Developing a Response Plan for Computer Forensics
In this conclusion of a two-part article, Oliver Rist covers what you need to know to develop a forensic-based response plan, evidence handling and documentation, and forensic tools and intrusion detection.
Similar to a disaster recovery plan, a criminal response plan simply documents general procedures in case of a criminal incident involving corporate IT resources. In fact, many cyber-crime response plans are actually a part of an overall company disaster recovery plan. The primary objective here is to institute a set of procedures that will effectively:
- Determine the nature of the crime
- Determine the number and location of affected resources
- Determine the extent of damage to corporate resources, customers and partners
- Isolate affected resources from the production network
- Identify and isolate affected users from the network
- Document all processes and evidence for law enforcement officials
Determining the nature of a crime, even if it is IT-related, cannot always be the sole responsibility of the network and systems admin staff. An electronic embezzling scheme, for instance, will probably need to be identified by the financial staff. As such, while network admins may write most of a cyber-crime response plan, they will need to involve other department heads in this process as well. Further, systems and processes will need to be in place to help make that determination.
Again using a Windows 2000 network scenario, this could mean using a central file viewer (see next page), intrusion detection software, central encryption authority, and detailed knowledge of the Windows Registry. But these are just the tools. What will determine whether a criminal act has taken place can be summed up in a single word: "Documentation." Network administrators now more than ever need to effectively document the fair use and state of their networks. What should be running, where, how long, accessed by whom and why?
Such a benchmark is critical in determining criminal behavior, especially when an internal criminal is making illicit use of corporate resources or accessing data he or she shouldn't. All the investigative tools and procedures in the world are useless unless network administrators are fully aware of what should and should not be going on within the network environment. And if you think not knowing this information down to the last detail is embarrassing when a senior manager is looking over your shoulder, just wait until it's an FBI investigator or, worse, a defense attorney during cross examination.
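One minimal form of that benchmark is the documentation expressed as data, plus a check that lists every deviation an investigator would later have to explain. This is an added example, not code from the article; the host names, services, user accounts and the documented service window are constructed sample values.

```python
"""Compare a documented network baseline against an observed snapshot."""
from dataclasses import dataclass


@dataclass
class HostBaseline:
    services: set          # services that should be running on the host
    allowed_users: set     # accounts documented as users of this host
    hours: tuple = (0, 24) # documented access window as (start, end) hour


# Constructed baseline: what the administrator documented before any incident.
BASELINE = {
    "fs01": HostBaseline({"smb", "rpc"}, {"finance", "backupsvc"}, (6, 20)),
    "web01": HostBaseline({"http", "https"}, {"webadmin"}),
}

# Constructed snapshot: what monitoring tools observed on a given day.
OBSERVED = {
    "fs01": {"services": {"smb", "rpc", "ftp"},
             "logons": [("finance", 9), ("finance", 22), ("jdoe", 2)]},
    "web01": {"services": {"https"}, "logons": [("webadmin", 14)]},
    "lab07": {"services": {"ssh"}, "logons": [("jdoe", 3)]},
}


def deviations(baseline, observed):
    """Return a sorted list of (host, kind, detail) findings."""
    findings = []
    for host, obs in observed.items():
        base = baseline.get(host)
        if base is None:
            # A host nobody documented is itself a finding.
            findings.append((host, "undocumented-host", "no baseline entry"))
            continue
        for svc in sorted(obs["services"] - base.services):
            findings.append((host, "unexpected-service", svc))
        for svc in sorted(base.services - obs["services"]):
            findings.append((host, "missing-service", svc))
        start, end = base.hours
        for user, hour in obs["logons"]:
            if user not in base.allowed_users:
                findings.append((host, "unexpected-user", user))
            elif not start <= hour < end:
                findings.append((host, "off-hours-access", f"{user}@{hour:02d}:00"))
    return sorted(findings)


if __name__ == "__main__":
    for host, kind, detail in deviations(BASELINE, OBSERVED):
        print(f"{host:6} {kind:20} {detail}")
```

Each finding is something the documented baseline says should not be happening, which is exactly the question an investigator or opposing counsel will ask the administrator to answer.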
With such information, however, it should be relatively simple not only to figure out whether a crime has been committed but also what resources have been affected and possibly even who was responsible. This is great news for both network admins and law enforcement officials, but here is where the two begin to diverge. Law enforcement is aimed strictly at catching the criminal and prosecuting the case. If that means impounding evidence immediately, so be it. Network administrators need to be concerned with keeping the network up and running. Losing a workstation is no big deal; losing an important server, sensitive or essential corporate data or similar resources, however, is.
Once you've determined steps 1, 2 and 3, steps 4 and 5 must revolve not only around law enforcement's requirements but also corporate requirements. Network administrators will need to sit down with corporate counsel and senior management to determine the best procedures for tracking cyber-criminals; determining corporate damage and exposure; informing customers, clients and partners; and maintaining network up-time while still isolating damaged or criminally affected resources and users for investigative purposes.
The exact steps will differ for every company, but the goal will always be to give law enforcement all the tools they need to properly handle an investigation, while simultaneously protecting your network, your company and your customers or partners. Often this means additional back-up resources. On the software side, this can mean additional data stores and backup application resources. On the hardware side, it means even more uses for mirrored hardware resources even if they're just sitting in a store room waiting for a rainy day.