CHAPTER 1: THE ROLE OF FORENSICS WITHIN ORGANISATIONS – Computer Forensics: A Pocket Guide

The importance of information security within an organisation is becoming better understood. Regulation, legislation and good governance are all motivators for organisations to consider the role information security plays in protecting data. Whilst better understood, the adoption of good information security practices is far from uniform across all organisations, with enterprise companies faring better than many smaller organisations, which are trailing in their knowledge and deployment of secure practices. With the significant and growing threat arising from cybercrime and related activities, it is increasingly important that all organisations address the issue of ensuring good information security.

In order to appreciate the need for computer forensics within an organisation, it is important to look at the nature and scale of the threat that exists. Unfortunately, truly understanding the scale of the threat is difficult, as the reporting of cybercrime is relatively patchy. Many organisations see such reporting as something that will affect their brand image and reputation. Whilst discussions are being held in some countries about implementing laws to force organisations into reporting incidents, at this stage the industry relies upon survey statistics to appreciate the threat. Many such surveys exist, but four in particular, used together, provide a good overview of the cybercrime landscape:

  • Computer Crime and Security Survey [1] by the Computer Security Institute (CSI) – an annual survey that typically has over 500 respondents, with a focus upon the United States and a skew towards Enterprise organisations. This survey is a regularly cited source for understanding the nature of the threat.
  • Global Information Security Survey [2] by Ernst & Young – another annual survey, but with a wider perspective. In 2009, the survey had almost 1,900 organisations from over 50 countries across all major industries.
  • Information Security Breaches Survey [3] by the UK Department for Business, Enterprise and Regulatory Reform (BERR) – a UK-focused survey with over 1,000 respondents (in 2008). In comparison to the previous two surveys, the respondent group in this survey is far more focused upon SMEs rather than Enterprise organisations. It is possible, therefore, to appreciate a different perspective on the problem.
  • Global Internet Security Threat Report [4] by Symantec – once a twice-yearly publication, the report is now published annually. This report differs from the previous three in that it does not rely upon people to report the findings. Instead, Symantec acquire the information from a variety of sensors and systems deployed throughout the world. The report therefore provides a far more statistically reliable picture of the nature and scale of the threat; however, it fails to illustrate what the consequences of those threats are and what efforts are being made to better secure systems.

Taking a snapshot of the most current surveys at the time of writing, it is clear that the nature and seriousness of the threat is considerable. Looking at the mainstay of cybercrime, malicious software (malware), it can be seen that it still poses a significant threat to systems. The CSI survey in 2008 reported that 50% of respondents experienced a virus incident (a category which includes other forms of malware). The BERR survey reports this as lower, at 35% overall in 2008; however, when analysing Enterprise organisations only, this number shoots back up to 68%. This demonstrates that, at present, Enterprise organisations are a far larger target for attackers. Indeed, Symantec’s report has identified that threats are increasingly being targeted at specific organisations or individuals, and the CSI survey also reported that 27% of respondents had experienced targeted attacks within their organisation.

An underlying theme in this changing threat landscape is the move towards financial reward. Symantec reports that the underground economy is generating millions of dollars in revenue from cybercrime-related activity. Previously, financial reward was infrequently a key driver of cybercrime. Hackers would break into systems in order to demonstrate their technical ability over those administering the systems, and malware writers created viruses and worms that would maximise their infection and spread throughout the Internet. However, since the beginning of the millennium the surveys have shown an increasing focus upon threats that provide a financial reward to the attacker. Advance-fee fraud (419 scams) and phishing are two examples of widespread threats aimed at providing financial reward. As awareness of these widespread threats increases, so the threat evolves towards more targeted forms, such as spear phishing.

Whilst the previous two trends are focused upon threats that enter the system from outside the organisation, the surveys also point to a considerable threat coming from inside. The CSI survey put this second only to virus incidents, at 44% of respondents, with the BERR survey at 21%. Moreover, the BERR survey in particular noticed a significant swing from external to internal threat, with over two-thirds of the worst incidents arising from insider misuse. Organisations, therefore, may face a considerable threat from their own employees.

This becomes more concerning when you appreciate that many of the traditional information security mechanisms are focused upon ensuring that attackers from outside the system cannot get in. Frequently, little consideration is given to attackers already within the system.

Whilst the nature of the threat has changed significantly, it is essential to realise that it is still evolving. Although it is difficult to predict what form the threat will take in the future – largely because doing so will itself ensure the threat evolves in a different direction – it is important to ensure that information security is not simply a reactive system that deploys new countermeasures upon identification of new threats, but one that proactively seeks to develop controls, practices and policies to assist in their identification and prevention.

The discussion up to this point has focused upon cybercrime. However, it is also important to appreciate that information systems are not simply the target of crime but are frequently used as a tool for crime. Many forms of traditional crime, such as money laundering, fraud, blackmail, distribution of child pornography and illegal drug distribution, can all be facilitated by the use of computers. Indeed, given the ubiquitous nature of information systems and the efficiency gains achieved in using them for financial record keeping and communication, it is difficult to envisage many crimes of this nature not using computers. From an organisational perspective, it is important to ensure that you do not simply protect your systems from cybercrime threats, but also ensure that they are not being used to facilitate traditional crime.

Digital forensics is a growing specialism that assists organisations in the identification of misuse. In comparison to many areas of traditional information security, such as authentication and access control, it is relatively new, born out of the need to be able to identify exploitation of electronic systems in a manner that would be deemed acceptable by the judicial system. Within digital forensics, a number of more specific subcategories exist, such as computer, network and embedded forensics. Each in turn seeks to understand its specific technology platform in order to capitalise upon the evidence being captured. For instance, within computer forensics, tools, techniques and procedures have been developed to extract evidence from hard drives and volatile media. Significant time has been focused upon understanding the nature of file systems, in order to ensure all artefacts are identified and to appreciate the nature of the data. Within embedded forensics, such as that of mobile devices or game consoles, the nature of the underlying architecture means that different tools and procedures are required in order to extract relevant artefacts in a forensically sound manner.

A key driver to date for the use of computer forensics has been law enforcement and the identification of traditional crime. This quickly moved on to cybercrime, but is still largely within the sphere of law enforcement and their need to analyse systems in a legally acceptable manner in order to bring the guilty to justice. However, although this driver has not changed, organisations are increasingly identifying the importance of establishing computer forensics expertise. Whilst organisations might not always seek criminal or civil compensation for the attacks against their systems, it has become accepted that the tools, techniques and procedures developed for digital forensics provide an effective and sound methodology for analysing systems. The primary motivation for using forensics is incident management: the ability to identify which files have been affected and how the malware has infected the system, with a view to closing the vulnerability. Forensics within the organisation can also be used to identify possible insider misuse of systems or information. An organisation equipped with a well-trained computer forensic capability is able to both reactively and proactively defend against attacks from both inside and outside the organisation.

The primary focus within the digital forensic industry has been on computer forensics, and as such the focus of this pocket book will largely be on computer forensics. However, many of the processes and procedures documented within the forthcoming chapters are also appropriate for use within the other areas. In addition, a chapter has been included to discuss specific aspects of network and embedded forensics, as both of these are becoming increasingly important in a world where mobile devices are ubiquitous and anti-forensic techniques are more commonplace. The next three chapters focus upon the core procedural aspects of computer forensics: the proactive stance, acquisition and analysis.


[1] Richardson R, CSI Computer Crime and Security Survey, Computer Security Institute (2008). www.gocsi.com

[2] Ernst & Young, Outpacing Change: Ernst & Young’s 12th Global Information Security Survey (2009). http://www.ey.com/Publication/vwLUAssets/GISS Report 2009 (English)/$FILE/12th%20annual%20GISS AU0 383 en.pdf

[3] BERR, Information Security Breaches Survey (2008), Crown Copyright. www.berr.gov.uk/files/file45714.pdf

[4] Symantec, Symantec Global Internet Security Threat Report: Trends for 2008 (2009). http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper internet security threat report xiv 04-2009.en-us.pdf