The 411 on Digital Forensics

By Jacqueline Emigh | Feb 6, 2003
http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_1580311_2/The-411-on-Digital-Forensics.htm

"Forensics" -- Few Companies Agree on What It Means

"Digital Forensics." When you see that phrase, who (or what) springs to mind? Sherlock Holmes' reincarnation in cyberspace? The latest advancements in network troubleshooting, perhaps? More and more products now claim to help out with digital forensics. These products, though, can vary drastically in capabilities, experts say.

In the traditional sense of the word, digital forensics tools are used to help gather legal evidence after a network attack or similar incident has already happened, maintains John Pescatore, an analyst at IDC.

Speaking of Sherlock Holmes, Scotland Yard's Computer Crime Unit has now started using Guidance Software's EnCase Forensic Edition to glean evidence for submission to UK courts. AccessData is another company selling products in the investigatory forensics space.

Getting Sexy with Digital Security

"This is the sexy part of the computer security world," Pescatore said. "These products help to tell what occurred, what resources were affected, and who initiated an incident, in a manner that will support a legal action."

Increasingly, though, other types of diagnosis and security response products are also getting tagged with the "forensics" moniker, either intentionally or not. One kind of product is geared to administrators who are "drowning in alerts," Pescatore noted.

"These are really just tools to reduce the amount of data you're getting. They pull info from IDS (intrusion detection system) logs, server logs, and multivendor firewalls," according to the analyst.

A few vendors with products in this general category include netForensics, OpenService, Intellitactics, and GuardedNet.

Guidance's software and similar data filtering products might help you catch computer wrongdoers, but data filtering tools aren't intended to produce legally convincing evidence. On the other hand, information about incursions typically becomes available much more quickly -- possibly while there's still time left to thwart an attack.

"We can filter out a lot of the unimportant data. Then, after an attack, administrators can do a full log analysis," said Phil Hollows, VP of product marketing for OpenService.

"We let operators see what's happening in their environments across multiple devices -- in as near as real time as possible," according to Bill Oliphant, product manager at netForensics.

"If somebody has deleted a hard drive or downloaded something pornographic, we can reconstruct the incident. If a virus enters the network, we can recognize the propagation path," he added. The netForensics product also comes with over 100 canned reports, letting administrators drill down into information by device type, for instance.

netForensics

Hugh McArthur, information systems security officer at Online Resources Corp. (ORC), said netForensics has met most of his company's expectations.

"About a year ago, we were looking for something that would consolidate information from IDS, firewalls, and logs, and that would also do realtime monitoring and alerting. Everyone's complaining that when you use IDS, you get too much data. We'd been manually correlating information from independent resources like Network Flight Recorder and Snort," according to McArthur.

ORC decided on netForensics after looking at several competing products. The company is running netForensics' engine and database on Linux. The netForensics agents, though, are distributed across a mainly Windows environment.

"netForensics seemed to have the most compatible agents for our environment. As with anything, though, it takes a little tuning. We had some training with netForensics, and the learning curve was less than a week," McArthur recalled.

Charles Watson, another netForensics user, has actually detected an incursion through use of the product. "The biggest benefit to netForensics is that you get a single view. You don't need to keep looking at multiple tools. It's also flexible. You can also filter it down to whatever you want. I can decide not to look at ICMP traffic, for instance, because ICMP comes only from me," said Watson, who is data network supervisor at Cellular South.

"The very first day I had netForensics, I noticed that some ports had been left open. An individual was using these ports, and he shouldn't have been."
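As an added illustration (not code from the article or from any vendor it mentions), here is the kind of consolidation and filtering McArthur and Watson describe, reduced to its essentials: two constructed log feeds, one Snort-style and one firewall-style, are normalized into a single record type, ICMP from the administrator's own host is filtered out, and accepted traffic to ports not on an approved list is flagged. The hosts, ports and log lines are all constructed for this example.

```python
# Added example (not code from the article or any vendor): a minimal "single view"
# over IDS and firewall logs. Log lines and the admin host 10.0.0.5 are constructed.
import re
from dataclasses import dataclass

# Constructed samples: Snort-style fast alerts and iptables-style firewall entries.
SNORT_LOG = """\
02/06-09:14:02.113 [**] [1:2003:4] ICMP PING NMAP [**] {ICMP} 10.0.0.5 -> 10.0.0.20
02/06-09:15:40.002 [**] [1:1421:11] SNMP public access udp [**] {UDP} 172.16.4.9:40123 -> 10.0.0.20:161
"""
FIREWALL_LOG = """\
Feb  6 09:14:03 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=ICMP TYPE=8
Feb  6 09:16:11 fw kernel: ACCEPT IN=eth0 SRC=172.16.4.9 DST=10.0.0.20 PROTO=TCP DPT=8080
Feb  6 09:16:12 fw kernel: ACCEPT IN=eth0 SRC=172.16.4.9 DST=10.0.0.20 PROTO=TCP DPT=443
"""

@dataclass(frozen=True)
class Event:
    source: str            # which feed the record came from
    proto: str
    src: str
    dst: str
    dport: "int | None"
    note: str              # IDS message or firewall action

SNORT_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?")
FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
                   r"PROTO=(?P<proto>\w+)(?: .*DPT=(?P<dport>\d+))?")

def normalize(snort_text, fw_text):
    """Parse both feeds into one list of Event records: the consolidated view."""
    events = []
    for feed, regex, text in (("snort", SNORT_RE, snort_text), ("firewall", FW_RE, fw_text)):
        for line in text.splitlines():
            m = regex.search(line)
            if m:
                note = m["msg"] if feed == "snort" else m["action"]
                dport = int(m["dport"]) if m["dport"] else None
                events.append(Event(feed, m["proto"], m["src"], m["dst"], dport, note))
    return events

def triage(events, admin_host, approved_ports):
    """Drop ICMP originating from the administrator's own host (the filter the
    Cellular South user describes) and flag accepted traffic to unapproved ports."""
    kept = [e for e in events if not (e.proto == "ICMP" and e.src == admin_host)]
    flagged = [e for e in kept if e.source == "firewall" and e.dport is not None
               and e.dport not in approved_ports]
    return kept, flagged
```

Running `triage(normalize(SNORT_LOG, FIREWALL_LOG), "10.0.0.5", {443, 161})` drops both ICMP records from the admin host and leaves a single flagged event, the accepted connection to port 8080.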

"Security Dashboards" and Threat Scoring

Yet another group of products -- also sometimes labeled as "forensic" -- deals with vulnerability threat analysis and/or risk assessment. "These are security dashboards," Pescatore said. "Are we 'OK' or 'not OK?' Are we meeting our security policies?"

Vendors moving into this territory include RealSecure, IBM Tivoli, Computer Associates, Internet Security Systems (ISS), and Symantec with its NetRecon product.

Industry convergence in the software tools market has further muddied the waters. OpenService and netForensics are a couple of vendors now straddling the line between data filtering and threat analysis/risk assessment.

"We do threat scoring already, too," said netForensics' Oliphant. "In the future, we're going to do more with risk assessment, letting companies understand the risks and prioritize more quickly."

In January, OpenService launched a product called Security Threat Manager Suite, which integrates its earlier SystemWatch and NerveCenter software.

OpenService's new suite also adds "new threat and forensic reporting, [as well as] new management and risk assessment Web interfaces," according to Hollows.

Guidance Software, too, has been extending its reach. The new "enterprise" version of EnCase runs on distributed systems. "In the past, when companies conducted forensic investigations, someone from 'legal' usually needed to go directly to the location to see what had been compromised. This was expensive, given air travel costs and lost productivity time," according to Robert Shields, a director at Guidance Software.

EnCase Enterprise Edition consists of three main components: a "safe" server for authentication and encryption, servlet software, and a GUI-based "examiner" client interface. "There are various permissions and roles -- so you can control who has access to what files," said Shields.

Guidance claims about 30 current customers for its enterprise product, most of them in the Fortune 50. Ernst & Young has also integrated the technology into its lineup.

Some of Guidance's enterprise customers are using the product to help protect against "hostile workplace" types of lawsuits -- to prove, perhaps, that an accuser willingly downloaded porn from the Internet, rather than receiving the porn involuntarily through e-mail.

Lack of Expertise and Training Limits Widespread Use

Some analysts, though, hardly see a huge market yet for investigatory forensics tools within the enterprise. For one thing, these types of products are almost impossible to use effectively without proper training. Instead, many companies interested in pursuing an incident still tend to work with consultants, often bringing in outside law enforcement agencies, too.

"(Investigatory) forensics products are becoming easier to use, with graphical displays. We do see some of the larger companies making investments in them. But most companies don't use these kinds of products enough to 'stay expert' with them. Also, 'non-expert' network managers are very unlikely to be asked to use these tools. You need a lot of skills to be able to preserve evidence," according to Pescatore.

Many, but not all, of the forensics experts at enterprises are former law enforcement officers, as opposed to computer security wizards or network administrators, according to Shields. "Some of the law enforcement people aren't that computer literate."

Training in investigative forensics is available through vendors and consultancies. Many observers, though, note a dearth of university-level programs. For people interested in expanding their skill sets, NTI is now holding a series of three-day forensics courses in Gresham, Oregon.

Grads get three credit hours, plus a professional certificate of completion from Oregon State University. Elsewhere, a company called CompuForensics is running courses through accredited colleges and universities in Pennsylvania, Ohio, Tennessee, and Texas.
