Using VPN in a forensic environment

17 Posts
11 Users
0 Likes
1,280 Views
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

I'm just doing some research on whether using VPN to remotely login to a forensic environment is good or bad practice.

An example would be that you only need to pop into the office to set a quick process going on a recent case, if you used VPN to login you wouldn't need to drive to the office etc etc thus saving you time/money.

In contrast, a question by the defence could be "Could anyone have hacked in and changed the data?", and you would have to answer with a yes, and then explain encryption to the Judge/Jury…

Does anyone use VPN in their environment? and if you don't, why?

 
Posted : 09/06/2010 5:54 pm
(@Anonymous)
Posts: 0
Guest
 

"Could anyone have hacked in and changed the data?"

Or… "Could your forensic workstation have become contaminated with malware?"

The malware issue concerns me more than the VPN one. I mean, the whole idea of a VPN is "security," right?

But… because there are always those potential questions (not to mention the possibility of future zero-day exploits), my practice is to isolate my forensic workstations from any and all network connectivity. I disable the wireless adapter and I don't use the Ethernet port.

 
Posted : 09/06/2010 6:14 pm
(@inspectaneck)
Posts: 57
Trusted Member
 

Great topic. While I do not use VPN, I have spent some time thinking about your question.

Dr. Phillip Craiger of NCFS was a professor of mine at UCF, and he performed research on the creation of a Virtual Digital Evidence Lab (funded by NIJ). While I have not seen the report (which I am told is in draft stage), I would recommend contacting him and asking about it with respect to your question.

The project page is at http://ncfs.org/research_digital.html.

Without stringing this conversation into another direction, I think we'll see a lot more off-site virtual forensic resources in the not-too-distant future. It would certainly enable a lot more small law enforcement agencies to perform their own forensics.

 
Posted : 09/06/2010 6:54 pm
(@seanmcl)
Posts: 700
Honorable Member
 

In contrast, a question by the defence could be "Could anyone have hacked in and changed the data?", and you would have to answer with a yes, and then explain encryption to the Judge/Jury…

Whoa! Not so fast. Reasonable doubt needs more than hypotheticals. Brian Carrier has suggested in a paper on the applications of scientific methods to digital forensics that we should employ the notion of falsifiability, i.e., that for a theory or conclusion to be scientific, there must be the possibility that it can be shown to be false through an observation or experiment.

So how would you falsify the claim (in the absence of any data to support it) that someone might have "hacked in and changed the data?" By not finding any evidence of it? But that would be absurd. That would be like suggesting that the absence of someone's intellectual property on your computer is evidence that you effectively wiped it without leaving a trace.

While I agree with AWT (and with myself, in the past), that operating in a setting with no connection to the outside world takes a lot of things off the table in terms of refuting your findings, this is often neither practical nor desirable.

So the question becomes whether it is possible to operate in a setting which would make it virtually impossible for someone else to corrupt the work environment and yet allow access from the outside world, and the answer is "yes".

For example, our offices operate behind a firewall using public IPs which are registered anonymously so that there is no association with our business (the mail servers and web servers are on another network not associated with our production network). Our EVDO-enabled laptops have fixed IP addresses and the firewall blocks incoming traffic from all but these. We use non-standard ports for our VPN services and RSA SecurID two-factor authentication for logins. All inbound connections are logged, as is any outgoing data, and we do not allow Web, e-mail, ftp or other traffic from our analysis machines. We do permit traveling employees to use WiFi even if it is secure.

As for zero-day exploits, we follow the NASA principle of using only tried and tested software and hardware rather than the latest and greatest, which reduces the risk of zero-day attacks.

We don't do this for most cases. But we have had cases where the other investigators or the legal team is located in different geographic territories and we all need to be on the same page with respect to the evidence. Or there may be an e-discovery issue where we need to set it up so that the client can determine which files, e-mails, etc., will need to be produced.

And if I had to go into court and be asked the question that you posed my answer would be "I can't see how but if you have something more concrete than an unsupported hypothetical put it on the table and we can discuss it."

 
Posted : 09/06/2010 7:29 pm
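As an added illustration (not code from the thread or from seanmcl's lab), here is a small first-match packet-filter model of the perimeter described in the post above: inbound VPN accepted only from the laptops' fixed addresses on a non-standard port, every other inbound connection dropped, and no web/mail/ftp (or any other external) egress from the analysis subnet. The addresses, the VPN port, the subnet layout and the one-line connection record format are all constructed for the example; the two-factor login happens at the VPN concentrator and is not modelled here.

```python
"""Added example, not code from the thread: a first-match filter model of the
perimeter seanmcl describes. Addresses, port and record format are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed topology (RFC 5737 documentation ranges, not real assignments).
LAB_EDGE = ip_network("198.51.100.5/32")            # VPN concentrator's public address
LAPTOPS = [ip_network("203.0.113.10/32"),           # fixed IPs of the EVDO laptops
           ip_network("203.0.113.11/32")]
ANALYSIS = ip_network("10.20.0.0/24")               # analysis workstations
INTERNAL = ip_network("10.0.0.0/8")                 # evidence/file servers
VPN_PORT = 14443                                    # assumed non-standard VPN port
CLIENT_PORTS = frozenset({21, 25, 80, 110, 143, 443, 465, 587, 993, 995})  # ftp/mail/web


@dataclass(frozen=True)
class Flow:
    direction: str          # "in" (toward the lab) or "out" (leaving the lab)
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                                  # "allow" or "deny"
    src: Optional[IPv4Network] = None            # None matches any address
    dst: Optional[IPv4Network] = None
    dports: Optional[frozenset] = None           # None matches any port

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction
                and (self.src is None or f.src in self.src)
                and (self.dst is None or f.dst in self.dst)
                and (self.dports is None or f.dport in self.dports))


# Ordered ruleset: the first matching rule wins, anything unmatched is denied.
RULES = [Rule("in", "allow", src=lp, dst=LAB_EDGE, dports=frozenset({VPN_PORT}))
         for lp in LAPTOPS] + [
    Rule("in", "deny"),                                        # no other inbound traffic at all
    Rule("out", "deny", src=ANALYSIS, dports=CLIENT_PORTS),    # explicit: no web/mail/ftp
    Rule("out", "allow", src=ANALYSIS, dst=INTERNAL),          # evidence servers only
    Rule("out", "deny", src=ANALYSIS),                         # anything else leaving analysis
]


def evaluate(f: Flow, rules=RULES) -> str:
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"                                              # default deny


def parse_flow(line: str) -> Flow:
    """Parse a constructed one-line connection record: '<dir> <src> <dst> <dport>'."""
    direction, src, dst, dport = line.split()
    return Flow(direction, ip_address(src), ip_address(dst), int(dport))


def audit(lines):
    """Return [(record, decision)] so every decision, allowed or denied, is logged."""
    return [(ln, evaluate(parse_flow(ln))) for ln in lines]


if __name__ == "__main__":
    sample = [                                      # constructed connection records
        "in 203.0.113.10 198.51.100.5 14443",       # laptop -> VPN port: allowed
        "in 203.0.113.10 198.51.100.5 22",          # laptop -> ssh: not the VPN, denied
        "in 192.0.2.77 198.51.100.5 14443",         # unknown source probing the VPN port
        "out 10.20.0.15 10.0.5.2 445",              # analysis host -> internal evidence server
        "out 10.20.0.15 192.0.2.80 443",            # analysis host -> web: denied
    ]
    for record, decision in audit(sample):
        print(f"{decision:5} {record}")
```

Note that the non-standard port buys nothing against this filter on its own; it is the source allowlist that drops the unknown probe, and the explicit deny rules mean an analysis workstation cannot reach anything outside the internal range even on an unlisted port.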
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Great answer, seanmcl. Extremely valid points.

I think the way forward is definitely going to be the virtual, hybrid labs; mixing the best of both worlds.

 
Posted : 09/06/2010 7:43 pm
(@fornzix)
Posts: 35
Eminent Member
 

Within the legal realm (criminal), this is precisely where your hash of the image is going to help you. If you image your drive 'off network' and hash it, and you hash that image again at the end of the case, and the hashes match, you're going to be sitting pretty. It doesn't really matter what happened to it in between the acquisition and the end, as long as it is the same.

If someone questions what data you extracted from the image, then give them a copy of the image and they can see for themselves where you got it from.

 
Posted : 09/06/2010 7:59 pm
(@ronanmagee)
Posts: 145
Estimable Member
 

I was just going to post on the same topic - iPhone VPN

 
Posted : 09/06/2010 8:11 pm
(@jonathan)
Posts: 878
Prominent Member
 

In contrast, a question by the defence could be "Could anyone have hacked in and changed the data?", and you would have to answer with a yes, and then explain encryption to the Judge/Jury…

It's the same as if they asked 'could someone have broken into your lab and changed the data?' The answer would also have to be yes, and using your analogy you'd have to explain what triggers your alarm system, how the biometric ID system works, etc.

What it boils down to is this: is an event possible? Almost always, yes. Is an event likely? It depends.

The likelihood of something having happened is what you need to be able to convince a jury on, based on the evidence of the event and your past experience and knowledge of such events.

Regarding the use of VPNs, if the end points of the VPN are secure and protected to a standard acceptable to most forensic practitioners and the link itself is of the same robustness, then why not?

 
Posted : 09/06/2010 8:59 pm
(@cfex)
Posts: 69
Trusted Member
 

a question by the defence could be "Could anyone have hacked in and changed the data?", and you would have to answer with a yes, and then explain encryption to the Judge/Jury…

Does anyone use VPN in their environment? and if you don't, why?

That same question can be (and in fact it is) raised for a variety of cases in both civil and criminal litigation, not just for a forensic environment. Imagine lawyers questioning a public company's financial statements because the finance team used the VPN.

Asking that if using VPN remote access could result in your case results being challenged is the wrong question. In fact using VPN may be even more secure than what you think since you open an encrypted tunnel from the client to the local LAN where all users have access - this is the typical architecture in most entities. You can configure a VPN to actually allow only specific users in a group to a specific subnet in the LAN - where your forensic workstation resides.

In regards to your main question, you seem to ignore the concept of layered security. Even if you break into the server and manage to exploit the OS or DB, the forensic software has user access controls at the application level, and may also have them at the case/project level as well.
Unless you are not using an image in your analysis, how can you change an image without changing the hash value?

You may want to redefine the objective of your research.

 
Posted : 10/06/2010 10:24 am
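As an added example (not code from the thread) of the check fornzix describes above and CFEx relies on in the last post: hash the image at acquisition, record the digests in a custody log kept off the image, re-hash at case close, and compare. The image bytes, the custody log format and the examiner name are constructed here; a real image would be opened in binary mode and fed through the same chunked loop.

```python
"""Added example, not code from the thread: acquisition-time and close-time
hashing of an image with a constructed chain-of-custody log."""
import hashlib
import io

ALGOS = ("md5", "sha256")      # record more than one digest, as most imagers do
CHUNK = 1 << 20                # 1 MiB reads so multi-terabyte images fit in memory


def digest_stream(stream, algos=ALGOS):
    """Hash a file-like object chunk by chunk, returning {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data, algos=ALGOS):
    """Convenience wrapper for in-memory data (the constructed image below)."""
    return digest_stream(io.BytesIO(data), algos)


def log_event(custody_log, event, digests, examiner):
    """Append an entry to the (constructed) custody log, which lives outside the image."""
    custody_log.append({"event": event, "examiner": examiner, **digests})
    return custody_log


def verify(custody_log, data):
    """Re-hash the image and compare with the 'acquired' entry.
    Returns (ok, acquisition_digests, current_digests)."""
    baseline = next(e for e in custody_log if e["event"] == "acquired")
    acquired = {a: baseline[a] for a in ALGOS}
    current = digest_bytes(data)
    return acquired == current, acquired, current


def flip_bit(data, offset):
    """Return a copy with one bit flipped at offset: the smallest possible tamper."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


# Constructed 1 MiB "image"; a real one is a file opened with open(path, "rb").
IMAGE = bytes(range(256)) * 4096

if __name__ == "__main__":
    custody = log_event([], "acquired", digest_bytes(IMAGE), "examiner-1")   # off network
    ok, acquired, current = verify(custody, IMAGE)                            # case close
    print("unchanged image matches:", ok)
    ok, acquired, current = verify(custody, flip_bit(IMAGE, 12345))
    print("one-bit change matches:", ok)
    print(" acquired sha256:", acquired["sha256"])
    print(" current  sha256:", current["sha256"])
```

A matching pair of digests supports the statement that the image analysed is the image acquired, which is the answer to "could someone have changed the data". It says nothing about the workstation the analysis ran on, which is the separate concern raised earlier in the thread.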
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

This is just personal research for myself, as I was having this discussion with my fellow students. It could be a great dissertation idea for anyone!

I wonder if, after securing your VPN to extremely strong standards, examiners often overlook the physical security of their labs - but I suppose that is another topic entirely. Good answers though.

 
Posted : 10/06/2010 2:26 pm
Page 1 / 2