Forensic PCs and networks

16 Posts
10 Users
0 Reactions
1,624 Views
nojustice
(@nojustice)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Hello,

I'm fairly new to the field and now conduct CP investigations, as well as forensics for the entire department. I'm about to replace the 6-7-year-old PCs and update to FTK 3. Currently, both of the forensic machines are directly connected to the city network; apparently my predecessor only plugged them in for updating (the last time he did was 2007!)

I was thinking of setting up a network, so I can share a printer and a NAS RAID for case files and images. I would also like to be able to connect to the internet for OS, anti-virus, and software updates on a frequent basis.

What are the best or accepted practices for proper forensic security as far as networks and the internet in a forensic environment? This oddly hasn't been mentioned in my meager forensics classes, but I suspect I would find out in FTK Bootcamp.

Thanks!


(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Do you mean that you are connecting computers containing CP to the internet? If you are I recommend you cease this practice immediately.

All three companies that I have worked for have had two networks, one for internet use and one that is isolated. That way there is very little chance of anything mistakenly making its way out onto the internet.

Also, if you're looking at FTK3 you're going to need some expensive machines. I use an HP z600 with 12GB RAM and even that is slow at times when running FTK3.


(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
 

I agree. My forensic machines have never touched the internet. All updates are downloaded from another non-forensic machine and installed via a thumb drive.


nojustice
(@nojustice)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

That's what I was afraid of - required updates through downloads onto a HD or DVD. Tedious and I suppose necessary.

What if the NAS containing the CP images and case files is disconnected, then and only then physically connect the PC to the firewalled network only long enough to download updates, then unplugged again? Is the issue because of the CP, or because of the forensic security of the PC?

Thanks for the replies!


(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

I would say both. I, personally, wouldn't connect the computer to the internet at all. Even if you disconnect the NAS there could well be traces of evidence stored on your computer, like in temp folders or thumbnails. It's just not worth the risk in my opinion.
The updates are quite simple really: just have a device that you use for transferring necessary files between your internet network and your forensic network and put the updates on there. The benefit of that is that you can update all of your computers from the same device and save having to download the same update time after time for each computer.


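The transfer-device workflow described in the post above, as an added example that is not code from the thread or from any forensic product: the internet-connected machine builds a manifest of SHA-256 digests for the downloaded update files, the manifest travels with the files on the removable media, and the isolated forensic machine verifies every file against it (and flags anything unlisted that arrived on the media) before installing. The function names, the manifest filename and the sample files are this example's own constructions.

```python
"""Sneakernet update transfer with an integrity manifest (added example)."""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "updates.manifest.json"  # assumed name, chosen for this example


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(update_dir):
    """Internet side: record name, size and SHA-256 of every update file."""
    entries = {}
    for name in sorted(os.listdir(update_dir)):
        path = os.path.join(update_dir, name)
        if name == MANIFEST_NAME or not os.path.isfile(path):
            continue
        entries[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    with open(os.path.join(update_dir, MANIFEST_NAME), "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)
    return entries


def verify_manifest(update_dir):
    """Forensic side: every listed file must be present with a matching size and
    digest, and nothing unlisted may ride along on the media.
    Returns (ok, list_of_problems)."""
    with open(os.path.join(update_dir, MANIFEST_NAME)) as f:
        expected = json.load(f)
    present = {n for n in os.listdir(update_dir)
               if n != MANIFEST_NAME and os.path.isfile(os.path.join(update_dir, n))}
    problems = []
    for name, meta in expected.items():
        path = os.path.join(update_dir, name)
        if name not in present:
            problems.append(f"missing: {name}")
            continue
        if os.path.getsize(path) != meta["size"] or sha256_file(path) != meta["sha256"]:
            problems.append(f"digest mismatch: {name}")
    for name in sorted(present - set(expected)):
        problems.append(f"unlisted file on media: {name}")
    return (not problems, problems)


def demo():
    """Constructed walk-through in a temp dir: a clean transfer, then one where
    a file was altered in transit and an extra unlisted file appeared."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "ftk3-update.exe"), "wb") as f:
        f.write(b"constructed installer bytes " * 100)
    with open(os.path.join(d, "av-defs.dat"), "wb") as f:
        f.write(b"constructed signature data " * 100)
    build_manifest(d)
    ok_before, _ = verify_manifest(d)
    with open(os.path.join(d, "av-defs.dat"), "ab") as f:
        f.write(b"x")                      # simulate alteration in transit
    with open(os.path.join(d, "unexpected.bin"), "wb") as f:
        f.write(b"constructed")            # simulate an unlisted file on the media
    ok_after, problems = verify_manifest(d)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest itself is only as trustworthy as the machine that wrote it, so the check guards against corruption and against files changed or added between the two networks, not against a compromised download host; that is what the vendor's own signature or published checksum is for, and it should be checked on the internet side before the manifest is built.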
(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
 

Defense: How do you know that your examination computer has not been contaminated by malicious software from the internet thereby compromising the results of your examination?

Examiner: Because the examination computer that I use has NEVER been connected to the internet.

Defense: I have no further questions for this witness.


(@benuk)
Trusted Member
Joined: 20 years ago
Posts: 45
 

The forensic machine (and network) should never go near the internet, or your employer's main network - this is for the reasons already given, but also because you never know what nasties are going to come onto your machine from the exhibits you're examining. You could be opening it up to anyone.

It's a nuisance, but you can get used to it with a second machine for the internet, a USB stick and a KVM. If you think about it, connecting a sensitive computer to the internet for updates is unwise - you're connecting it because it's unpatched and therefore vulnerable!


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

In some govt circles, the best practice is 3 networks

Forensic network
Internet accessible network
Internal police/govt network

Never the twain shall meet.

I saw a lab setup where they had 3 different coloured RJ45 connectors at each workstation bench to clearly differentiate what you were plugging into.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Defense: How do you know that your examination computer has not been contaminated by malicious software from the internet thereby compromising the results of your examination?

Examiner: Because the examination computer that I use has NEVER been connected to the internet.

Defense: I have no further questions for this witness.

That borders on magical thinking on the part of the defense.

Myself, I would probably have an additional question: How do you know that your examination environment has not been contaminated with malware from mobile disks, CDs or DVDs or even files extracted from examined evidence … etc.

After all, once the general idea of malware compromising an examination has been accepted, it does not really matter where the malware comes from. If the lab used Encase, a reasonable question would seem to be: How do you know that the Enscripts and Enpacks you used do not contain code that compromised your examination? A bug is as good as a virus for that purpose.


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Defense: How do you know that your examination computer has not been contaminated by malicious software from the internet thereby compromising the results of your examination?

Examiner: Because the examination computer that I use has NEVER been connected to the internet.

Defense: I have no further questions for this witness.

I'm with athulin on this one for various reasons. Even though your examination computer has never been connected to the internet it does not mean that it is not riddled with malware - from infection from previous examinations, from USB-borne malware (Stuxnet, anyone?) or from other devices on your 'protected' network. I've worked for a major forensic supplier whose whole non-internet-connected forensic network was infected in a matter of minutes from an examiner plugging a USB stick into his PC on his return from a short visit to Kazakhstan! The use of hash verification of disk images and dual-tool verification of results also shows the integrity of your findings.

Let's not be side-tracked by the technical ignorance of some lawyers. We do what we do because it is practical, reasonable and we understand and can explain the consequence of our actions. This includes not connecting any resource on your forensic network to the internet that contains contraband or client confidential material. However, if your forensic machine does not have access to such material, has a good AV installed and is behind a decent firewall, I don't see a problem connecting it to the internet for updates or for downloading new apps.


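The two integrity controls named at the end of the post above, hash verification of disk images and dual-tool verification of results, as an added example that is not code from the thread or from any forensic tool. The first part re-hashes an image file in chunks and compares it with the hashes recorded at acquisition; the second compares the per-file hash listings that two independent tools produced for the same image and reports every path on which they disagree. Function names, the sample image and the two tools' listings are this example's own constructions.

```python
"""Disk image hash verification and dual-tool cross-check (added example)."""
import hashlib
import os
import tempfile


def hash_image(path, algorithms=("md5", "sha1"), chunk_size=4 << 20):
    """Read the image once, in chunks, feeding every requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, acquisition_hashes):
    """True only if every hash recorded at acquisition still matches the file."""
    current = hash_image(path, tuple(acquisition_hashes))
    return all(current[alg] == value.lower() for alg, value in acquisition_hashes.items())


def cross_verify(tool_a, tool_b):
    """tool_a, tool_b: {path: hex_digest} exported by two independent tools for
    the same image. Returns a sorted list of (path, reason) for each disagreement,
    so an empty list means the two tools corroborate each other."""
    issues = []
    for path in sorted(set(tool_a) | set(tool_b)):
        if path not in tool_a:
            issues.append((path, "only in tool B"))
        elif path not in tool_b:
            issues.append((path, "only in tool A"))
        elif tool_a[path].lower() != tool_b[path].lower():
            issues.append((path, "hash differs"))
    return issues


def demo():
    """Constructed walk-through: a 1 MiB stand-in image, its acquisition hashes,
    a one-byte change, and two disagreeing tool listings."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "evidence01.dd")
    data = bytes(range(256)) * 4096            # constructed image contents
    with open(image, "wb") as f:
        f.write(data)
    acquisition = {"md5": hashlib.md5(data).hexdigest(),
                   "sha1": hashlib.sha1(data).hexdigest()}
    intact = verify_image(image, acquisition)
    with open(image, "r+b") as f:
        f.seek(1000)
        f.write(b"\x00")                       # a single altered byte
    after_change = verify_image(image, acquisition)
    # Constructed listings: a.jpg agrees (case only), b.jpg differs,
    # c.doc seen only by tool A, d.doc seen only by tool B.
    tool_a = {"/Users/x/a.jpg": "aa" * 32, "/Users/x/b.jpg": "bb" * 32,
              "/Users/x/c.doc": "cc" * 32}
    tool_b = {"/Users/x/a.jpg": "AA" * 32, "/Users/x/b.jpg": "dd" * 32,
              "/Users/x/d.doc": "ee" * 32}
    return intact, after_change, cross_verify(tool_a, tool_b)


if __name__ == "__main__":
    print(demo())
```

Verifying the image hash before and after an examination shows the evidence was not changed on the examination machine; the dual-tool comparison addresses the separate worry raised earlier in the thread, that the examination environment itself (a compromised tool, a script, a bug) could have skewed the results, since a second independent tool would have to be wrong in exactly the same way.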
Page 1 / 2