Old Data Never Dies...
eSecurityPlanet columnist Bob Hillery walks us through a digital forensics case. How do you protect and find the data you're looking for? And how do you keep your computers from being used to steal the company's information in the first place?
OK, how many of you out there have a lawyer you'd call a friend? Oh, come on now. There must be a few of you. No, this is not a lawyer joke or a rant at the expense of attorneys. By the end of this article those of you muttering in the back of the room should want to review your company's -- and maybe even your personal -- policies regarding the legal aspects of IT.
Let me explain.
Along with the IT security consulting that I do, I also review forensic data. The technical part isn't rocket science, but it does require patience, care, and a lot of detailed notes. I also deal with lawyers and the legal aspects of evidence, digital data, and digital data as evidence. The hard part in digital forensics seems to be policy and dealing with the human factor.
It comes back to company policies. Always does, doesn't it?
Let's start with an example -- a 'composite' drawn from a couple of recent cases. All of the elements are real, they may just have come from more than one case so I can maintain the clients' privacy.
Company X calls and says they need to have the computer used by a former employee examined. Their concern is that the employee who recently left is now working for their competitor, and it seems the competition has just bid on a contract for developing some new widget that looks an awful lot like Company X's gadget.
They want to know if I can find out if proprietary information or protected intellectual property has been stolen?
Never say, ''Yes.'' Just say, ''We'd be happy to review the drive in a forensically clean process, and if the drive has that information, we'll find it.''
It's all about the facts and the data -- not inferences and surmises. That's what the lawyers get paid to do as they build cases from all of the details from digital and traditional investigations.
Now we enter through the looking glass.
When I arrive on site I learn that:
The person telling me all of this averted his eyes and carefully inspected his shoes. I think I may have been glaring, dumbstruck.
At this point, it's hard to call this a ''forensics'' case. Anyway, I suggested that it was good to at least know these things. Perhaps I could determine what had happened on a timeline and show what may or may not have been done while the former employee was responsible for the computer.
In the end, I did find some facts that were useful to the lawyers' teams in each case. But the important part, again, wasn't technical -- it was the process.
What should the process be for the termination, transfer, or promotion of any employee with access to sensitive company or personnel information? Out-brief letters, signing or re-signing non-compete and non-disclosure agreements, a review of transaction logs and the data on the system, all jump to mind as good standard practice.
Why does a sensitive development system have internet access? Why are employees using web-mail that won't have company transaction logs or email records? For those in companies with Sarbanes-Oxley or Gramm-Leach-Bliley requirements, this could be a regulatory violation, too.
User installed software is a great vector for Trojan horses and other malicious programs, so it should be avoided at all costs. This untested software could also simply introduce incompatibilities that crash programs or degrade the network.
CD-Rom burners used to be part of resource management. Some of you are nodding... Remember when there was one burner and you had to get blank CDs through some tracked process? ''What are you copying and why?,'' needed to be answered first. Today, burners are literally everywhere. And so are copies of software and data.
If someone leaves the company or a project, and there's enough of an issue to keep a computer out of the network, shouldn't that be a hint that something more formal should be done to keep track of the box?
Don't wait three months. And don't turn on the system to check things out and copy a few files. If a computer needs do be 'examined', and there is any chance it may be key in upcoming litigation, you must follow some pretty clear procedures that maintain a chain of custody and record of access to the system.
This, of course, brings us back to the lawyers.
It is essential that legal counsel be an active part of the policy development and implementation team. Among other things, they need to help determine what is private and what isn't. Anyone dealing with European-based firms or offices knows the E.U. privacy laws are very different from those in North America.
As an IT department decides what to check for policy compliance measures, they should also talk to the lawyers so they know how to handle what may become evidence in either a civil or criminal case.
Remember, forensics is generally what gets done after something bad happens. There's a lot of homework and preparation that should come beforehand.
Oh, if you're ever a defendant, you want your counsel to be more of a friend than just another lawyer. In one of the parts of this composite story, it became pretty clear that the person under scrutiny wasn't doing anything wrong. They were just unpopular.
So, go meet a lawyer. She will help you understand a crucial and under-appreciated aspect of the business world.
By the way, in each of the cases that made up the composites, data was discovered that pre-dated the employee in question -- and some of it wasn't good at all. We found snippets of emails to and from competing companies, and address books with entries for competitors. Of course, we found where some employees had been surfing the Web for a new car or clothing.
And we did find, in one case, where an employee had been surfing pornographic Web sites in violation of company policies. When the company further investigated this same employee, they found he was still viewing porn on the job and he received an administrative warning. And yes, any one of a dozen ways to block sites would have helped, but this company hadn't put policy enforcement processes in place.
Bob Hillery, a former computer and security manager for the U.S. Navy, is a founder of Intelguardians, LLC, a security consultancy. With experience in the corporate, military and academic worlds, he now also is an instructor with the SANS Institute.