The network administrator's guide to forensic first response
Very few companies employ a designated, trained forensic examiner to handle incidents such as unauthorized resource usage or suspected computer crimes. Rather, the majority of companies outsource such tasks to a specialist, such as DIBS or CFS.
The time between discovery of an incident and the handover of digital evidence is critical to the prospects of successful evidence retrieval. Mishandled evidence, whether it is to be used in court or solely in house, can damage the integrity of the investigation. For instance, opening pornographic images that were downloaded to an employee's computer updates the files' last-accessed time/date stamps. Once that has happened, it becomes very difficult to show that it was the employee, and not the network administrator, who handled the images.
The most critical concern, then, is to create the most conducive environment possible for the forensic examiner. The following points will discuss vital considerations for the administrator acting in a first responder's role to maintain the integrity of evidence and accountability.
Fear, uncertainty and doubt will surely be some of your first reactions, especially in the instance of a network break-in. It is important to remember that you are not the first one that this has happened to and not to act rashly. For instance, if you notice that a system has been hacked into, it may be your first reaction to panic and pull the network cable. Although this can stop the attack, it may trigger a retaliatory routine planted by the hacker and cause further damage. By taking time to investigate and consult with a specialist, you may save the system from irreparable damage.
Secure the suspected devices
It is important to control access to the device or devices that are suspected of being evidence or of being compromised. Normally this is achieved by keeping the items under observation until qualified relief arrives, but over longer periods it can also be done by keeping the devices under lock and key. It is essential to control all secondary storage items as well. This includes floppy disks, CDs and flash media. It is worth noting that iPods and similar devices have recently been used for discreet data storage and should certainly be treated as suspect.
Consider legal aspects
One of the most important considerations is to protect yourself and your company from legal liability. The Fourth and Fifth Amendments may apply in your case, as discussed in the Department of Justice report on computer seizures. Laws also vary from state to state, so it is important to check with your legal department or legal representation before pursuing a suspected offense.
Much of this can be avoided through policy letters and system banners which will clearly state the company's policy on data collection and interception, as well as defining acceptable use. Be warned, however, that even with policy letters and a statement of understanding, you do not generally have permission to randomly or constantly monitor electronic communications. Any monitoring that is done should be documented and justified in writing.
Write down all known information about the system
When your network is under attack, it is difficult to know when not to act. While waiting for further guidance, it will help the investigator a great deal if the relevant information is collected and prepared as soon as possible. Your notes should include the IP address, the system time in relation to "wall time" (that is, the system clock reading written down next to the actual clock time, so that the offset can be computed and every timestamp the examiner later sees can be corrected), the computer name, running services or applications, plus any relevant information about the suspected offense. This should include how the problem was discovered, by whom and when. It is also worth noting the primary use of the system, as a mail server would definitely be handled differently than a workstation!
Record all actions taken upon discovery
This is the point where the chain of custody begins. Any actions that you take could be called into question as to how they may have affected the validity of the recovered evidence.
Your actions should be recorded with date/time, witnesses and so on, beginning with when you became aware of the incident, and should document every occasion on which the system or evidence was moved or changed hands. It is critical to note any period during which the system was left unattended, although ideally this should never happen.
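The notes and the custody record described in the two sections above can be kept in a form that later shows whether they were altered. The following Python script is an added illustration, not the author's procedure or any product's code: it records the system facts (including the clock offset), then keeps each custody entry chained to the SHA-256 hash of the previous one, so that editing or removing an entry after the fact breaks the chain. All names, addresses and times in it are constructed for the example, and the chain only protects entries already written; it cannot reveal an action that was never logged.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry in a fresh log


def clock_offset(system_time, wall_time):
    """Return wall_time - system_time: add this to any timestamp read from
    the suspect system to convert it to real time. Record it first; every
    file and log timestamp the examiner later sees is in the system's clock."""
    return wall_time - system_time


def system_notes(ip, hostname, primary_use, services, discovered_by,
                 discovered_at, offset):
    """The facts the article asks a first responder to write down."""
    return {
        "ip": ip,
        "hostname": hostname,
        "primary_use": primary_use,
        "running_services": sorted(services),
        "discovered_by": discovered_by,
        "discovered_at": discovered_at.isoformat(),
        "clock_offset_seconds": offset.total_seconds(),
    }


def entry_hash(body):
    # Canonical JSON (sorted keys, no whitespace) so equal entries hash equal.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_entry(log, when, actor, action, witnesses):
    """Append a custody entry whose hash covers the previous entry's hash."""
    body = {
        "seq": len(log),
        "time": when.isoformat(),
        "actor": actor,
        "action": action,
        "witnesses": sorted(witnesses),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    body["hash"] = entry_hash(body)
    log.append(body)
    return body["hash"]


def verify_chain(log):
    """Return (True, None) if every entry is intact and correctly linked,
    otherwise (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev") != prev
                or entry_hash(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


def build_example_log():
    """Constructed sample incident; hosts, people and times are made up."""
    wall = datetime(2005, 3, 1, 9, 15, 0, tzinfo=timezone.utc)
    system_clock = datetime(2005, 3, 1, 9, 11, 30, tzinfo=timezone.utc)
    notes = system_notes("192.0.2.17", "FILESRV02", "file server",
                         ["smb", "ssh"], "J. Doe", wall,
                         clock_offset(system_clock, wall))
    log = []
    append_entry(log, wall, "C. Cox",
                 "Alerted by J. Doe; recorded system facts: "
                 + json.dumps(notes, sort_keys=True), ["J. Doe"])
    append_entry(log, wall + timedelta(minutes=5), "C. Cox",
                 "Server room locked; sole key held by C. Cox", ["J. Doe"])
    append_entry(log, wall + timedelta(hours=2), "C. Cox",
                 "System handed over, still powered on, to examiner A. Smith",
                 ["A. Smith", "J. Doe"])
    return log


if __name__ == "__main__":
    log = build_example_log()
    print("intact:", verify_chain(log))
    # Someone later tries to soften the record: the stored hash no longer matches.
    log[1]["action"] = "Server room left unattended for 5 minutes"
    print("after editing entry 1:", verify_chain(log))
    # Even re-hashing the edited entry fails: entry 2 still points at the old hash.
    log[1]["hash"] = entry_hash({k: v for k, v in log[1].items() if k != "hash"})
    print("after re-hashing entry 1:", verify_chain(log))
```

The chain is only as good as its anchor: write the final hash into the handwritten notes or give it to the examiner at handover, otherwise whoever holds the file can simply regenerate every hash after editing.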
Do not be tempted to start the investigation yourself
If nothing else, this is vital. You may be tempted to start viewing files or Web histories, but don't do it. While you may well find the information you were looking for, evidence collected that way may be ruled inadmissible in court, should that be required, and it is easily contested if used as grounds for employment termination.
Do not change the state of the system
If the system is off, leave it off. Likewise, if the system is on, leave it on. Changing the state of the system could destroy valuable potential evidence. For instance, some operating systems will clear the swap file upon restart, and shutting down the system will close all programs that are currently running. Also, systems may be "booby trapped" with startup routines designed to destroy or alter data.
Disable virus protection
Although a vital tool for network security, virus protection can be a nightmare for the forensic examiner. While performing a scan, the virus protection program in effect accesses every file. This not only alters the last-accessed time/date stamps of critical suspected files, but certain products, such as Norton Antivirus, will by default automatically detect and remove "hack tools" that may be crucial to the investigation.
It is imperative to stop all intrusive services such as virus scanners as soon as possible.
If there is an attack in progress, it is important to weigh the value of potential "live" evidence against the risk of an escalation. This should be discussed with the forensic examiner or incident response team as soon as possible to determine the best course of action.
Isolating a system from the network is typically only done in cases of intrusion attempts or virus activity, but note that continued network activity can itself overwrite data in some cases.
The role of the first responder can be likened to that of a paramedic. Your first job is to avoid causing further harm while coordinating further professional support. With a level head and clear policies, no incident need become a disaster.
Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.