SANS was invited by the Institute for Information Industry in October to hold a seminar on digital forensics in Taipei. Philip Hagen will be the main speaker with the theme Convergence Forensics: Leveraging Multiple Skills to Analyze Evidence.

The main speaker himself has been engaged in forensics for many years. Currently, he manages a team of 85 digital forensics experts from U.S. National Security Department and provides forensic consultation services to law enforcement authorities, government and business customers. He has many experiences and develops practical skills and concepts.

The purpose of forensics is lawsuit in large proportion. Of course, forensics activities consume a great amount of human resources, time and other resources. Maybe such activities are intended for studying the attacking acts in malicious programs to implement preventive actions and thus strengthen defense policies. There is a great opportunity to identify the source of malicious program acts. However, as such acts are from non-specific identifiable groups, finally such acts cannot be investigated for. The probability that the conclusion is reached on the case of records on the acts of use of the computer is higher.

 

Traces of material evidence for the occurrence of events

Maybe you will ask the question: “can’t we invoke the records?” We set a simple example to illustrate the relationship between logs provided by the system and the event itself. Such example is a true case. Abstracts of the records of the operating system (simplified) are as follows:

Connect usb

Found Device “Name”

Mount virtual CD drive

Assign driver letter X:

AutoRun Huawai.exe

It is very difficult to infer only from these records that what happened unless we had similar experiences before. Or the investigator is familiar with the Internet connection program and can provide a good deduction. This is actually about bypassing the network management by the company by PC leveraging USB 4G to connect an online network. However, at the same time many events occur on the system. Therefore, such events should be screened when we check these records and unnecessary noises should be filtered out. The subsequent analysis will be easily done. The above mentioned hardware connection records of course are screened in a classified manner and so they are so normalized.

Effective narrowing of evidence scope and filtering out unnecessary noises

If the event to be investigated is very unclear, this is the worst condition. It is expected that we may be trapped in endless evidence investigation and evidences cannot be confirmed or the evidence investigation cannot be completed. Today’s HDD capacity or information volume is usually measured in units of TB. If all of these need to be investigated, several months to several years may be taken. The significance of only finding traces of material evidences if we do not know what happened and when is not great. If obtained event information characteristics, phenomenon description and damage evaluation are more specific, the narrowing of evidence scope will be easier.

Organizing a forensic team. Individuals are not universal and professionals engaged in various fields are needed

Digital forensics include many fields. The computer system that we use includes the operating system, firmware, application software, network connection, peripheral, memory and storage system. Nobody is universal. To organize a forensic team, professionals engaged in various fields need to be recruited and they should process different types of evidences in a work divided manner. Even during the processing period, combination of professions may differ depending on the type of case.

Selection of exhibits to be retained and blind spots

It was previously perceived that a group of people rushed into the office, instantaneously controlled the scene and then detained physical evidences and packaged and returned them to the forensics lab. Such perception is changed. Compared to static materials, evidences that can be investigated for will be more complete. Therefore, live evidences are most valuable clues. After the computer is shut down, programs do not exist, the memory is also lost and obtained system information is not live. Data on the disk are records that are retained. Static records cannot be sufficiently describe the activity behaviors of the program.

However, there are technical problems with live forensics. After  the forensic tool is used, the status of the system memory is changed; the evidence contamination cannot be effectively eliminated. However, Philip Hagen mentioned a perfect case:

When his team entered the client’s office, the investigated person involved rapidly closed the laptop display and the system was hibernated. This is the most perfect. It can be imagined that the computer was instantaneously frozen and program activities on the memory were retained so that the forensics team can easily obtain evidences and did not need to worry about the loss or destruction of evidences.

Not every event necessarily can come obvious

Philip Hagen also shared such concept. Not every event becomes the case and not every case enters judicial proceedings.

The main cause is evidence insufficiency. As obtained information is insufficient although some cases are investigated to a certain extent, it cannot be proven that there are illegal acts. This is very common. The omission of evidences retained on the system causes the effect of evidences to be insufficient. Taking the 4G Internet connection as an example, we only demonstrated that 1. a USB device is connected, 2. A virtual disk drive is mounted, 3. There is autorun for virtual disk drive. Can the case be treated as Internet connection if the above mentioned three items are established? If it needs to be proven that an employee obtains access to the Internet by using a 4G card, then which records are we in the lack of?

1. This device must be used by the employee (login/logout/IP address/HostName/UserName/Account).
2. The program on the virtual disk must be executed (software execution records); AutoRun description does not represent that the program must be executed; and the program must be a connection program (records of connection to WiFi /4G).
3. Access records must be proven. For example, https://tw.yahoo.com is visited (history may only demonstrate the history but cannot be sufficiently prove the device, time or the access is truly made by the person?).
4. The completeness and non-repudiation of these records must be ensured.

Evidences cannot be more solid until the above mentioned evidences are used and some records may need to be supported by third-party software. If evidences are recorded and properly stored in a structured manner when the event occurs at time of the use of the system and there is no reliance on the system logs left on the local computer, it is believed that such evidences will be more useful to the investigation of the event.