Digital investigation is the application of scientific methods to the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence from digital sources. The evidence may be used to reconstruct events deemed to be criminal or that contravene laid-down procedures.
Digital investigations for an organization differ from digital investigations for law enforcement in the procedure adopted. Different models of operation have been suggested depending on the complexity of the situation.
Digital investigations arise from an occurrence, suspected, attempted or actual, in an organization. Such occurrences are triggered by internal and external factors and can cause considerable damage or loss to the organization, directly or indirectly. In this scenario, the alleged network intrusion reported at the health care company HCC Partners in Life has adverse effects on the clients' records and the company's resources. These may include, among others:
- Abuse of the organization's resources such as internet access
- Fraud and misrepresentation affecting clients and the company
- Unauthorized access to the health care company network
- Sexual harassment or display of indecent or pornographic material
- Breach of contracts of confidentiality between the health care facility and its patients
- Departmental misuse
- Security breaches such as theft of confidential data, unauthorized access by hackers, hacking of the hospital system and unauthorized modification of data.
A contingency plan should be put in place to mitigate such incidents. A framework is formulated within the organization to prepare for both low-frequency/high-impact and high-frequency/low-impact events.
This paper details the investigation procedure carried out by XYZ Inc. on behalf of HCC Partners in Life. Our case study focuses on a network and server intrusion at the health facility. An incident of network and server intrusion was reported to the HCC Security Operations Center (SOC). The intrusion affected the intrusion detection system logs: the IDS logs reported are unusual, and as such their integrity is questionable. Also affected was the HCC database, through a mail attachment sent to the system administrator. His Microsoft Windows XP workstation behaved strangely after he opened the attachment, which supposedly contained benefits information but was found to be empty. To ascertain the instances of attack at HCC, our team, which I lead, will develop a contingency plan to verify the suspicion and to respond to and analyze the incident.
HCC uses a Snort IDS running on Linux systems. The system uses signature-based detection, which compares network traffic against known signatures to detect and analyze suspicious and unwanted traffic. Anomaly-based systems instead filter and alert when network traffic deviates from normal behavior. This is relevant for HCC since the IDS logs are of questionable integrity. The intrusion detection system employs more than one signature in its NIDS library; this caters for proprietary industrial-controller data transmitted between discrete devices, which is often flagged by anomaly-based systems.
Network-based intrusion detection systems have the advantage of wide coverage: an entire network can be covered using a single NIDS. In addition, installing or upgrading a NIDS has minimal effect on the network, and a NIDS is not exposed to denial-of-service attacks directed at the host. It also has the benefits of identifying network-layer errors and of operating independently of the host environment.
- To whom should initial suspicions or observations be reported?
- How should the evidence be vetted to ensure that good evidence is acquired?
- What steps need to be taken to identify relevant digital evidence, and how can the acquired evidence be preserved without contaminating it?
- How can the health care facility operate effectively during the investigation without creating a crisis that might be worse than what is being investigated?
- What legal obligations does the health care facility have during the investigation, and how should it work with external law enforcement agencies?
- What is the role of management in determining the direction of the investigation, and how should possible bias be dealt with?
A digital investigation is classified into different stages according to the model adopted. These stages can further be classified into smaller distinct and discrete sub-groups for easy execution.
Researchers at the U.S. Air Force studied various models and identified common characteristics exhibited by these models. They then incorporated them in a single model known as the Abstract Process Model. Considering the situation at hand, our company will use this model to carry out the investigation and reach a conclusion. The model has 17 phases classified into 5 major groups:
- Preparation
- Deployment
- Physical crime scene
- Digital crime scene
- Analysis
The readiness (operations) phase involved developing response mechanisms and operational infrastructure and hiring a CFA. The health care facility contracted our company, XYZ Inc., to determine the validity of the claims of a breach and, if confirmed, to take appropriate steps to retrieve reliable digital evidence sufficient to sustain a case in a court of law. Before the start of the digital investigation, the clocks on all the servers were synchronized with NTP.
Identification
Identification is the detection stage of a crime. The investigation was prompted by reports to the head system administrator that the HCC database servers and network were compromised and vulnerable to an intrusion attack. The administrator reported suspicious behavior of a workstation after opening a mail attachment that was found to be blank. Likewise, the network logs indicate abnormal behavior and cannot be relied on unless a thorough investigation is done. Verification of the incident involved locating the affected workstation and plugging a laptop into the network so that a scan could identify the open port. The administrator inserted a CD-ROM of incident response tools into the system and logged in in order to copy data relating to running processes and open ports.
DATABASE ADMINISTRATORS COMPUTER
A preliminary inspection of the system revealed that the intruder had installed malware on the administrator’s workstation, a variant that contained a sniffer. In addition, the malware contained a root password for neighboring computers. The logs show that the intruder had gained access to the network through a backdoor installed by the malware. The intruder gained access to the compromised computers without having to provide a password, by entering his backdoor code with the word “benefits” at the login prompt. All the data were saved on the laptop and presented to the health care facility to confirm an intrusion.
DATABASE SERVER
A forensic SQL Server analysis was done to collect database artifacts safely and non-disruptively. The data obtained is analyzed to confirm or rule out database intrusion and to retrace the actions of the intruder within the database. It was found that the intruder got into the system, accessed the HCC database and obtained confidential patient details. The forensic process included identifying the default logging, and extracting and analyzing database evidence, including traces left by rootkits. It was revealed that the intruder tried to copy patient details from the database. This can be detrimental to the government.
PRESERVING EVIDENCE
The team acquired the evidence from the compromised sources and saved audit logs of the intruder’s actions. A scan of the entire network revealed some degree of compromise that could undermine the organization’s policy on data integrity, availability and confidentiality. The intruder got into the system but did not keep an audit log or trace of his actions, and consequently failed to determine which documents on the administrator’s computer belonged to which department. The intruder managed to enter the system several times, even after an initial scan of the system, and successfully sniffed the actions of the users. Of particular concern were the financial transactions the facility was conducting at the time. All the evidence collected regarding the system logs was digitally signed and saved on the team’s laptop to be produced to the management.
Web browser histories would prove useful in determining the sites recently visited by the suspect. The computer stores this information in the history of the web browser. Opening those sites can be crucial in evaluating what the suspect had been up to in the recent past. Download locations are another place that must be checked: if any data was downloaded from a particular site or server, it will be found there.
In order to determine immediately what the suspect was doing in the moments before his arrest, the list of recent documents can help. If he had been manipulating records or accessing some form of documents prior to arrest, this can easily be determined. This information provides an easy and fast opportunity to analyze the information at hand and determine its relevance to the case.
Approach Strategy
This entails developing a mechanism for collecting evidence while minimizing contact with the suspect. The health facility’s DNS might be compromised and the network hacked; as a result, it is prudent to forgo the use of the primary DNS and shift operations to the secondary. The HCC administrator gave permission for the team to shut down and rebuild the primary DNS server once it was established that the secondary DNS server was not compromised. The server was taken down for the shortest time possible without compromising the health care facility’s operations.
The physical crime scene investigation yielded no physical evidence. The possibility of a physical insider was ruled out. During physical documentation, server configurations and serial numbers were recorded (Kizza, 2009).
Digital collection and Preservation
Once the source of evidence was known, it was important to secure it to reduce contamination and distortion. Preservation aims to maintain the integrity of evidence during the investigation and ensures that the availability and quality of evidence are not compromised. The digital data obtained at the crime scene was copied and saved on the laptop using the trusted tools from the CD. The team, led by the CFA, determined the MD5 value of the disk and duplicated the data on the disk over the network. The hash of the forensic image on the laptop was then verified against it.
Digital Analysis
This is the analysis of the collected data. It is the most complex and time-consuming of all the phases. It serves to confirm or refute the allegation that a crime occurred. The data collected is surveyed and reduced to manageable quantities, which are used to form an opinion of the occurrence and to answer the questions asked.
The team, led by the CFA, made working copies and noted the processes that change the data. The image obtained above was analyzed using analysis software. The MD5 hashes of the system binaries were compared with the server’s fingerprint database to determine the altered files. Logs were analyzed to identify suspicious logins.
The digital survey phase found a rootkit, an installed SSH server and executable files. Further scrutiny established the file modification timeline at the time of the rootkit installation.
The reconstruction stage analyzed the evidence and concluded that the attack resulted from malware on the administrator’s workstation, a variant that contained a sniffer, combined with a vulnerable version of the SSH server. The attacker gained remote control of the system through the suspicious open port, which used a custom protocol. However, no HCC sensitive information was accessed, copied or transferred.
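As an added illustration of the hashing steps described in the preservation and analysis phases (example code written for this discussion, not XYZ Inc.'s or HCC's tooling), the script below hash-verifies an acquired image and compares the hashes of system binaries against a fingerprint database of known-good values; the file names, contents and fingerprint database are constructed. It records SHA-256 alongside the MD5 the report used, since MD5 collisions are practical and a stronger hash is advisable for evidence.

```python
"""Hash-verify a forensic image and compare system binaries against a
known-good fingerprint database (added example; paths, contents and hashes constructed)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a full disk image fits in memory

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading the file once in chunks. MD5 is what
    the report used; SHA-256 is kept alongside because MD5 collisions are practical."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """True only if every hash recorded at acquisition matches this copy."""
    actual = hash_file(path, tuple(expected))
    return all(actual[name] == expected[name] for name in expected)

def find_altered(root, fingerprints):
    """Compare every file under root with the server's fingerprint database
    (relative path -> known-good MD5). Returns (altered, unknown):
    altered = hash differs from the database, unknown = file not in it."""
    altered, unknown = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hash_file(full, ("md5",))["md5"]
            if rel not in fingerprints:
                unknown.append(rel)
            elif fingerprints[rel] != digest:
                altered.append(rel)
    return sorted(altered), sorted(unknown)

def demo():
    """Constructed mini server: record fingerprints, simulate a replaced ps and a dropped sniffer."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    files = {"bin/ls": b"original ls", "bin/ps": b"original ps"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    fingerprints = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    image = os.path.join(root, "bin/ls")
    expected = hash_file(image)           # hashes taken at acquisition time
    with open(os.path.join(root, "bin/ps"), "wb") as fh:
        fh.write(b"trojaned ps")          # replaced to hide the intruder's process
    with open(os.path.join(root, "bin/sniffer"), "wb") as fh:
        fh.write(b"sniffer")              # new file, absent from the fingerprint database
    altered, unknown = find_altered(root, fingerprints)
    ps_ok = verify_image(os.path.join(root, "bin/ps"), {"md5": fingerprints["bin/ps"]})
    return {"image_intact": verify_image(image, expected), "ps_tampered": not ps_ok,
            "altered": altered, "unknown": unknown}
```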
Presentation/reporting
At this phase a summary highlighting the relevant findings was presented to the management, legal personnel and law enforcement agencies. A detailed written technical report was presented to the HCC management with recommendations to patch all systems and remain on high alert for some time.
Closure phase
After attaining the laid-down objectives, the investigation was closed. A critical review of the entire task was done to act on the decisions arrived at and to apply the lessons learned. Evidence was returned to HCC Partners in Life and all the information relating to the incident was preserved.
Fig. 2: Simplified digital investigation framework
The framework highlights the repetition of some important stages. Preservation is continuous across the collection, examination and analysis stages. This implies that activities such as imaging, chain of custody and time synchronization are important throughout the investigation.
It can be concluded that this model allows the interaction of physical and digital investigations applied to corporate institutions. Because of the challenges faced by digital investigations alone, a physical investigation adds credibility to digital evidence in order to sustain a case in court.
Importance of the expert witness
After establishing all the facts, the next step would be court proceedings against the culprits who have been identified. Before proceeding to court, it is important to have expert witnesses, who will be essential in the court proceedings. Expert witnesses are important in this case because the evidence that would largely be relied on comes from the expert. It is to be noted that fact witnesses play little role here, because electronic and digital information can be changed without being seen or perceived by the other senses that play a large role in factual testimony.
Another important element is to have the metadata of the database data that has been tampered with. Metadata is data about data: it describes the containers of data and, furthermore, any individual instances of data. Metadata is important to computer forensics because it gives a clear indication of the environment and particulars associated with any data. The contents and quality of data can be determined from its description. Examples are a description of the language in which data stored in a database is written, the tools that were used to create files and when the files were created. Metadata also provides information relating to rights and administrative access to documents and data. This is most useful in determining who had access to data at any particular time.
Steps taken in the documentation
There are many steps to be taken in the documentation process. Certain folders should be well documented so that they give the required information.
The first step is to document the content and the status of some folders on the affected computers.
- “C:\$Recycle.Bin” directory:
This folder contains all the data or documents that have been deleted. They are documents that are no longer needed for use; however, they might be needed in the future and hence can be retrieved. The information that can be found here includes documents that the suspect might have deleted from the main folders of other partitions on the hard disk, such as records of transactions, reports, draft reports or even letters and memos.
- “C:\Program Files” directory:
The Program Files directory contains program files. These files are used to run the applications that are essential to task performance, such as office applications and other software. They will be instrumental in determining the software applications most used by the suspect, and will aid in the general reporting and in establishing a starting point for the investigation.
- “C:\Users\Roberts\Desktop” directory:
This folder contains all the information stored on the computer desktop. As with the other folders, the information that can be gathered here includes documents such as reports, memos or any other documents that might have been stored there.
- “C:\Users\Roberts\Documents” directory:
The folder named above is used to store documents. It contains all the documents saved by the user or saved automatically by the system.
After these folders have been documented, the logs should be recorded so that the whole process is accounted for.
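The folder documentation above and the file modification timeline from the digital survey both rest on file metadata; as an added example (not the report's own procedure), the script below records the metadata of every file under a given root, writes the documentation as a JSON-lines log, and lists the files modified within a window around the rootkit installation time. The directory names, files and timestamps are constructed.

```python
"""Document folder contents and build a file-modification timeline around the
rootkit install time (added example; files, paths and timestamps constructed)."""
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

def collect_metadata(root):
    """One record per file under root with what the documentation step needs:
    path, size, owner uid, mode and the access/modify/change times (epoch)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record a symlink itself, do not follow it
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size, "uid": st.st_uid,
                "mode": stat.filemode(st.st_mode),
                "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime,
            })
    return records

def timeline(records):
    """Records ordered by modification time, oldest first (path breaks ties)."""
    return sorted(records, key=lambda r: (r["mtime"], r["path"]))

def modified_within(records, anchor, window):
    """Paths whose mtime lies within +/- window seconds of anchor, e.g. the
    rootkit installation time identified during the survey."""
    return [r["path"] for r in timeline(records) if abs(r["mtime"] - anchor) <= window]

def write_log(records, path):
    """Append the documentation as JSON lines so the step itself is logged."""
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            when = datetime.fromtimestamp(r["mtime"], timezone.utc).isoformat()
            fh.write(json.dumps({**r, "mtime_utc": when}) + "\n")

def demo():
    """Constructed workstation: rootkit installed at T; a replaced sshd and a
    sniffer log cluster around T while the user's own documents do not."""
    root = tempfile.mkdtemp()
    t_rootkit = 1_262_304_000  # constructed install time, seconds since epoch
    files = {"Users/Roberts/Documents/report.docx": t_rootkit - 3 * 86_400,
             "Users/Roberts/Desktop/memo.txt": t_rootkit - 86_400,
             "Program Files/OpenSSH/sshd.exe": t_rootkit + 120,
             "Windows/Temp/sniff.log": t_rootkit + 300}
    for rel, mtime in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"x")
        os.utime(full, (mtime, mtime))  # set atime/mtime to the constructed story
    records = collect_metadata(root)
    write_log(records, os.path.join(root, "documentation.jsonl"))
    return modified_within(records, t_rootkit, 600)
```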
Team preparation for court testimony
The team should be well prepared to give their testimonies in court. It is important to understand the technical aspects of what went on in the computer systems. The human resource manager should tell the court what her normal day usually involves. She should list the policies of the human resource department. Human resource management should know who should have access to the benefits document and who should be allowed to send it. This will help the court determine where the breach and the suspicion came about. The database administrator should also be well versed in the logging process and know what is regarded as suspicious in the whole process.
Ethical responsibilities
The whole process should be ethical. The data being dealt with in this process is that of a health care institution. Patient data should be handled with integrity of the highest order, because patient information should be confidential. This should be the case throughout the process. Any evidence found that relates to patient data should be kept confidential.
One of the ethical requirements is that, in the whole process, no one should be implicated or accused before proven evidence is obtained. No expert in their field should be accused of wrongdoing merely because an accusation points at someone. If someone is found guilty, it should be after all the required evidence and information has been obtained. This should be a way of obtaining information and improving the security of the network and database.
References
Carrier, B. (2005). File system forensic analysis. New York, NY: Addison-Wesley.
Carvey, H. (2005). Windows forensics and incident recovery. New York, NY: Addison-Wesley.
Ciampa, M. D. (2011). Security+ guide to network security fundamentals. Cengage Learning.
Kizza, J. M. (2009). A guide to computer network security. Springer.
Kruse, W. & Heiser, J. (2002). Computer forensics: Incident response essentials. New York, NY: Addison-Wesley.