Computer Forensics – a Policy Decision

March 1, 2003

In an ideal world, the way in which any organisation investigates and responds to instances of misconduct or illegal activity relating to information technology needs to be directed by strict rules and pre-defined processes. The notion that incident management should be policy-led is increasingly under scrutiny, as there is the potential for disciplinary or even legal action to be triggered as a result of an investigation. It is therefore absolutely key that the investigators work to defined parameters and with integrity of method as well as purpose.

The stakes are high. Poor investigative techniques that are not governed by a set of well defined rules can easily compromise evidence, miss vital information and even lead to unsafe and misguided conclusions. The implications for those affected can be very serious indeed.

Without the guiding hand of a well drafted policy and supporting procedures, the investigation of an IT-related security incident is rarely completed without error. This can of course seriously affect the outcome from a legal perspective and the bottom line is that the success of any forensic investigation is heavily dependent on sound policy setting.

Formulating policy relating to complex issues such as incident management and forensic investigation is not the most simple of tasks. Indeed many organisations, having taken the decision to try and make their policy position clear, have a great deal of difficulty in knowing where to start and end the process. But the most important point is that the policy needs to be as sound as the investigative procedure itself.

Policies should also be pragmatic as there is a great deal of scope to drill down into ever more detail and get seriously bogged down in the nuances of policy making. Complex policies always turn out to be ineffective as they are difficult to maintain and administer but, worst of all, the intended audience frequently ignore them when they are hard to understand or impractical.

An effective policy should be a long-term document that is designed to assist in providing a framework for decision-making on security incident issues and concerns. The policy should enable the business to manage security issues effectively and to minimise the legal liabilities they may expose themselves to. It should also seek to assign responsibilities and ownership levels and provide a budgetary framework and procedures for protecting the interests of the organisation. An important element is a clear statement of commitment and support from senior management, without which many policies are doomed to failure.

Thankfully, there already exists a tried and tested frame of reference that encompasses the requirements for incident management within the context of the overall information security needs of the organisation. That frame of reference is BS7799 – the recognised standard for information security, a British standard that is moving steadily towards global endorsement. The standard encourages a culture of security awareness based on risk assessment and management, throughout departments, businesses and organisations. It helps to put in place a comprehensive and consistent information security infrastructure that encourages a culture of constant review and improvement. Certification to the standard by an accredited third party also provides an independent assessment of the strength and coverage of the security infrastructure.

Policy and Incident Management

By implementing a standard such as BS7799, organisations should be able to avoid many of the risks associated with information security breaches. However, should an investigation become necessary, its effectiveness will be heavily dependent upon policy guidelines – the way in which each incident is managed must be governed in such a way as to maintain its legal integrity. Too many investigations are irreparably compromised through poor practices, avoidable errors or just basic naivety, when they could be supported and guided with the help of a well-considered policy.

A well-structured and disciplined investigation has a high chance of success and avoids the mistakes that many organisations have made in the past through ill-planned, hasty action. A few simple procedures can make all the difference between a discreet and successful investigation of the facts and an embarrassing, botched fiasco with serious repercussions.

When a potential breach of security is discovered, it is wise to follow some basic incident management procedures, such as the following:

* Document the facts, tip-offs, clues and any other useful information for constant reference.
* Research the background as much as possible. What computers are involved? What are the backgrounds of the main suspects (eg are they very technically able?).
* Establish who you need to speak to in order to get a clear picture of the situation.
* Establish the extent of the incident – what systems are involved and which departments?
* Establish whether the systems involved are vital to the running of the business. If so, the investigation may have to take place outside of normal working hours.
* Consider the legal position. Will the investigation be breaching the suspect’s rights under the Human Rights Act or Data Protection Act? Do you retain the right to monitor e-mail and Internet usage in your policies?
* Pull together a team of people with the desired expertise, then allocate a team leader and responsibilities for each team member.
* Liaise with the police if appropriate.
* Engage specialist help if necessary (check they understand law enforcement guidelines on forensic work).
* Make sure the investigation has access to a comprehensive set of software and hardware tools.

Look before You Leap

It is very important to take some time to consider the overall position before taking any action. For instance, should the investigation be overt or covert? If it is suspected that someone within the organisation has caused the incident, the investigation may have to be carried out in a very low profile manner to avoid tipping them off. Usually this means investigating the circumstances, and in particular any systems involved, outside of normal working hours.

When attending the scene of the incident, the initial actions are the most important. Ill-considered ‘rummaging around’ will most likely scupper all chances of a successful investigation of the circumstances. At best this means wasting a lot of time, while at worst it could destroy the very evidence required, leaving the distinct possibility of a repeat of the incident.

In addition, taking into account the apparent extent of the potential investigation plus the complexity, number and size of systems to be examined, consider whether there is sufficient time to complete the inquiry. If it is important not to alert anyone, consider whether the evidence can be secured and the investigation continued outside of normal working hours.

The overall success of an investigation can depend on securing any potential evidence as soon as possible, so it is vital to assess how any evidence that may be present is to be secured. Consider ‘imaging’ the complete system to freeze the evidence. This may not always be possible or necessary, depending on the particular circumstances encountered. (‘Imaging’ is an accepted forensic practice of taking a bit-by-bit copy of hard disks and exchangeable media. This effectively clones the original media and freezes the potential evidence at that point in time.)

It is rarely advisable to investigate the original system by just accessing it and having ‘a poke around’; there is a very high likelihood of this destroying any evidence, or making any evidence identified inadmissible in a court of law should it go that far. For example, a great deal of evidence can be uncovered from the free ‘unallocated’ space on disks. It is vital therefore that no-one loads any software on the system that may overwrite the free space. Just viewing files on most systems will change important date information that may be crucial in proving a chain of events.

Careful checking of the situation on-site and the facts is both prudent and wise. It is not unknown for someone with apparent ‘first-hand knowledge’ of the incident to come out with a different explanation of the chain of events when their initial panic has subsided.

The investigators need to consider whether the incident needs to be reported to the police or other law enforcement body (eg HM Customs & Excise or the Serious Fraud Office) at an early point in the process. This is extremely important as failure to notify the appropriate body could leave the business and its management criminally liable. If it is not apparent that a reportable offence has been committed at an early stage, then the issue should be reviewed throughout the course of the investigation in case circumstances have developed further.

If it is possible to consult other members of staff at the scene of the incident, without alerting any potential suspects, it should be done discreetly and you should be sure to make them aware of the need for secrecy. Ask open questions (who, how, what, when, etc.) and avoid leading the interviewee (eg by mentioning names or blaming people). A record should be made of all conversations and information received and you should look for logical and non-malicious explanations for the chain of events before considering deliberate acts. It is vital to rule out the obvious before investigating the improbable.

There are times when it is more prudent and timely to make use of standard system utilities or features. For example, the use of an operating system utility to search through large log files may be expedient in certain circumstances. If a back-up copy of the log is taken and worked upon this can be an acceptable and expedient method of investigation. Care must be taken however to ensure that you never work on the original of any record if there is any likelihood of it being needed as evidence in a potential prosecution.

Back-up devices – tape drives, CD writers, optical disks, floppy disks, etc – are all valuable media on which to secure copies of files for subsequent investigation. CD-ROMs are a particularly good medium for investigation work as they are a ‘write once’ medium and secure for evidential purposes. It is obviously possible to write-protect other media also, but in most cases it is wise to take two copies of any potential evidence on separate media, duly witnessed and validated – this will counter any accusations of tampering or ‘planting evidence’ later.

It is often expedient to copy files to other systems on the network, or by making a direct connection from a laptop to the system under investigation. If it is intended just to gather intelligence information on what has happened, this can be sufficient. However, even if it is not envisaged that disciplinary or legal action will be taken at that point, it is important to maintain the chain of evidence all the way along the line.
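The three points above – never work on the original record, take two witnessed and validated copies, and keep the chain of evidence intact even when only gathering intelligence – can be illustrated in a small script. The following is an added example and not part of the original article or any product it mentions: it hashes the original file, takes two copies and verifies each against the original, writes an acquisition record naming the examiner and witness (placeholder names), runs a keyword search only against a copy that still matches the record, and shows that a later alteration of one copy is detected. The log lines, host name and addresses are constructed for the example.

```python
"""Securing copies of potential evidence and working only on verified copies.

Added illustration (not from the original article). Names, paths and the sample
log are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample log (not real data); two lines contain the search term.
SAMPLE_LOG = (
    "2003-02-27 22:14:01 host1 login: FAILED LOGIN for admin from 10.0.0.45\n"
    "2003-02-27 22:14:09 host1 login: FAILED LOGIN for admin from 10.0.0.45\n"
    "2003-02-27 22:14:15 host1 login: session opened for admin\n"
    "2003-02-27 22:31:40 host1 ftpd: file transfer payroll.xls by admin\n"
    "2003-02-27 23:02:12 host1 login: session closed for admin\n"
)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large images are handled without loading them whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def secure_copies(original: Path, destinations: list[Path], examiner: str, witness: str) -> dict:
    """Copy the original to each destination, hash every copy and record who did it."""
    original_hash = sha256_of(original)
    record = {
        "original": str(original),
        "sha256": original_hash,
        "examiner": examiner,
        "witness": witness,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "copies": [],
    }
    for dest in destinations:
        shutil.copy2(original, dest)  # copy2 preserves timestamps as well as content
        copy_hash = sha256_of(dest)
        record["copies"].append(
            {"path": str(dest), "sha256": copy_hash, "verified": copy_hash == original_hash}
        )
    return record


def verify_copy(record: dict, path: Path) -> bool:
    """True only if the file still hashes to the value recorded at acquisition."""
    return sha256_of(path) == record["sha256"]


def search_log_copy(record: dict, copy_path: Path, needle: str) -> list[tuple[int, str]]:
    """Search a verified copy; refuse to proceed if the copy no longer matches the record."""
    if not verify_copy(record, copy_path):
        raise ValueError(f"{copy_path} does not match the recorded hash; do not use it")
    hits = []
    with copy_path.open("r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if needle in line:
                hits.append((lineno, line.rstrip("\n")))
    return hits


def run_demo() -> dict:
    """Walk through acquisition, verification, search and tamper detection."""
    work = Path(tempfile.mkdtemp(prefix="evidence_"))
    original = work / "auth.log"
    original.write_bytes(SAMPLE_LOG.encode("utf-8"))
    copy_a, copy_b = work / "copy_a.log", work / "copy_b.log"
    # Placeholder names: in practice the examiner and the witness sign the record.
    record = secure_copies(original, [copy_a, copy_b], examiner="<examiner name>", witness="<witness name>")
    hits = search_log_copy(record, copy_a, "FAILED LOGIN")
    # Simulate a later alteration of the second copy; verification must now fail.
    with copy_b.open("ab") as fh:
        fh.write(b"2003-02-28 09:00:00 host1 login: session opened for admin\n")
    tamper_detected = not verify_copy(record, copy_b)
    return {
        "all_copies_verified": all(c["verified"] for c in record["copies"]),
        "hit_count": len(hits),
        "first_hit_line": hits[0][0] if hits else None,
        "tamper_detected": tamper_detected,
        "record": record,
    }


if __name__ == "__main__":
    result = run_demo()
    for key in ("all_copies_verified", "hit_count", "tamper_detected"):
        print(f"{key}: {result[key]}")
    print("acquisition record:", result["record"])
```

The record produced by `secure_copies` is the part worth keeping with the evidence: it ties the hash taken at acquisition to the people present, so that a copy presented later can be shown either to match or to have been altered, which is what the witnessing and validation in the text are for.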

In serious cases it is vital that any potential evidence is secured in a forensically sound manner. There are a number of good, specially designed, computer forensic systems on the market and in common use throughout law enforcement and the private sector.

There are recognised law enforcement guidelines on securing computer-related evidence. Developed by a group of the major law enforcement agencies in the UK, these guidelines are designed to ensure consistency in the handling of computer-related evidence. The guidelines were published by the Association of Chief Police Officers (ACPO) and have formed the basis of similar initiatives in other countries.

The biggest danger in most cases is that the investigator(s) will make hasty assumptions and act upon them before the incident has been thoroughly investigated. If this happens, there is a danger that the wrong conclusions will be drawn, and the wrong people will be confronted.

If it is not clear what precisely has happened and who was involved, the investigators should consider the next course of action. Does the scope of the investigation need to be broadened? Can the computer systems provide more evidence through the use of lower-level search tools (eg searching for deleted data and file signatures using forensic software)?

In some circumstances the assistance of a full-time computer forensic investigator or a security specialist may be required. Has all of the available evidence been found, or is there still ‘a golden nugget waiting to be mined’?

Final Stages

When a conclusion has been reached as to the chain of events, the cause, the implications to the organisation, and the steps necessary to contain the situation, it is time to report, take action and follow up with any remedial action identified as necessary.

The final stages of an investigation of an IT security incident are varied, but commonly include reporting to senior management on the outcome, conclusions, and lessons to be learnt for the future, as well as reporting the incident to the appropriate body (internal/external – eg internal audit, the police, ISPs etc.).

It is only by following procedures such as these and by adopting a sound security policy encompassing the disciplines behind forensics, that an organisation can hope to reach sound conclusions should an investigation be required. However, the adoption of a standard such as BS7799 should help to reduce overall security risks, prevent incidents from occurring and minimise the need to perform such investigations in the first place.

Further information can be found at