Tracking criminals

The computer forensics business is booming, and it's easy to see why. Most of the evidence that convicts wrongdoers is nowadays stored in computers.

We regularly see it in daily news media across our region: Singapore National Kidney Foundation's CEO is charged with corruption; Hong Kong public hospitals lose 16,000 patient records; New Zealand teenage hacker infects 1.3 million computers; naked celebrity photos stolen from PCs appear in the press. In every case where data theft is suspected, forensics experts will be imaging hard drives, analysing data and preparing evidence that will stand up in court. Computer forensics is the most secretive part of the IT industry. Individuals and companies damaged by cyber crime know that their reputations depend on remaining silent. So, when we asked computer forensics professionals about their latest cases, they explained that if they breached client confidentiality, they'd never work again.

The primary concern of forensics experts is to collect evidence that meets well-established criteria laid down by the law. "The rules of evidence are not new for computers," says Sean Lin, a director of the Information Systems Audit and Control Association (ISACA). "If digital photos are stolen, for example, we may need to prove which computer they were stored on and who copied and distributed them. In the old days, we needed to track down the people who processed and printed a roll of film. In both cases, the collection and protection of evidence must be legally acceptable. The standard of proof is the same, just the technology has changed."

Internet abuse

But computer forensics is also increasingly used by enterprises, for purposes such as investigating employees' misuse of the Internet, tracing the unauthorised disclosure of corporate information, and collecting evidence for industrial espionage or breach-of-contract cases. Forensic analysis also supports damage assessment after any kind of incident.

Anyone with the right skills can examine a computer, but searching through gigabytes of data is slow, and if what is found is to be admissible the original hard disks or storage media must not be modified in any way. In practice that means the examiner never works on the original: it is read through a write blocker, copied bit for bit, and the copy is hashed and compared with the source so that any later change to either can be proven.

To support this workflow, many software vendors offer forensic products.

One of the tools widely used by police forces is EnCase Forensic, from Guidance Software, a program that offers an integrated set of forensics utilities. This software can safely make a complete image of the information on a drive from a Windows, Macintosh, Linux or DOS machine and can help users examine areas of the disk hidden from the operating system and present the results in a legally valid form.
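As an added example (not code from the article, from Guidance Software or from any other vendor), the following Python script shows the acquisition step that every tool in this class performs: copy the medium sector by sector without ever writing to it, hash the data as it is copied, and re-hash the finished image so that anyone can later prove it is unchanged. The "drive" is a constructed in-memory byte string, `DiskWithBadSector` is a constructed stand-in for a device with one unreadable sector, and the 512-byte sector size is an assumption; a real acquisition would read the block device through a hardware write blocker, but the hashing and the bad-sector handling are the same.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size; many modern drives use 4096


class DiskWithBadSector(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector (not a
    real device interface): any read that touches `bad_offset` raises OSError,
    as the kernel would for a real media error."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        pos = self.tell()
        if n >= 0 and pos <= self.bad_offset < pos + n:
            raise OSError("I/O error: unreadable sector")
        return super().read(n)


def acquire(source, image, size, sector=SECTOR):
    """Copy `size` bytes from `source` (opened read-only, ideally behind a
    write blocker) into `image` one sector at a time, hashing as it goes.
    An unreadable sector is zero-filled and its offset recorded instead of
    aborting the run (what dd conv=noerror,sync does), so the examiner knows
    exactly which bytes of the image are not original data."""
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while offset < size:
        n = min(sector, size - offset)
        try:
            source.seek(offset)
            chunk = source.read(n)
        except OSError:
            chunk = b""
            bad_sectors.append(offset)
        chunk = chunk.ljust(n, b"\x00")  # pad failed or short reads with zeros
        image.write(chunk)
        digest.update(chunk)
        offset += n
    return {"bytes": size, "sha256": digest.hexdigest(), "bad_sectors": bad_sectors}


def verify_image(image, record):
    """Re-hash the image and compare with the acquisition record. This is the
    check repeated every time the image changes hands or before analysis."""
    image.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest() == record["sha256"]


SAMPLE_DRIVE = bytes(range(256)) * 8  # constructed 2 KiB "drive": four 512-byte sectors


def demo():
    """Acquire the constructed drive cleanly, then again with sector 2 unreadable,
    and show that verification catches a single altered byte."""
    good_img = io.BytesIO()
    good = acquire(io.BytesIO(SAMPLE_DRIVE), good_img, len(SAMPLE_DRIVE))
    bad_img = io.BytesIO()
    bad = acquire(DiskWithBadSector(SAMPLE_DRIVE, 2 * SECTOR), bad_img, len(SAMPLE_DRIVE))
    tampered = io.BytesIO(good_img.getvalue()[:-1] + b"\x00")
    return {
        "good": good,
        "good_image": good_img.getvalue(),
        "good_verified": verify_image(good_img, good),
        "bad": bad,
        "bad_image": bad_img.getvalue(),
        "bad_verified": verify_image(bad_img, bad),
        "tamper_detected": not verify_image(tampered, good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        if not name.endswith("_image"):
            print(name, value)
```

The record returned by `acquire` (size, hash, list of unreadable sectors) is what goes into the chain-of-custody notes; the hash is of the image as written, zero-filled sectors included, which is the only thing that can be re-verified later. Note that a hash mismatch tells you the image changed, not where, so the original medium stays sealed so that a fresh image can be taken if needed.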

Unfortunately, online criminals have access to exactly the same computer forensics expertise as legal investigators do. In extreme cases, people with incriminating information to hide may 'booby trap' their PCs so that any attempt to turn them on or to copy the hard disk deletes the sensitive information.

In important cases, forensics specialists will be aware of such tricks and take precautions against them. But suspects who merely delete incriminating information may be out of luck. Deleting a file normally removes only the file system's entry for it; the contents stay in unallocated space until those blocks are reused, and can be carved out by signature without any help from the file system. The often-repeated claim that data can be read back from residual magnetism even after several overwrites comes from Gutmann's 1996 paper and applies to the low-density drives of that era; for modern drives a single overwrite is generally accepted as sufficient (Gutmann's own epilogue to the paper and NIST SP 800-88 both say so), and on SSDs the TRIM command may have the controller discard deleted blocks within minutes, so recovery there cannot be taken for granted.
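Added example, not taken from the article or from any tool it names: a minimal signature carver in Python, which is the technique forensic suites use to pull deleted files out of unallocated space once the file system no longer knows about them. The image is constructed here; the header/footer pairs for JPEG and PDF are the real ones, but a production carver knows dozens more types and copes with fragmented files. A header with no footer within the size limit, which is what a partly overwritten file looks like, is reported separately rather than carved as garbage.

```python
import random

# Header and footer signatures (real values for these two types; a production
# carver such as foremost or scalpel knows many more).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Recover files from a raw image by signature alone, ignoring whatever
    file system (or none) the image carries. Returns (files, incomplete):
    files is [(offset, type, data)] sorted by offset; incomplete lists the
    offsets of headers with no footer within max_size, the usual sign that
    the rest of the file has already been overwritten."""
    files, incomplete = [], []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f < 0:
                incomplete.append(h)
                start = h + 1
                continue
            end = f + len(footer)
            files.append((h, ftype, image[h:end]))
            start = end
    return sorted(files), sorted(incomplete)


def build_sample_image():
    """Constructed 'unallocated space': zero-filled clusters and lowercase text
    slack around a JPEG and a PDF whose directory entries have been deleted,
    followed by the first cluster of a second JPEG whose remaining clusters
    were reused. Returns (image, expected_carve_result)."""
    rng = random.Random(1)

    def slack(n):  # lowercase text only, so it can never contain a signature
        return bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz \n") for _ in range(n))

    def scan_data(n):  # fake compressed data with no 0xFF byte, so no false marker
        return bytes(rng.randrange(0xFF) for _ in range(n))

    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + scan_data(300) + b"\xff\xd9"
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + slack(200)
           + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF")
    partial = b"\xff\xd8\xff\xe1" + slack(100)

    image = bytearray()
    expected_files, expected_incomplete = [], []
    for piece, kind in [(bytes(512), None), (slack(700), None), (jpeg, "jpeg"),
                        (slack(333), None), (pdf, "pdf"), (bytes(256), None),
                        (partial, "partial"), (bytes(128), None)]:
        if kind == "partial":
            expected_incomplete.append(len(image))
        elif kind:
            expected_files.append((len(image), kind, piece))
        image += piece
    return bytes(image), (expected_files, expected_incomplete)


if __name__ == "__main__":
    image, _ = build_sample_image()
    files, incomplete = carve(image)
    for offset, ftype, data in files:
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
    print("headers without footer (probably overwritten):", incomplete)
```

Run against a real image, `carve` would be pointed at the raw device image from the acquisition step, never at the original medium. The search is naive on purpose: it scans for the footer as bytes, so a file type whose body can legitimately contain its own footer needs a proper parser rather than a string match.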

Traces in memory

Surprisingly, something similar applies to RAM. Cipher keys held in RAM vanish when the machine is switched off, but a value stored in the same cells for a long time leaves physical traces (charge trapped in the cells' gate oxide and similar effects) that can in principle be detected afterwards. These effects are described in Secure Deletion of Data from Magnetic and Solid-state Memory by Peter Gutmann, department of computer science, University of Auckland. The more practical route is that DRAM keeps its contents for seconds after power is removed, long enough to image it and search for key material, which is one more reason to capture evidence from a running machine rather than simply pulling the plug. Until recently, to recover evidence from a computer in a criminal case, the forensics specialist would typically shut the machine down and take away the hard disk for imaging and analysis.

"The integrity of the hard disk would be protected by booting it from a CD using software that would block any writing to disk," says KP Chow, associate professor, centre for information security and cryptography, the University of Hong Kong. "But in enterprises, especially financial institutions, it would cost a great deal of money to shut the system down. So there is an increasing need for forensics people to retrieve evidence from computers that are still running. We need to work out a strategy to preserve the integrity of information retrieved from a live system. At HKU, we are doing research on how to achieve this."
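Added example, not code from the article or from HKU's research: how key material is actually found once memory has been captured from a live (or just-powered-off) machine. A running AES implementation keeps not only the key but its expanded key schedule in RAM, and the schedule has structure that random data does not, so scanning for 176-byte windows that satisfy the AES-128 key expansion locates keys without knowing where to look (the approach of Halderman et al.'s cold-boot work). The memory dump here is constructed, the key is the FIPS-197 test key, and `find_aes128_keys` demands an exact schedule, whereas real tools also tolerate a few decayed bits.

```python
import random

SCHEDULE_LEN = 176  # AES-128: 11 round keys of 16 bytes


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map,
    walking p through all non-zero field elements by repeated * 3 while q
    tracks p's inverse by repeated / 3."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = (x ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; affine map of 0
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """AES-128 key schedule (FIPS-197 section 5.2): 16-byte key -> 176 bytes."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(dump):
    """Return [(offset, key)] for every position where the 176 bytes starting
    there form a valid AES-128 key schedule. Cheap filter first: the fifth
    word must equal w0 ^ SubWord(RotWord(w3)) ^ Rcon[1]; only candidates that
    pass it get the full expansion and comparison."""
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        w0 = dump[off:off + 4]
        w3 = dump[off + 12:off + 16]
        t = [SBOX[w3[1]] ^ 0x01, SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]]]
        if bytes(w0[j] ^ t[j] for j in range(4)) != dump[off + 16:off + 20]:
            continue
        key = dump[off:off + 16]
        if expand_key_128(key) == dump[off:off + SCHEDULE_LEN]:
            hits.append((off, key))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key


def build_sample_dump(key=FIPS_KEY, at=3000, size=8192):
    """Constructed memory dump: pseudo-random filler with a full key schedule
    at `at`, which is what a running AES implementation leaves in RAM."""
    rng = random.Random(2024)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    dump[at:at + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(dump)


if __name__ == "__main__":
    for offset, key in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {offset}: key {key.hex()}")
```

The point for live acquisition is that this only works on memory captured while the schedule is still there: once the machine has been off for long enough for DRAM to decay, or the key has been zeroised by the application, there is nothing to find, which is exactly the trade-off between "pull the plug" and "capture the running system" that Chow describes.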

For in-house work, CIOs and IT managers are under pressure to respond to their legal departments' requests for software tools to assist with the e-discovery process, but they need to choose carefully. "The e-discovery market (for software) is immature, over-hyped, over-crowded and uncertain," says Debra Logan, Gartner analyst. "Rapid functional consolidation is both desirable and inevitable." This was a key finding in the Gartner report: Choosing an E-Discovery Solution in 2007 and 2008.

Who uses it?

Computer forensics services were originally offered by specialised vendors, but police forces, intelligence services, large accountancy and law firms and universities soon built up in-house forensics skills. Nowadays, many enterprises are doing the same.

The Singapore Police adopted forensics methods as early as 1996, and today its technology crime division (TCD) has branches for investigation, forensics and research. "The division has successfully investigated and prosecuted a number of offenders under the Computer Misuse Act (CMA) for offences such as hacking, wi-fi mooching, Internet fraud, unlicensed online distribution of intellectual property and posting of fallacious and seditious comments," says Danny Tan, Singapore Police Force spokesperson. "TCFB's expertise in computer forensics has also brought about stronger evidence for prosecution."

Studying forensics can be a good career move for IT professionals. Many colleges teach computer forensics as part of computer studies and there are also both bachelor's and master's degrees in the subject in some universities. Accountants and lawyers may find computer forensics covered in their studies, and there are vendor-specific qualifications such as those from Cisco and Microsoft.

A key international professional body in the field is the ISACA, which claims to have 75,000 members in 160 countries. The main qualifications are: Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); and most recently, Certified in the Governance of Enterprise IT (CGEIT).

The Information Security and Forensics Society (ISFS) was set up in 2000 to regulate and standardise the practice of information security and forensics professionals in Hong Kong and the surrounding region. In conjunction with local universities, it supports a wide range of qualifications ranging from graduate diploma in computer forensics to a variety of master's degrees that can be studied part-time or online.

Another significant professional body is the International Information Systems Security Certification Consortium (commonly known as ISC²), which covers security policies, including forensics, and grants various professional qualifications. It claims more than 50,000 information security professionals in more than 120 countries.

Forensics capability

All organisations large enough to have an IT staff will need computer forensics skills occasionally, either in-house or outsourced to forensics service providers.

"At the heart of computer forensics is e-discovery, the collection of evidence that will stand up in court," says Logan. "Enterprises that are involved in a significant number of criminal or civil court cases annually need to decide whether to outsource this work to the specialist vendors, or to develop their own in-house resources. Organisations that are new to the e-discovery process, that have always done it manually, that are at the beginning of or in the middle of legal proceedings, or that only have a few matters per year, should first look to the vendors."

Outsourcing is expensive, but a good option in the early stages, especially if the e-discovery involves material that is difficult to work with such as CAD/CAM drawings. But in the long run, in-house skills are cheaper: "Gartner believes the balance will slowly shift from these outsourcers to the enterprise software vendors," says Logan, "as more law firms, regulators and end-users become aware of the options and the software matures. Companies with more than 10 pending matters, or that anticipate more than 10 matters per year, should consider in-sourcing at least part of the e-discovery process."

There are pros and cons to these two approaches. Internal staff may be well-versed in the organisation's structure and security provisions, including such things as user access rights and security policy. But external computer forensics specialists have one big advantage: "They are well-trained and work with many companies," says Steven Chew Lai Keat, senior lecturer, computer science department, Singapore Polytechnic, "So they may be familiar with the whole spectrum of threats facing computer and Internet users."

In enterprises, the cost of computer forensics may be a limiting factor as to what can be investigated. "The supply of computer forensics experts is limited, so their time is expensive," says Chow. "It's standard practice to examine hard disks, which may hold a few hundred gigabytes, so it takes a long time to examine them. We have software tools but a lot of data needs to be examined and analysed. If there are thousands of e-mails, for example, it could take days to analyse them. You need to know exactly what you are looking for, and your search keys must be as focused as possible."

If we consider the three main drivers of computer forensics activity, incident investigation, intrusion documentation and e-discovery, it is clear that the difficulty of these tasks is inversely related to the quality of enterprise data management. If network security is more thorough, there will be fewer security breaches to investigate. Likewise, if corporate data is stored for easy retrieval, e-discovery will require less forensic effort.

Profitable strategy

Better data management and retrieval is a profitable strategy. Unsurprisingly, compliance with regulations and legislation has raised the whole issue of how enterprises manage their data, and especially how they can guarantee to retrieve it on demand.

For many enterprises, the most relevant data for e-discovery is e-mail, and it's also the hardest to archive and retrieve well. Gartner does not recommend a standalone e-mail archiving solution, but "we do recognise that e-mail is the most voluminous and problematic content type for many enterprises," says Logan.

"Companies that are required to keep e-mail for regulatory reasons absolutely need archiving solutions," says Logan. "E-mail archiving can reduce e-mail volume, make search easier and generally aid the efficiency of searching for e-mail as part of the discovery process." Gartner recommends specific e-mail archiving vendors.

It's a sad reflection, but one driver for enterprise forensics is the increasing need to investigate employees as security risks. In 2007, current and former employees overtook hackers as the most likely source of an information security event, according to a worldwide study by CIO and CSO magazines and PricewaterhouseCoopers entitled Global State of Information Security 2007. Singapore respondents, in fact, believe that external hackers account for only 38 per cent of their security risk.

"Like it or not, the trend is for IT managers to monitor staff activities to find out how and when they use their computers," says Chew. "There is no privacy issue when employees are using company computers in company time. The same applies to students."

Sophisticated users

As investigative tools become more sophisticated, so do computer users. "Even only comparatively computer-literate enterprise employees may use 'anti-forensic' utilities (for example, Webroot Software's Window Washer) when they suspect they may be investigated," says John Bace, Gartner analyst, in a report entitled What Every IT Manager Should Know About Digital Forensics. "Strong encryption software is widely available, as is steganographic software that hides the existence of data files from investigators," adds Bace.

Chew sees a lot of cases of employees being reprimanded and fired because of abuse of IT resources. "To avoid this problem, it is important to provide internal training and education and make them aware of the threats facing the network and the company's security policies to deal with them. The key is to persuade employees to buy into the idea."
