Computer Forensic Tools to the Rescue
By Christopher Brown
Professional grade computer forensic tools have come a long way in the past five years and are now available and affordable for most mid- to large-sized businesses. With the latest regulations -- like California Senate Bill 1386 and Sarbanes-Oxley -- that require the capability to investigate incidents or report fraudulent activities, more companies are turning to computer forensics to investigate what is happening on their computer systems. The good news is that the forensic tools are ready for the challenge.
Before looking at the recent improvements to professional computer forensic tools, it is important to understand how they operate and why you should use a forensic tool when conducting any investigation, be it someone hacking into your systems, an employee who is suspected of illegal or unethical activities, or answering a court order for discovery of electronic data. First, it is imperative that you are able to see all the data on a system, including files that have been deleted, as they may hide illegal activities. Second, it is imperative to not destroy the data you may need to further your investigation. Simply listing files with a non-forensic tool may make it impossible to determine when files were last accessed by users.
To conduct an investigation properly, you need to be able to look at, search, and extract data from a computer system without altering the data (or metadata). Professional grade computer forensic tools provide this capability, plus they have the added benefit of preserving the data and creating reports in an evidentiary-quality manner that will allow them to be used in a court of law, if necessary. Having evidence that can be used in court will actually help settle cases out of court. Employers must be able to collect and report on all the data in order to defend against unfounded nuisance lawsuits.
It is imperative to ensure the integrity of any evidence uncovered during a digital investigation. Professional grade computer forensics tools use disk sector reads to pull the data from the hard disk, avoid using the suspect system’s file I/O, and avoid alteration of any data or metadata on the suspect system hard drive. These professional forensic tools then create a cryptographic hash signature of the data extracted and store that information for future comparison to prove the data extracted is exactly the same data that is being presented in court. Cryptographic hash signatures can be considered the tamper-proof tape of the computer forensics realm.
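The acquire-hash-verify cycle described above, as an added example that is not code from the article or from any particular forensic product: raw sectors are read from a constructed in-memory "disk image", two digests are recorded at acquisition time, and the same digests are recomputed later to prove (or disprove) that what is presented is byte-for-byte what was collected.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: two 512-byte sectors standing in for a disk image.
# A real tool would read these sectors from the device, not through the file system.
SECTOR_SIZE = 512
SAMPLE_IMAGE = bytes(range(256)) * 4  # 1024 bytes, constructed for this example

def read_sectors(image: bytes, start: int, count: int) -> bytes:
    """Return `count` raw sectors beginning at sector `start`, bypassing any file system view."""
    begin = start * SECTOR_SIZE
    return image[begin:begin + count * SECTOR_SIZE]

def hash_evidence(data: bytes) -> dict:
    """Record two independent digests plus length; both must match on later verification."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "length": len(data),
    }

def acquire(image: bytes, start: int, count: int, examiner: str) -> tuple[bytes, dict]:
    """Extract the requested sectors and produce the acquisition record kept with the evidence."""
    data = read_sectors(image, start, count)
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sectors": {"start": start, "count": count},
        **hash_evidence(data),
    }
    return data, record

def verify(data: bytes, record: dict) -> bool:
    """Re-hash the data being presented and compare it with the acquisition record."""
    current = hash_evidence(data)
    return all(current[key] == record[key] for key in ("md5", "sha256", "length"))

if __name__ == "__main__":
    evidence, rec = acquire(SAMPLE_IMAGE, 0, 2, "examiner-01")
    print("intact:", verify(evidence, rec))
    altered = bytearray(evidence)
    altered[100] ^= 0x01  # a single flipped bit is enough to break the match
    print("after one-bit change:", verify(bytes(altered), rec))
```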
So how have these tools progressed to make them an integral component of managing corporate risk? The major improvement that has allowed for broader adoption involves the ability of today’s tools to examine live systems through a network connection. Historically, to conduct a forensic examination of a system, you had to shut the system down and remove the disk drive. This meant high costs and lengthy downtime, both of which are unacceptable in most situations. Today’s computer forensic tools allow the ability to conduct forensic examinations on live systems using a network connection.
Digital investigations can be conducted without disrupting operations and you can selectively extract the evidence needed for the investigation instead of spending hours trying to image terabytes of corporate data, most of which is not relevant to the case. Using today’s computer forensic tools allows you to rapidly conduct your investigation, preserve any relevant evidence, and perform any required remediation quickly to keep your systems up and running.
Additionally, today’s computer forensic tools can operate in stealth mode that allows the examination of an employee’s computer while they are using it. This can eliminate costly travel and late night “black bag” operations to investigate employees suspected of illegal activities or violating company policy.
This new capability of examining live systems using a network also allows investigators to collect the contents of RAM and capture other volatile system state information. Information -- such as open ports with associated processes, logged-on users, and running applications -- gives the investigator a better understanding of what is really happening on a system. Computer forensic tools can even allow investigators to examine the computer registry keys, access control lists, and Internet histories on systems to gather evidence.
Since professional-grade computer forensics tools perform low-level reads to access the data on a suspect system, they allow investigators to see Trojans and rootkits that hide on systems. This can be particularly helpful in conducting an incident response investigation where a hacker has broken through the firewalls. The newer Trojans and rootkits can cloak themselves on a system, allowing them to monitor internal networks for user names and passwords that enable them to break into systems to steal data or to store illegal content on the system. Computer forensics tools can see these cloaked Trojans and any content they are hiding.
Another major new capability that helps computer forensic tools manage corporate risk is the ability to control them via a scripting language, such as Perl. This enables repetitive tasks, like searching a set of systems for keywords involved in a case for electronic discovery, to become a highly automated task and saves significant manpower in the process. Scripting can also be used for incident handling. If, for example, you have a procedure that requires gathering a set of key data from each server that has been involved in an incident, this can be automated. You can even use scripts to search a set of computers for a memory resident virus that has attacked your network. Scripting significantly enhances the utility of professional computer forensic tools.
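The scripted keyword sweep the paragraph describes, as an added example and not the article's or any vendor's code: a case keyword list is compiled into one case-insensitive pattern, run over the raw contents collected from several hosts, and every hit is reported with host, path, offset, surrounding context and the SHA-256 of the file it came from. The host names, paths and file contents are constructed for the example; in practice the bytes would come from the forensic tool's remote reads.

```python
import hashlib
import re

# Constructed sample: host -> {file path -> raw contents}, standing in for data
# pulled from each system by the forensic tool.
HOSTS = {
    "fileserver-01": {
        "/share/finance/q3.txt": b"Q3 numbers attached. Project Falcon budget approved.",
        "/share/hr/notes.txt": b"Nothing relevant here.",
    },
    "workstation-17": {
        "C:/Users/jdoe/Documents/memo.txt": b"Keep project falcon off the books.",
    },
    "workstation-22": {
        "C:/temp/readme.txt": b"Installation notes.",
    },
}

def build_pattern(keywords):
    """Compile the case keyword list into one case-insensitive bytes regex (works on raw/deleted data too)."""
    alternatives = b"|".join(re.escape(k.encode()) for k in keywords)
    return re.compile(alternatives, re.IGNORECASE)

def search_host(host, files, pattern, context=20):
    """Return one hit record per keyword occurrence in this host's collected files."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()  # ties each hit to the exact bytes examined
        for match in pattern.finditer(data):
            lo, hi = max(0, match.start() - context), match.end() + context
            hits.append({
                "host": host,
                "path": path,
                "offset": match.start(),
                "keyword": match.group(0).decode(errors="replace"),
                "context": data[lo:hi].decode(errors="replace"),
                "sha256": digest,
            })
    return hits

def sweep(hosts, keywords):
    """Run the same search over every host and return a combined, host-ordered hit list."""
    pattern = build_pattern(keywords)
    report = []
    for host in sorted(hosts):
        report.extend(search_host(host, hosts[host], pattern))
    return report

if __name__ == "__main__":
    for hit in sweep(HOSTS, ["Project Falcon", "off the books"]):
        print(f'{hit["host"]}:{hit["path"]}@{hit["offset"]} "{hit["keyword"]}" ...{hit["context"]}...')
```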
And to make computer forensic tools “ready for primetime,” their ease of use has been significantly enhanced. Computer forensic tools now provide user-friendly, menu-driven GUIs and built-in help functions that walk the user through most tasks. With a modest 1 to 3 day training class, experienced IT professionals can become proficient with these tools.
Today’s threats, both external and internal, are driving companies to look for ways to detect and prevent unauthorized access to computer networks. While there is no perfect solution that will guarantee that your systems will never be compromised, you must have a way to investigate these incidents. Fortunately, the tools are there to enable you to conduct these investigations in a professional way.
About the Author
Christopher Brown is the Chief Technical Officer of Technology Pathways. He can be reached at cbrown@techpathways.com