Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
Science and Incident Response
hogfly
Senior Member


Joined: Oct 06, 2004
Posts: 287
Location: New York

PostPosted: Mon Feb 05, 2007 3:57 pm    Post subject: Science and Incident Response

In light of the thread created by Harlan relating to classification of incidents and artifact libraries, I've begun some work on the subject. Granted, my time is short these days, but it's a start.

I've begun an outline of applying the scientific method to incident response in an attempt to assist investigators in reaching an accurate and scientifically based conclusion. While there is a lot of uncertainty in incident response & forensics (Casey scale of certainty), using a method that meets specific qualifications should be able to bolster the investigator when their conclusion faces scrutiny.

While I'd love to be a member of FIRST (hint if there are any active members here....I could use a nomination or "sponsor") I am not, so I'm not privy to any closed communications or methods used by members.

So, I've begun with two well-known and used incident response methodologies.

NIST
SANS

NIST uses a method of P(D&A)(CER)F - per SP800-61
SANS uses a method of PICERF - per GCIH

Both methods fall a little short in one area, which is the impetus behind my work.

Preparation is pretty straightforward.
Containment, Eradication, and Recovery are pretty straightforward.
Follow-up is pretty straightforward.

The gray areas of incident response are the I and (D&A) - Identification, Detection & Analysis.

ID&A is an area of great debate as there are many different schools of thought. What I'm attempting to develop is a trusted method to arrive at a conclusion that meets not only Daubert, but the challenges of peers.

To do this I figure the following is needed:
A taxonomy
A technique
An artifact library


The question currently on my mind is:
How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact? Answers outside of the norm would be greatly appreciated. This method of testing must be cost effective, efficient, and accurate.

How do others do this?
keydet89
Senior Member


Joined: Oct 19, 2004
Posts: 2166
Location: NoVA

PostPosted: Mon Feb 05, 2007 7:46 pm    Post subject: Re: Science and Incident Response

> While I'd love to be a member of FIRST...

As a member, be very careful what you wish for. There's absolutely nothing on the list. I've had conversations with several members off-list...there are one or two folks who actually *do* "IR", and the rest just watch. The vast majority of the posts are by one or two people who simply link to articles that they find.

> How do you scientifically test your assumptive hypothesis in a live situation
> without destroying evidence or minimizing your impact?

How is it done in the medical community? Or maybe another question would be, what "evidence" would you be destroying?
hogfly
Senior Member


Joined: Oct 06, 2004
Posts: 287
Location: New York

PostPosted: Mon Feb 05, 2007 10:55 pm    Post subject: Re: Science and Incident Response

That's a shame about FIRST. The conference must be a bore.

> How is it done in the medical community? Or maybe another question
> would be, what "evidence" would you be destroying?


Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

I think we'd have different answers from each group and I'm afraid I don't know exactly how they do it.

I suppose there is nothing in incident response that says "Thou shall not modify the system", but applying forensic techniques to incident response means we need to minimize our impact if modification can't be helped, though a pristine system is preferred. I know how I handle incidents, and modification of a system is OK as long as you can anticipate the outcome of your actions, document the action, the benefit of the action outweighs what will be lost, and I can explain the reason why it was done. Only then is the action justifiable, and it's only done on rare occasions.

As far as the use of the word "evidence" goes, I mean it as in collected data that could be used in legal proceedings (either prosecution or defense).
keydet89
Senior Member


Joined: Oct 19, 2004
Posts: 2166
Location: NoVA

PostPosted: Tue Feb 06, 2007 6:21 am    Post subject: Re: Science and Incident Response

> Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

Yes.

Imagine that you're walking down the street, and you hear a moan from behind a pile of rubbish in an alley. Investigating, you find a man lying there, and in the light of the street lamp, you see that he's been stabbed. You try to see if he's okay, but then call 911. The EMTs arrive, examine the victim and then stabilize him, place him on a gurney and into the ambulance. They continue working on him in the hospital. Once at the hospital, surgeons work on him to save his life. If he dies, the police can still find and convict the perp for murder; if he lives, they can do the same (lesser charges, of course).

Following traditional computer forensics, after your call, the Chief Surgeon would show up and kill the victim, and from there they would begin investigating the crime, without moving the body.

> I suppose there is nothing in incident response that says "Thou shall not
> modify the system",

Correct. IR doesn't have a "10 commandments".

> but applying forensic techniques to incident response means we need to
> minimize our impact if modification can't be helped but a pristine
> system is preferred.

If the system is live, it will never be pristine...even if you don't touch it. A live running system is in a constant state of change. Don't believe me? Install Process Monitor and run the Registry Monitor...just run it, don't do anything to the system, don't even move the mouse.

Modification to the system will happen, regardless, and documentation is the key.

> As far as the use of the word "evidence" goes, I mean it as in collected
> data that could be used in legal proceedings(either prosecution or
> defense).

I doubt that this will be the case for a while.
ddow
Senior Member


Joined: Dec 27, 2004
Posts: 276
Location: US

PostPosted: Tue Feb 06, 2007 7:03 am    Post subject: Re: Science and Incident Response

"How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact?"

One approach is to build a similar system and attempt to duplicate the incident from there. Of course, this assumes you have the time to do this. . . Naaah, never mind. :)

_________________
Dennis
keydet89
Senior Member


Joined: Oct 19, 2004
Posts: 2166
Location: NoVA

PostPosted: Tue Feb 06, 2007 7:37 am    Post subject: Re: Science and Incident Response

In some ways, a follow-on question would be along the lines of, "how do you prove that in your actions you haven't destroyed evidence?"

And I don't think that's really the issue...the results of your actions when performing live response are quantifiable, to an extent. As ddow pointed out, using a similar system for testing will provide some insight into what your tools and techniques do as far as leaving artifacts on a system. At that point, it's a matter of documentation and process, which is not unlike what EMTs and crime scene investigators do.

More so than anything else, there needs to be a move away from the traditional view of computer forensics, which in essence says that in order to investigate a crime you have to "kill" the victim.
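The approach ddow and keydet89 describe above, measuring on a similar test system what a tool or technique changes so that its artifacts are known and written down before it is ever run on an incident host, carried out in code. This is an added example, not code from the thread or from any of the posters: the sample file tree, the stand-in collector `simulated_tool` and the layout of the footprint record are assumptions for the demonstration, not the behaviour of any real product.

```python
"""Measure what a live-response step changes on a similar test system.

Added example, not from the thread: snapshot a file tree before and after a
tool runs, diff the two, and keep the diff as the documented footprint of
that tool. The test tree, the stand-in `simulated_tool` and the record layout
are assumptions for the demonstration, not any real collector's behaviour.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Size, mtime and content hash of every regular file under root."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": _sha256(p),
            }
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as created, deleted, modified or unchanged."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
        "unchanged": sorted(k for k in common if before[k] == after[k]),
    }


def simulated_tool(root: Path) -> None:
    """Stand-in for a live-response collector (an assumption for the demo).

    It writes its own output file and appends to an existing log, the kind of
    footprint a real collector leaves: output files, log and cache entries.
    """
    (root / "collector_output.txt").write_text("process list...\n")
    with (root / "var" / "log" / "syslog").open("a") as f:
        f.write("collector started\n")


def footprint_record(root: Path, tool, tool_name: str) -> dict:
    """Run `tool` on the test tree; return a record documenting its footprint."""
    before = snapshot(root)
    started = time.time()
    tool(root)
    finished = time.time()
    after = snapshot(root)
    return {
        "tool": tool_name,
        "started": started,
        "finished": finished,
        "files_before": len(before),
        "files_after": len(after),
        "changes": diff_snapshots(before, after),
    }


def build_test_tree() -> Path:
    """Constructed sample tree standing in for a host (not real evidence)."""
    root = Path(tempfile.mkdtemp(prefix="ir-footprint-"))
    (root / "var" / "log").mkdir(parents=True)
    (root / "var" / "log" / "syslog").write_text("boot ok\n")
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "home").mkdir()
    (root / "home" / "notes.txt").write_text("suspect file\n")
    return root


if __name__ == "__main__":
    record = footprint_record(build_test_tree(), simulated_tool, "simulated_collector")
    print(json.dumps(record, indent=2))
```

On a real test host, point `snapshot` at the directories the collector can reach, run the actual tool in place of `simulated_tool`, and keep the printed record (with the tool's version and hash) as part of the response documentation. Taking two snapshots with no tool run in between shows the background churn keydet89 mentions: log, cache and temp files change without any operator action, which is why the record separates what the tool changed from what was already moving.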
deckard
Member


Joined: Feb 02, 2006
Posts: 77
Location: Huntersville, North Carolina

PostPosted: Tue Feb 06, 2007 8:40 am    Post subject: Re: Science and Incident Response

I've never been sure of why we have "had" to treat computer incidents differently than physical crimes. After all, way before CSI people or the coroner show up, a crime scene has been entered and "handled" by many people: witnesses, victims, police, etc. The police have procedures for documenting who entered a scene, why it was entered, what was done, etc. that will later be a part of the record and possibly court testimony. It's only the undocumented or negligent actions that cause evidentiary problems (assuming a rational judge).

Computer forensics HAS to move to this system. I for one would not take down a running system without checking for encryption, rootkits, malware and, if the incident lends itself to it, acquiring the memory. The possible evidence to be obtained far outweighs the risks of damaging other data or the inconvenience of having to document your actions and explaining yourself on the stand.

_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem
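One way to make the documentation deckard and keydet89 are talking about, who did what on the system, why, and with what effect, hold up when it is later questioned. This is an added example, not from the thread or from any of the posters: a hash-chained action log in which each entry records the action, its justification, the expected effect and the observed effect (the criteria hogfly lists above), and each entry's hash covers the previous entry's hash, so any after-the-fact edit or deletion breaks verification. The field names, the responder name and the sample entries are assumptions for the demonstration.

```python
"""Tamper-evident log of what a responder did on a live system.

Added example, not from the thread: every action is recorded with who took
it, why, what it was expected to change and what it was observed to change,
and each entry's hash covers the previous entry's hash, so editing or
removing an entry after the fact breaks verification. Field names and the
sample entries are assumptions for the demonstration.
"""
import hashlib
import json
import time

GENESIS = "0" * 64  # the "previous hash" of the first entry


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ActionLog:
    def __init__(self):
        self.entries = []  # each: {"entry": {...}, "prev_hash": str, "hash": str}

    def record(self, responder, action, justification,
               expected_effect, observed_effect, when=None):
        """Append one documented action and return its hash."""
        entry = {
            "time": when if when is not None else time.time(),
            "responder": responder,
            "action": action,
            "justification": justification,
            "expected_effect": expected_effect,
            "observed_effect": observed_effect,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _entry_hash(prev, entry)
        self.entries.append({"entry": entry, "prev_hash": prev, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev_hash"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


def demo_log() -> ActionLog:
    """Constructed sample: two actions on a suspect host (not a real case)."""
    log = ActionLog()
    log.record(
        "responder-1",
        "ran volatile data collector from an attached USB drive",
        "suspected encryption and possible rootkit; volatile data is lost on shutdown",
        "new USB device entry, collector binary executed, output written to USB only",
        "as expected; no files under the user's profile changed",
        when=1170752220,
    )
    log.record(
        "responder-1",
        "powered the host down for imaging",
        "volatile data already preserved; disk image needed for full analysis",
        "unflushed writes lost, no further changes to the disk",
        "as expected",
        when=1170753300,
    )
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain ok:", log.verify())
    log.entries[0]["entry"]["observed_effect"] = "nothing"  # after-the-fact edit
    print("after tampering:", log.verify())
```

The chain only proves that the entries have not changed since they were written, not that they were true when written; pairing it with a copy of each hash sent to a second party (a ticket system, a colleague's mailbox) at the time of the action is what makes the record hard to rewrite later.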
calimelo
Member


Joined: Dec 20, 2006
Posts: 52
Location: istanbul

PostPosted: Tue Feb 06, 2007 9:07 am    Post subject: Re: Science and Incident Response

keydet89 wrote:
> How is it done in the medical community? Or maybe another question would be, what "evidence" would you be destroying?

I am a forensic medicine specialist. Well, we don't have to deal with "live" systems. :)

All the other evidence can be stored, such as DNA, fingerprints, blood chemistry and pathology specimens.

The question is "Do we change the course of a case, as we are investigating a live system?" Or the changes are only ignorable?

Have a good day
hogfly
Senior Member


Joined: Oct 06, 2004
Posts: 287
Location: New York

PostPosted: Tue Feb 06, 2007 9:37 am    Post subject: Re: Science and Incident Response

keydet89 wrote:
> Imagine that you're walking down the street, and you hear a moan from behind a pile of rubbish in an alley. Investigating, you find a man lying there, and in the light of the street lamp, you see that he's been stabbed. You try to see if he's okay, but then call 911. The EMTs arrive, examine the victim and then stabilize him, place him on a gurney and into the ambulance. They continue working on him in the hospital. Once at the hospital, surgeons work on him to save his life. If he dies, the police can still find and convict the perp for murder; if he lives, they can do the same (lesser charges, of course).
>
> Following traditional computer forensics, after your call, the Chief Surgeon would show up and kill the victim, and from there they would begin investigating the crime, without moving the body.


That's exactly the scenario I needed. It just wasn't coming to me. Thanks.
Have one for catching the criminal in the act?

Many EMTs would destroy the useful evidence while attempting to save the life of the victim. That's their job. Collecting forensic evidence falls far behind that in the priority list. There are courses for EMTs or other medical personnel that teach them how to preserve evidence while saving a life.

Unfortunately we aren't talking about life or death with computers.
Incident Responders are akin to EMTs, and there is an obvious connection between computer forensics and criminal forensics. However, as we know, we are the only "science" that is required to freeze the scene if for no other reason than it can be done. As someone who does IR and Forensics, I think there are qualities of both that need to be applied.

I think it really comes down to one simple question. What is the goal of responding to the incident?
Is it to complete an RCA? Prevent it from happening again? Gather evidence for prosecution/defense? These are some traditional goals of IR. IR hasn't changed that much, but forensics has, and therefore IR is forced to adapt.

Forensic analysis is the second act in the play of IR, so our IR methods must support our forensic analysis, especially if we are doing both.


keydet89 wrote:
> If the system is live, it will never be pristine...even if you don't touch it. A live running system is in a constant state of change. Don't believe me? Install Process Monitor and run the Registry Monitor...just run it, don't do anything to the system, don't even move the mouse.
>
> Modification to the system will happen, regardless, and documentation is the key.

Yes of course. It is never pristine, but it is in so much as I haven't done anything to modify it. Documentation is the key, but good documentation isn't a justifiable excuse if someone makes a bonehead mistake that jeopardizes the entire investigation.

> I doubt that this will be the case for a while.

There have been cases where lawsuits occurred because of compromises dealing with sensitive data loss, and the state laws and soon-to-be federal laws will require notification, which will undoubtedly bring even more lawsuits of this nature.
www.watchyourend.com/2...ata-theft/


Deckard,
I'm a firm believer in criminalistics being applied to computer forensics and Incident Response. The difficulty is due to the inherent transient nature of what we are dealing with. DNA doesn't disappear from blood evidence. But, unless we specifically have something in place to capture it, the network evidence in a case will disappear just as soon as it is sent. What if your IR process destroys the physical hard drive (head crash, platter scraping, etc.)?

Maybe it's just me, but computer forensics seems to be held to a higher standard than other sciences. Whether we like it or not, anything we do in IR can be called into court. We face civil litigation every time we investigate. We can be sued because someone doesn't like what our report says.
deckard
Member


Joined: Feb 02, 2006
Posts: 77
Location: Huntersville, North Carolina

PostPosted: Tue Feb 06, 2007 11:46 am    Post subject: Re: Science and Incident Response

>DNA doesn't disappear from blood evidence

True, but then again, DNA has always been present but it wasn't "discovered" that long ago, and really hasn't been accepted in courtrooms as scientific evidence and used for very long at all. The same applies to live forensics: until it is USED and attempts are made to get it introduced as valid evidence, it won't become mainstream. But that day will come. The sheer size of hard drives and the increased use of encryption are just two events that will make it necessary, the pervasiveness of networks being another.

>computer forensics seems to be held to a higher standard than other sciences

I would like to think they are held to higher standards, just that the standards can be adjusted to what is realistic. The Duke lacrosse case points out that ALL DNA evidence must be used. It is the standard of what can be proven to be justified among several choices of actions. Again, clear documentation of properly used methodologies.

>We face civil litigation every time we investigate. We can be sued because someone doesn't like what our report says.

Sure, we can be sued by anyone because we are ugly and our momma dresses us funny too. But if we are not negligent, have a good contract that says things like we are independent and will report exculpatory evidence, and stick to a good methodology with proper documentation of our procedures, that chance is mitigated. Oh and I carry good insurance <G>

_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem