Incident Response vs Forensic Evidence  

Bagarre
(@bagarre)
New Member

Good morning.

This is something that is causing some heated debate in my office.
When is something considered evidence?

I've written a piece of software for incident response and threat analysis that collects a tremendous amount of data from each computer on a network (Windows). In order to do this, I push a 200k client to the target computers; the client collects the data and sends it back (encrypted) to the server piece of the software. We make every attempt to preserve the files as they were before we got there (change last access times back to whatever they were before we were there….) but I know some things are changed (unallocated drive space… and times lower in the MFT).

The tool is incredible at giving the analyst a detailed comparison of every computer on the network in a very short time. We use it mostly for incident response but it's also very good at finding things you might not have been looking for in the first place.

The question is, if there is no evidence of a crime and no investigation going on at the time of data collection, is this considered evidence? If my software finds something and that kicks off an investigation, did my software corrupt evidence (the computers) by running on it?

Antivirus software changes more things on a network than I do when it scans a hard drive but the hard-core folks here argue that if my software finds anything that shows a crime has been committed, it would be thrown out of court because the evidence is not sound. I argue that it wasn't evidence until I found it.

Are there any case studies of where someone swept a network in support of incident response looking for one thing and then found another and it held in court?

I would appreciate any directions you can point me in to help me find a solid answer to all of this.

Posted : 04/02/2005 2:19 pm
gmarshall139
(@gmarshall139)
Active Member

The Field Intelligence (Enterprise) version of Encase works in much the same way. I haven't used it so I'm not sure what else it touches, if anything, but it does place a client on the target machine. They claim that this has withstood challenges in courts. Maybe they have a white paper on the subject.

To answer your original question, it's definitely evidence whether or not it's ever found. You can't justify excavating a crime scene with a bulldozer just because it's the easiest way to find the evidence. Courts ask for best practices, not cheapest practices, or perfect practices. If you can argue that your tool is the best way (currently available) to gather the evidence, be it perfect or not, then you're fine. If the opposition can argue that tool x was available, and protected the evidence better, regardless of the cost, then you may have a problem.

Sorry for using another analogy, but I just couldn't resist.

Posted : 04/02/2005 2:29 pm
jeffcaplan
(@jeffcaplan)
Member

I concur with Greg.

To give you the applicable case law that applies to your question, I think the most appropriate case would be Gates Rubber Company v. Bando Chemical Industries, Ltd. In this case, sanctions were imposed against the plaintiff of the case (Gates) because they failed to "utilize the method which would yield the most complete and accurate results" and the "best technology available."

The fact that there are other methods available which can obtain this information in such a way as to preserve the contents of the drive (taking the computer off-line and creating an image, or using a 'widely-accepted' utility such as Guidance Software's EnCase Enterprise Edition) is something that opposing counsel could argue in court.

Though I'm no lawyer, I'd imagine that with competent counsel, your evidence would still be accepted in court, assuming that the client app you referred to was a well-written and documented application.

In case you're curious, I found the full text of the Gates v. Bando case here

Jeff Caplan

Posted : 04/02/2005 6:04 pm
Bagarre
(@bagarre)
New Member

> In this case, sanctions were imposed against the plaintiff of the case (Gates) because they failed to "utilize the method which would yield the most complete and accurate results" and the "best technology available."

From what I read in the link, it sounds like the technology wasn't the issue but the use of the technology. The people didn't know how to use the tools properly.

Also, this is all pertaining to the collection of evidence to support an investigation. I'm dealing with the situation where no investigation has been started.

Although my software isn't a 'widely-accepted' utility, the methods and API calls we use are, and the process is very well documented.

For example:
Network A has 100 computers. A back door is found on computer A1. We sweep the whole network with my software to see if the back door resides anywhere else. In the resultant data, I find out on computer A56 that a user has a directory with a battery of hacker tools in it (identified by MD5 signature). From this discovery, an investigation is started but some say it won't hold in court because of the way it was found.

We didn't bulldoze the crime scene because it wasn't a crime scene when we were there. For that matter, no one knew the crime existed until our tool found it.

Another analogy (everyone likes them) is the bleeding man on the street. Paramedics get on scene first, treat the wound and take the guy to the hospital. At the hospital, they find a bullet in his leg. Should they have let him bleed out on the street until the police were able to collect evidence, or treat the patient?

We have the same issue. Our network has been compromised! "Don't touch anything until we can EnCase the 100 computers in question!" (I've gotten that response before.)

Sorry for the long posts but this is a complicated issue.

Thanks for the input!

Posted : 04/02/2005 7:00 pm
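As an added illustration (not Bagarre's tool and not code from this thread), here is a small Python collector in the spirit of the A56 scenario: it hashes each file against a constructed "known tool" MD5 set, puts every file's access and modification times back after reading it, and produces a manifest recording the timestamps before and after the read, so that what the sweep did and did not touch on the host is documented rather than assumed. The directory layout, file contents and the hash set are all constructed for the example; the ctime / MFT change time still moves, which the manifest makes visible instead of hiding.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a "known hacker tool"; its MD5 is the whole
# (constructed) signature set. A real sweep would load a vetted hash list.
SAMPLE_TOOL_BYTES = b"constructed stand-in for a known hacker tool"
KNOWN_TOOL_MD5 = {hashlib.md5(SAMPLE_TOOL_BYTES).hexdigest()}

def collect_directory(root, known_md5):
    """Hash every regular file under root, then put each file's atime/mtime back
    so the sweep itself does not overwrite last-access times. Returns
    (manifest, hits): the manifest documents what was read and the timestamps
    before/after; hits are relative paths whose MD5 is in known_md5."""
    manifest, hits = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        before = p.stat()                                  # pre-read timestamps
        digest = hashlib.md5(p.read_bytes()).hexdigest()   # the read may bump atime
        os.utime(p, ns=(before.st_atime_ns, before.st_mtime_ns))  # restore them
        after = p.stat()   # ctime / MFT change time still moves: record, don't hide
        entry = {"path": p.relative_to(root).as_posix(), "md5": digest,
                 "atime_ns_before": before.st_atime_ns,
                 "atime_ns_after": after.st_atime_ns}
        manifest.append(entry)
        if digest in known_md5:
            hits.append(entry["path"])
    return manifest, hits

def make_sample_tree(base):
    """Constructed sample host 'A56': one benign document plus one file matching
    the signature set, with its atime backdated so a restore is observable."""
    root = Path(base) / "A56"
    (root / "docs").mkdir(parents=True)
    (root / "tools").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"quarterly report draft")
    tool = root / "tools" / "sample_tool.bin"
    tool.write_bytes(SAMPLE_TOOL_BYTES)
    old_ns = 1_000_000_000 * 10**9                         # 2001-09-09 UTC
    os.utime(tool, ns=(old_ns, old_ns))
    return root

def run_sweep_demo():
    """Build the sample tree in a temp dir, sweep it and return (manifest, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect_directory(make_sample_tree(tmp), KNOWN_TOOL_MD5)
```

The manifest, not the hit list, is what later answers "what did your tool change?" when the collection is questioned.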
jeffcaplan
(@jeffcaplan)
Member

> In this case, sanctions were imposed against the plaintiff of the case (Gates) because they failed to "utilize the method which would yield the most complete and accurate results" and the "best technology available."

> From what I read in the link, it sounds like the technology wasn't the issue but the use of the technology. The people didn't know how to use the tools properly.

Well, in this particular case, it was both, but mostly the issue was the technology used. The 'expert witness' for the plaintiff used Norton UnErase to recover deleted files as opposed to making a forensic duplicate of the drive, thus capturing unallocated space in addition to files, etc. So, i.e., he didn't utilize the "best technology available" to recover deleted files.

> Also, this is all pertaining to the collection of evidence to support an investigation. I'm dealing with the situation where no investigation has been started.

> Although my software isn't a 'widely-accepted' utility, the methods and API calls we use are, and the process is very well documented.

> For example:
> Network A has 100 computers. A back door is found on computer A1. We sweep the whole network with my software to see if the back door resides anywhere else. In the resultant data, I find out on computer A56 that a user has a directory with a battery of hacker tools in it (identified by MD5 signature). From this discovery, an investigation is started but some say it won't hold in court because of the way it was found.

Who says that? As long as you're legally allowed access to this data (i.e., on a corporate network where you do not make any warranties of privacy of data, or on an ISP where you require users to agree to terms & conditions). If you're legally allowed to capture the data, then it doesn't really matter how it's captured.

As far as evidence goes, there are really only two issues. Whether or not evidence is admissible (i.e., is it relevant? is it reliable?), which is either yes or no; there is no in-between. And then to what extent the evidence bears on the case, and what its credibility is. This is up to counsel to argue and up to the jury/judge to decide. In your particular scenario, the evidence would be admissible (assuming you were allowed to capture this data on the network in question) and, as far as its effectiveness goes, as long as the application was documented & tested then the evidence should be pretty valid.

Like I said before, I'm not a lawyer, so if we have one on the board, please feel free to correct me if I'm wrong. I'd appreciate it.

Jeff Caplan

Posted : 05/02/2005 6:55 am
reverendlex
(@reverendlex)
New Member

> In this case, sanctions were imposed against the plaintiff of the case (Gates) because they failed to "utilize the method which would yield the most complete and accurate results" and the "best technology available."
> From what I read in the link, it sounds like the technology wasn't the issue but the use of the technology. The people didn't know how to use the tools properly.

If I remember my Federal Rules of Evidence and Daubert/Kumho correctly, an expert's testimony needs to be from an expert in a reliable methodology, and using those methods. If the Gates expert didn't use generally accepted methods of evaluation, then the expert's testimony is inadmissible.

> Also, this is all pertaining to the collection of evidence to support an investigation. I'm dealing with the situation where no investigation has been started.

> Although my software isn't a 'widely-accepted' utility, the methods and API calls we use are, and the process is very well documented.

If your tool uses the same or similar methods as other acceptable packages, you should be OK.

Also, realize that you don't need perfect evidence to be admissible. The very nature of the incident will damage material evidence. It's preventing spoliation that's important. Once you know or should have known of an incident is when you should start preserving evidence. If what remains is good enough for a specialist to determine what has happened, you have evidence.

(Standard disclaimers apply. I'm not a lawyer yet, nor am I a computer forensics expert.)

Posted : 12/02/2005 9:40 pm