Saturday, April 29, 2006

Future Trends

Would I be remiss if I were to NOT discuss future trends in computer forensics?

Every now and then you see the curious posting questions about future trends and challenges in the computer forensics field, and invariably, the responses include something to do with the increase in the density of storage media. For example, information was recently leaked from Seagate regarding 750GB drives. But is this really a "future trend"?

Think about it. Not long ago, those tasked with performing computer forensics were facing 100 or 200 MB drives...yes, "megabyte", with an M. Even today, larger capacity with a smaller form factor is just something we deal with. So...if this is something we've been dealing with from the beginning, does it really constitute a "future trend"?

Rather than sitting back and being driven by the course of events, IMHO, forensic analysts need to be the driving force in the future trends within the community. Specifically, there needs to be a greater level of education. I know that this is very easy for me to say, sitting here at oh-dark thirty, blogging away. However, I sincerely believe that this is the case. Let me provide some background and perhaps illuminate what I'm referring to...

Computer systems are becoming ever-more sophisticated. The bad guys are, too. Things that used to be done for fun are now being done for profit, or revenge. The face of computer crime itself is changing. While computer forensic analysis techniques are changing, they aren't being updated at anywhere near the same rate as the techniques used by those who end up becoming the focus of an investigation. There are still many folks out there, tasked with performing computer forensics, who firmly believe (through their initial training) that a computer forensics investigation begins with unplugging the affected system, securing it, and imaging the hard drive.

But what happens when you do this? Think of the massive amounts of data that are lost when power is removed from a system. Think of a fraud or sexual harassment investigation in which data was stored on the clipboard. Think about the malware that only exists in memory. Personally, I'm reminded of a case from 2000 in which someone else determined that the SubSeven Trojan was on a system via a file search...after power had been removed from the system. Sure, the MAC times on the files would give the investigator some information, but no one could say for sure (a) whether the backdoor was running when the system was unplugged, (b) whether a bad guy was connected to the backdoor, or (c) whether the "suspect" was connecting to another infected system somewhere on our corporate network.

One of the main techniques still in use today by forensic examiners is the keyword search. Don't get me wrong...there's nothing wrong with this technique...in fact, it's proven to be quite useful. However, it should be a tool, not the tool, in the investigator's toolbox. Keyword searches across file systems and sectors can be fruitful, but not everything is stored on a system in ASCII or Unicode. Take a look at the Windows Registry...many important pieces of information are stored in binary format, or via Rot-13 "encryption". Both of these will cause simple keyword searches to fail.
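As an added illustration of why a plain keyword search misses Registry data (this is example code, not from the original post): the UserAssist key stores value names in ROT-13 and its value data as binary, including a FILETIME. The sample entries below are constructed, and the 16-byte data layout (session id, run count, FILETIME) and the counter offset of 5 are assumed from the XP-era format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample, not real Registry data: two UserAssist-style entries.
# Value names are ROT-13 obfuscated; value data is assumed to follow the
# XP-era 16-byte layout: <session id><run count><FILETIME>, little-endian.
SAMPLE_ENTRIES = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr":
        struct.pack("<IIQ", 1, 5 + 3, 127907424000000000),
    "HRZR_EHACNGU:P:\\Jvaqbjf\\pnyp.rkr":
        struct.pack("<IIQ", 1, 5 + 1, 127907424000000000 + 36_000_000_000),
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100ns ticks since 1601-01-01 UTC)."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ft // 10)


def decode_userassist(name, data):
    """Return (decoded name, run count, last-run time) for one entry."""
    plain = codecs.decode(name, "rot_13")
    _session, stored_count, ft = struct.unpack("<IIQ", data)
    # Assumption: the stored counter starts at 5, so true runs = stored - 5.
    return plain, stored_count - 5, filetime_to_datetime(ft)


def keyword_hits(entries, keyword, decode=False):
    """Simulate a keyword search over value names, raw or after ROT-13 decoding.

    A raw search for 'notepad' finds nothing, because the name on disk reads
    'abgrcnq.rkr'; the same search after decoding finds the entry. Likewise a
    text search for '2006' never matches the binary FILETIME in the value data.
    """
    hits = []
    for name in entries:
        candidate = codecs.decode(name, "rot_13") if decode else name
        if keyword.lower() in candidate.lower():
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    print("raw search:", keyword_hits(SAMPLE_ENTRIES, "notepad"))  # []
    print("decoded search:", keyword_hits(SAMPLE_ENTRIES, "notepad", decode=True))
    for name, data in SAMPLE_ENTRIES.items():
        print(decode_userassist(name, data))
```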

Another thing to think about is disk encryption software. Unplug the power and what are you left with? Okay, now think about it this way...if you acquired the system live, what would you be left with?

Let's get right to the point...perhaps there really is no "future trend" in computer forensics, but rather, we're going to simply be revisiting the same old trends that we've faced in the past. IMHO, I don't see increased storage density as a new issue...it's something we've had to deal with for a while. HOW we deal with it is what's going to change the face of forensic computing...greater education and training will drive forensic investigators to include live response techniques (live acquisition, volatile data collection and analysis, etc.) in their "bag of tricks", AND allow them to be able to testify about these techniques and data in court.

One final note...there are those who say that they would never perform a live investigation until there's case law and court decisions supporting the use of these techniques. Okay...we're back to the chicken or the egg argument. My response is to say that rather than waiting for the courts to make a change, the investigators need to start moving in that direction first, getting training and knowledge to not only perform live response but to also be able to present and explain that information in court. After all, many of us are already performing live response investigations, as well as Registry analysis, as a matter of course.

Thoughts?

2 comments:

Anonymous said...

9 years ago, I learned how to conduct file system forensics in a DOS environment using Norton Disk Doctor and Maresware.

At that time, with those tools, and in those circumstances this methodology worked, and allowed an investigator to find information that had been intentionally (or unintentionally) removed from the machine.

Since that time, and with the advent of the newer strains of Windows, those types of file system forensics don't really function as well as they used to.

However, it's the word forensics that continues to create problems for the investigator. We continue to attempt to emulate a live field environment where we are picking up bullet casings from undisturbed ground, or collecting blood spatter from walls.

Nothing really says this like email. In an average MS-Exchange environment, in order to conduct a "forensic analysis" of mail in the system you have to take a server down. Tell your average Fortune 500 company that you will have to take their mail servers down for a few hours and you're going to be fired or slapped with an injunction before you can make it to the login screen.

Live forensics is the only way to effectively conduct an investigation of email. Why would anyone want to do differently? The data included can be entered into evidence as a business record; simply note where the information came from, create a PST using EXMERGE, or simpler yet, connect to another user's mailbox using Outlook, and export everything to a PST. Hash, and archive, then conduct your searches as usual.

But change the typical forensics paradigm from "cannot modify or disturb" to "cannot materially modify or introduce new information," and the ability of forensics examiners to do their jobs will allow far more evidence to reach a court.

Anonymous said...

But change the typical forensics paradigm from "cannot modify or disturb" to "cannot materially modify or introduce new information,..."

Very well said. The bottom line is laying a proper foundation so that your evidence is admissible. If one file makes a case, and we can show that it has not been altered from the original, the process of how we got the file becomes less of an issue.

However, IMHO most practitioners are law enforcement. We're going to have far fewer opportunities to find, let alone acquire, a live system. It's not going to be practical for most of us to take the steps to determine when to go through the door to be sure that the machine is running. So, size (let alone Vista) does matter in the instances that are about to arrive.