Overview of Digital Forensics

Cybersecurity Digital Forensics

Cyberincidents are fast moving and increasing in number and severity. When a cyberincident occurs, the attacked enterprise responds with a set of predetermined actions. Applying digital forensics to aid in the recovery and investigation of material on digital media and networks is one of these actions. Digital forensics is the "process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law)." The purpose of this white paper is to provide an overview of digital forensics as it applies to cybersecurity.

www.isaca.org/cyber

BRIEF HISTORY OF DIGITAL FORENSICS

Digital forensics is nearly 40 years old, beginning in the late 1970s as a response to a demand for service from the law enforcement community (see figure 1). Most of the first criminal cases that involved computers were for financial fraud.[2] In the 1980s, digital forensics training courses were developed by organizations such as the Association of Certified Fraud Examiners, the National Consortium for Justice Information and Statistics, and the High Technology Crime Investigation Association (HTCIA); the first digital forensics company, AccessData, was formed; and the International Association of Computer Investigative Specialists (IACIS) was formed.[3] Today, students can earn a Bachelor of Science degree in Computer Forensics and Digital Investigations.

Cyberincidents are fast moving and increasing in number and severity. When a cyberincident occurs, the attacked enterprise responds with a set of predetermined actions. Applying digital forensics to aid in the recovery and investigation of material on digital media and networks is one of these actions. Digital forensics is the "process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law)."[1] The purpose of this white paper is to provide an overview of digital forensics as it applies to cybersecurity.

The methods that digital forensics uses to handle digital evidence are very much grounded in the field's roots in the scientific method of forensic science. Every forensic science certification requires a code of conduct of an unbiased and ethical approach to examinations.

Figure 1: Digital Forensics Time Line. Four phases are shown: Ad Hoc (1970s-1980s), Structured Phase (1990s), Golden Age (2000s) and Enterprise Phase (2010s). Milestones on the time line include the first financial fraud cases; the Association of Certified Fraud Examiners, HTCIA, FBI CART, SEARCH and FLETC; the first forensics company (AccessData); the Scientific Working Group on Digital Evidence (SWGDE); the first International Conference on Computer Evidence; the International Organization on Computer Evidence (IOCE); the DOJ/FBI technical working group; the UK National Hi-Tech Crime Unit; SWGDE's Best Practices for Computer Forensics; the Budapest Convention on Cybercrime; and ISO 17025. Each is discussed in the text.

Notes
[1] Mohay, George M.; Alison Anderson; Byron Collie; Rodney D. McKemmish; Olivier de Vel; Computer and Intrusion Forensics, Artech House, USA, 2003
[2] Ibid.
[3] The International Society of Forensic Computer Examiners, "Certified Computer Examiner," www.isfce.com/history.htm

2015 ISACA. All Rights Reserved.

Early forensic tools, like MACE and Norton, provided basic recovery abilities, such as undelete and unformat. Most investigations were on a single workstation that was used by one individual. The open-source, community-driven model that is used today for digital forensic tool development makes tool evolution modular, extensible, robust and sustainable across various platforms. Software and standards baselines provide a foundation that focuses on extensions, plug-ins and the digital evidence bag (DEB) metaformat for development.

Government involvement in standardization began in 1984, when the FBI established the Computer Analysis and Response Team (CART) to meet the growing demands of law enforcement for a more structured approach to examining evidence. By the early 1990s, the FBI was assisting the US Postal Service in creating its own computer forensics unit. A group of federal crime laboratory directors, which became the Scientific Working Group on Digital Evidence (SWGDE), began meeting twice a year to discuss areas of mutual interest. After Mark Pollitt, Unit Chief of CART, spoke to the directors about digital evidence and Scott Charney, CCIPS, discussed legal aspects of computer evidence and search warrant requirements for seizing digital evidence, another technical working group (TWG) was formed to address the forensic issues that are related to digital evidence.[4] In the United Kingdom, the needs of law enforcement led to the creation of the National Hi-Tech Crime Unit in 2001, with resources that are centralized in London. The unit became part of the Serious Organised Crime Agency (SOCA) in 2006.

Following are further developments in digital forensics:
- 1993: The first International Conference on Computer Evidence was held in the United States.
- 1995: The International Organization on Computer Evidence (IOCE) was formed.
- 1998: The G8 appointed IOCE to create international principles, guidelines and procedures for digital evidence, and the INTERPOL Forensic Science Symposium was held to respond to issues in computer forensics. With the advent of cases admitting digital evidence in court, there was a need for standardization.
- 2002: The SWGDE published "Best Practices for Computer Forensics."[5]
- 2004: The Budapest Convention on Cybercrime, which was signed in 2001, became effective. The convention worked to reconcile national computer crime laws, investigative techniques and international cooperation. The Convention was the first international treaty on crimes committed via the Internet and other computer networks, focusing on infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security.[6] The United States was the sixteenth country to ratify the Convention, in 2006.[7]
- 2005: The International Organization for Standardization (ISO) published ISO 17025, General requirements for the competence of testing and calibration laboratories.

Notes
[4] Whitcomb, Carrie Morgan; "An Historical Perspective of Digital Evidence: A Forensic Scientist's View," International Journal of Digital Evidence, Spring 2002, Volume 1, Issue 1
[5] Scientific Working Group on Digital Evidence, "Best Practices for Computer Forensics v1.0," 15 November 2004
[6] Council of Europe, "Convention on Cybercrime," Budapest, 23 November 2001
[7] Anderson, Nate; "World's Worst Internet Law ratified by Senate," arstechnica.com, 4 August 2006, www.arstechnica.com/uncategorized/2006/08/7421/

In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which calls for a voluntary risk-based cybersecurity framework (the Cybersecurity Framework, or CSF) that is "prioritized, flexible, repeatable, performance-based, and cost-effective." The National Institute of Standards and Technology (NIST) led the development of the CSF through an international partnership of organizations, including owners and operators of the nation's critical infrastructure and ISACA. Key principles from the ISACA COBIT 5 business framework, which helps enterprises to govern and manage their information and technology, are embedded into the CSF. The Implementing the NIST Cybersecurity Framework guide implements the CSF using ISACA's COBIT 5 processes. In the CSF, digital forensics is a subcategory in the Respond function and Analysis category of the Framework Core.[8] The study guide for the ISACA Cybersecurity Fundamentals Certificate discusses digital forensics in the incident response topic.[9]

TYPES OF INVESTIGATIONS

Although cybercrime activity and security breaches continue to rise, business requirements often take precedence over security requirements. This precedence leaves applications, systems and networks vulnerable to intrusion. When a breach occurs, the forensic analyst must locate the point of compromise. The mission criticality of the compromised application, system or network determines the level of investigation. A full forensic examination is less likely on a highly critical system because the system cannot be shut down or slowed down to do a full backup.

The two types of computer crime investigations are computer-based crime and computer-facilitated crime. In a computer-based crime, a computer or computers are used as the vehicle to commit a crime. In computer-facilitated crime, a computer is the target of a crime (e.g., a hacking incident or theft of information).[10] Computer-based crimes are activities such as child pornography, cyberbullying, cyberstalking, spamming or cyberterrorism. Typically, computers and/or hard drives are seized as evidence and provided to a forensic expert to analyze. When a computer has been the target of a crime, usually the information system is compromised, and information on the system or network is stolen, or fraudulent documents are created. Digital forensics is used to capture volatile information from random access memory (RAM) and other running processes, including networks.[11] It is important for the forensics expert to consider the following four areas of analysis:
- Storage media
- Hardware and operating systems
- Networks
- Applications

Notes
[8] ISACA, Implementing the NIST Cybersecurity Framework, USA, 2014
[9] ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014
[10] Hailey, Steve; "What is Computer Forensics?," Cybersecurity Institute, 19 September 2003, www.csisite.net/forensics.htm
[11] Ibid.

RELEVANT LAWS

In any investigation, it is important to consult with legal counsel on the applicability of local, regional, national and international laws. In the United States, the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, criminalizes conduct that abuses computer systems. The statute protects computers that have a federal interest, i.e., federal computers, financial systems and computers that are used in interstate and foreign commerce. The statute protects computer systems from trespass, threats, damage, espionage and being used as tools of fraud.

Other statutes that may apply follow:[12]

- CAN-SPAM Act: 18 U.S.C. § 1037. The CAN-SPAM Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699 (2003), which became effective on January 1, 2004, provides a means for prosecuting those responsible for sending large amounts of unsolicited commercial email (a.k.a. "spam").
- Wire Fraud: 18 U.S.C. § 1343 provides: "Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits, or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both."
- Interception of Communications: 18 U.S.C. § 2511(1)(a) & (b); the disclosure of intercepted communications, 18 U.S.C. § 2511(1)(c) & (e); and the use of intercepted communications, 18 U.S.C. § 2511(1)(d). These prohibitions are subject to a number of exceptions, most of them detailed in 18 U.S.C. § 2511(2).
- Unlawful Access to Stored Communications: 18 U.S.C. § 2701. Section 2701 focuses on protecting email and voice mail from unauthorized access.
- Aggravated Identity Theft: 18 U.S.C. § 1028A. The Identity Theft Penalty Enhancement Act, which took effect July 15, 2004, established a new offense of aggravated identity theft. Section 1028A applies when a defendant "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person."
- Communication Interference: 18 U.S.C. § 1362. Where a compromised computer is owned or used by the United States for communications purposes, 18 U.S.C. § 1362 may provide an alternative or additional charge. Title 18, United States Code, Section 1362 provides: "Whoever willfully or maliciously injures or destroys any of the works, property, or material of any radio, telegraph, telephone or cable, line, station, or system, or other means of communication, operated or controlled by the United States, or used or intended to be used for military or civil defense functions of the United States, whether constructed or in process of construction, or willfully or maliciously interferes in any way with the working or use of any such line, or system, or willfully or maliciously obstructs, hinders, or delays the transmission of any communication over any such line, or system, or attempts or conspires to do such an act, shall be fined under this title or imprisoned not more than ten years, or both."
- Access Device Fraud: 18 U.S.C. § 1029. Ten separate activities relating to access devices are criminalized in 18 U.S.C. § 1029. The term "access device" is defined as any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).

Notes
[12] Office of Legal Education, Executive Office for US Attorneys, Prosecuting Computer Crimes

For a more comprehensive reading of applicable US federal laws, Prosecuting Computer Crimes is available for download from the Department of Justice.[13] State statutes should also be considered, and consulting with legal counsel is advised. Additional US laws[14] include the following:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Consumer Credit Protection Act
- Telephone Records and Privacy Protection Act

Internationally, the European Union (EU) developed a working document that pertains to the identification and handling of electronic evidence. The EU/Council of Europe (COE) Joint Project on Regional Cooperation against Cybercrime: Electronic Evidence Guide is a basic guide for law enforcement and judges.[15]

US law enforcement personnel who search and seize computers during an investigation should be aware of the requirements in the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, from the Department of Justice Computer Crime and Intellectual Property Section.[16]

DIGITAL FORENSICS POLICIES AND SET OF CONTROLS

The enterprise cybersecurity program should have policies that address all forensics considerations, such as contacting law enforcement, monitoring, and conducting regular reviews of forensics policies, guidelines and procedures. Good practice requires that policies are part of an overall governance and management framework, such as COBIT 5 from ISACA, which provides a hierarchical structure into which all policies should fit and link clearly to the underlying principles.[17] Policies should be aligned with the enterprise risk appetite, which is determined in the risk governance activities, and are a key component of the enterprise system of internal control.[18] Policies should allow authorized personnel to monitor systems and networks and perform investigations for legitimate reasons in appropriate circumstances. The policies should clearly define the roles and responsibilities of all people who perform or assist with the enterprise forensic activities.[19] Policies, guidelines and procedures should clearly identify the tools that may be used in a forensic review and provide reasonable guidance on the use of those tools under various circumstances.

Note: Information security and cybersecurity require a comprehensive set of controls. The set of controls, audit category and reviews for cybersecurity investigations and forensics are explained in detail in the ISACA publication Transforming Cybersecurity.[20] This publication applies the COBIT 5 framework and its component publications to transforming cybersecurity into a business process in a systemic way.

Notes
[13] Ibid.
[14] Bosworth, Seymour; M.E. Kabay; Computer Security Handbook, Fourth Edition, John Wiley & Sons, Inc., October 2002
[15] Council of Europe, Electronic Evidence Guide, 2013
[16] Office of Legal Education, Executive Office for United States Attorneys, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, 2009, cybercrime.gov
[17] ISACA, COBIT 5 for Assurance, USA, 2013
[18] Ibid.
[19] Kent, Karen; Suzanne Chevalier; Tim Grance; Hung Dang; NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, National Institute of Standards and Technology (NIST), August 2006
[20] ISACA, Transforming Cybersecurity: Using COBIT 5, USA, 2013

Many cyberincidents can be handled more efficiently and effectively if forensics considerations are incorporated into the information system life cycle. Examples of such considerations follow:
- Perform regular backups of systems and maintain previous backups for a specific period of time.
- Enable auditing on workstations, servers and network devices.
- Forward audit records to secure centralized log servers.
- Configure mission-critical applications to perform auditing and include the recording of all authentication attempts.
- Maintain a database of file hashes for the files of common operating system and application deployments, and use file integrity checking software on particularly important assets.
- Maintain records (e.g., baselines) of network and system configurations.
- Establish data retention policies that support the performance of historical reviews of system and network activity, comply with requests or requirements to preserve data that are related to ongoing litigation and investigations, and destroy data that are no longer needed.[21]

DIGITAL FORENSICS SCIENTIFIC PROCESS

Ken Zatyko, the former director of the Defense Computer Forensics Laboratory, defined the following eight-step digital forensics scientific process:[22]
1. Obtain search authority: In a legal investigation, legal authority is required to conduct a search or seizure of data.
2. Document chain of custody: In legal contexts, chronological documentation of evidence handling is required to avoid allegations of evidence tampering or misconduct.
3. Image and hash: When digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the copy.
4. Validate tools: When possible, tools that are used for forensics should be validated to ensure reliability and correctness.
5. Analyze: Forensic analysis is the execution of investigative and analytical techniques to examine the evidence.
6. Repeat and reproduce (quality assurance): The procedures and conclusions of forensic analysis should be repeatable and reproducible by the same or other forensic analysts.
7. Report: The forensic analyst must document his/her analytical procedure and conclusions for use by others.
8. Possibly present expert testimony: In some cases, the forensic analyst will present his/her findings and conclusions to a court or another audience.

The process involves more than intrusion-related security incidents. Zatyko defines scientific digital forensics as: "The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation."[23] As the process steps indicate, the digital forensic analyst meticulously handles, analyzes and reports on the evidence obtained, to present an objective opinion on the facts of a case without prejudice.

Notes
[21] Ibid.
[22] Zatyko, Ken; "Commentary: Defining Digital Forensics," Forensic Magazine, 2 January 2007
[23] Ibid.
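The life-cycle consideration above about keeping a database of file hashes and running file integrity checking is easy to state and easy to get subtly wrong. The following is an added example (not code from the ISACA paper or from any product) of the minimum such a check needs: a baseline built from cryptographic hashes of every regular file under a root, and a later comparison that reports what was added, removed or modified. The directory tree and the simulated compromise (a replaced binary and a dropped ld.so.preload file) are constructed inline; in practice the baseline is stored off-host and signed, since an attacker who can alter the files can also alter a baseline kept beside them.

```python
"""Added example: file-integrity baseline and check (illustrative code).

Builds a hash database (baseline) for a directory tree, then re-scans it
and reports files that were added, removed or modified. The tree used in
demo() is constructed here; it is not real system data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files need not fit in memory


def hash_file(path, algorithm="sha256"):
    """SHA-256 (by default) of a file's contents, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                # A symlink's target may lie outside the tree; hashing it
                # would let an attacker make the baseline "match" by pointing
                # the link elsewhere. Record links separately in a real tool.
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Simulated compromise: the binary is replaced (same name, same size
        # class), the config is untouched, and a persistence file is dropped.
        (root / "bin" / "sshd").write_bytes(b"trojaned sshd binary")
        (root / "etc" / "ld.so.preload").write_text("/tmp/.x/libhide.so\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Note that a changed timestamp or size is not used as the signal; only the content hash is, which is why a same-size trojaned binary is still caught. The same comparison, run against a vendor-published hash set rather than a self-built one, is how "known good" files are excluded during an examination.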

APPLYING VARIATIONS OF THE SCIENTIFIC METHOD

Scientists often use variations of the scientific method to solve problems. Deductive reasoning applies broad principles to predict specific answers (see figure 2). Conversely, inductive reasoning uses a series of specific pieces of information to extrapolate a broad conclusion. For example, forensic analysts might use inductive reasoning to determine where a cyberincident started.

Because physical evidence may never depict all the events that happened, inductive reasoning has a greater level of uncertainty. The conclusions are based on limited information rather than on a more solid scientific principle, but inductive reasoning can be useful when no broad principle can be applied. The forensic analyst identifies the best tools and approach for each case.[24]

Figure 2: Variations of the Scientific Method of Forensic Science (deductive and inductive reasoning). Source: Forensics: Examining the Evidence, "Understanding the Scientific Method"

Digital forensics follows a rigorous scientific process to present findings of fact to prove or disprove a hypothesis in a court of law, civil proceeding or another action. Zatyko's eight-step process can be grouped into three basic steps: acquisition, analysis and reporting, which are discussed in the following paragraphs and shown in figure 3.

Notes
[24] Forensics: Examining the Evidence, "Understanding the Scientific Method"

Figure 3: Digital Forensics Process

Data Collection
- Obtain search authority.
- Document chain of custody.
- Duplicate digital evidence and validate using a hash function.
- Validate forensic tools.

Examination and Analysis
- Analyze evidence using investigative and analytical techniques.
- Repeat and reproduce forensic analysis procedures and conclusions.

Reporting
- Report analytical procedures and conclusions.
- Present expert testimony about findings and conclusions.

Data from: Zatyko, Ken; "Commentary: Defining Digital Forensics," Forensic Magazine, 2 January 2007

DATA COLLECTION

The acquisition of data begins with seizure, imaging or collection of digital evidence to capture suspect media or network traffic and logs, post breach. Enterprises typically assume that they have the right to monitor their internal networks and investigate their own equipment as long as they observe the privacy rights of the employee. Employee privacy rights and the enterprise's rights should be in written policies that are communicated to employees. In the United States, the Fourth Amendment covers seizures. Federal warrants are issued under Title 18 of the US Code for probable cause of a crime. However, exceptions allow data collection without a warrant for reasons such as consent, hot pursuit or plain view. In the United Kingdom, a magistrate issues search warrants to a constable under Section 8 of the Police and Criminal Evidence Act 1984. In the US, no one should ever go on site until after they have read the search warrant, to review the seizure authority, and the affidavit, for the reasoning and the items to be seized. Regardless of the country, enterprises should understand and follow local and country jurisdiction laws before seizing materials.

After digital media are acquired, an exact duplicate image (the forensic image) of the original media evidence is created and validated by comparing hash values calculated for the original digital media and for the duplicate image. A hash function, e.g., MD5, SHA-1 or SHA-256, applies a mathematical algorithm to the digital data and returns a fixed-size bit string, the hash value. Any change to the data will change the hash value, so a matching hash on the image verifies the copy, and re-hashing the image at any later time verifies that the evidence is still in its original state. The converse (same hash, therefore identical data) holds only while the function is collision resistant; practical collisions are known for MD5 and SHA-1, so record SHA-256 as well (many tools log MD5 and SHA-256 together) rather than relying on MD5 alone. The original media evidence is write blocked and stored to prevent any further possible alteration. Hashing may not always be possible. Mobile devices and memory, in particular, may have to be treated differently to maintain evidence: a running device changes as it is read, so two acquisitions will not produce the same hash, and the examiner instead hashes the acquired copy once it is taken and documents the acquisition method.
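The "image and hash" step of Zatyko's process and the validation described in the data collection paragraph above come down to one discipline: hash the source as it is read, write the copy, hash what actually landed on disk, and keep the three values with the chain-of-custody record. The following is an added example (not code from the ISACA paper or from any forensic tool) that does exactly that over a constructed stand-in for a block device; on real media the source would be opened read-only behind a hardware write blocker, and the examiner name, evidence identifier and log file name are assumptions chosen for the illustration.

```python
"""Added example: acquire a forensic image and validate it with hashes.

Copies the source block by block, computing MD5, SHA-1 and SHA-256 of the
source in the same pass, then independently re-hashes the written image so
the verification reflects what is on disk, not what was in memory. Writes
a minimal acquisition record beside the image. The "device" is a file
constructed in demo(); nothing here touches real hardware.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 kept for tool compatibility; SHA-256 is the one to rely on
BLOCK = 4096


def hash_stream(path, algorithms=ALGORITHMS):
    """Hash a file once for several algorithms; returns {name: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source, image, examiner, evidence_id):
    """Copy source to image, hashing the source as it is read, then hash the
    written image and compare. Returns the acquisition record."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            copied += len(block)
    source_hashes = {a: h.hexdigest() for a, h in hashers.items()}
    image_hashes = hash_stream(image)  # read back what actually hit disk
    record = {  # minimal chain-of-custody entry (fields are assumptions)
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "image": str(image),
        "bytes": copied,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    Path(str(image) + ".log.json").write_text(json.dumps(record, indent=2))
    return record


def verify_later(image, record):
    """True only if the image still hashes to the values recorded at
    acquisition; any alteration, even one byte, makes this False."""
    return hash_stream(image) == record["image_hashes"]


def demo():
    """Constructed scenario: acquire, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "sdb.raw"  # stand-in for /dev/sdb behind a write blocker
        source.write_bytes(b"MBR" + b"\x00" * 509 + b"evidence data " * 1000)
        image = tmp / "case001-sdb.dd"
        rec = acquire(source, image, examiner="J. Doe", evidence_id="E-001")
        ok_before = verify_later(image, rec)
        # Simulate a one-byte alteration of the image after acquisition.
        with open(image, "r+b") as f:
            f.seek(512)
            f.write(b"X")
        ok_after = verify_later(image, rec)
        return rec["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Two details matter in practice. The image hash is computed by reading the file back rather than reusing the digest of the bytes passed to write(), so a faulty disk or a full file system is caught at acquisition rather than in court. And the record stores the hashes of both source and image: a later verification against the image alone proves the image has not changed since acquisition, while the source hash is what ties that image to the original media.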

EXAMINATION AND ANALYSIS

After the duplicate image of the evidence is created, analysis can begin on the image. The digital forensic analyst may use specialized tools to uncover deleted or hidden material. Depending on the forensic request, the analyst can report findings about numerous types of information, e.g., email, chat logs, images, hacking software, documents and Internet history. After evidence is collected and analyzed, it is assembled to reconstruct events or actions and provide facts to the requesting party. These facts may identify people, places, items and events and determine how they are related so that a conclusion can be reached. This effort can include correlating data among multiple sources.[25] In some environments, early case assessment (ECA) provides immediate review for the requesting parties, at which time they can ask for more advanced analysis. ECA typically involves imaging, indexing, archiving and an internal reporting mechanism for the requesting party to quickly access needed reconnaissance. ECA typically saves time and is often preferred over a full analysis.

REPORTING

After the analysis is complete, a report of the findings is developed, which outlines findings and methodologies. The exhibits provided may include attribution of file ownership, chat logs, images and emails; detailed login/logoff times; facility entry logs; and anything that places the suspect at the device at the time and location of an event. The findings can be used to confirm or disprove alibis and provided statements. Digital evidence can also be used to prove intent. The completed report is given to the investigator, who is usually from law enforcement in a criminal matter or a designated senior manager in a civil action. Further actions are determined after the report is reviewed.

Digital forensic analysts provide facts and impart knowledge, giving expert opinion only when they are required to do so in court. They never seek to aid or blame. Instead, analysts provide a scientific basis so that the court, company or other requesting party may use the unbiased evidence and gain a better understanding of events.

BRANCHES OF DIGITAL FORENSICS

Computer forensics is the oldest and most stable discipline of digital forensics. It concentrates on developing evidence from a computer and associated digital storage devices in a forensically sound manner to preserve, develop, recover when necessary, analyze and present facts in a clear and concise manner. In computer forensics, after the storage device is acquired, it is standard practice for an analyst to create a disk image from which to work. If the original device is confiscated, it is safely stored as evidence. Sometimes a device is not confiscated, so that additional evidence can be gathered and future activities can be monitored; the forensic analyst still creates a disk image of the device to preserve the original evidence. Today, virtual drives may also be used as a way to emulate an entire machine.

A number of techniques are used in computer forensics investigations. Cross-drive analysis correlates information that is found on multiple hard drives and is used to identify social networks. Live analysis extracts data from a running system using existing system administration tools or purpose-built forensic tools. Recovering deleted files is often in the news, and it remains a mainstay of forensics for recovering evidence. Because deleting a file does not erase its content but only releases its blocks to be overwritten eventually, an analyst often has time to reconstruct deleted files.

Notes
[25] Op. cit. Kent
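The last paragraph explains why deleted files are recoverable: the file system forgets where the content is, but the content stays on disk until something overwrites it. When the metadata is gone, the content is found by scanning the raw image for known file headers and footers and "carving" out the bytes between them. The following is an added example of that technique (not code from the ISACA paper or from any carving tool) run over an image constructed inline that contains a PNG, a JPEG and a partly overwritten PDF in otherwise unallocated space; the signature table covers only those three types and is an assumption of the example.

```python
"""Added example: signature-based file carving from a raw image.

Scans a raw disk image for file headers and footers and carves out the
bytes between them, which is how content of deleted files that is no
longer referenced by file system metadata but not yet overwritten is
recovered. The image in build_sample_image() is constructed here.
"""
import hashlib

# Header/footer magic values for a few common types (assumed table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 50 * 1024 * 1024  # give up on a header with no footer within 50 MiB


def carve(image, signatures=SIGNATURES):
    """Return (offset, type, data, complete) for every file found.

    Scanning resumes after each carved file so one file is not reported
    twice under nested headers. A header with no footer (content partly
    overwritten, or a fragmented file) is reported with complete=False
    and at most MAX_CARVE bytes, so the examiner still sees it."""
    found = []
    pos = 0
    while pos < len(image):
        # Earliest header of any type at or after pos.
        best = None
        for kind, (head, tail) in signatures.items():
            i = image.find(head, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, kind, head, tail)
        if best is None:
            break
        start, kind, head, tail = best
        end = image.find(tail, start + len(head), start + MAX_CARVE)
        if end == -1:
            found.append((start, kind, image[start:start + MAX_CARVE], False))
            pos = start + len(head)  # keep scanning past this header
        else:
            end += len(tail)
            found.append((start, kind, image[start:end], True))
            pos = end
    return found


def build_sample_image():
    """Constructed 'unallocated space': zeros and junk with a PNG, a JPEG
    and a PDF whose tail has been overwritten (no %%EOF)."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 17
           + b"IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x55" * 40 + b"\xff\xd9"
    pdf_part = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
    return (b"\x00" * 1000 + png + b"\xaa" * 300 + jpg
            + b"\x00" * 512 + pdf_part + b"\x00" * 200)


def demo():
    """Carve the sample image; hash each carved object as a tool would."""
    results = []
    for offset, kind, data, complete in carve(build_sample_image()):
        digest = hashlib.sha256(data).hexdigest()[:12]
        results.append((offset, kind, len(data), complete, digest))
    return results


if __name__ == "__main__":
    for offset, kind, size, complete, digest in demo():
        state = "complete" if complete else "partial"
        print(f"0x{offset:08x} {kind} {size} bytes {state} sha256:{digest}...")
```

Real carvers add structural validation (PNG chunk lengths and CRCs, JPEG segment markers, PDF xref tables) because a footer byte sequence can occur by chance inside unrelated data, and they handle files whose blocks are not contiguous; the header/footer scan above is the core idea they build on. Each carved object is hashed on extraction for the same reason the image itself is: so that the exhibit in the report can be tied back to the image.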

Network forensics is a relatively new field within digital forensics. Generally, network forensics focuses on monitoring and analyzing computer network traffic to gather evidence of exceeding authorization or to detect an intrusion from a party with no authorization to be on that system or network. Because network traffic is volatile and dynamic, analysts must be proactive in their approach to capturing information. Network forensics takes two approaches to gathering information:
- The more traditional approach catches and stores all data for analysis at a later time (e.g., logging the Internet usage of all users and only reviewing the data after an alert).
- The second approach scans the data that pass through the network and is selective about the data that are captured (e.g., o
