Developing a Response Plan for Computer Forensics - Page 2
Evidence Handling & Documentation
Once your evidence has been identified and isolated, you arrive at step 6: evidence handling. Network managers are usually the first link in the evidence-handling chain. Ideally, law enforcement officials would manage this process, but in reality it most often falls to network and systems administrators, because their first priority is to protect and stabilize the network, and involving law enforcement comes after that.
This also works in the network manager's favor: law enforcement will often impound compromised machines and data for off-site analysis, and you do not want to be scrambling to bring up a backup system while investigators are pulling important resources off the network. Those replacement resources should already be running when investigators arrive, so that removing any evidence has no further adverse effect on network performance or productivity.
Proper documentation should be exhaustive. Always err on the side of too much, and make as much use as possible of documentation that already exists, such as asset management data. Affected resources need to be recorded by brand name, model number, serial number, MAC address and similar identifiers, and an asset management database can supply these in seconds. Good network documentation will provide IP addresses, domain names, resource permissions, drive paths and more. Pull this information from those sources and append it to your investigative documentation; take a dated copy of what the databases said at the time rather than relying on a live record that will change later. Then authenticate the material with signatures and, where possible and relevant, digital time stamps.
The rest of your documentation must record every investigative action, the reason for it, the method used, and always when and where it took place and who performed it. Use only legal means of investigation (another good topic to settle with an attorney during the response planning phase) and document that as well. This should cover not only when and why you accessed particular corporate or user resources, but also the tools you used in the process, including their versions.
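One way to make the investigative record itself tamper-evident, as an added example in Python that is not part of the original article or any particular product: each chain-of-custody entry records who did what, why, with which tool, when (UTC), and the SHA-256 of the evidence item, and carries the hash of the previous entry, so that editing or deleting an earlier record breaks every record after it. The actors, tool names, evidence identifier and image bytes below are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the very first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of every field except entry_hash, computed over canonical JSON so
    that key order and whitespace cannot change the result."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return sha256_hex(canon)


def append_entry(log: list, actor: str, action: str, reason: str, tool: str,
                 evidence_id: str, evidence_bytes: bytes, when: datetime) -> dict:
    """Append one custody record. Each record stores the hash of the record
    before it, so the log can only be extended, never silently rewritten."""
    entry = {
        "seq": len(log),
        "timestamp_utc": when.astimezone(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "reason": reason,
        "tool": tool,
        "evidence_id": evidence_id,
        "evidence_sha256": sha256_hex(evidence_bytes),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Return (True, -1) if the chain is intact, otherwise (False, index) of
    the first record whose content or linkage no longer matches."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, i
        if entry_digest(entry) != entry.get("entry_hash"):
            return False, i
        prev = entry["entry_hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: two actions on a hypothetical drive image."""
    image = b"\x7fELF constructed stand-in for a disk image"
    log = []
    append_entry(log, "j.doe (sysadmin)", "imaged drive",
                 "preserve state before taking host offline",
                 "dd through hardware write blocker", "HOST01-SDA", image,
                 datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc))
    append_entry(log, "j.doe (sysadmin)", "verified image hash",
                 "confirm copy matches original before analysis",
                 "sha256sum", "HOST01-SDA", image,
                 datetime(2024, 3, 1, 14, 40, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    print(json.dumps(custody, indent=1))
    print("chain intact:", verify_log(custody))
```

The chain only proves that nobody altered a record after the fact without detection; it is not a signature and not a trusted time stamp. To get those, record the latest entry_hash somewhere the investigator cannot change unilaterally (a signed printout, a second custodian, or a timestamping service), which is the "signatures and digital time stamps" step described above.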
Forensic Tools & Intrusion Detection
What should be in an electronic forensic tool kit? Again, this will vary from network to network, but some general suggestions include:
- Hard drive partitioning tools. PartitionMagic, for example, will boot practically any PC from its own floppy and can identify and display almost any operating system's file partitions. Use such tools only to read the partition layout of evidence media; anything capable of writing to the disk should never be run against an original drive.
- File viewers. These are faster and more convenient than tracking down the appropriate application, a single viewer can cross application and even OS boundaries, and they do not alter the contents of the files they open. Opening a Word file in a viewer usually changes nothing, for instance, whereas opening it in Word can update the modification date and other Properties-style metadata and leave temporary files beside it. Note that even a viewer will update the file's last-access time on a writable file system, so work from a write-blocked drive or a mounted copy of the image, never the live evidence.
- CD-R and ZIP disc utilities. Reading and writing these discs is often the job of specialized software, which must be in your tool kit for full access to evidence stored on them.
- Unerase and system recovery utilities. Norton is the most popular vendor of such tools for Windows environments, and tools exist for other operating systems as well. Hard drive imaging tools belong in this category too: image the original drive once, verify the image against the original with a cryptographic hash, and do all recovery and analysis work on copies of that image.
- Resource snapshot utilities. Fcheck is a file integrity checker usually deployed as part of intrusion detection on Unix hosts. Run standalone, however, it lets administrators take snapshots of directories or file systems and use those snapshots as baselines for later comparison, showing what has changed and whether it reflects legitimate use or tampering. The baseline is only as trustworthy as the state it was taken from and the place it is kept, so take it from a known-good system and store it on read-only media off the host.
- Text searching utilities. A number of applications, dtSearch for example, are designed to search large volumes of text (documents, presentations, data stores, email stores and so on) for key words and phrases.
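The snapshot-and-compare idea behind the resource snapshot utilities above, as an added example in Python that is not Fcheck's code or any code from the original article: every file and symlink under a root is fingerprinted (mode, size, mtime, owner, and a SHA-256 of regular-file contents), the baseline is saved as JSON, and a later snapshot is diffed against it. The demo builds a constructed sample tree in a temporary directory and simulates an intruder who swaps a binary for a same-size replacement and resets its timestamps, which size and mtime checks alone would miss.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Metadata plus SHA-256 of contents for regular files. lstat is used so
    symlinks are recorded as links rather than followed."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
           "mtime": int(st.st_mtime), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def snapshot(root: Path) -> dict:
    """Fingerprint every file and symlink under root, keyed by relative path.
    Directories themselves are not recorded."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return snap


def save_snapshot(snap: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snap, sort_keys=True, indent=1))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed or changed. A changed path maps to
    {field: (baseline_value, current_value)} for each differing field."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then simulate an intruder who
    replaces a binary with a same-size version and resets its mtime, deletes
    one file and drops another. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b"\x7fELF" + b"\x00" * 60)  # stand-in for a binary
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")

        baseline_file = Path(store) / "baseline.json"  # kept outside the tree
        save_snapshot(snapshot(root), baseline_file)

        # Tampering: same size, new content, timestamps restored afterwards.
        st = ls.lstat()
        ls.write_bytes(b"\x7fELF" + b"\x90" * 60)
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "etc" / "motd").unlink()
        (root / "etc" / "shadow.bak").write_text("root:*:0:0:99999:7:::\n")

        return compare(load_snapshot(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the demo the replaced binary shows up with only its sha256 field differing, which is exactly the case a metadata-only check would report as clean. As with any such tool, the baseline file and the checker itself must live somewhere the compromised host cannot alter them.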