Connecting to your analysis machine via the internet

(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
Topic starter  

Would be interested in people's thoughts regarding remotely accessing your forensic workstation (for example in your office lab) from an external location (such as from your home office).

I would be interested in hearing what people consider is the most secure way to do this in a reasonable manner (i.e, not how the military or governments would do it!).


(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

Sorry but my only thoughts would be

No, never, not in a million years

If a defence expert caught wind of you having an internet connection to your PC they would confuse the jury with so much jargon about backdoors, trojans and malware it could kill even the strongest of cases

And plus no matter how secure YOUR connection may be, for all of the reasons mentioned above, if you plug it into the internet there is no way you could ever know how secure it is. You never know, a trojan could simply leak out of a mounted disk and put a back door on your machine.

Forensic Machine + Internet = Can of Worms D


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
Topic starter  

You've a point regarding the 'opposition' raising doubt with a jury but I know this practice is done by some very reputable forensic outfits (including law enforcement) who use point to point encrypted links to carry out such work.


Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Jonathan,

As far as you're aware, is the reasoning behind such access usually related to a general policy of time/cost-saving measures rather than some other operational necessity assessed on a per-case basis?

Jamie


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
Topic starter  

Hi Jamie, yes my reasoning for it would be based on general time and cost saving. If you're running scripts/searches/indexing, etc. then you can get results back to your client/OIC a lot faster if you can dial in to check how the script/whatever is doing and, if applicable, start the next step of your analysis. E.g., you get home from work on a Friday and a 5 minute check that evening can save 48hrs+ on the job's progress.


Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Thanks Jonathan. I should have been clearer that I was really referring to the reasoning (if any) you've seen offered by other organisations - cheeky, I know - but I suspect it would be along the same lines (i.e. general policy for efficiency rather than something implemented now and again for other reasons).

Think this is a good topic for discussion. Are we moving away from the air gap policy which was once so prevalent?

Jamie


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

In my experience, it is possible (and sometimes even preferable), to access a system, remotely, especially if the alternative is to carry the system with you and risk theft. One of my clients had his forensic expert's system stolen from a courtroom even though the bailiff had insisted that the room was secure.

There are a number of technologies which can be applied to securing such communication, so my concern is less whether it can, technically, be done than whether it is done right.

That having been said, there are two risks that I see. First, the cost to your client, employer, whatever, if you have to argue the issue of whether the data could have been corrupted, in court. Clients don't like spending money defending the sloppy practices of their experts and this would be a concern, especially since the opposing expert could point to the numerous opinions posted in this and other fora in which someone states that you should NEVER attach evidence to the Internet.

The second, more theoretical risk is that some heretofore unknown flaw might be uncovered in one or more of the technologies used to secure your connection. Consider, for example, the debate about MD5.

As for how to do it, I do a combination of the following (actually, I get a little more tricky than this but these are the general rules)

1. I use at least dual password/two-step authentication with one password randomly and frequently generated using something like RSA SecureKey.
2. I require assigned certificates that I have generated for securing the channel.
3. I use only end to end encrypted protocols and require secure channels for all communications.
4. I use non-standard ports for the technologies that I intend to employ (RDP or whatever).
5. I make sure that ALL of my office forensic systems are behind a firewall.
6. I do not allow outbound web or other, non-essential traffic from my forensic machines.
7. I open ONLY those ports on the firewall required to support my access.
8. I only allow access from specific, fixed IP addresses which means that I have obtained these from my wireless card providers who usually ask for an additional fee.
9. My firewall is updated, daily, to not accept connections from or initiate connections to any block of IPs which are not under my control.
10. I log everything and I inspect those logs, daily, for any hint of unauthorized access.
11. I keep a copy of everything off the network and under lock and key such that should I need to verify that the evidence has not been corrupted, I can.
12. I change destination ports and port mapping, frequently.
13. I only allow access when I know that I am going to need it.


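Items 7, 8, 10 and 13 of the list above, taken together, as an added example that is not the poster's own setup or tooling: a small Python audit over constructed OpenSSH-style auth log lines that flags anything reaching the workstation from outside the fixed source addresses, every failed login, and any accepted login outside the planned access window. The allowlisted network, the window, the hostnames and the log format are all assumptions.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH auth-log style (not from the page).
SAMPLE_LOG = """\
Mar  3 19:02:11 lab-fws sshd[2201]: Accepted publickey for analyst from 203.0.113.7 port 51022 ssh2
Mar  3 19:40:55 lab-fws sshd[2290]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar  3 19:41:02 lab-fws sshd[2290]: Failed password for root from 198.51.100.23 port 40012 ssh2
Mar  3 23:12:40 lab-fws sshd[2388]: Accepted publickey for analyst from 203.0.113.7 port 51030 ssh2
Mar  4 02:15:09 lab-fws sshd[2401]: Accepted password for analyst from 192.0.2.99 port 33001 ssh2
"""

# Assumed values: the fixed addresses the analyst connects from (item 8)
# and the hours during which access is expected at all (item 13).
ALLOWED_SOURCES = [ip_network("203.0.113.0/29")]
ACCESS_WINDOW = (time(18, 0), time(22, 0))

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def audit(log_text, allowed=ALLOWED_SOURCES, window=ACCESS_WINDOW):
    """Return (line_no, source_ip, reasons) for every line that needs a look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth result line; ignore
        src = ip_address(m["src"])
        when = datetime.strptime(m["hms"], "%H:%M:%S").time()
        reasons = []
        # Anything from outside the fixed source addresses should have been
        # dropped at the firewall (items 7 and 8). Seeing it in the sshd log
        # means the perimeter rule is not holding, whether the login worked or not.
        if not any(src in net for net in allowed):
            reasons.append("source not in allowlist")
        if m["result"] == "Failed":
            reasons.append("failed %s auth for %s" % (m["method"], m["user"]))
        elif not (window[0] <= when <= window[1]):
            reasons.append("accepted login outside access window")
        if reasons:
            findings.append((n, str(src), reasons))
    return findings


if __name__ == "__main__":
    for line_no, src, reasons in audit(SAMPLE_LOG):
        print("line %d from %s: %s" % (line_no, src, "; ".join(reasons)))
```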
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Thanks for that, it's a very useful list. I think one thing I'd add (and this isn't in any sense a criticism of what you've posted - I'm sure it's something you already do as a matter of course) is appropriate security procedures/policy for the remote access machine and environs - perhaps reflecting a shift of emphasis away from just unauthorised access to the main analysis machine to also cover information disclosure from the remote machine and work area (I'm thinking malware, surveillance, theft, etc.)

With that said, I'm not sold on the idea that remote access as a rule (rather than an exception) is good policy. Anyone care to argue the case?

Jamie


ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
 

The usual classification similar to Secret, Sensitive, and Unclassified seems to be a logical way of dealing with this. If there is sufficient (how much is sufficient though?) security, I would have no issue remotely connecting to and working on the 'Unclassified' job. I can’t imagine doing it for kidnapping or witness protection cases, no matter how secure my home computer or remote access server is.

It all comes down to the organisational policies, available resources and acceptable risks.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Thanks for that, it's a very useful list. I think one thing I'd add (and this isn't in any sense a criticism of what you've posted - I'm sure it's something you already do as a matter of course) is appropriate security procedures/policy for the remote access machine and environs - perhaps reflecting a shift of emphasis away from just unauthorised access to the main analysis machine to also cover information disclosure from the remote machine and work area (I'm thinking malware, surveillance, theft, etc.)

Well I did say that it was a little trickier than what I posted. The field system from which I connect boots a custom HLFS Linux image from a DVD-rom and doesn't mount the local hard drive. Too many details to discuss, here, which is why I avoided mentioning it.

With that said, I'm not sold on the idea that remote access as a rule (rather than an exception) is good policy. Anyone care to argue the case?

No I would agree with you. As a matter of policy, this is not what we do.

But there have been cases where I have been in the field for weeks at a time and in the process of pre-trial discovery and motions and the opposing "expert" has introduced "evidence" not contained in prior reports or testimony. Sometimes this is done for the purposes of re-opening discovery.

Whether the judge ultimately decides to allow the evidence to be heard by a jury is less important than the prejudicial effect of the evidence on the judge if the testimony cannot be effectively rebutted.

In these cases, I'm not always able to rely on people back in the office to get me the answers that I need before cross examination the next day.

One might argue that the judge should not allow the admission of testimony or evidence that has not been seen by the other side, but the reality is that sometimes judges do, especially in pretrial hearings where there is no jury.

In fact, in the civil cases in which I have been involved, the majority of the time where the interpretation of digital evidence is involved (and an issue), neither side is keen to get to a jury trial where the question often becomes who the jury believes rather than what is true.

In such cases, the pretrial motions and hearings are intended as much to show the other side what you are prepared to do in the hopes of reaching a settlement favorable to you. In such settings, the expert needs to be able to advise his or her client as to the impact of the evidence in near real time.

When the office is 2000 miles away, there aren't many options (unless you can get a continuance, which may be costly and, itself, prejudicial if the judge perceives it as being a sign that your case is weak).

