As most of you know, today starts the first in a long series of blogs combined with webinars on various aspects of digital forensics. Vestige hopes that this information is helpful to attorneys, people in IT and HR, business owners and other digital forensic examiners. Each month will center on a theme with this month’s theme being the digital forensic process. So without further ado, let’s dive into identifying relevant sources of data and information.
When an incident occurs or a digital forensic investigation needs to be conducted, the results are only going to be as good as the pool of data examined. If the key message is really a text message but the team only collects email that message will never be found. If the identification of an intruder is sought but no one checks the log files on the web server, the identification may never happen. Furthermore while your friendly neighborhood forensic examiner can recover data that was deleted months or years ago, many types of digital data is still volatile and if not preserved quickly, you may never have another chance to get those answers.
So where to start with the data identification and data collection process?
For internal matters, the starting points are the workstations, namely those used by suspects or those under investigation. But you already knew this didn’t you? What about cell phones and tablets? Today’s smart phones aren’t just used for phone calls, they are in reality mini computers allowing one to message, email, surf the web, work on documents, transfer funds, transfer files, etc. Tablets are a step up from cell phones in the digital world hierarchy and even more closely resemble computers. Since cell phones and tablets may be personally owned, or at the very least, taken by the user everywhere they go, these devices may be more generous in providing a peak into the user’s habits. Of course, these devices may be more difficult to preserve if the idea is to do it covertly. If the tablet or cell phone is not owned by the company the degree of difficulty just went up, but that is a topic for another time. Regardless of the perceived difficulty in preserving some of these devices, one needs to identify them and address what to do about them.
One of the most overlooked sources of relevant data in a forensic investigation is the server.
One of the most overlooked sources of relevant data in a forensic investigation is the server. Most people ignore servers unless they are directly involved, such as when a server is hacked or compromised. But servers hold a wealth of information that should not be overlooked in any kind of forensic matter. Servers often log various actions taken by users as they access files that they shouldn’t, read emails that aren’t theirs, transfer data that doesn’t belong to them and surf websites that they shouldn’t.
If you are running a virtual server environment, then your ability to respond might be better than those who do not run such an environment. Virtual server snapshots provide a point in time picture of what occurred at that exact moment. Vestige recently handled a matter involving a server that was hacked by an outside entity. After assessing what happened, we were able to work with the client to retrieve a snapshot of the server from a period of time just minutes after the initial intrusion. An examination of this snapshot allowed us to better pinpoint what occurred and plan our analysis from there.
Firewalls, VPN concentrators and similar network devices are an extension of the server realm. Again, these devices possess logs which can be a treasure trove of relevant information or may just possess that one little piece that allows one to connect an action with an actor.
The dilemma though, with servers, firewalls, etc. is that with a configuration tweak here or there, your mountain of information may be a mole hill or vice versa. Which brings us to our next point: proper prior planning prevents pitifully poor performance. If you have computers in your organization, it is only a matter of time before they will be used for no good. You will have to deal with a forensic analysis or respond to an incident. To be better prepared for the inevitable, it makes sense to take the temperature of your organization’s readiness. Whether you work with your internal resources or you hire an outside expert, it makes smart sense to understand what information you are capturing, how long you are capturing that information and how quickly that information can be locked down for further analysis. During that assessment you can identify what your servers are logging, what they can log and how long that information stays around. Nothing kills a digital investigation quicker than a server with circular logging turned on causing it to overwrite last Tuesday’s data right before you capture it.
We’ve talked a lot about the data identification under your control, what about the items outside of your control? Websites containing libelous information hosted or owned by someone else?Cloud email services with logon information? Vestige had a case a few years ago which centered on possible illicit access to our client’s email by an outsider. Vestige talked with the provider and immediately requested any logs which recorded IP addresses signing into the mailboxes. Vestige was told that the provider didn’t capture this information. A week or two later this topic was revisited at which point in time Vestige was told that in fact this information was kept. That said, it was only kept for a short period of time, a period that had expired for the time in question between the timeframe when the provider changed their story. So while the proper source of information was identified and requested, up front planning by the client prior to a moment of crisis was not performed so the existence of the data was not confirmed.
As you can see, the sources of relevant information can be plenty. But those can be just the tip of the iceberg. Other items to consider may be voicemail systems, video surveillance systems, hard drives from copier/printers, etc. Maybe you have a server or computer in a corner or closet that could provide potentially responsive data. Vestige is often engaged to perform services such as identification of potentially relevant sources of data and the recovery of data. Quite often, Vestige will find sources never even considered – sources that could make or break your case.
We hope that this blog post has provided you a nugget or two of new information. Come back next week when we will discuss the next step – Preservation of Relevant Data “You’re Doing What With My Computer?”
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations