As hackers are using increasingly complex methods to commit their crimes, detection methods are also advancing, writes Karlin Lillington
The next time you are thinking how much benefit you have gained from some advance in technology, remember that criminals are thinking the same thing too.
"As soon as technology advances, so too does crime," according to Colm Murphy, technical director with Dublin computer security and forensics company Espion.
Although the crimes might seem frighteningly cutting edge - hacking into remote computer systems, committing denial of service attacks, secretly sending offensive e-mails to an employee, stealing identities online - they neatly fit under all the old headings - harassment, extortion, theft.
"These are not new crimes but new ways of committing all the old crimes," Mr Murphy told his audience at a recent seminar on computer forensics in Dublin.
The good news, as the various presenters at the seminar made clear, is that using digital technology to commit crimes leaves many forms of digital evidence. The bad news is that it is easy to overlook, misinterpret, or even destroy evidence when organisations have no policies in place for dealing with computer crime, or do not understand what they need to do to preserve evidence.
"Any investigation of computers or digital media is going to produce evidence which needs to be treated in a very specific way to be admissible in court," he says.
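The "very specific way" evidence must be handled starts with proving it has not changed since it was acquired. The following is an added example in Python, not part of the article or of Espion's practice: it hashes an evidence image before anything touches it, keeps a chain-of-custody log in which every hand-over re-hashes the image, and refuses to vouch for an image whose hash no longer matches. The "disk image", custodian names and timestamps are constructed for illustration.

```python
"""Added example: evidence integrity via hashing and a chain-of-custody log.

Assumptions (not from the article): evidence is handled as a byte image,
SHA-256 is the hash, and the custodian names are illustrative.
"""
import hashlib
import json
from datetime import datetime, timezone


def hash_image(data: bytes) -> str:
    """SHA-256 hex digest of an evidence image."""
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes) -> tuple[bytes, dict]:
    """Make a working copy and record the acquisition.

    The original is hashed *before* anything else happens to it, the copy
    afterwards; if the two differ the copy is not a faithful image and must
    not be used.
    """
    reference = hash_image(original)
    working_copy = bytes(original)       # in practice: a dd / imager output file
    record = {
        "event": "acquire",
        "sha256": reference,
        "copy_sha256": hash_image(working_copy),
        "when": datetime.now(timezone.utc).isoformat(),
        "custodian": "examiner-1",       # illustrative name
    }
    if record["sha256"] != record["copy_sha256"]:
        raise RuntimeError("working copy does not match the original")
    return working_copy, record


def transfer(custody_log: list[dict], image: bytes, to: str) -> None:
    """Append a hand-over entry; every hand-over re-hashes the image."""
    custody_log.append({
        "event": "transfer",
        "to": to,
        "sha256": hash_image(image),
        "when": datetime.now(timezone.utc).isoformat(),
    })


def verify(image: bytes, custody_log: list[dict]) -> bool:
    """True only if the image still matches the acquisition hash and every
    hand-over recorded that same hash (no silent change along the chain)."""
    if not custody_log:
        return False
    reference = custody_log[0]["sha256"]
    return (hash_image(image) == reference
            and all(entry["sha256"] == reference for entry in custody_log))


# Constructed sample "image" of a departing employee's laptop (not real data).
EVIDENCE = b"MBR\x00" + b"confidential customer list\n" * 100

if __name__ == "__main__":
    copy, first = acquire(EVIDENCE)
    log = [first]
    transfer(log, copy, "legal")
    print("intact:", verify(copy, log))                  # True
    print("tampered:", verify(copy[:-1] + b"X", log))    # False
    print(json.dumps(log, indent=1))
```

The point a court will ask about is the first hash: it has to be taken before the examiner opens, mounts or copies anything, and every later hash in the log has to equal it.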
Computer crime can be split into two categories for the purposes of investigation - internal and external incidents. Internal incidents cover a very broad range of occurrences: pornography on company computers or in e-mail, which Murphy says is "usually relatively easy to deal with using standard human relations department procedures", unless the material involves children, in which case it should immediately be referred to the Garda; bullying and intimidation; corruption (Murphy says he sees a lot of this involving suppliers); data theft, often by departing employees "who feel it is their God-given right to take what they want, with intellectual property [IP] theft ranking high in Ireland"; leaks of information; and general misuse of systems.
"People are curious by nature and are often accessing files they shouldn't be," Murphy says.
External incidents include system intrusions and hacks; defacements of websites; minor incidents on message and bulletin boards; and denial of service (DoS) attacks, where an organisation's web servers are bombarded with requests until the system goes down.
Murphy notes a recent spate of DoS threats against online betting sites, where criminals would launch a DoS attack when it looked as if they were about to lose a hand.
"The slate gets wiped then and the hand gets replayed," says Murphy.
Evidence can be retrieved from a wide range of digital sources. Some are obvious - PCs, servers, laptops, palmtops and other handheld devices, mobile phones, closed circuit television (CCTV), telephone systems, firewalls, network services, routers and switches, and access control systems.
Others might not come immediately to mind but can harbour important data for investigations, such as printers, fax machines, pagers, voicemail and copiers.
Multifunction printers, which include copying, printing and faxing capabilities, can be especially fruitful sources of forensic data since they hold information in memory for some time.
Retaining and retrieving such information often requires additional forensic tools, which range from e-mail management software to full-blown forensic retrieval suites. These help a broader investigation by archiving, searching and retrieving useful data, but they also allow organisations to resolve some incidents themselves, without resorting to specialist investigators.
"Having a forensic capability does allow you to solve a problem internally and discreetly," Murphy notes. "And, if appropriate, you can turn an investigation over to the guards but with proper forensic evidence."
Using software to manage e-mail is a key way to track and archive this common form of communication, says seminar speaker Brendan Nolan, chief executive of Waterford Technologies, which makes an e-mail management program.
Strategic e-mail issues include the need for compliance with a wide range of directives, both national and international; liability; and security, Nolan says.
Companies now want to do a wide range of management activities with e-mail, he notes.
"When we developed the product a few years ago, it was very much based on header analysis," he says. Headers are the addressing and routing details - sender, recipients, message ID, and a record of each mail server the message passed through - that precede the body of an e-mail.
"Now companies want to look into the body of e-mail and into attachments."
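The two kinds of analysis Nolan contrasts, header-chain analysis and a search that reaches into the body and attachments, as an added example in Python. This is not part of the article and not Waterford Technologies' product; the message, hostnames and addresses are constructed for illustration.

```python
"""Added example: e-mail header-chain analysis, then body/attachment search.

Assumption: the message is a constructed sample; mail hosts, IPs and the
'supplier' are fictitious.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample (not a real capture). Each mail server PREPENDS its own
# Received header, so the top one is the last hop and the bottom one the first.
RAW = b"""\
Received: from mx.example.ie (mx.example.ie [203.0.113.5])
\tby mail.example.ie with ESMTP id abc123;
\tMon, 1 Mar 2004 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx.example.ie with SMTP;
\tMon, 1 Mar 2004 09:14:58 +0000
From: "A. Supplier" <sales@supplier.example>
To: buyer@example.ie
Subject: Q1 arrangement
Message-ID: <20040301091458.1@supplier.example>
Date: Mon, 1 Mar 2004 09:14:50 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Per our chat, the usual commission applies.
--b1
Content-Type: text/plain; name="terms.txt"
Content-Disposition: attachment; filename="terms.txt"

Kickback: 5% of invoice value, paid in cash.
--b1--
"""

# "from <host> (<helo/reverse-dns> [<ip>]) by <host>" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?P<helo>[^)]*)\)\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def delivery_path(msg: EmailMessage) -> list[dict]:
    """Hops in delivery order (origin first), rebuilt from the Received chain."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(hdr))
        if not m:
            continue                      # non-standard Received line: skip, do not guess
        ip = IP_RE.search(m.group("helo"))
        hops.append({"from": m.group(1),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """The address the first receiving server saw. Only headers written by
    your own servers can be trusted; earlier ones may be forged by the sender."""
    path = delivery_path(msg)
    return path[0]["ip"] if path else None


def search(msg: EmailMessage, needle: str, include_body: bool) -> list[str]:
    """Where a term occurs: header names always, body/attachments if asked."""
    n = needle.lower()
    hits = [f"header:{name}" for name, value in msg.items() if n in str(value).lower()]
    if include_body:
        for part in msg.walk():
            if part.get_content_maintype() != "text":
                continue
            if n in part.get_content().lower():
                name = part.get_filename()
                hits.append(f"attachment:{name}" if name else "body")
    return hits


if __name__ == "__main__":
    msg = parse(RAW)
    for hop in delivery_path(msg):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("origin:", originating_ip(msg))
    print("header-only:", search(msg, "kickback", include_body=False))   # []
    print("with body:  ", search(msg, "kickback", include_body=True))    # attachment hit
```

The header-only search never sees the damaging line, which sits in the attachment; that is the gap Nolan says customers now want closed. The Received chain is read bottom-up, and only the entries added by servers you control are trustworthy, since anything earlier was supplied by the sender's side.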
More elaborate data can be retrieved and examined using a forensic software tool such as that provided by Guidance Software, which is widely used by businesses, governments and law enforcement agencies.
Russell May, special projects manager for Guidance and formerly head of the West Midlands Police Department's crime unit in the UK, says that forensic tools have come a long way from the first-generation programs, which ran on the text-only Microsoft operating system MS-DOS and required separate add-on programs to do anything beyond a basic examination.
Even with more recent versions of the software, computers had to be shut down and drives removed for forensic study - something many companies were reluctant to do with large servers running corporate networks.
The current version of Guidance's tool, which comes in a commercial version for typical organisations as well as a high-end surveillance-level version used by governments and law enforcement, allows remote examination of PCs, servers or mainframes across a network. This remote capability lets examiners see the processes and services running on a computer, access its data, see open files and more.
May says that even encrypted files can be examined on the PC that created them, because while the files are in use the encryption keys are held in the computer's memory. He acknowledged that for surveillance purposes - and with appropriate warrants and permissions - the remote forensics capability of the high-end version could allow encrypted files to be examined over a network without physical access to the computer, effectively bypassing the encryption.
One feature of the software allows remote remediation - items can be removed from the registry, processes can be halted - which is "useful for incident response," May says.
Such features have been used in Iraq as "there are lots of cost benefits in terms of not having to send in investigators", according to May.
"It's starting to get a little bit spooky, some of the stuff we can do with this."