Cyber Forensics … Still a Way to Go

Governments, academia and high-tech companies are all well aware that, with cyber-crime on the increase, cyber investigations similar to those carried out by real-life CSI scientists are becoming more important. What kind of investigations will a cyber-forensics team carry out? For instance, they will want to have the capabilities to trace back network connections, analyze file systems to determine what has been changed, match users against actions taken, determine what specific bits of software – for example viruses – do, determine the modus operandi of intruders and match digital images against their sources.
“When systems are abused or something goes wrong, we need to find out what happened, how it happened, and – if possible – why it happened and who caused it,” said Purdue University’s Professor Eugene Spafford. Gartner’s research director, information security and risk, Rich Mogull stated that cyber forensics is definitely an area of growing interest globally. “On the criminal side computer forensics is playing a very large role in some very big cases,” he claimed. “On the corporate side it’s cropping up in lawsuits and government investigations, like Enron.” Mogull’s associate, Gartner analyst Jay Heiser, pointed to two high-profile child pornography busts, ‘Wonderland’ and ‘Blue Orchid’, as cyber forensics success stories.
Seven British members of a global child pornography ring named Wonderland were among more than 100 men arrested in raids across three continents in the police operation. In the Blue Orchid case, roughly 100,000 websites worldwide were thought to be involved in some way with child pornography, according to police estimates. The US customs officials say they helped Moscow police dismantle the ring operating over the Internet after a lengthy digital investigation. The officials posed as customers to pursue the trail back to the pornographers.
So far cyber forensics has been best understood to be a discipline belonging to the Law Enforcement community. For example, most academic research and commercial tool development in this field have focused on assisting the police investigator in a post facto evidence-gathering process to meet the perceived minimal evidentiary requirements.

A discipline in its infancy

Cyber forensics, while established as both an art and a science, is in its infancy. New techniques and procedures are designed to provide infosecurity professionals with a better means of finding electronic evidence, collecting it, preserving it and presenting it for potential use in the prosecution of cyber criminals. While the ongoing evolution of technology has compelled business and the critical infrastructure to become increasingly dependent on the Internet, criminals have followed the same course, expanding their illicit activities to the virtual world.
Police and prosecutors are depending more and more on digital evidence, as hard drives, Internet files and emails play an increasingly significant role in trials. Computers, for example, were among the items authorities in California seized during their search of Michael Jackson’s Neverland Ranch. There are a number of companies in the private sector offering cyber forensics software and services.

Offerings from the private sector…

For instance, Guidance Software’s EnCase software helped local authorities in Missouri close in on a stolen baby and make an arrest. EnCase Enterprise software for computer investigators and information security professionals has been designed for those who need to investigate computer breaches and other incidents. The forensics system provides immediate and thorough forensic analysis of volatile and static data on compromised servers and workstations anywhere on the network. According to the company, without EnCase Enterprise Edition, organizations must resort to cumbersome and insufficient manual processes using stand-alone utilities that extend the response and investigation process by several days if not weeks. Guidance Software authorities emphasized that the July 2004 terror threats against the US and the Martha Stewart and SEC fraud investigations are among the nation’s most prominent stories, all of which revolved around electronic evidence found on computers.
Martha Stewart, founder of Martha Stewart Living Omnimedia, which includes magazines and a homemaking television show, was investigated for insider trading when she sold shares of stock in the drug company ImClone Systems just before news was released that the US Food and Drug Administration was rejecting the company’s application to market a colon cancer drug. Part of the investigation revolved around the examination of a phone message log maintained on a computer by her assistant. It is believed that deleted messages from around the time of the sale of the stock were found.
Taking a slightly different approach, Cyber Forensics, a provider of expert forensic investigation services, traces its origins to work carried out for senior police authorities during the 1980s. Cyber Forensics defines itself as experts in finding evidence as well as experts in deleting evidence from a system permanently. The company has worked on murder, fraud, blackmail and Internet pornography cases as well as in areas of intellectual property theft. According to Cyber Forensics, sometimes the company finds evidence for or against an alibi, sometimes for or against a motive, and in one instance the company was asked to check the integrity of an alleged suicide note. Cyber Forensics has also trained more than 1,000 investigators throughout the world on sound forensic principles, such as how to collect, analyze and present evidence to a court of law.

…and research in academia

In academia, Purdue University’s Center for Education and Research in Information Assurance and Security recently produced a study on the state of the science of computer forensics. The study found that forensic investigative procedures at present were still constructed in an informal manner that could impede the effectiveness or integrity of the investigation. Unfortunately, the study pointed out, the informal nature of the procedures could prevent verification of the evidence collected and might diminish the value of the evidence in legal proceedings.
Kate Seigfried, author of the study, commented: “Both the law enforcement community and the private sector/academia are concerned with the lack of a standardized or even a consensus approach to training forensic practitioners.” According to Seigfried, what is less obvious is a consensus approach to tackling the identified issues and needs. “A framework needs to be developed which includes input from the private sector, public sector, law enforcement and research community,” she urged. “Attention can then be focused on using the technology to gather information on potential targets/victims or targeting the technology and the underlying infrastructure itself.” The study noted that the recent CSI/FBI Computer Crime Survey estimated that the cost to US businesses in 2003 was about $200 million.
Purdue’s Spafford is also worried about the ad hoc nature of cyber forensics today. “I am concerned that we develop a more scientific and rigorous approach so that we may have confidence in the results,” he stressed. “It is unfortunate if we are unable to prosecute a criminal because we are unsure of our analysis; it is a greater tragedy if we wrongly accuse an innocent person of malfeasance because we have not appropriately gathered and analyzed the evidence.”

Formalizing the process of evidence gathering

Spafford wants to answer two key questions:

  • How do we formalize the process of cyber forensic evidence gathering and analysis using an appropriate and rigorous scientific method?
  • How do we augment information systems so as to produce better audit and evidentiary trails while at the same time not exposing them to additional compromise?

Seigfried has another concern. She sees computer forensics at a crossroads in its journey to become a recognized scientific discipline. “The continued lack of a professional certification, investigative standards and peer reviewed method, may ultimately result in cyber forensics being relegated to a ‘junk science,’ as opposed to a recognized scientific discipline,” she said.
Like several governments around the world, the US Government has recognized to some extent the value of the science and has established the National Cyber-Forensics & Training Alliance (NCFTA) as a partnership between the public and private sectors to try to train people to work in the field. NCFTA, which includes the FBI, the National White Collar Crime Center, Carnegie Mellon, Microsoft, Cisco Systems, KPMG, RAND, Lucent Technologies, Mellon Financial, IBM, AT&T, Seagate and others, recognizes the problem, but so far the funds to fix it have not been substantial.
The Alliance is working to change that.

Barbara Gengler