FORENSICS SKILLS
Computer forensics: Are you qualified?
Dario V Forte CFE, CISM, founder and CEO of DFLABS Italy
Computer Fraud & Security, December 2008

Industry literature is full of references and diagrams that indicate the level of technical skill required to perform digital investigations in general and computer forensics in particular. When an organisation (enterprise, government office, or judiciary office) is considering digital investigation, the first thing it should do is distinguish between public and private sectors. While the private sector may exercise wide discretion when choosing consultants, because it is mostly concerned with incident response and corporate governance, the public sector, including the police and judiciary offices, needs to follow criteria exactly to avoid challenges in court. One of the most successful case histories in this field is the UK project ‘Skills for Justice’ [1]. According to its literature, an operator needs to know and understand certain legal and organisational requirements and practices for investigating electronic evidence.

Legal and organisational requirements

In order to apply high-level principles of digital forensics, operators should have a wide knowledge of relevant legislation and policies, procedures, codes of practice, and guidelines for investigating electronic evidence. They also need a firm understanding of the relevant legislation and organisational requirements regarding race, diversity, human rights, health, and safety. Operators should understand the limits of their responsibility and be aware of the level of competence they require. They should also be aware of situations and circumstances for which authority is required and how to obtain that authority. Finally, they need to know why risk assessments are required and how to carry them out.

Figure 1: The Skills for Justice website – one of the most interesting justice-related skills initiatives.

Investigating electronic evidence

In order to apply the technical aspects of digital forensics, operators should have strong knowledge (theoretical and practical) of the following aspects of electronic evidence investigations:
• Scientific principles that underpin investigations and the conducting of an investigation
• Establishing the scope, parameters, and objectives of an investigation
• Constraints for electronic evidence investigations
• Types and use of available equipment
• Meaning, strengths and weaknesses, and application of evidentially sound forensic tools and techniques
• Conducting a cross-tool validation of results and the reasons why this is necessary
• Research activities and consultation with third parties to obtain additional information
• Creating a working product including subsets of the data and interim reports
• Documentation of the investigation and the reasons why this is important
• Problems which may occur and how they can be resolved
• Conducting an oral presentation of findings

While the Skills for Justice project is helpful in discovering the need for skills, it is less so in establishing what kind of education a computer forensic operator should have. Common practice suggests that computer forensic operators should have three qualifications. First, they should have an academic diploma (the equivalent of an associate degree) in computer science or similar. This should provide the operator with a minimum skill level on the computers and systems/networks that are going to be investigated. Second, following a diploma, computer forensic operators should obtain certification in the field of operation. Certification poses a dilemma. Best practices suggest that people should be certified in the field, regardless of the vendor of the technology being investigated. Common practices also suggest following this with a second certification related to the technology itself. Third, an internationally recognised certification is a must. Local training can be taken annually.
A scientifically structured computer forensic lab is also valuable for training. Every lab should be equipped with the latest technologies and staffed by several experts, each of whom should be specialised in a specific field (e.g. mobile phones and log analysis).
Budgeting and technicalities

The computer forensic field is growing and includes several sub-fields. The investment required is reasonably great and must be made gradually. Although some prefer to rent the equipment needed, best practices suggest buying it. The choice of equipment is determined by the field of operation and the number and complexity of managed cases. If the field of operation of a lab is entry level (e.g. child pornography investigation and small to mid-sized cases) we suggest starting with forensic hardware and an exploration of the open source forensic field. The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, and incident response) [2]. Open source tools are free and may have a legal benefit over closed source tools (proprietary and commercial) because they have a documented procedure and allow the investigator to verify that a tool does what it claims. Both closed and open source tools are widely recognised in court, but open source forensics is an important emerging field. The number of people involved in this field is growing for both budgetary and court recognition reasons. An illustration of this growth is the almost 10 000 units of PTK software that have been downloaded worldwide since its release by IRItaly at the end of March 2008 [3]. The software, which allows effective and concurrent digital investigations at very low cost, is in English but can be localised in several languages.
The second criterion for choosing equipment is the number and complexity of managed cases. If the number of cases managed is over 200 annually it is better to organise the investment more thoroughly. A preliminary study should be conducted to determine the type of laboratory and technology to be used. It is generally better to avoid technology that has not been used before by the rest of the community, as this will avoid challenges in court.

Figure 2: The CFTT – one of several open computer forensic projects the American NIJ has released.
Conclusions: The future

The author of this article agrees with ISACA, which recently published a position paper about the future of this discipline. The science of computer forensics has a seemingly limitless future and as technology advances the field will continue to expand. Digital evidence has to be handled in the appropriate manner and must be documented for use in a court of law. According to ISACA, “Any methodology, process or procedural breakdown in the application of forensics can jeopardise the cases.” Organisations, both governments and those in the private sector, are beginning to rely on the findings that computer forensics specialists gather when a cybercrime is committed. Computer forensics is quickly becoming standard protocol in corporate and judiciary investigations by expanding beyond the realm of specialised computer incident response teams and police investigative squads. While the corporate world uses computer forensics only for managing security incidents, judiciary offices need it for a wide range of crimes from child pornography to fraud, terrorism, and organised crime. As the overwhelming majority of documents are now stored electronically, it is difficult to imagine any type of investigation that does not warrant a computer forensic investigation. Thus, computer forensics is becoming a standard for electronic crime investigations.
The techniques and methods are also adopted for non-investigative purposes. Examples include data mapping for security and privacy risk assessment, and the search for intellectual property for data protection. Computer forensics is transitioning from an investigation and response mechanism to one of prevention, compliance and assurance. By utilising computer forensics techniques, companies can better protect themselves against potential threats from hackers and angry employees. Additionally, computer forensics schemes can be used when critical files have been deleted accidentally or through hardware failure. Thus, there are several additional applications of the science of computer forensics beyond utilising its methods to investigate computer-related crimes.
About the author

Dario Forte, CFE, CISM, former police detective and founder of DFLabs, has worked in information security since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the US Department of Defense Cybercrime Conference, and the US Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. He provides security consulting, incident response and forensics services to several government agencies and private companies. www.dflabs.com
References

1. Skills for Justice. Accessed 15 Nov. 2008.
2. Open Source Digital Forensics. Accessed 15 Nov. 2008.
3. PTK – An advanced FREE alternative Sleuthkit Interface. Accessed 15 Nov. 2008.
Calendar

27–30 December 2008
25th Chaos Communication Conference
Location: Berlin, Germany
Website: http://events.ccc.de/congress/2008/

29–31 December 2008
WSEAS ISP 2008
Location: Cairo, Egypt
Website: http://www.wseas.org/conferences/2008/egypt/isp/

15–16 January 2009
3rd ETSI Security Workshop
Location: Sophia Antipolis, France
Website: http://portal.etsi.org/securityworkshop/

18–20 January 2009
Intersec
Location: Dubai, UAE
Website: http://www.messefrankfurtme.com/intersec/site/index.php

19–21 January 2009
e-Forensics 2009
Location: Adelaide, Australia
Website: http://www.e-forensics.eu/index.shtml

26–30 January 2009
US DoD Cyber Crime Conference 2009
Location: St Louis, Missouri, USA
Website: http://www.dodcybercrime.com/9CC/

16–19 February 2009
Black Hat DC 2009
Location: Arlington, VA, USA
Website: http://www.blackhat.com

18–20 March 2009
Fraud & Corruption Summit 2009
Location: Brussels, Belgium
Website: http://www.mistieurope.com