16, 2007

Future directions in computing

A few days ago I wondered what the future of computer forensics would look like. Later that day I came across an article on the BBC web site called "Future directions in computing" which takes a brief look at some of the advances which might be on the horizon. For those who like to look far ahead there's plenty of food for thought but don't expect to see any of these new technologies in PC World any time soon :-)

Thursday, November 15, 2007

Dealing with the unpleasant side of computer forensics

Yesterday I touched briefly on the fact that high tech investigations can lead to the examiner being exposed to disturbing material (graphic images, videos, descriptions of crimes committed, etc.). How the examiner reacts to such exposure is very much down to the individual - some can be traumatised, others are able to maintain an emotional distance from the material in question. In addition, an examiner's response may change over time.

How we respond to this issue is an important challenge for our profession. The problem is not new, it is the same as that confronted by many of those whose work is emotionally challenging, but I often feel we have been slow to admit how serious an issue this is for computer forensic examiners. In particular, the amount of material which needs to be processed and the fact that many examiners come from a purely technical background (rather than one where crimes or acts of violence are more routinely encountered) can prove problematic.

What can we do? As always the first stage is to admit, especially in some formal sense, that there is an issue which needs to be addressed. There are signs that this is happening and I'm encouraged to hear of psychological assessments being considered standard practice in many organisations. We need to ensure that we don't consider that the end of our responsibilities, however. A regular assessment needs to be seen as the bare minimum required by responsible employers, a method of catching those who have slipped through the net if you will. We need to focus our attention on the environment within which we work on a daily basis and try to foster an atmosphere of mutual support and understanding each and every day in the workplace. All this is easier said than done, of course, and there will be those who consider it a waste of time. In addition, many of us work in environments where it might seem that concern or compassion are hard to express. It needn't be difficult though, just the occasional word of support or friendly enquiry can make all the difference to an examiner's state of mind. And each time we do so, we set the tone for tomorrow, a day when we ourselves might need some help.

Back tomorrow with something lighter.

Wednesday, November 14, 2007

How would you feel?

When I talk to people about their plans for working in an investigative role I'm often surprised by how little thought they've given to the type of material they might be expected to deal with. Often their concerns are related solely to whether or not they have the technical skills necessary to search for and collect evidence. However, I really think it makes sense to think carefully about exactly what kind of evidence they might be searching for and exposed to, especially that which involves images and video. Some material which can be uncovered during an investigation can be harrowing and disturbing. How would you feel if you needed to deal with such evidence, perhaps even on a daily basis?

When I mention this, occasionally the person I'm talking to says that only the police have to deal with such material and that if they were working in a corporate role there's little chance of them being exposed to something of this nature. Of course it's true that law enforcement (both police officers and civilians working for the police) are required to handle material which others would find repugnant, but in my experience corporate investigators run a small but significant risk of uncovering material of this nature too, even if it is not the focus of their original investigation.

I'll talk more tomorrow about how we deal with this type of scenario.

Tuesday, November 13, 2007

Computer forensics - are you ready?

Computer forensics is traditionally an investigative discipline called upon after a crime has been committed or evidence of misconduct has been discovered, yet action taken before an incident occurs can have a significant impact on the success of a subsequent investigation. The essence of these actions is not incident prevention (the work of computer security professionals), although a reputation for being able to carry out effective investigations may have a preventive effect, but rather preparation: specifically, preparation which allows an organisation to investigate effectively and efficiently within the bounds of relevant legislation and to prepare evidence for presentation in any subsequent court case.

When an incident occurs which warrants investigation, a company needs to decide exactly what the goal of the investigation is and how that investigation will be carried out. Before these decisions can be made, however, the company also needs to know exactly what investigative techniques the law allows. In a computer forensics investigation where data generated by and transmitted between people is being examined, the rules regarding privacy need to be very carefully considered before embarking on a particular course of action such as analysing data on hard disks or monitoring network traffic. Organisations where reasonable privacy policies already exist which make clear the rights and responsibilities of both employer and employee are likely to encounter fewer restrictions on the range of investigative techniques available to them, as employees have already been made aware of the circumstances under which an investigation may be carried out.

In addition to legal issues, those responsible for incident investigation also need to have a firm grasp of computer forensic principles and techniques. By its very nature, a forensic investigation demands that evidence is collected and handled in such a way that it may be presented in court. Probably the biggest implication of this requirement is that every care needs to be taken to ensure that digital data is acquired and preserved in its original form and is not altered by the investigator (a relatively simple requirement in theory which involves careful handling in practice: a write blocker between the original media and the acquisition system, and cryptographic hashes of the original and of the image recorded at acquisition and re-checked later, so that any alteration can be detected rather than merely asserted not to have happened). Detailed documentation of an investigator's activities also forms a critical part of the investigative process and is often neglected during a non-forensic incident response. Crucially, the best time for an organisation to develop the skills and procedures required in a forensic investigation is before, not after, they are needed. By doing so an investigation is much more likely to be carried out in a timely and forensically sound fashion.
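A worked example of the integrity check this paragraph calls for, added here and not part of the original post; it also applies to the image storage question raised in the earlier post, since the same comparison is repeated whenever an image is brought back out of storage. It uses only the Python standard library. The manifest fields (case id, examiner, timestamp, hashes) are an illustrative choice of mine rather than any prescribed format, and the "image" it hashes when run is a few constructed bytes in a temporary file, not a real acquisition.

```python
"""Added example: hash a forensic image at acquisition and re-verify it later.

Not code from the original post. Standard library only; the manifest layout
is an assumption made for illustration, not a standard format.
"""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

DEFAULT_ALGORITHMS = ("md5", "sha256")
CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never sits in RAM


def hash_stream(fileobj, algorithms=DEFAULT_ALGORITHMS):
    """Hash a binary stream with several algorithms in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fileobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data (used by the tests below)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=DEFAULT_ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def mismatches(actual, expected):
    """Names of algorithms whose digests differ; an empty list means verified.

    Only algorithms present in both dicts are compared, so an old manifest
    that recorded only MD5 can still be checked. If nothing overlaps, refuse
    rather than silently reporting success.
    """
    common = [name for name in expected if name in actual]
    if not common:
        raise ValueError("no hash algorithm in common; nothing was verified")
    return sorted(name for name in common if actual[name].lower() != expected[name].lower())


def make_manifest(image_path, case_id, examiner, source_hashes=None):
    """Record who hashed which file, when, and with what result.

    source_hashes are the digests taken of the original media at acquisition;
    when supplied, the manifest notes whether the image file matches them.
    """
    image_hashes = hash_file(image_path)
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "hashes": image_hashes,
    }
    if source_hashes is not None:
        manifest["matches_source"] = not mismatches(image_hashes, source_hashes)
    return manifest


def verify_image(image_path, manifest):
    """Re-hash a stored image and return the algorithms that no longer match."""
    expected = manifest["hashes"]
    return mismatches(hash_file(image_path, tuple(expected)), expected)


if __name__ == "__main__":
    # Constructed sample: a small file stands in for the image so the demo runs offline.
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "case42-disk1.dd")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 4096)          # 1 MiB of constructed data
        manifest = make_manifest(image, "CASE-42", "J. Examiner")
        with open(image + ".manifest.json", "w") as f:
            json.dump(manifest, f, indent=2)
        print("after acquisition:", verify_image(image, manifest) or "verified")
        with open(image, "r+b") as f:                  # simulate a single flipped byte
            f.seek(12345)
            f.write(b"\xff")
        print("after tampering:  ", verify_image(image, manifest) or "verified")
```

Two digests are taken in one pass because reading a large image twice is the slow part, not the hashing; keeping the manifest beside the image (and a copy in the case notes) means the later check does not depend on remembering the numbers.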

Finally, investigators need tools. The forensic tools available today, both hardware and software, cover all requirements of a forensic investigation from evidence acquisition through to analysis and reporting. Some are small, single-task utilities available for free or at low cost whereas others are large, multi-functional commercial packages. Again, the time for an organisation to consider which tool best meets their needs (and to become familiar with its use) is before the tool needs to be deployed in a real investigation.

Future forensics

Although difficult, it's always fun to look into the future and try to predict the challenges which lie ahead for computer forensics practitioners. Some are perennial favourites: tougher, more widespread encryption; wiping tools (even Macs have them built in these days, apparently - thanks to Azrael for pointing that out!); anti-forensics tools; larger hard disks, etc. More interesting, perhaps, is trying to think about new ways in which technology might be used in the future and what that might mean in terms of the crimes committed. In recent years we've seen a huge increase in the speed and reach of the digital networks which bind us together and as a result, new ways to abuse them (from botnets to "happy slapping") have emerged. What will be the next frontier to be pushed forward with implications for computer forensics? AI? Nanotechnology? Science fiction today, perhaps, but it might be all in a day's work for tomorrow's cybercop...