First step into security?

I have my Security+ and I've been studying the CEH for a little while, and I had a client come to me today (an investigator) asking if I could remove some material that he could use in his case. He wants log files, IP addresses, emails, etc.

I'm just going to start by grabbing whatever I can find. Any tips on what I should look for? The guy who's being investigated is some sort of child molester.

KG
Present goals: MCAS, MCSA, 70-680

Comments

  • JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,668
    If this material will be used in any legal context then the way it is sampled, logged, and stored is critical. This operation would best be left to a professional forensics service, otherwise the defense attorney will have a field day tearing apart you and your amateur detective procedures in front of a judge and jury. I'm surprised that a prosecuting attorney would ask that such a critical operation be performed by a non-professional.
  • KGhaleon | Member | Posts: 1,347
    That's what I told my client, since I have had no real experience with forensics. He still seems bent on relying on me for some reason...it's rather frustrating.

    While on the topic, are there any good IT forensic agencies out there that I could recommend people like this to? I've been looking for places local to me (in Orlando), but I'm not having a lot of luck.

    There's the National Institute of Justice (http://ncfs.ucf.edu/home.html), but I'll have to contact them and see if they accept these jobs.

    KG
    Present goals: MCAS, MCSA, 70-680
  • supertechCETma | Member | Posts: 377
    The scenario you present is laughable.

    First, that little thing called ethics should prevent you from even considering this job. Second, this "investigator" sounds like an idiot. IF you find anything, I doubt that it would be admissible in a court of law. All methods of evidence collection and discovery must be legally defensible in a court of law. The chain of custody must be maintained in a contiguous stream from seizure to courtroom. Are you working under a warrant? Are you bonded? Is your level of "expertise" recognized by the court? Third, the question of liability comes into play. If you discover evidence of child pornography or molestation, you are bound by law to report it, or you could face prosecution yourself.

    You should run screaming from this "client".

    I just graduated summa cum laude with a BS in Criminal Justice. I begin work toward my Masters in Forensic Science next month. The Federal Rules of Evidence are quite clear in these matters. You don't want to get involved unless you are sufficiently qualified.
    Electronic Technicians Association-International www.eta-i.org
    The Fiber Optic Association www.thefoa.org
    Home Acoustics Alliance® http://www.homeacoustics.net/
    Imaging Science Foundation http://www.imagingscience.com/
  • supertechCETma | Member | Posts: 377
    Key Computer Service, Inc. is a privately owned Florida corporation that has specialized in computer forensic examinations since 1993.

    http://www.keycomputer.net/index2.htm?
    Electronic Technicians Association-International www.eta-i.org
    The Fiber Optic Association www.thefoa.org
    Home Acoustics Alliance® http://www.homeacoustics.net/
    Imaging Science Foundation http://www.imagingscience.com/
  • keatron | Member | Posts: 1,208 ■■■■■■□□□□
    Your biggest problem in court wouldn't exactly be the defense attorney, it would be the expert witness the defense attorney hires to discredit the information (I've been on both sides of the table).

    1. First of all, you need to treat ALL forensics investigations as if they are going to be presented in court. As far as legal context goes, a civil prosecution will go differently than a criminal one will. Keep in mind the burden of proof in a criminal trial (child **** for example) will be much greater than in a civil case (company trade secret violation).

    2. There could be several circumstances that could dictate why the investigator considers your work good enough. Tearing apart corroborating evidence won't do the defense much good at all if all of the primary evidence says the defendant did it. Most times this evidence is used as supporting evidence and usually presented in a context similar to... "your honor, in addition to the hundreds of printed pictures, recorded DVDs and VHS tapes, and the witness testimony that the defendant invited her to have sex, we also have records of his internet history and several hundred emails sent and received which support our other findings". I watched a CFO get put away a few months back in a similar case. All of the forensic evidence collected was collected by company IT staff. If I had been on the other side (the CFO's side), I would have picked the IT team apart; however, I was the expert witness for the company, and the integrity of the digital evidence never came into question as other evidence was a lot more damaging and solid.

    3. As JD has already pointed out, the measures that are put in place proactively are usually the strongest weapons in collecting digital evidence. Not only that, what he's trying to prove will almost always have a strong bearing on how the evidence is collected. For example, an attack from a hacker might rely heavily on volatile stores (RAM for example), whereas catching a kid **** pervert might rely more heavily on data written to permanent storage (web history, email logs, etc.). In forensics we struggle constantly with this: do you immediately unplug the machine (which destroys all hopes of collecting any volatile information), do you allow Windows to shut down properly (which means you now have to do 10 times as much documentation and whatnot, since Windows writes tons of crap to the hard drive if allowed to shut down following its normal routine), or do you try to connect and get live forensics data (now you run an extremely high risk of contaminating any evidence you might collect by using whatever connect-and-collect method you use)? We probably have over $100,000 in equipment for doing just forensics. Because in court, what matters most is proven and tried methods, tools, techniques, and previous court decisions. So if EnCase has the best success track record in court (and it does), then you'd best be having it in your arsenal. There are hardware components you need as well for things such as bit-to-bit copies of the drives or bit-to-image copies of the drives (which you'll need to **** into EnCase); however, I don't get too much into advertising products on here. I would suggest you contact a company like EnCase and let them point you to a reputable and skilled firm in your area. We do a good bit of this for the midwest but don't do much outside of this area (laws are so different in different parts of the country concerning warrants, evidence collection, etc.).

    4. If this investigator is investigating a child molestation case, then I'd suggest you not think of touching anything until he produces a warrant, as these cases 90% of the time end up at the defendant's home, and you definitely don't want to end up being a co-defendant with this investigator when the original defendant pops him for an illegal search + breaking and entering. If all of the equipment you're proposing to investigate is owned by the company then it might be a moot point, but better safe than sorry.

    5. I'll address the things you called out and explain why there's more to it than just "gathering it".

    A. Log files: You have to try and prove that they haven't been modified and verify integrity.

    B. IP addresses: My 11-year-old knows how to spoof IP addresses, and anyone willing to take a little time searching Google and other places can figure it out as well. Again, you're stuck with validating the integrity of the IPs you collect.

    C. Emails: Did he actually send those emails, or did someone else logged in as him send them? Were they spoofed? Do you have other evidence that can actually put him at that machine during those email communications (auditing/accounting)? Are there real identification and authentication mechanisms in place (or does everyone know everyone's password and login)?

    You've studied for C|EH and Security+, so the importance of the CIA triad in real-world scenarios should become a little clearer to you now. I'll quote a forensics friend who works for one of the world's largest insurance companies here: "If they're not syslogging, they're in trouble and not getting a dime of claim money." I recently had him in a forensics class I was teaching, and we were having an open class discussion about log files, having them written remotely in real time and in more than one place.

    Sorry for the long answer, but since I've been traveling most of the year, I go through Techexams withdrawals, so when I do get a chance to get on here, I'm on a high :D
  • KGhaleon | Member | Posts: 1,347
    Good points. I never actually accepted the job, but rather, I explained to the client that I would take a look at it and see what I could do. I told him that I didn't think it would be a good idea to bring the work to me, but he simply replied saying that it wouldn't break the chain of custody if the man's wife presented the computer to me. She dropped it off.

    I don't know enough about Law or computer forensics to turn the client away, since I never turn clients away without first attempting to help them. I'm going to contact him and see if he would be willing to try one of these other businesses.

    Though hasn't he broken the chain of custody by leaving the machine with me?

    I don't have any real plans to work in forensics or security. I just run a small business dealing with virus removal, data recovery, computer repair/network maintenance, etc.
    I can see where people might misunderstand.

    KG
    Present goals: MCAS, MCSA, 70-680
  • keatron | Member | Posts: 1,208 ■■■■■■□□□□
    KGhaleon wrote:
    Good points. I never actually accepted the job, but rather, I explained to the client that I would take a look at it and see what I could do. I told him that I didn't think it would be a good idea to bring the work to me, but he simply replied saying that it wouldn't break the chain of custody if the man's wife presented the computer to me. She dropped it off.
    Mistake number one. This has many negative implications, and to keep from using up all the hard drive on Johan's webserver, I won't go into detail.
    KGhaleon wrote:
    I don't know enough about Law or computer forensics to turn the client away, since I never turn clients away without first attempting to help them. I'm going to contact him and see if he would be willing to try one of these other businesses.

    Though hasn't he broken the chain of custody by leaving the machine with me?
    Did you sign and have a witness sign a chain of custody form noting date/time, conditions, etc.? And is the chain of custody form notarized? Probably not, so it's pretty safe to say the chain is broken. What was the checksum of the hard drive when she unplugged the box? Does it match the checksum now? Probably not, right?
    KGhaleon wrote:
    I don't have any real plans to work in forensics or security. I just run a small business dealing with virus removal, data recovery, computer repair/network maintenance, etc.
    I can see where people might misunderstand.
    Which is more reason you should understand how much changes on the hard drive just from Windows sitting there running idle. Go to sysinternals.com and download Diskmon and Filemon and install them. Go to Start, then Run, type msconfig, and use the diagnostic startup option to disable all but the "needed" (cough, cough...) Windows processes and files. Now reboot as prompted (after applying this). Once you're back up, load Filemon and Diskmon and take a look at all the file activity and drive write operations going on. If you remove/detect viruses for a living and monitor networks and activity, you should already be pretty familiar with these tools.

    I would say your chain of custody is pretty much not a chain anymore, but rather a long line of chain links that are not connected at all. Good luck, and again my advice would be to refer this person to a professional; there's too much already gone wrong for someone without extensive experience to come close to salvaging this and actually using it in court.
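The two checks keatron keeps coming back to (does the checksum taken at seizure still match, and is every hand-off written down) are simple to model. The following is an added example, not code from the thread or from any product named in it: a toy chain-of-custody log over a constructed byte string that stands in for a drive image, with one chain where the image is copied bit-for-bit and one where the machine was booted "to take a look" and the OS wrote to the disk. The actors, timestamps and the simulated idle write are all made up for the illustration.

```python
"""Added example (not from the thread): image checksum plus custody record.

The "drive" is a constructed byte string, not a real device. Actor names,
timestamps and the simulated OS write are made up for the illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


def sha256_hex(image: bytes) -> str:
    """Digest of the whole image: the value you record at seizure."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_digest: str) -> bool:
    """Recompute the digest now and compare it with the recorded one."""
    return hmac.compare_digest(sha256_hex(image), expected_digest)


@dataclass
class CustodyEntry:
    when: str     # ISO-8601 timestamp (constructed below)
    actor: str    # who held the evidence at this hand-off
    action: str   # what they did with it
    digest: str   # sha256 of the image at this hand-off


@dataclass
class CustodyLog:
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, when: str, actor: str, action: str, image: bytes) -> CustodyEntry:
        entry = CustodyEntry(when, actor, action, sha256_hex(image))
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """True only if every hand-off carries the digest taken at seizure."""
        if not self.entries:
            return False
        seized = self.entries[0].digest
        return all(hmac.compare_digest(e.digest, seized) for e in self.entries)

    def first_break(self) -> Optional[CustodyEntry]:
        """The hand-off at which the image stopped matching the seizure digest."""
        if not self.entries:
            return None
        seized = self.entries[0].digest
        for e in self.entries:
            if e.digest != seized:
                return e
        return None


# Constructed 64 KiB "drive"; contains no real data.
SEIZED_IMAGE = bytes(range(256)) * 256


def good_chain() -> CustodyLog:
    """Image copied bit-for-bit behind a write blocker: digest never changes."""
    log = CustodyLog()
    log.record("2009-06-01T09:00:00Z", "seizing party", "powered off and bagged", SEIZED_IMAGE)
    copy = bytes(SEIZED_IMAGE)  # bit-for-bit copy of the seized drive
    log.record("2009-06-01T14:30:00Z", "examiner", "imaged behind write blocker", copy)
    log.record("2009-06-02T10:00:00Z", "examiner", "checked in to lab safe", copy)
    return log


def broken_chain() -> CustodyLog:
    """Drive booted 'to take a look': the OS writes to it and the digest moves."""
    log = CustodyLog()
    log.record("2009-06-01T09:00:00Z", "seizing party", "powered off and bagged", SEIZED_IMAGE)
    booted = bytearray(SEIZED_IMAGE)
    booted[4096:4112] = b"pagefile-updated"  # stands in for idle OS writes
    log.record("2009-06-01T14:30:00Z", "repair shop", "booted machine to inspect", bytes(booted))
    return log


if __name__ == "__main__":
    print("write-blocked chain intact:", good_chain().unbroken())
    bad = broken_chain()
    print("booted chain intact:", bad.unbroken(), "- broke at:", bad.first_break().actor)
```

On a real drive the digest would be taken with a hardware write blocker in line and a tool such as `dd` or an imager, and the log would be a signed, witnessed paper form; the point the toy makes is only that a single unrecorded boot leaves the examiner unable to show the image in hand is the image that was seized.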
  • KGhaleon | Member | Posts: 1,347
    Yup, it came back and bit me in the ass. Yesterday she came back and asked me to testify that I was the one who acquired the data found on the system.

    I refused and told her that the invoice she paid for specifically states that we aren't responsible for the data. This morning I got a notice commanding me to appear or be held in contempt.

    I'm going to call the attorney and argue, but I'll probably be forced to go anyway.

    KG
    Present goals: MCAS, MCSA, 70-680
  • Non-Profit Techie | Member | Posts: 418
    Just go there and tell them what you told us. He will be upset he shot his own case down, lol.
  • JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,668
    I just had a very similar thing happen to me. A friend asked if I could recover erased files from an MP3 recorder. Having a copy of File Scavenger, I was confident that I could. I plugged the recorder into my computer's USB port and browsed through its file system, noting that there were no MP3 files on it (the Erase button had been used to delete its contents). I ran File Scavenger on it and saw that no files were recovered. I assumed that the recorder's Erase button completely over-writes the file table, making recovery only possible by imaging the disk and locating files using an image editor.

    Anyway, the surprising part of this to me is after I tell my friend that I can't recover any data from the recorder, he tells me that the recordings are being requested by a law enforcement agency as part of criminal litigation against his former employer, and that a law enforcement officer asked him to retrieve the MP3 files himself. I informed my friend that the officer should have immediately collected the device and sent it off to a forensics lab for a proper data recovery procedure, but he was certain that the agents he was working with didn't want to go to all that trouble.

    Who do you blame for this situation? The field agents who don't have easy access to the resources for handling digital forensics data? Or the case managers at the three-letter agency that is attempting to nail the perp?
  • KGhaleon | Member | Posts: 1,347
    Obviously the agent. In my case, the investigator, for having his client take the computer to my company and requesting that I do the work. I warned them about the chain of custody, but they didn't really seem concerned.

    I contacted the attorney and warned her that I most likely wouldn't be testifying in her favor...so I'll see how things play out.

    KG
    Present goals: MCAS, MCSA, 70-680
  • keatron | Member | Posts: 1,208 ■■■■■■□□□□
    JDMurray wrote:
    I just had a very similar thing happen to me. A friend asked if I could recover erased files from an MP3 recorder. Having a copy of File Scavenger, I was confident that I could. I plugged the recorder into my computer's USB port and browsed through its file system, noting that there were no MP3 files on it (the Erase button had been used to delete its contents). I ran File Scavenger on it and saw that no files were recovered. I assumed that the recorder's Erase button completely over-writes the file table, making recovery only possible by imaging the disk and locating files using an image editor.

    Anyway, the surprising part of this to me is after I tell my friend that I can't recover any data from the recorder, he tells me that the recordings are being requested by a law enforcement agency as part of criminal litigation against his former employer, and that a law enforcement officer asked him to retrieve the MP3 files himself. I informed my friend that the officer should have immediately collected the device and sent it off to a forensics lab for a proper data recovery procedure, but he was certain that the agents he was working with didn't want to go to all that trouble.

    Who do you blame for this situation? The field agents who don't have easy access to the resources for handling digital forensics data? Or the case managers at the three-letter agency that is attempting to nail the perp?

    Sad thing is, that three-letter agency would more than likely easily get away with it and be successful in court. People have the misconception that because a three-letter agency is after you, you don't stand a chance in court. I can tell you for certain, if I were the expert witness in that particular case for the other party, I would chew that three-letter agency up and spit them out. But in her case, it would most likely go like, "we recovered these MP3s from the computer you used when you worked at company XYZ, they were downloaded on such and such day, records show you were logged into the system at the time of the download, your timesheet records also show that you were at that computer working on such and such project" (timesheets are often considered your official and legal statement as to where you were at a given time).

    The guy would probably see all this seemingly solid evidence and break.
    Just think about all the criminal and civil cases where the obviously guilty defendant ended up walking scot-free (OJ) because of contaminated evidence and mishandling of evidence. The rules of evidence are very similar for digital evidence as well. The main difference is the fact that it's much, much easier to contaminate digital evidence.
  • damsel_in_tha_net | Member | Posts: 75 ■■□□□□□□□□
    Wow, I'm dying to know how this ended.
  • veritas_libertas | CISSP, GIAC x5, CompTIA x5 | Greenville, SC USA | Member | Posts: 5,735 ■■■■■■■■■■
    damsel_in_tha_net wrote:
    Wow, I'm dying to know how this ended.

    Yeah, how did it end?
    Currently working on: Linux and Python
  • tpatt100 | Member | Posts: 2,991 ■■■■■■■■■□
    He probably got shipped off to Gitmo :lol:
  • unsupported | Member | Posts: 192
    I'm dying to know who the lawyer was. I'm in Orlando and I DO NOT WANT him to even have the chance to represent me in any situation, even for jay walking.
    -un

    “We build our computer (systems) the way we build our cities: over time, without a plan, on top of ruins” - Ellen Ullman
  • Paul Boz | Member | Posts: 2,621 ■■■■■■■■□□
    As others have said (and I appreciated the great info in here), forensics really isn't the best way to get into infosec.

    Anyone got any good "quick reads" on digital forensics? I'm not really looking for a SANS level review, just something to keep me interested :)
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • dynamik | Banned | Posts: 12,314 ■■■■■■■■□□
    Paul Boz wrote: »
    Anyone got any good "quick reads" on digital forensics? I'm not really looking for a SANS level review, just something to keep me interested :)

    SANS InfoSec Reading Room - Forensics. Suck it up, sissy...

    Dude, I started reading my Hacker's Challenge books this weekend, and now I'm totally enthralled. I can't wait to get into the IA and IH material :cool:
  • Paul Boz | Member | Posts: 2,621 ■■■■■■■■□□
    Kinda wanted something a bit smaller that I could check out on airplanes :/

    I am looking forward to the GCIH, assuming that our training budget is solid enough next year.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • veritas_libertas | CISSP, GIAC x5, CompTIA x5 | Greenville, SC USA | Member | Posts: 5,735 ■■■■■■■■■■
    dynamik wrote: »
    Dude, I started reading my Hacker's Challenge books this weekend, and now I'm totally enthralled. I can't wait to get into the IA and IH material :cool:

    I saw those on Amazon the other day and wondered if they were any good.
    Currently working on: Linux and Python
  • dynamik | Banned | Posts: 12,314 ■■■■■■■■□□
    Paul Boz wrote: »
    Kinda wanted something a bit smaller that I could check out on airplanes :/

    I have something that should be plenty small for you...
    veritas_libertas wrote: »
    I saw those on Amazon the other day and wondered if they were any good.

    I'm digging them. I got the old 1 and 2 books for dirt cheap used. They're a bit dated, but they're still interesting.