Science and Incident Response

Post Posted: Mon Feb 05, 2007 4:57 pm

In light of the thread created by Harlan relating to classification of incidents and artifact libraries, I've begun some work on the subject. Granted my time is short these days but it's a start.

I've begun an outline of applying the scientific method to incident response in an attempt to assist investigators in reaching an accurate and scientifically based conclusion. While there is a lot of uncertainty in incident response & forensics (Casey scale of certainty), using a method that meets specific qualifications should be able to bolster the investigator when their conclusion faces scrutiny.

While I'd love to be a member of FIRST (hint if there are any active members here....I could use a nomination or "sponsor") I am not, so I'm not privy to any closed communications or methods used by members.

So... I've begun with two well known and used incident response methodologies.

NIST
SANS

NIST uses a method of P(D&A)(CER)F - per SP800-61
SANS uses a method of PICERF - per GCIH

Both methods fall a little short in one area, which is the impetus behind my work.

Preparation is pretty straightforward.
Containment, Eradication, and Recovery are pretty straightforward.
Follow up is pretty straightforward.

The gray areas of incident response are the I and (D&A) - Identification, Detection & Analysis.

ID&A is an area of great debate as there are many different schools of thought. What I'm attempting to develop is a trusted method to arrive at a conclusion that meets not only Daubert, but the challenges of peers.

To do this I figure the following is needed:
A taxonomy
A technique
An artifact library


The question currently on my mind is:
How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact? Answers outside of the norm would be greatly appreciated. This method of testing must be cost effective, efficient, and accurate.

How do others do this?  

hogfly
Senior Member
 
 
  

Re: Science and Incident Response

Post Posted: Mon Feb 05, 2007 8:46 pm

> While I'd love to be a member of FIRST...

As a member, be very careful what you wish for. There's absolutely nothing on the list. I've had conversations with several members off-list...there are one or two folks who actually *do* "IR", and the rest just watch. The vast majority of the posts are by one or two people who simply link to articles that they find.

> How do you scientifically test your assumptive hypothesis in a live situation
> without destroying evidence or minimizing your impact?

How is it done in the medical community? Or maybe another question would be, what "evidence" would you be destroying?  

keydet89
Senior Member
 
 
  

Re: Science and Incident Response

Post Posted: Mon Feb 05, 2007 11:55 pm

That's a shame about FIRST. The conference must be a bore.

> How is it done in the medical community? Or maybe another question
> would be, what "evidence" would you be destroying?


Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

I think we'd have different answers from each group and I'm afraid I don't know exactly how they do it.

I suppose there is nothing in incident response that says "Thou shall not modify the system", but applying forensic techniques to incident response means we need to minimize our impact if modification can't be helped but a pristine system is preferred. I know how I handle incidents, and modification of a system is ok, as long as you can anticipate the outcome of your actions, document the action, the benefit of the action outweighs what will be lost, and if I can explain the reason why it was done. Only then is the action justifiable and it's only done on rare occasions.

As far as the use of the word "evidence" goes, I mean it as in collected data that could be used in legal proceedings (either prosecution or defense).

hogfly
Senior Member
 
 
  

Re: Science and Incident Response

Post Posted: Tue Feb 06, 2007 7:21 am

> Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

Yes.

Imagine that you're walking down the street, and you hear a moan from behind a pile of rubbish in an alley. Investigating, you find a man lying there, and in the light of the street lamp, you see that he's been stabbed. You try to see if he's okay, but then call 911. The EMTs arrive, examine the victim and then stabilize him, place him on a gurney and into the ambulance. They continue working on him in the hospital. Once at the hospital, surgeons work on him to save his life. If he dies, the police can still find and convict the perp for murder; if he lives, they can do the same (lesser charges, of course).

Following traditional computer forensics, after your call, the Chief Surgeon would show up and kill the victim, and from there they would begin investigating the crime, without moving the body.

> I suppose there is nothing in incident response that says "Thou shall not
> modify the system",

Correct. IR doesn't have a "10 commandments".

> but applying forensic techniques to incident response means we need to
> minimize our impact if modification can't be helped but a pristine
> system is preferred.

If the system is live, it will never be pristine...even if you don't touch it. A live running system is in a constant state of change. Don't believe me? Install Process Monitor and run the Registry Monitor...just run it, don't do anything to the system, don't even move the mouse.

Modification to the system will happen, regardless, and documentation is the key.

> As far as the use of the word "evidence" goes, I mean it as in collected
> data that could be used in legal proceedings(either prosecution or
> defense).

I doubt that this will be the case for a while.  

keydet89
Senior Member
 
 
  

Re: Science and Incident Response

Post Posted: Tue Feb 06, 2007 8:03 am

"How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact?"

One approach is to build a similar system and attempt to duplicate the incident from there. Of course, this assumes you have the time to do this. . . Naaah, never mind.
_________________
Dennis 

ddow
Senior Member
 
 
  

Re: Science and Incident Response

Post Posted: Tue Feb 06, 2007 8:37 am

In some ways, a follow-on question would be along the lines of, "how do you prove that in your actions you haven't destroyed evidence?"

And I don't think that's really the issue...the results of your actions when performing live response are quantifiable, to an extent. As ddow pointed out, using a similar system for testing will provide some insight into what your tools and techniques do as far as leaving artifacts on a system. At that point, it's a matter of documentation and process, which is not unlike what EMTs and crime scene investigators do.

More so than anything else, there needs to be a move away from the traditional view of computer forensics, which in essence says that in order to investigate a crime you have to "kill" the victim.  

keydet89
Senior Member
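As an added illustration (not code from the thread or from any of its posters) of the approach keydet89 and ddow describe, namely running a tool on a similar test system to quantify the artifacts it leaves and documenting each action with its justification, the following Python script takes a file manifest before and after a hypothetical collector runs and logs the measured footprint beside the reason for the action. The directory, file names and the collector itself are constructed for the example.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def manifest(root):
    """Record size and SHA-256 of every file under root (the before/after states)."""
    entries = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            entries[str(p.relative_to(root))] = {
                "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return entries

def diff_manifests(before, after):
    """Quantify the footprint of one action: files created, deleted or altered."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k]["sha256"] != after[k]["sha256"]),
    }

def documented_action(root, description, anticipated, reason, action):
    """Run one step on the test system and log its justification next to the
    measured footprint, so the record can be explained later."""
    before = manifest(root)
    started = time.time()
    action()
    return {"description": description, "anticipated_outcome": anticipated,
            "reason": reason, "started": started, "finished": time.time(),
            "footprint": diff_manifests(before, manifest(root))}

def demo():
    """Constructed test system: two files, then a hypothetical volatile-data
    collector that writes its own output and appends to an existing log."""
    root = Path(tempfile.mkdtemp())
    (root / "app.log").write_text("boot ok\n")
    (root / "config.ini").write_text("debug=0\n")

    def collector():  # stands in for the tool whose footprint is being measured
        (root / "tool_output.log").write_text("process list captured\n")
        with open(root / "app.log", "a") as f:
            f.write("collector started\n")

    return documented_action(root, "run volatile data collector",
                             "one new output file; app.log gains one line",
                             "process list is lost on shutdown", collector)
```

Comparing the logged footprint with the anticipated outcome is what turns "I ran a tool" into a documented, explainable action; any difference between the two is what you would have to account for on the stand.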
 
 
  

Re: Science and Incident Response

Post Posted: Tue Feb 06, 2007 9:40 am

I've never been sure of why we have "had" to treat computer incidents differently than physical crimes. After all, way before CSI people or the coroner show up, a crime scene has been entered and "handled" by many people: witnesses, victims, police etc. The police have procedures for documenting who entered a scene, why it was entered, what was done etc. that will later be a part of the record and possibly court testimony. It's only the undocumented or negligent actions that cause evidentiary problems (assuming a rational judge).

Computer forensics HAS to move to this system. I for one would not take down a running system without checking for encryption, rootkits, malware and if the incident lends itself to acquiring the memory. The possible evidence to be obtained far outweighs the risks of damaging other data or the inconvenience of having to document your actions and explaining yourself on the stand.
_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem 

deckard
Senior Member
 
 
