CISSP Exam Guide Notes: 7.8 Investigations

Posted by admin, 24 May 2022 09:29:28

When a potential computer crime takes place, it is critical that the investigation steps are carried out properly to ensure that the evidence will be admissible to the court if things go that far and that it can stand up under the cross-examination and scrutiny that will take place.

Computer Forensics and Proper Collection of Evidence

Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data for the purposes of a digital criminal investigation.

At one time computer forensic results were differentiated from network and code analysis, but now this entire area is referred to as digital evidence.

The people conducting the forensic investigation must be properly skilled in this trade and know what to look for.

Digital evidence must be handled in a careful fashion so it can be used in different courts, no matter what jurisdiction is prosecuting a suspect. Within the United States, there is the Scientific Working Group on Digital Evidence (SWGDE), which aims to ensure consistency across the forensic community. The principles developed by the SWGDE for the standardized recovery of computer-based evidence are governed by the following attributes:

  • Consistency with all legal systems
  • Allowance for the use of a common language
  • Durability
  • Ability to cross international and state boundaries
  • Ability to instill confidence in the integrity of evidence
  • Applicability to all forensic evidence
  • Applicability at every level, including that of individual, agency, and country

The SWGDE principles are listed next:

  1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
  2. Upon the seizing of digital evidence, actions taken should not change that evidence.
  3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
  4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
  5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
  6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

Motive, Opportunity, and Means

Motive is the “who” and “why” of a crime. The motive may be induced by either internal or external conditions.

Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present.

Means pertains to the abilities a criminal would need to be successful.

Computer Criminal Behavior

Computer criminals have a specific modus operandi (MO, pronounced “em-oh”). The difference with computer crimes is that the investigator must have knowledge of technology.

Psychological crime scene analysis (profiling) can also be conducted using the criminal’s MO and signature behaviors.

Incident Investigators

Incident investigators are a breed of their own. The good ones must be aware of suspicious or abnormal activities that others might normally ignore.

The investigator could identify suspicious activities, such as port scans, attempted SQL injections, or evidence in a log that describes a dangerous activity that took place.

There are four general types of assessments performed by investigators.

Network analysis

  • Traffic analysis
  • Log analysis
  • Path tracing

Media analysis

  • Disk imaging
  • Timeline analysis (modify, access, create times)
  • Registry analysis
  • Slack space analysis
  • Shadow volume analysis

Software analysis

  • Reverse engineering
  • Malicious code review
  • Exploit review

Hardware/embedded device analysis

  • Dedicated appliance attack points
  • Firmware and dedicated memory inspections
  • Embedded operating systems, virtualized software, and hypervisor analysis

Types of Investigations

Administrative

An administrative investigation is one that is focused on policy violations. These represent the least impactful (to the organization) type of investigation and will likely result in administrative action if the investigation supports the allegations.

Criminal

A criminal investigation is one that is aimed at determining whether there is cause to believe beyond a reasonable doubt that someone committed a crime. The most important thing to consider is that we, as information systems security professionals, are not qualified to determine whether or not someone broke the law; that is the job of law enforcement agencies (LEAs).

Civil

A civil investigation is typically triggered when a lawsuit is imminent or ongoing.

Regulatory

A regulatory investigation is initiated by a government regulator when there is reason to believe that the organization is not in compliance.

The Forensic Investigation Process

Each team or company may commonly come up with their own steps, but all should be essentially accomplishing the same things:

  • Identification
  • Preservation
  • Collection
  • Examination
  • Analysis
  • Presentation
  • Decision

During the examination and analysis process of a forensic investigation, it is critical that the investigator works from an image that contains all of the data from the original disk.

The following are just some of the steps that should take place to protect the crime scene:

  • Only allow authorized individuals access to the scene.
  • Document who is at the crime scene.
  • Document who were the last individuals to interact with the systems.
  • If the crime scene does become contaminated, document it.

The original media should have two copies created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection).

Before creating these images, the investigator must make sure the new media has been properly purged, meaning it does not contain any residual data.

To ensure that the original image is not modified, it is important to create message digests for files and directories before and after the analysis to prove the integrity of the original image.

Great care and precision must take place to capture clues from any computer or device.

Acquiring evidence on live systems and those using network storage further complicates matters because you cannot turn off the system in order to make a copy of the hard drive.

The following are some of the common items in the forensics field kits:

  • Documentation tools: tags, labels, and time-lined forms
  • Disassembly and removal tools: antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on
  • Package and transport supplies: antistatic bags, evidence bags and tape, cable ties, and others

The next crucial piece is to keep a proper chain of custody of the evidence.

A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court.

When copies of data need to be made, this process must meet certain standards to ensure quality and reliability.

Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned.
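As an added illustration, not taken from the exam guide, the two controls described above in Python: SHA-256 digests of every file in a working image are recorded before and after analysis and compared to prove nothing changed, and every handling step is logged with case number, UTC time, collector initials and the digest at that moment. The temporary directory, file contents, case number CASE-0001 and initials JD are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of_file(path, chunk=1 << 20):
    # Stream the file so a multi-gigabyte image does not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    # Digest every file under root, keyed by path relative to root (POSIX style).
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_paths(before, after):
    # Paths whose digest differs, or that appeared or vanished, between two manifests.
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))

class CustodyLog:
    # Append-only ledger: each handling step carries the case number, UTC time,
    # collector initials and the digest of the item as it was handled.
    def __init__(self, case_number):
        self.case_number, self.entries = case_number, []

    def record(self, action, item, digest, initials):
        entry = {"case": self.case_number, "time": datetime.now(timezone.utc).isoformat(),
                 "initials": initials, "action": action, "item": item, "sha256": digest}
        self.entries.append(entry)
        return entry

def demo():
    # Constructed sample "working image": two files in a temp directory, not real evidence.
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "disk.img").write_bytes(b"\x00" * 4096 + b"MBR")
    (root / "notes.txt").write_bytes(b"original")
    log = CustodyLog("CASE-0001")  # hypothetical case number
    before = build_manifest(root)
    log.record("collected", "disk.img", before["disk.img"], "JD")
    (root / "notes.txt").write_bytes(b"original tampered")  # simulate alteration during analysis
    after = build_manifest(root)
    log.record("analyzed", "disk.img", after["disk.img"], "JD")
    return changed_paths(before, after), [e["action"] for e in log.entries]
```

A non-empty list from `changed_paths` means the working image no longer matches the digests taken at collection, so the analysis must be redone from the control copy.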

The next step is the analysis of the evidence. Forensic investigators use a scientific method that involves

  • Determining the characteristics of the evidence, such as whether it’s admissible as primary or secondary evidence, as well as its source, reliability, and permanence
  • Comparing evidence from different sources to determine a chronology of events
  • Event reconstruction, including the recovery of deleted files and other activity on the system

Finally, the interpretation of the analysis should be presented to the appropriate party. This could be a judge, lawyer, CEO, or board of directors.

What Is Admissible in Court?

Computer logs are important in many aspects of the IT world. They are generally used to troubleshoot an issue or to try to understand the events that took place at a specific moment in time. When computer logs are to be used as evidence in court, they must be collected in the regular course of business.

It is important to show that the logs, and all evidence, have not been tampered with in any way, which is the reason for the chain of custody of evidence.

When evidence is being collected, one issue that can come up is the user’s expectation of privacy.

The life cycle of evidence includes

  • Collection and identification
  • Storage, preservation, and transportation
  • Presentation in court
  • Return of the evidence to the victim or owner

It is important that evidence be relevant, complete, sufficient, and reliable to the case at hand.

For evidence to be relevant, it must have a reasonable and sensible relationship to the findings.

For evidence to be complete, it must present the whole truth of an issue.

For the evidence to be sufficient, or believable, it must be persuasive enough to convince a reasonable person of the validity of the evidence.

For evidence to be reliable, or accurate, it must be consistent with the facts.

Surveillance, Search, and Seizure

Two main types of surveillance are used when it comes to identifying computer crimes: physical surveillance and computer surveillance. Physical surveillance pertains to security cameras, security guards, and closed-circuit TV (CCTV), which may capture evidence.

Computer surveillance pertains to auditing events, which passively monitors events by using network sniffers, keyboard monitors, wiretaps, and line monitoring.

Search and seizure activities can get tricky depending on what is being searched for and where.

In some circumstances, a law enforcement agent may seize evidence that is not included in the warrant, such as if the suspect tries to destroy the evidence.

Enticement is legal and ethical, whereas entrapment is neither legal nor ethical.


Originally published on the WeChat public account debugeeker: CISSP考试指南笔记:7.8 调查

Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/923256.html
