Monday, July 18, 2016

Tools in Wide Distribution Computer Forensics in Taiwan


Back in the days when computers were largely standalone machines, each unit was self-contained and did not pose much of a threat. Similarly in politics, when scattered disgruntled tribal groups are kept in isolation, they pose little threat to a dominating foreign government. But once the internet became available to computer users around the world, it was as if all the little tribal groups had been united under one umbrella, and the potential threat became much greater: the disgruntled groups can now pool resources and recruit an army to overthrow the foreign government. The government reacts by imposing more security measures and bringing in more knights and better artillery to maintain order. In the same way, cyber criminals now have access to the whole world and can communicate with other criminals across the globe to conspire against a given institution for whatever purpose. The internet security community then imposes more security measures, such as secure network configurations (a DMZ), honey-pots (traps or bait for the unsuspecting cyber-criminal), or more secure software, so that cyber attacks are mitigated. These measures, taken by governments and the security community alike, are preventive at best. What happens when this line of defense is breached? One can take all the vitamin C one likes to avoid catching a cold, but what happens on the day a cold is caught? One goes to the doctor and gets antibiotics and cold medicine to combat the virus; the government brings in more troops to combat the rebellion. But what of the internet world? That is where computer forensics comes in: to treat and fix the hole and bring the culprit to justice. So where software security brings prevention, computer forensics, or incident response, provides the treatment. What exactly is computer forensics?
It is a toolbox of science: tools and methodologies to recover passwords and deleted data, to analyze network traffic and logon/logoff times, and to snoop and sniff out, as undercover agents do, the rotten apples in the barrel. Depending on the incident, a case may be legal, political, business, or technically oriented, which shows how much a computer means in people's lives nowadays. Computer forensics teams (also known as incident response teams) are popping up around the world because the global nature of the internet makes it much harder for local law authorities to oversee and prosecute local crimes executed remotely from outside the country. These issues are addressed briefly here as well. The ethics of computer forensic science can be traced to the ethics of private investigators and law enforcement institutions; much can be debated on a case-by-case basis, but there is an overall sense of ethics that encompasses all the little injustices found in each case.


The Basics


Incident response methodology consists of seven components: pre-incident preparation, detection of incidents, initial response, formulating a response strategy, investigating the incident, reporting, and finally, resolution.1


Pre-incident preparation means taking actions to prepare the organization and the CERT (computer emergency response team) before an incident occurs; the CERT can be either in-house or outsourced.1 With the tools in hand, the next requirement is the ability to detect an incident. Detection involves both knowledge of known attacks and the nose to sniff out unauthorized, unacceptable, or unlawful events. This stage is the most critical and the one over which computer forensics experts have the least control.11 Once an incident is detected, the investigators perform an initial response, recording the basic details: interviewing system administrators, business personnel and other relevant people, understanding the topology of the environment, recording any logs and data related to the incident, assembling a team with expertise appropriate to the nature of the incident, and notifying the people who need to know about it.12 The assembled team then formulates a response strategy based on the findings of the initial response, obtains approval from the authority, and determines what civil, criminal, administrative, or other action to take.13 This stage determines the severity of the incident by asking: how critical are the affected systems? What is the apparent skill of the attacker? Who might the perpetrator be? And last but not least, what is the overall dollar and productivity loss?14 Much like a business proposal, one determines the ROI of the venture before investing further resources and manpower in the incident, quite an interesting approach given that it is driven by capital rather than morality.


Once the general direction is set, the investigation (scaled to the severity of the incident) begins. The five W's of the incident, who, what, when, where, and why, are determined here. Investigators collect evidence from the pertinent hosts, networks and social environment via traditional and non-traditional means.15 "No matter how you conduct your investigation, you are responding to an incident caused by people. People cause these incidents using things to destroy, steal, access, hide, attack, and hurt other things. As with any investigation, the key is to determine which things were harmed by which people."16 The two processes in this step are data collection and forensic analysis. Pertinent data from the host may include any logs, deleted or backed-up records, and the state of the host itself: the system date and time, the applications running, the current network connections and open sockets, and the state of the network interface (promiscuous or not). From the network, logs from web servers, routers, firewalls, authentication servers, monitoring mechanisms, and nonconsensual wiretaps should all be frozen in time. All collected data has to be handled in a forensically sound manner, meaning that the integrity of the data is protected and that more data than needed is collected.17 Duplicating a whole hard drive is very common, which means non-pertinent information may be collected as well if the computer at hand is shared with other members of the household. Would it be ethical for the investigators to poke into diaries, financial statements, personal memos, and IRS returns belonging to the other members, justified by "better safe than sorry" in the search for relevant evidence? These people's privacy rights are being violated without their knowledge. It is for the common good that these proceedings take place, one would argue.
The other users surrendered their rights when one user of the same hard drive was accused; but what if the hard drive came from an internet cafe? Bottom line, the authorities can trump individual rights when a violation is "suspected"; therefore not everyone has equal rights, and there is a greater entity that trumps all individual ones, namely the rights of everyone else. Sadly, this tug of war between individual rights and the authorities still exists today and will always remain, because they are weights on the same scale; there is always a balance. Consequently the best compromise, as we have seen in the U.S. legislative branch, is that the law is judged case by case. Armed with the collected data, investigators proceed to forensic analysis, where all potential evidence is diced and examined. For example, a list of all the files created, deleted, modified, and printed will be available, most of it anyway. In addition, any email sent, sites browsed, logs deleted, and known techniques for hiding data (e.g. in allocated space on the hard drive not visible to the operating system) will all be exposed if they were used. The hole that is found is then plugged; however, the culprit may not be pursued, depending on the monetary value of the loss, because anonymity in cyberspace via encryption, spoofed IP addresses, fake email accounts, and anonymous logins makes it expensive to track down the "wolf". Is it ethical to let the bad guys go free because it costs this company too much to track them down? That is detrimental to the greater good of the internet community, not to mention the dollars lost as a whole. However, one can argue the other way: is it fair for one company to bear the costs while the others benefit? It would be both utilitarian and ethically fair.
The old saying "what goes around comes around" lends a positive note to this argument, since a company will eventually benefit from other companies' benevolence, as they once did from this company's. Unfortunately this optimism is not prevalent, because it is invisible to most people in the capitalist mind-set: "I really don't see the dollars to support this fact".


With all the findings in hand, the investigators need to file reports on their work. Reporting is partly an ongoing process: whenever a step is performed or a finding is discovered, it is to be documented then and there, not much later, since investigators are human too and humans tend to forget things. The reports have to describe the details of the investigation accurately. Most importantly, they have to be in a language the decision makers can understand and be able to withstand legal scrutiny.18 Finally there is a conclusion, a resolution of the incident: more (preventive) security measures are put in place, along with a new security policy.


Tools of the trade


There are many tools a forensic expert will use, depending on the system they are working on. In general there are more tools for Unix/Linux environments than for Windows. The most basic is hard drive duplication, and there are two kinds of duplication mechanisms: one implemented in hardware, the other in software. The hardware implementation essentially links the two hard drives together and copies the information between them bit by bit in raw format. Some of the software disk duplication tools I have used are Safeback6 for Windows and dd6 for UNIX. Safeback is a DOS-driven program that executes at computer startup, since raw data is easily captured in DOS. The image is stored somewhere else on the system; it can be on the same or a different drive (preferably a different one). dd, on the other hand, comes with any Unix system and does not need to be installed; this command makes a raw bit-for-bit copy of the drive at hand.


The next most important tools are checksum tools, and they matter for two reasons. First, they can be used to validate that the tools a forensic expert brings to an incident site have not been compromised before use; otherwise all the data collected with that tool set will be invalidated and dismissed. Second, checksum tools can be used to validate the collected data when it is transported from one site to another, enforcing the validity and integrity of the collected data. Checksum tools such as md5sum4 work by feeding the desired file into an algorithm (MD5 in this example), which produces a string unique to that file (the checksum); 9513f20fed28ee074221066f85da4465 is one such checksum. Any change to the file, even one extra space, alters this checksum.
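The dd duplication and checksum steps from the two paragraphs above, as an added example that is not code from the original post: the "evidence drive" is a constructed 1 MiB file (a real acquisition would read a block device through a write blocker), and md5sum/sha256sum from coreutils are assumed to be installed.

```shell
#!/bin/sh
# Added example: bit-for-bit acquisition with dd, verified with checksums.
# The "evidence drive" here is a constructed 1 MiB file, not a real device;
# in practice SRC would be a block device attached through a write blocker.

# Build the constructed sample drive: zero-filled with a marker string inside.
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'constructed evidence: sample text' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Raw copy of SRC to IMG. conv=noerror,sync keeps reading past bad sectors and
# pads them with zeros so later offsets still line up with the source. bs must
# divide the source size (512 suits real disks), or the padding changes the
# image length and the hashes below will never match.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Digest of a file: MD5 as on the page plus SHA-256, because MD5 is no longer
# collision resistant and a second, stronger digest should sit beside it.
hash_file() {
    printf '%s %s' "$(md5sum "$1" | cut -d' ' -f1)" \
                   "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Image SRC to IMG, record both digests in LOG and return 0 only when the
# image hashes exactly like the source. LOG is the record that later
# verification (after transport to another site) is compared against.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    acquire_image "$src" "$img" || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an image and compare it against the last source digest in LOG;
# any tampering or copy error after acquisition makes this return 1.
verify_image() {
    recorded=$(sed -n 's/^source //p' "$2" | tail -n 1)
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}
```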


Another tool computer forensic personnel cannot leave home without is the hex editor/viewer. All data on a hard drive is stored as 0's and 1's, including the partition information (both visible and invisible to the operating system) and all data, deleted or not. A hex editor translates those 0's and 1's into hex numbers that a human can read and interpret. Such tools are WinHex, BinText2,3, and Disk Investigator2,3. They all work the same way, but some are more user-friendly than others in that the tool parses the raw hex for you and lets you jump straight to a file you are interested in, instead of locating it by hand through the disk format conventions/standards. Using these tools one can discover deleted file entries and even the content of deleted files, as well as files that were recently printed (in the print spool). In addition, criminals who hide information in a hidden partition in sectors the operating system does not show will be disappointed, because the hex editor also reveals how many partitions exist on the hard drive. A good question to ask here: are the rights of the file owner violated? Legally the file owner owns the file; however, to them the file no longer exists, so does that make the file ownerless and up for grabs? Between hard drive duplication and the hex editor, one can have access to pretty much everything on the hard drive. A funny thing to notice is that the same proceeding under two different conditions yields different results in the real world. Say a criminal got hold of a CEO's laptop, duplicated everything on it, and proceeded to extract and use the information for personal gain. Upon arrest, everyone would agree that the rights of the company the CEO represents were violated, as was the privacy of the CEO (due to personal material on the laptop).
Now the same procedure is done between a husband and a wife, in the interest of monitoring the spouse's activities for personal reasons. Would anyone yell violation of privacy? Probably only the wife. Between a husband and a wife the boundary of individual rights becomes rather fuzzy; for good reason, it should not be pondered too much.
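What the hex editor shows at the partition table, done by hand from the raw bytes of sector 0, as an added example that is not code from the original post. The sector is constructed here (two entries, one of them the "hidden NTFS" type 0x17 from the standard MBR type list, plus the 0x55 0xAA signature); it goes a little beyond the text by decoding each entry's start LBA and sector count, not just counting partitions.

```shell
#!/bin/sh
# Added example: reading a partition table straight from the raw bytes of
# sector 0, the way a hex editor exposes it. The sector is constructed here
# with two entries, one of them a "hidden" NTFS partition type (0x17) that a
# normal OS view would not mount; it is not taken from a real disk.

# Write decimal byte values into FILE starting at OFFSET (one dd call per byte).
write_bytes() {
    f=$1; off=$2; shift 2
    for b in "$@"; do
        printf "\\$(printf '%03o' "$b")" |
            dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null
        off=$((off + 1))
    done
}

# Constructed 512-byte MBR: table at offset 446, 16 bytes per entry,
# 0x55 0xAA signature at offset 510.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # entry 0: bootable (0x80), type 0x07 NTFS, LBA start 2048, 204800 sectors
    write_bytes "$1" 446 128 0 0 0 7 0 0 0  0 8 0 0  0 32 3 0
    # entry 1: not bootable, type 0x17 hidden NTFS, start 206848, 102400 sectors
    write_bytes "$1" 462 0 0 0 0 23 0 0 0  0 40 3 0  0 144 1 0
    write_bytes "$1" 510 85 170
}

# Decode entry ENT (0-3): byte 0 status, byte 4 type, bytes 8-11 start LBA and
# bytes 12-15 sector count, both little-endian. Prints nothing for empty slots.
mbr_entry() {
    sec=$1; ent=$2
    set -- $(od -An -tu1 -j $((446 + 16 * ent)) -N 16 "$sec")
    if [ "$5" -eq 0 ]; then return 1; fi
    start=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
    count=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
    boot=no; if [ "$1" -eq 128 ]; then boot=yes; fi
    printf 'entry %d: type=0x%02x bootable=%s start_lba=%d sectors=%d\n' \
        "$ent" "$5" "$boot" "$start" "$count"
}

# List every populated entry after checking the boot signature; a table with
# more entries than the OS shows as volumes is the page's "hidden partition".
list_partitions() {
    sec=$1
    set -- $(od -An -tu1 -j 510 -N 2 "$sec")
    if [ "$1" -ne 85 ] || [ "$2" -ne 170 ]; then
        echo "no 0x55AA signature at offset 510: not an MBR sector" >&2
        return 1
    fi
    for ent in 0 1 2 3; do mbr_entry "$sec" "$ent" || :; done
}

# Number of populated entries, whether or not the OS mounts them.
count_partitions() { list_partitions "$1" | wc -l | tr -d ' '; }
```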


Another set of tools that will upset the wife are WinDump5 and Snort4; both keep track of which sites were visited and can capture passwords, and in some cases the logs even reveal the email that was sent. Anything the wife denies having done can be seen in black and white in the logs, along with the timestamp of the request. On the other hand, the wife can keep tabs on the sites the husband visits late at night; I will leave the rest of this sentence to your imagination.


However, the husband is smart and clears the browser cache before he logs off. He thinks the coast is clear. Little does he know that the smarter wife has another set of tools: galleta4 and pasco4. These open and display the details of every cookie that has existed since the first web address the browser served. This way the wife knows exactly what time the husband logged on to which site, and where the activity at that site required a cookie, she has full access to that as well.


Now one has so much data gathered from all these different sources, be it the wife who wants to sue her husband or the investigator who has evidence to convict in a court of law; what is one to do to organize all this information? FTK4 to the rescue! FTK is a large-scale storage and organizing program made for exactly this purpose. Besides the storage functionality, it also offers analysis capability for the data collected.


Tools in wide distribution


One might think the scenario with the husband and wife is purely fictional. Not quite: these tools are available for download, paid and free, on the internet! I believe they are there for educational purposes, for which I am grateful, since I was able to be exposed to them and can introduce them here. However, one has to face the question: they are available to EVERYONE, and that includes the not-so-good people in this country as well as abroad. In theory the former are less of a worry because there are laws governing such things here in the States; however, the same jurisdiction does not extend overseas. What is there to prevent people overseas from doing damage with the very tools that were meant to protect against it? One common practice is for people to "Trojan" these tools and put them back, so that when someone else downloads the trojaned tools, valuable information is sneaked back to the modifier. In this scenario everyone's rights are at stake, including the attacker's, yet only the attacker benefits, making it unjust and un-utilitarian. Now consider Robert T. Morris, who made the internet worm in 1998 and brought down the whole DARPA Net (the former self of the internet).7 If these tools are used to track down the originator, the whole argument turns 180 degrees. So if the tools are made available only to the few, is the problem solved? Not quite: that would create an environment in which the masses do not readily benefit. Furthermore, it would choke competition and make the few the richest people in the world, which is very unethical. As one can see, it is a double-edged sword, and there is still a "balance" to be maintained. However, it is fairer and better for the common good that these tools are readily available so that people can actually diagnose and catch the bad guys, trusting that everyone is virtuously righteous. The masses benefit, which is exactly what any utilitarian would like to see.


Computer Forensics in Taiwan


As mentioned earlier, the internet belongs to no one country, person, or thing. Therefore, if computer forensics is bound to the internet (in most cases, though not all), it becomes a global issue; many countries can be affected. For example, the internet worm of 1998 brought down the whole DARPA Net (the internet's predecessor); it affected not only the States but the whole world, since wherever a computer was connected to the DARPA Net it was infected, and the worm replicated and distributed itself, bringing vital servers in other countries to a halt as well. That was the basis for Taiwan and other countries to establish organizations such as TWCERT.7 TWCERT was established in September 1998 in an attempt to safeguard against any more devastating attacks like the internet worm. Today TWCERT is responsible for incident response, vulnerability analysis, security assessment, security auditing, and educational training, to better serve the people of Taiwan and its government. According to TWCERT statistics, the number of malicious attacks between Taiwan, China, and the United States increased over three hundred percent within four months on the Windows platform.8 Most people who think Linux is a safer bet will be surprised to learn that the number of attacks on Linux servers increased eight hundred percent in the same period.9 These figures prompted the need for a computer forensics department in the respective countries. No doubt other countries would find the same plague if the analysis were done. In addition, vulnerability analysis of all systems is a very important tool in forensic analysis and assessment; it is available for further study at: http://www.cert.org.tw/document/docfile/large%20scan.pdf.
On a side note, it is interesting to track the ongoing process of a smaller country taking up a new technology such as computer forensics, for the same reason that one can follow things in more detail in a small startup than in a big company, where the bureaucracy alone can overwhelm a person.


A common example


"Last year, a software package came on the market that allows employers to monitor their workers' Internet use. It employs a database of 45,000 Web sites that are categorized as "productive," "unproductive," or "neutral," and rates employees based on their browsing. It identifies the most frequent users and the most popular sites. It's called LittleBrother."10 This piece of software uses exactly the same techniques as computer forensics: the employer can monitor and find out what files are on the hard drives of its employees as well as which websites have been visited. When privacy issues are raised in court: "Often, court opinions take the point of view that when the employees are using employers' property-the employers' computers and networks-the employees' expectation of privacy is minimal." 10 One such case is Smyth v. Pillsbury Co., in which Michael Smyth was discharged from work after his employer read his personal mail containing offensive remarks. When the case was brought to court, the court ruled that Smyth had "no reasonable expectation of privacy" at work and that the "inappropriate and unprofessional conduct" outweighed Smyth's privacy rights.10 On a personal note, a similar situation happened to a close friend, for whom the message "Did you delete that message you sent about his incompetence? Not good enough. The e-mail trash bin probably still exists on the server, and there are plenty of computer consultants who can retrieve the incriminating message." rings true even today.10 The friend criticized certain aspects of the manager directly above her, mainly his incompetence, in mail exchanged between her and another friend outside the company. However, the company read the email and came up with alleged excuses to let her go. In a consultation with an attorney, the battle seemed lost even before it began, given the statistics on how often courts favor the employer. Why is this the case?
The company argues that it is on their time, using their equipment, so of course they can monitor what they like. Then does that mean employees are part of the company's property at work as well, since the company did PAY for the workers? That is treating people as inanimate objects and tossing individual rights out of the window. By the same argument, do you see people being tossed out of the United States just because they disagree with some of the government's policies? That seems absurd, right? Yet that is exactly what is happening here. It is the right of the employee to keep the inalienable rights laid down in the United States constitution, be it freedom of speech or privacy. The employer has the right to make sure that its property is not damaged and can implement policy to encourage employees to be more productive, as a parent fosters productivity and learning in children, not by snooping around personal belongings and letters. This would give a better balance to both sides, achieve the goals of both parties, and make both parties happy. Look at it from the fairness approach: is there a balanced distribution of benefits and burdens? Of course not; people higher up tend to have more power and are not subject to the same scrutiny/monitoring, because the materials involved may be too sensitive. In the case of my friend, she was released because of the manager's revenge against her (to save face?). This shows that some people are devious and that power should not be given too freely, especially to such people. Her case is not unique; there must be many similar cases, and people would file them under politics at work. Sadly it has become an accepted way of life, which will most certainly upset any utilitarian.
Most of the company is subject, though not always, to people with more power, and such dismissals make other employees feel restricted and less free at work, which runs counter to the "original" intent on paper; in reality it is just vengeance. The common good is not served.


Conclusion


How does computer forensics measure up against the code of ethics in regard to the common good, rights, justice/fairness, the utilitarian view, and virtue? As a whole, this technology/science is a double-edged sword; its evaluation really depends on the intent of the user, as mentioned earlier in the paper. In the grand scheme of things, however, computer forensic techniques are something every country's CERT should adopt as a defense measure, because they are all part of the network, the internet.
Therefore it is for the common good that this type of technology continues to develop and mature, even though many rights may be violated, as in the case of the employee, and of other victims who fall prey to malicious attacks made using information captured with these readily available tools. In fact, there are documents available online at http://www.cert.org.tw/document/docfile/ScanTool.pdf that instruct people on how to use these tools. On the other side of the same coin, many more people's rights are preserved by governmental agencies like CERT, which use the same techniques to capture criminals and "pull the plug" on them. Consequently, a utilitarian would be quite happy, because more people seem to benefit. Since forensic tools are available to everyone, there is fairness in the sense that the benefits and burdens of this technology are available to everyone. Computer forensics brings out, more prominently than most things, both the good and the bad in human beings: one sees the deviousness to exploit other people, and one sees the righteousness to prevent such exploits.

Good Bye for the Next Time
