Science and Incident Response  

hogfly
(@hogfly)
Active Member

In light of the thread created by Harlan relating to classification of incidents and artifact libraries, I've begun some work on the subject. Granted my time is short these days but it's a start.

I've begun an outline of applying the scientific method to incident response in an attempt to assist investigators in reaching an accurate and scientifically based conclusion. While there is a lot of uncertainty in incident response & forensics (Casey scale of certainty), using a method that meets specific qualifications should be able to bolster the investigator when their conclusion faces scrutiny.

While I'd love to be a member of FIRST (hint if there are any active members here….I could use a nomination or "sponsor") I am not, so I'm not privy to any closed communications or methods used by members.

So, I've begun with two well known and used incident response methodologies.

NIST
SANS

NIST uses a method of P(D&A)(CER)F - per SP800-61
SANS uses a method of PICERF - per GCIH

Both methods fall a little short in one area, which is the impetus behind my work.

Preparation is pretty straightforward.
Containment, Eradication, and Recovery are pretty straightforward.
Follow up is pretty straightforward.

The gray areas of incident response are the I and (D&A) - Identification, Detection & Analysis.

ID&A is an area of great debate as there are many different schools of thought. What I'm attempting to develop is a trusted method to arrive at a conclusion that meets not only Daubert, but the challenges of peers.

To do this I figure the following is needed:
A taxonomy
A technique
An artifact library

The question currently on my mind is:
How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact? Answers outside of the norm would be greatly appreciated. This method of testing must be cost effective, efficient, and accurate.

How do others do this?

Posted : 06/02/2007 2:57 am
keydet89
(@keydet89)
Community Legend

> While I'd love to be a member of FIRST…

As a member, be very careful what you wish for. There's absolutely nothing on the list. I've had conversations with several members off-list…there are one or two folks who actually *do* "IR", and the rest just watch. The vast majority of the posts are by one or two people who simply link to articles that they find.

> How do you scientifically test your assumptive hypothesis in a live situation
> without destroying evidence or minimizing your impact?

How is it done in the medical community? Or maybe another question would be, what "evidence" would you be destroying?

Posted : 06/02/2007 6:46 am
hogfly
(@hogfly)
Active Member

That's a shame about FIRST. The conference must be a bore.

> How is it done in the medical community? Or maybe another question
> would be, what "evidence" would you be destroying?

Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

I think we'd have different answers from each group and I'm afraid I don't know exactly how they do it.

I suppose there is nothing in incident response that says "Thou shall not modify the system", but applying forensic techniques to incident response means we need to minimize our impact if modification can't be helped but a pristine system is preferred. I know how I handle incidents, and modification of a system is ok, as long as you can anticipate the outcome of your actions, document the action, the benefit of the action outweighs what will be lost, and if I can explain the reason why it was done. Only then is the action justifiable and it's only done on rare occasions.

As far as the use of the word "evidence" goes, I mean it as in collected data that could be used in legal proceedings(either prosecution or defense).

Posted : 06/02/2007 9:55 am
keydet89
(@keydet89)
Community Legend

> Which medical community are you referring to? ER Doctors, Coroners, Forensic scientists/specialists?

Yes.

Imagine that you're walking down the street, and you hear a moan from behind a pile of rubbish in an alley. Investigating, you find a man lying there, and in the light of the street lamp, you see that he's been stabbed. You try to see if he's okay, but then call 911. The EMTs arrive, examine the victim and then stabilize him, place him on a gurney and into the ambulance. They continue working on him on the way to the hospital. Once at the hospital, surgeons work on him to save his life. If he dies, the police can still find and convict the perp for murder; if he lives, they can do the same (lesser charges, of course).

Following traditional computer forensics, after your call, the Chief Surgeon would show up and kill the victim, and from there they would begin investigating the crime, without moving the body.

> I suppose there is nothing in incident response that says "Thou shall not
> modify the system",

Correct. IR doesn't have a "10 commandments".

> but applying forensic techniques to incident response means we need to
> minimize our impact if modification can't be helped but a pristine
> system is preferred.

If the system is live, it will never be pristine…even if you don't touch it. A live running system is in a constant state of change. Don't believe me? Install Process Monitor and run the Registry Monitor…just run it, don't do anything to the system, don't even move the mouse.

Modification to the system will happen, regardless, and documentation is the key.

> As far as the use of the word "evidence" goes, I mean it as in collected
> data that could be used in legal proceedings(either prosecution or
> defense).

I doubt that this will be the case for a while.

Posted : 06/02/2007 5:21 pm
ddow
(@ddow)
Active Member

"How do you scientifically test your assumptive hypothesis in a live situation without destroying evidence or minimizing your impact?"

One approach is to build a similar system and attempt to duplicate the incident from there. Of course, this assumes you have the time to do this. . . Naaah, never mind. )

Posted : 06/02/2007 6:03 pm
keydet89
(@keydet89)
Community Legend

In some ways, a follow-on question would be along the lines of, "how do you prove that in your actions you haven't destroyed evidence?"

And I don't think that's really the issue…the results of your actions when performing live response are quantifiable, to an extent. As ddow pointed out, using a similar system for testing will provide some insight into what your tools and techniques do as far as leaving artifacts on a system. At that point, it's a matter of documentation and process, which is not unlike what EMTs and crime scene investigators do.

More so than anything else, there needs to be a move away from the traditional view of computer forensics, which in essence says that in order to investigate a crime you have to "kill" the victim.

Posted : 06/02/2007 6:37 pm
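The suggestion above (ddow's similar system, and keydet89's point that tool effects are quantifiable and need documenting) can be made concrete with a footprint measurement: snapshot a file tree, run the tool, snapshot again, and keep the diff together with the when/what of the action. This is an added example, not code from the thread or from any tool named in it; the mock tool and the throwaway directory are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

def snapshot(root):
    """Record (size, mtime, sha256) for every regular file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                st = os.stat(path)
            except OSError:
                continue  # file vanished mid-walk: normal churn on a live box
            state[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return state

def diff_snapshots(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}

def measure_footprint(root, action, description):
    """Run `action` against the test tree; return what it changed plus the
    when/what entries a written IR log needs."""
    before = snapshot(root)
    started = time.strftime("%Y-%m-%dT%H:%M:%S")
    action()
    record = {"action": description, "started": started}
    record.update(diff_snapshots(before, snapshot(root)))
    return record

def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed scenario: a mock 'collection tool' that writes its own log,
    appends to a config file and deletes a temp file in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        _write(os.path.join(root, "etc", "app.conf"), "debug=0\n")
        _write(os.path.join(root, "etc", "stale.tmp"), "x")

        def mock_tool():
            _write(os.path.join(root, "tool.log"), "collected\n")
            _write(os.path.join(root, "etc", "app.conf"), "debug=1\n", mode="a")
            os.remove(os.path.join(root, "etc", "stale.tmp"))

        return measure_footprint(root, mock_tool, "mock collection tool")
```

Pointing measure_footprint at a live path with an action that only sleeps a few seconds gives the background churn keydet89 describes, changes with nobody touching the box, which an idle baseline lets you separate from what your tool actually did.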
deckard
(@deckard)
Member

I've never been sure of why we have "had" to treat computer incidents different than physical crimes. After all, way before CSI people or the coroner show up, a crime scene has been entered and "handled" by many people: witnesses, victims, police, etc. The police have procedures for documenting who entered a scene, why it was entered, what was done, etc. that will later be a part of the record and possibly court testimony. It's only the undocumented or negligent actions that cause evidentiary problems (assuming a rational judge).

Computer forensics HAS to move to this system. I for one would not take down a running system without checking for encryption, rootkits, malware and if the incident lends itself to acquiring the memory. The possible evidence to be obtained far outweighs the risks of damaging other data or the inconvenience of having to document your actions and explaining yourself on the stand.

Posted : 06/02/2007 7:40 pm
hogfly
(@hogfly)
Active Member

> Imagine that you're walking down the street, and you hear a moan from behind a pile of rubbish in an alley. Investigating, you find a man laying there, and in the light of the street lamp, you see that he's been stabbed. You try to see if he's okay, but then call 911. The EMTs arrive, examine the victim and then stabilize him, place him on a gurney and into the ambulance. They continue working on him in the hospital. Once at the hospital, surgeons work on him to save his life. If he dies, the police can still find and convict the perp for murder; if he lives, they can do the same (lesser charges, of course).
>
> Following traditional computer forensics, after your call, the Chief Surgeon would show up and kill the victim, and from there they would begin investigating the crime, without moving the body.

That's exactly the scenario I needed. It just wasn't coming to me. Thanks.
Have one for catching the criminal in the act?

Many EMTs would destroy the useful evidence while attempting to save the life of the victim. That's their job. Collecting forensic evidence falls far behind that in the priority list. There are courses for EMTs or other medical personnel that teach them how to preserve evidence while saving a life.

Unfortunately we aren't talking about life or death with computers.
Incident Responders are akin to EMTs and there is an obvious connection between computer forensics and criminal forensics. However, as we know, we are the only "science" that is required to freeze the scene if for no other reason than it can be done. As someone who does IR and Forensics, I think there are qualities of both that need to be applied.

I think it really comes down to one simple question. What is the goal of responding to the incident?
Is it to complete an RCA? Prevent it from happening again? Gather evidence for prosecution/defense? These are some traditional goals of IR. IR hasn't changed that much, but forensics has, and therefore IR is forced to adapt.

Forensic analysis is the second act in the play of IR, so our IR methods must support our forensic analysis, especially if we are doing both.

> If the system is live, it will never be pristine…even if you don't touch it. A live running system is in a constant state of change. Don't believe me? Install Process Monitor and run the Registry Monitor…just run it, don't do anything to the system, don't even move the mouse.
>
> Modification to the system will happen, regardless, and documentation is the key.

Yes of course. It is never pristine, but it is in so much as I haven't done anything to modify it. Documentation is the key, but good documentation isn't a justifiable excuse if someone makes a bonehead mistake that jeopardizes the entire investigation.

> I doubt that this will be the case for a while.

There have been cases where lawsuits occurred because of compromises dealing with sensitive data loss, and the state laws and soon to be federal laws will require notification, which will undoubtedly bring even more lawsuits of this nature.
http://www.watchyourend.com/2006/06/28/ohio-university-sued-over-data-theft/

Deckard,
I'm a firm believer in criminalistics being applied to computer forensics and Incident Response. The difficulty is due to the inherent transient nature of what we are dealing with. DNA doesn't disappear from blood evidence. But, unless we specifically have something in place to capture it, the network evidence in a case will disappear just as soon as it is sent. What if your IR process destroys the physical hard drive (head crash, platter scraping, etc.)?

Maybe it's just me, but computer forensics seems to be held to a higher standard than other sciences. Whether we like it or not, anything we do in IR can be called into court. We face civil litigation every time we investigate. We can be sued because someone doesn't like what our report says.

Posted : 06/02/2007 8:37 pm
deckard
(@deckard)
Member

> DNA doesn't disappear from blood evidence

True, but then again, DNA has always been present but it wasn't "discovered" that long ago, and really hasn't been accepted in courtrooms as scientific evidence and used very long at all. Same applies for Live Forensics: until it is USED and attempts are made to get it introduced as valid evidence, it won't become mainstream. But that day will come. The sheer size of hard drives and increased use of encryption are just two events that will make it necessary, the pervasiveness of networks being another.

> computer forensics seems to be held to a higher standard than other sciences

I would like to think they are held to higher standards, just that the standards can be adjusted to what is realistic. The Duke lacrosse case points out that ALL DNA evidence must be used. It is the standard of what can be proven to be justified among several choices of actions. Again, clear documentation of properly used methodologies.

> We face civil litigation every time we investigate. We can be sued because someone doesn't like what our report says.

Sure, we can be sued by anyone because we are ugly and our momma dresses us funny too. But if we are not negligent, have a good contract that says things like we are independent and will report exculpatory evidence, and stick to a good methodology with proper documentation of our procedures, that chance is mitigated. Oh, and I carry good insurance.

Posted : 06/02/2007 10:46 pm
keydet89
(@keydet89)
Community Legend

> Have one for catching the criminal in the act?

That's a different issue that involves incident preparedness, not incident response.

> Many EMTs would destroy the useful evidence…

Perhaps. Going back to our scenario, as the victim had been stabbed (or shot) the EMTs would attempt to stop the bleeding, and administer the necessary fluids to stabilize the victim. While they have touched & moved the body, they haven't affected the stab or gunshot wound. They may have stepped in tire tracks, and cut away the victim's clothing…but their goal is to keep the victim alive.

Unfortunately in IT, IR very rarely has a goal…which is why folks like me get called.

> I think it really comes down to one simple question.

I think you're right…but moving away from the academic discussion and into the real world, the fact remains that most of the folks I deal with have no clue when an incident occurs what their goal is. Many times, they decide on the goal after all of the information that could be used to answer their questions has already been destroyed. Other times, the political landscape/corporate culture leads to competing goals.

> There have been cases where lawsuits occurred…

You're right. I'm familiar with some of the incidents. And yes, as long as corporations continue to stick their heads in the sand with regards to threats (not just threats to the data that they store/process, but threats to the corporation when they are required to notify), then these will continue…as they should. Corporations have not been taking the necessary protective measures, deeming it too expensive to do so. Then an incident occurs, and legislation requiring notification leads to additional costs due to lawsuits, as well as loss of customers due to lack of confidence.

Some of the recent press releases and information available through sites such as privacyrights.org have stated that some of the compromises have gone undetected for months…so much for confidence, eh?

> Maybe it's just me, but computer forensics seems to be held to a higher standard than other sciences.

Perhaps. Maybe it's more a matter of perspective. Also, keep in mind that computer forensics is missing some critical core elements of other disciplines. For example, specificity of language. Doctors have terms that mean the same thing to all doctors…terms like "stat", etc. However, in IR/CF, you can rarely find agreement on much.

There're also issues with maturity of the discipline, etc. It's funny, too, because from my perspective, computers are a lot more deterministic than the human body. If you unplug a computer, you pretty much know what will happen. However, people have had skydiving accidents where their 'chutes didn't open, and they survived - while others have tripped and never walked again.

> Whether we like it or not, anything we do in IR can be called into court.

Perhaps, perhaps not. I believe that a lot of potential "evidence" doesn't even get considered by attorneys, as it's too hard to present or explain.

Posted : 07/02/2007 12:55 am
az_gcfa
(@az_gcfa)
Active Member

I like the reference to EMTs for IR - that is a totally accurate description.

I am of the opinion that IR and CF are two distinct functions. The relationship between these functions should/must be defined early on in the IR protocol. For example, an incident occurred and management has already determined the course of action: identify the incident, verify the incident, analyze the incident data, develop a mitigation response and implement the mitigation response. In other words, management is not interested in pursuing any legal recourse.

I agree that if IR is not handled properly then there is little chance of any meaningful or worthwhile CF investigation. However, the need or likelihood of a CF investigation should have been defined initially!

More than likely CF will be involved in analyzing the incident data in order to determine a mitigation approach. However, this should not mean that the data collection and analysis should be done haphazardly when the stringent audit and documentation controls required for a legal proceeding are not needed.

CF does not require that the IR protocol be implemented first. A boss finds porn on a computer and wants proof of who, what and when!

I understand the example - the Chief Surgeon arrives and kills the victim. I do not agree with that statement. I have been involved in numerous incidents where the victim remained living. The Chief Surgeon was not allowed to pull the plug. We acquired live snapshots of the running systems - "yes, LE wanted - even demanded - that the systems be shut down and imaged", but they settled for snapshots.

So, I would agree that traditional CF techniques did apply when there was no one arguing for victims rights! What would be your guess of the percentage of investigations in which the killing of the victim was not acceptable! Of course we are talking mechanical or electronic victims!

I do completely agree that CF needs to develop a dictionary of terms so we all have a common reference point. Maybe we should start with the FRE and DOJ Guidelines.

Posted : 10/02/2007 10:24 am