Be Prepared for Computer Forensics - Page 2
For network managers, then, this means planning in advance how to secure machines that have been compromised. The ideal from an evidence standpoint is simply to freeze a compromised machine until the proper authorities can examine it. This becomes tricky, however, if the compromised machine is, for example, an important server. Systems administrators will need to determine first whether the system has been compromised (without destroying important evidence), then determine whether its backup has been compromised, and finally isolate the compromised machine from the network (and activate a backup system) without shutting it down.
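The three steps above (record the live state before anything is disturbed, check the backup, then cut the box off the network without powering it down) can be scripted so that a first responder does not have to improvise. The following PowerShell is an added example written for this page, not code from the article or its author; it assumes a current Windows host (the Win2K tooling the article discusses predates PowerShell), an elevated prompt, an evidence volume at `D:\evidence`, a backup manifest CSV with `RelativePath,Sha256` columns written at backup time, and a dedicated management adapter named `Management`. All of those paths and names are assumptions.

```powershell
# Added example: first-response triage for a compromised Windows host.
# Assumed: elevated prompt, evidence volume D:\evidence, manifest CSV format.

function Save-VolatileEvidence {
    param([string]$EvidenceRoot = 'D:\evidence')   # assumed removable or remote volume

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Who is logged on and how long the box has been up: capture before touching anything.
    Get-CimInstance Win32_ComputerSystem |
        Select-Object Name, UserName, Domain |
        Export-Csv -Path (Join-Path $dir 'session.csv') -NoTypeInformation
    Get-CimInstance Win32_OperatingSystem |
        Select-Object LastBootUpTime, LocalDateTime |
        Export-Csv -Path (Join-Path $dir 'uptime.csv') -NoTypeInformation

    # Processes and live TCP connections vanish on shutdown, so they are recorded first.
    Get-Process |
        Select-Object Id, ProcessName, Path, StartTime |
        Export-Csv -Path (Join-Path $dir 'processes.csv') -NoTypeInformation
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -Path (Join-Path $dir 'tcp.csv') -NoTypeInformation

    # Hash each artefact immediately; collect first so the manifest does not hash itself.
    $hashes = Get-ChildItem -Path $dir -File |
        ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 }
    $hashes | Select-Object Path, Hash |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    return $dir
}

function Test-BackupIntegrity {
    # Compares a backup tree against the SHA-256 manifest recorded when the backup was taken.
    param([string]$BackupRoot, [string]$ManifestPath)

    $expected = @(Import-Csv -Path $ManifestPath)
    $findings = @()
    foreach ($entry in $expected) {
        $full = Join-Path $BackupRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full)) {
            $findings += [pscustomobject]@{ Path = $entry.RelativePath; Status = 'MISSING' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {   # -ne is case-insensitive, so hex case does not matter
            $findings += [pscustomobject]@{ Path = $entry.RelativePath; Status = 'MODIFIED' }
        }
    }
    # Anything in the backup that the manifest never listed is suspicious too.
    $known = @($expected | ForEach-Object { $_.RelativePath })
    Get-ChildItem -LiteralPath $BackupRoot -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($BackupRoot.Length).TrimStart('\')
        if ($known -notcontains $rel) {
            $findings += [pscustomobject]@{ Path = $rel; Status = 'UNEXPECTED' }
        }
    }
    return $findings
}

function Invoke-NetworkIsolation {
    # Disables every adapter that is up except the one used to reach the host, leaving it running.
    param([string]$KeepAdapter)   # assumed name of a dedicated management NIC

    Get-NetAdapter |
        Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $KeepAdapter } |
        ForEach-Object { Disable-NetAdapter -Name $_.Name -Confirm:$false }
}

# Order matters: capture, then verify the fallback, then isolate.
$evidenceDir = Save-VolatileEvidence
Test-BackupIntegrity -BackupRoot 'E:\backup\srv01' -ManifestPath 'E:\backup\srv01.manifest.csv' | Format-Table
Invoke-NetworkIsolation -KeepAdapter 'Management'
"Volatile evidence written to $evidenceDir"
```

Disabling adapters instead of shutting down keeps memory, running processes and any open EFS session intact for the examiner; the hashes in `manifest.csv` are what lets you show later that the captured files were not altered after collection. An empty result from `Test-BackupIntegrity` means the backup matches its manifest, which is the condition for bringing it online in place of the compromised server.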
There are a number of forensic software tools that can aid in determining compromised systems and their state. But sometimes you're not simply looking for malevolent code; you may be investigating whether a user's workstation has been used for illegal purposes. This can be exceptionally delicate for a number of reasons. First, you don't want it to look as though your company bungled the investigation and destroyed valuable evidence; second, you don't want to give a future defense attorney any loopholes; and, third, you may not want to tip off the suspect prior to the arrival of law enforcement investigators.
What this really means is think ahead. Windows 2000 network administrators, for example, need to examine their network resources with an eye towards criminal behavior and response. Take Win2K's Encrypting File System (EFS). Left unchecked, this is a powerful tool not only for external hackers but for internal criminals as well. If an outside hacker manages to log into a workstation as that workstation's primary user, then all EFS files are automatically readable -- by default no additional password or authentication process is required.
Internally, EFS cannot be used unless the system names a key recovery authority. Typically this is a dedicated network administrator -- but network administrators need to be especially careful about who gets appointed to this role as he or she has exceptional power when it comes to reading sensitive corporate information. Smart users can also dictate that recovery keys be exported off the system, which will require the recovery administrator to insert an appropriate floppy or CD containing the key in order to access encrypted files. Without it, you're helpless.
Surreptitious investigation of a suspected user's workstation is also tricky with regard to EFS because encrypted files will generally be readable only when that user is logged into the machine. Should anything interfere with that session -- a power failure, a password-equipped screen saver, or the user logging out -- then EFS files may be locked up forever. Similarly, yanking a user off his machine and pulling the plug on the box may also result in the entire hard disk becoming encrypted (a popular booby trap) and the contents becoming useless. A smart move here is to open the Microsoft Management Console first and create a backup of the key recovery certificate. That way, even if the files are copied to another system they'll still be accessible.
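The two preparatory steps the last two paragraphs describe (know which files on a workstation are EFS-protected before the session that can read them ends, and hold a backed-up copy of the recovery agent's certificate and private key) look like this on a current Windows host. This is an added example, not code from the article or from Microsoft; it assumes the script runs under the account that holds the data recovery agent certificate in its personal store, a profile path of `C:\Users\suspect`, and removable media at `F:\`, all of which are assumptions. The `cipher /c` call is the built-in tool that lists which certificates, the user's and any recovery agent's, can decrypt a given file.

```powershell
# Added example: EFS readiness checks for an investigation.
# Assumed: run as the recovery agent account; paths are placeholders.

function Get-EncryptedFiles {
    # Lists files carrying the EFS Encrypted attribute under a root, so the scope of what
    # becomes unreadable if the user's session is lost is known up front.
    param([string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

function Export-EfsRecoveryAgent {
    # Exports the data recovery agent certificate together with its private key as a PFX.
    # The File Recovery EKU OID 1.3.6.1.4.1.311.10.3.4.1 identifies a recovery agent certificate.
    param([string]$OutFile, [System.Security.SecureString]$Password)

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1')
        } |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No recovery agent certificate with a private key in the current user store.'
    }
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password | Out-Null
    return $cert.Thumbprint
}

# 1. Inventory what is encrypted while the owner's session is still live.
Get-EncryptedFiles -Root 'C:\Users\suspect' | Format-Table -AutoSize

# 2. For any single file, confirm a recovery agent is actually listed on it.
cipher /c 'C:\Users\suspect\Documents\report.docx'

# 3. Back up the recovery agent's key to removable media, kept off the machine.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$thumb = Export-EfsRecoveryAgent -OutFile 'F:\dra-backup.pfx' -Password $pfxPassword
"Recovery agent $thumb exported to F:\dra-backup.pfx"
```

If step 2 shows no recovery agent on a file, the article's warning applies in full: once that user's session ends, nobody else can read it. Importing the exported PFX into the certificate store on the examination machine is what makes copied EFS files readable there, which is the outcome the paragraph above describes.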
Obviously, EFS is only one possible variable in a cyber-crime scenario -- and then only a Windows 2000-based scenario. Unix, OS X, Linux and even handheld OSes all have their own quirks in this regard and the relatively recent birth of computer forensics really hasn't caught up as yet. That means there are no hard and fast procedures that will cover every contingency under any operating system. Network and systems administrators simply need to become as educated as possible about all the resources on their networks and then implement their own response plans to criminal incidents.
In the conclusion of this two-part article, we'll look at what it takes to set up your response plan, evidence handling and documentation, and forensic tools and intrusion detection.
Oliver Rist is a technology journalist and vice president of technology at AIC Inc. Additionally, he is former technology editor of InternetWeek and expert in the Microsoft Windows and BackOffice product family.