How to be a digital detective

What every network manager should know about computer forensics

It could be an insider suspected of a security breach. It could be a case of sexually harassing phone calls and e-mails. It could be an employee violating company rules on visiting gambling or porn sites.

The bad news is that most of these are stand-alone systems. Camera systems don’t know about network firewalls, which are separate from printer logs, which are separate from PBX-based phone records, which are separate from cell phone records.

While many of these systems keep detailed internal logs with time and date stamps, the logs are often only stored for a week or two, which means a forensic investigation needs to happen fast.

One of the most difficult parts of pulling together information is getting permission from the process or content owners. Frequently, it requires a quick trip to different corporate groups, including the security desk, the PBX administrator, network administrators, administrative services group and the employee’s supervisor.

The search can get bogged down by organization bureaucracy, so it’s important to have a policy in place that spells out what to do in case of an incident.


So, what should those policies and procedures be?

1. Have an action plan.

Ideally, IT managers should have actively developed a checklist of corporate systems, log information, duration of active logs and the person who controls access to the system.

2. Don’t contaminate the crime scene.

Keep it clean

An external computer forensic expert might be called in, particularly if the incident is expected to result in some type of court action. Often, someone on the IT staff becomes a first responder and needs to be trained on what to touch and what to turn off.

“Unless you have the right tools, it’s important not to touch the PC," says Karen Stein-Ferguson, an attorney and certified computer examiner in Franklin, Ind. "Even copying a file will change some of its attributes.”

She says it’s best to keep all equipment turned off until the forensics examiner arrives. Evidence can be easily contaminated, such as a file’s “last accessed” timestamp, which changes by simply opening or copying a file.

A forensic image of a disk should be created if there is a need to look at computer data before a forensics professional arrives. This type of duplication captures an image of the disk with all files including original timestamps and hidden files, which can be viewed instead of the original disk.

Case closed

Recent cases show the importance of computer forensics

In a recent wrongful-termination suit, the company prevailed and avoided unemployment fees for a terminated employee. The employee had poor work skills and a ravenous appetite for porn. The company traced his e-mail and phone records showing he frequently ignored his assignments. When given an assignment, the employee often did nothing.

A timeline showed that he did not e-mail, phone, print documents or even send snail mail to anyone about the assignment. Instead, he spent work time sending e-mail jokes to personal friends. Phone records showed only conversations with personal acquaintances. Even the printer log showed no records of printing anything about his assignment, only that he printed personal pictures (such as, my_son_7birthday.jpg).

The timeline was enough to convince the state that the firing was justified.

In another case, a claim of sexual harassment threatened a manager’s position. He was accused of sending sexually explicit e-mails and was completely surprised when he was presented with copies. He denied writing them and a computer forensics professional was called in to investigate.

The answer was found in the header record of the suspect e-mails. The accuser sent the e-mails to herself, using a third party e-mail service where she falsified the name record. Because most e-mail systems don’t automatically display the header record, the e-mails looked authentic to everyone, except the forensic professional.

3. Take physical possession of the equipment.

Hands on!

The PC or laptop of the employee suspected of wrongdoing should be taken off-line immediately. Some terminated employees will ask for permission to remove personal items from the computer; if access is granted, they should be watched carefully during the time spent on the PC.

4. Secure server logs.

Once the PCs are confiscated, it is important to look carefully at systems that might have been used. Then run -- don’t walk -- to all servers that maintain logs.

5. Get phone logs.

Business PBX or telephone systems can provide detail such as call records, date, time, duration and caller ID information. Systems track call transfers and whether the call was incoming or outgoing. Because organizations usually don't store these records very long -- sometimes only a week or two -- it’s best to get them immediately.

6. Get cell phone records.

Logs from company-provided cell phones are another place to look. If the company is paying for the cell phone, it probably has access to the phone itself or use logs. The amount of data a device holds varies by model, so get to these records early.

The National Institute of Standards and Technology offers a set of draft forensics standards for cell phones. It advises turning off a cell phone and putting it in a static-free bag. Some also recommend putting the phone into a second radio frequency isolation bag to attenuate a device’s radio signal. Be sure to tag the phone and record when and where it was confiscated to start the chain of custody.

On the other hand, smart phones should be left on and powered up so no data gets lost. The best way to do so is to use a bag with a small slit so the charger can be plugged in. Tag the bag and put the phone into an RF isolation bag.

Keep in mind that the cell phone itself carries complete logging information. It may also contain GPS or other location tracking information. The phone timestamps each time it moves from one cell area to another.

7. Handle PDAs with care.

Take it easy now

Like cell phones, PDAs store many time and date records, and the amount of information varies by product. Security measures are built into some PDAs. For example, the BlackBerry follows policies initiated at setup. By default, after three failed logon attempts, users are sent warning messages. Depending on configuration, after three to 10 failed logon attempts, the phone deletes all data and shuts down.

Palm operating system devices running third-party software InfoSafe Plus also can be configured to destroy data after a series of failed logon attempts. PDAs have volatile memory and no disk, so a user could booby trap the device with key remapping software. If the wrong keys are tapped, it could trigger the phone to delete data or run a program to scramble information.

PDAs that are frequently synced with a PC may store a complete copy of its data on the PC. It is important to check the host PC to determine if a recent copy of the PDA data exists.

8. Confiscate portable storage devices

Flash ram products, Secure Digital cards, USB storage keys and external drives should be confiscated. Generally, these items can be inspected with standard PC forensic tools that inspect hard drives. It is important, as with hard drives, to make a bit-for-bit image of the portable storage device.

Some USB flash drives come with additional capabilities, such as a wireless interface. ZyXel’s AG-225H, for example, is a three-in-one product with an USB Wi-Fi Finder, Wi-Fi adapter (with 802.11a-b-g) and an access point that will share an Internet connection.

9. Check printer logs.

Track those logs

Network printers also are tattletales that keep detailed logs of who printed what file. They time and date stamp every action and some even measure how much toner was used on each print job.

Color laser hard copy may also carry a unique identification tag. Several years ago, federal agents grew concerned about the increased resolution of color printers and wanted to do something to prevent people from counterfeiting money. The project was called the machine identification code and several large printer makers such as Xerox and Canon placed a digital fingerprint on each printed page.

In 2005 people at the Electronic Frontier Foundation cracked the code on Xerox printers. They published the secret code, which can still be found on its Web site. After a flurry of comments from the public and press, both positive and negative, the issue has fallen off the map, though the EFF believes many printers are still marking each page.

10. Check card key logs

If your organization uses badges or card keys to access garages or doors, check the logs. This information will tell you when someone entered, but not necessarily when they exited. Still, it is powerful information to build the timeline.

Overall, there are many places to look to find seeds of evidence. The best policy is to create a plan that lists the type of equipment with recoverable information used in the organization. If an asset inventory exists, it should give the product names and models.

Make sure the plan includes the names and locations of content owners so that information from their systems can be secured quickly. This plan takes only eight to 12 hours of research and writing. It’s a small price to pay for being at the ready.

Cheryl Currid is president of Currid & Co., a Houston technology research and consulting firm. (She lives in a house with more than 20 security cameras that record to several DVRs, so don’t throw trash in her front yard.)

Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022