Myself, I would probably have an additional question: How do you know that your examination environment has not been contaminated with malware from mobile disks, CDs or DVDs, or even files extracted from examined evidence, etc.?
After all, once the general idea of malware compromising an examination has been accepted, it does not really matter where the malware comes from. If the lab used EnCase, a reasonable question would seem to be: How do you know that the EnScripts and EnPacks you used do not contain code that compromised your examination? A bug is as good as a virus for that purpose.
Absolutely! There are plenty of vectors for infection other than down an Ethernet cable! You can even get an infection from the forensic images you are examining, especially when you need to extract files from them for external examination outside of FTK/EnCase/other forensic tool.
The idea of never connecting them to the internet might be considered necessary and good practice by some but not all. Indeed I know of at least one force in Scotland that performs investigations using machines on their force domain. I personally don't see a problem with this, provided necessary safeguards are put in place.
In terms of a closed forensic network, have you considered using a dedicated Windows Update and anti-virus server that has 2 network cards installed? One card (always on) connects to your forensic network. The other card, which is enabled only when necessary, is plugged into the Internet and used exclusively to download updates and virus definitions. The additional advantage of the Windows Update Server is that all other machines on your forensic network domain get the updates cascaded to them at a time of your choosing, giving you the chance to virus scan the update server if necessary. You can also use the Internet options on your Windows Server to only allow it to access the Microsoft domain, and reject everything else outright.
There are other solutions too, such as using a dedicated firewall OS running in a VM, obfuscating control of the networking hardware away from the host OS, allowing the VM to control it, and providing Internet access to individual machines via that route. That way the only time you are connected is when you are running your dedicated VM firewall.
While it might be seen by some as ideal to never connect them to the Internet, I just think it is rather inconvenient and impractical not to do so from time to time. The never-ever-connected route almost seems like sticking your head in the sand to me! Surely a more open approach of well-documented and thorough security procedures, up-to-date anti-virus, up-to-date OS, and other procedures as appropriate is better, and it will certainly stand up to legal scrutiny better!
Ben
Ben,
I think it boils down to this:
Can you categorically say that nobody has been able to access your computer while you've been conducting the investigation? We often hear things about an 'unhackable' network. Is there such a thing? How can you guarantee that this is the case?
I don't believe it is even remotely inconvenient to have our forensic network isolated. We can get anti-virus and OS updates from the internet and install them on the forensic network from an external hard disk drive. The only way of completely securing a computer from attack is to disconnect it.
This is especially true with the type of work that we do. Can you imagine a suspect trying to gain access to your analyst machine in order to change/damage data? This might be beyond the scope of most criminals but not all.
Lee,
With the right set-up they can't access the forensic workstations used for investigation. The forensic workstations themselves cannot get access to the internet, only the update server can, and it is limited to only accessing known good sites. Plus, only putting it online when required to perform updates drastically minimises any risk.
Whilst being 'unhackable', as you say, is never a guarantee, there is also no guarantee that there is not something stored within the forensic image files that you are performing your investigation upon. Think how often you may need to perform white or even black box tests on something during an investigation; that's a HUGE risk, particularly black box testing, but it is required oh so often. Provided you take due care there is no problem!
Equally, there is nothing to stop your 'dirty network' used for downloading updates from being compromised, and you transferring the malware via the USB device or HDD that you use to migrate updates and virus definitions to your secure network.
Ensuring that there is no 'route' through your network, i.e. via the server that bridges the Internet and the safe network should be more than enough risk management, especially when it is coupled with disabling the network interface on the update server that connects to the Internet unless it is required to be in use. Making sure that the forensic workstations cannot touch the gateway or border is vital.
Even a computer that in itself is only indirectly connected to the Internet (i.e. via USB stick to transfer files) is an open system and therefore cannot be regarded as disconnected (more info: Marshall (2008), Digital Forensics).
A formal risk assessment, even using the traditional risk-hazard-exposure models that ISO based audits promote shows that malware dangers can be managed appropriately, given proper safeguards.
At the end of the day, even with a disconnected network, you still need to maintain up-to-date software. However a significant downfall of the completely disconnected (transfer via USB) route is the human factor; because it needs doing manually, it relies on a person remembering to do it.
Using a Windows Update Server and a proper anti-virus server allows for scheduling and automatic updating; in other words, the potential for human error is removed from the equation. Granted, there is still the need to check periodically that the software is functioning properly, but this is less problematic, less work, and less open to being exploited.
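As an added illustration (not code from any poster in this thread) of the dual-NIC update server described above, with the Internet-facing card enabled only for the duration of a sync and everything else blocked: an elevated PowerShell sketch for the WSUS server. It assumes the second adapter is named "Internet", WSUS is installed at its default path, and the allow-list of processes (WSUS service, BITS, DNS client) is validated against the firewall log in your own lab rather than taken as complete.

```powershell
# Added example: bounded-window update server egress (assumptions noted inline).
$InternetNic = "Internet"   # assumed alias of the Internet-facing adapter
$WsusExe     = "$env:ProgramFiles\Update Services\Service\WsusService.exe"  # default WSUS path

# One-off policy: Internet NIC is Public, Public profile blocks everything by
# default, and only the processes WSUS needs may leave via that interface.
function Set-UpdateServerEgressPolicy {
    Set-NetConnectionProfile -InterfaceAlias $InternetNic -NetworkCategory Public
    Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block
    if (-not (Get-NetFirewallRule -DisplayName "WSUS sync egress" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "WSUS sync egress" -Direction Outbound -Action Allow `
            -Program $WsusExe -Protocol TCP -RemotePort 80,443 -InterfaceAlias $InternetNic -Profile Public
        # WSUS fetches update content through BITS and resolves names via the DNS client.
        New-NetFirewallRule -DisplayName "WSUS BITS egress" -Direction Outbound -Action Allow `
            -Service BITS -Protocol TCP -RemotePort 80,443 -InterfaceAlias $InternetNic -Profile Public
        New-NetFirewallRule -DisplayName "WSUS DNS egress" -Direction Outbound -Action Allow `
            -Service Dnscache -Protocol UDP -RemotePort 53 -InterfaceAlias $InternetNic -Profile Public
    }
}

# Bring the Internet NIC up, run exactly one synchronisation, then take it
# down again, so the time the server is reachable from outside is bounded.
function Invoke-IsolatedWsusSync {
    Enable-NetAdapter -Name $InternetNic -Confirm:$false
    try {
        $wsus = Get-WsusServer            # UpdateServices module, local server
        $sub  = $wsus.GetSubscription()
        $sub.StartSynchronization()
        while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') {
            Start-Sleep -Seconds 30
        }
        # Record the outcome for the lab log; anything but Succeeded is investigated.
        $result = $sub.GetLastSynchronizationInfo().Result
        Write-Output "WSUS sync finished: $result at $(Get-Date -Format s)"
    }
    finally {
        Disable-NetAdapter -Name $InternetNic -Confirm:$false
        # Confirm the adapter is really down before the box serves the forensic LAN again.
        $state = (Get-NetAdapter -Name $InternetNic).Status
        if ($state -ne 'Disabled') { throw "Internet NIC still '$state'; do not proceed." }
    }
}

Set-UpdateServerEgressPolicy
Invoke-IsolatedWsusSync
```

Run this from a scheduled task on the update server so the sync happens at a time of your choosing and the Internet card is never left enabled by a forgotten manual step.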
Let me make a suggestion - do a risk analysis and consider the implications of the risk. Don't think about the technical controls that you may or may not have - technical controls have a rather annoying habit of going wrong for one reason or another. Then consider if you are willing to take that risk.
Let's take a single analysis machine as a small (and simplified) worked example; let's say that it is used for a CP exam, so our risks are:
1) That the machine is compromised in such a way as to obviously invalidate the investigation
2) That the machine is compromised in such a way as to non-obviously invalidate the investigation
3) That the machine is compromised in such a way that CP material is taken from it illegally
4) That the machine is compromised in such a way that it has a knock-on effect on other machines
The impacts of the above could range from increased work (redoing the investigation because of compromise), wrongful imprisonment (tampering with evidence) or wrongful release (and with it the risk of ongoing offences against children), distribution of CP, significant damage to the network, impact on organisational reputation, loss of life (hacker identifies suspect from machine image and sends lynch mob round), etc. etc. etc.
This took 2 mins; given more time, I'm sure that many more scenarios are workable.
Now, these, a few of them, are _very high risk_ - not high probability necessarily, but high risk. You can potentially reduce the risk by technical controls, but all it takes is a misconfiguration or a zero-day vulnerability and those are gone. On the other hand, if you never plug it into a connected system there is a much lower level of probability, as the most likely vector for a significant number of risks is removed; disable USB ports, lock the case, put it in a Faraday cage and you gradually reduce attack vectors.
Forgive the possibly not very well phrased response, but you should have an Information Security Officer for your organisation who can help you do this. If you _don't_, step one is to tell your organisation that you need one; step two is to get in a qualified external consultant to perform it for you. You shouldn't be left in a position where you are the one who has to make the risk decision (unless you are the Senior Information Security Officer, or whatever your organisation's title is) - you should have someone who can determine what level of risk is acceptable.
There is _no_ such thing as an unhackable network. The best security I can offer you on any given system is: unplug it from _everything_, put it in a safe and never use it, and even then, someone can steal the safe.
The OP asked, "what are the best or accepted practices for proper forensic security as far as networks and the internet in a forensic environment?". With the emphasis being on the word "best", the answer is simply, don't do it.
As for updates, I suggest you have a separate client (100% identical in hardware) with a complete setup of everything, connected to the internet when you need to update, then creating a recovery image (i.e. Ghost) of that system to a DVD/Blu-ray disc and using that to wipe the non-net-connected forensic environment between uses - and also getting updates as well.
You may need dual licenses, but that is another question.