Discover LinuxSecurity Features
Making It Big: Large Scale Network Forensics (Part 1 of 2)
In recent months (late 2002-early 2003), I have seen more articles addressing the use and definition of corporate computer forensics than ever before. Ive seen a general acceptance of investigative software as a useful tool for keeping the enterprise internally secure.
Much has been made of firewalls, VPNs, smartcards, and biotechnology. These things are important of course, but how are companies investing in protecting their internal security? Threats from within make up a good percentage of identity theft (read: NY Horse Racing Association scandal), credit card fraud, proprietary information theft, harassment, and intellectual property violations. All very serious business indeed. I am positive that most high tech Human Resources departments do not employ a forensic investigator, nor is it likely that there exists the appropriate funding for IT admins. to attend forensic training.
Proper tools and training are definitely important. Understanding the methodology behind forensic investigations is even more important. Id go toe to toe with anyone that thought they could purchase a bargain forensic toolkit and do a decent job of it. Its just not comprehensive enough. Then again, what is enough? There are many determinants to deciding on appropriate investigative tools: How secure do you want to be? What exactly are you looking for? Do you need to monitor crucial business functions like Accounting and Finance? Is leaked information in Software Engineering a cause of concern? Are PCs and laptops properly investigated for signs of abuse when an employee has left or been terminated?
These are questions that beg consideration. The threat to corporate security is not waiting around the outside of the parking lot day after day. Sometimes, yes. More frequently, its internal. Multi-national companies pose an interesting challenge in that there are hundreds, sometimes thousands of people networked together, making and the ability to respond to threats in real-time and from a remote location, increasingly important.
Ive spent a good deal of time following the privacy concern issues behind the use of computer forensics in the corporate environment. The fears have been common enough and yet, they seem to stem from a misunderstanding about what forensics can and cannot do. As an employee of any company, you sign documentation to the effect that all company systems, data, inventions on behalf of the company, etc., are property of the company. At least, this is the way North America does business. In knowing and embracing your status as a company employee, you understand that nothing on your desk (save for some pictures, weird objects and a cup of coffee), belong to you. However, this is fundamentally the very first thing thats forgotten when arguments are presented. How can your company spy on you? Well, they arent spying, they are monitoring the data and work flow of their organization. Shouldnt any company in these scary economic times want to assure that it is operating at the most efficient and secure levels possible? If you, as the loyal employee to Company X, are not in any violation of company policies, then the ad-hoc monitoring of your network communications and actions should not concern youor should it? Depends on what youre up to.
Computer forensics do not follow you home in your car. Enterprise Forensics, or Large Scale Forensics, are installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The sys. admin. (or examiner as it may be) does not monitor all systems on the entire network. It isnt really possible and is very inefficient. The company chooses areas that it feels need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.
Mirroring a system does not affect performance of that system. Copying down information gleaned from the system while its in use may slow up the performance a bit, but again, its highly specific information that an investigator is looking for, not random emails about Friday nights date.
Computer forensic tools can compile custom reports that run unattended 24-7 to monitor certain areas of concern. As an example, because of new regulations for American companies traded on the public market, the Security Exchange Commission (SEC) requires that all corporate heads personally vouch for their companys financial reports. To ensure that these reports are indeed accurate, a CFO might want to employ a forensic solution to monitor cash flow in and out of Sales or Finance. A custom report could be programmed that would glean specific information for the CFO through the network capabilities of the enterprise forensic tool. In this way, there is consistent visibility into areas of the company that might otherwise go unnoticed but may cause catastrophic downfall all the same. Read: Enron.
Also of note, enterprise computer forensics do not work across the internet. They are company network specific. The Administrator exchanges a digital key with the vendor company and the vendor company holds the master agreement in an extremely secure location off-site. This again leads back to the licenses, and how many a company is utilizing. There is the potential to have a license to mirror every system on the network, but this is defeating to any real purpose and there are definitely not enough IT folks in a single company to do the monitoring on that scale.
Regardless of an existing computer forensic tool installed on the network, what can be audited on every system are its log files. Time consuming and difficult to synthesize in massive amounts, log files have always been available to sys. admins. for customization, long before the advent of computer forensics. This is where the perceived evils of computer forensics must be addressed. The ways and means to monitor workflow and information exchange on computers has been there since their inception, on every system and with every user. Most companies employ some sort of log file audit process of their own. As with forensics, actions and events are chosen to be log-worthy. Trying to log every event on a system would adversely affect performance and isnt practical. As for inferred human rights violations and or privacy violations of computer forensics, there isnt anything magical or nefarious about the process other than its been made much easier to find critical data and its been automated.
The purpose and use of log files have been a topic of discussion in most in-depth forensic articles Ive read. To this end, Ive called upon Mike Fowler, a master trainer at Guidance Software*, to speak on the topic of log files and forensics.
What value do log files have to a forensic investigator using a forensic tool? In the case of EnCase Enterprise (Guidance Softwares Enterprise tool), log files can be viewed regardless of whether or not they have been deleted or exist in allocated filespace. These details, commonly referred to as System Artifacts, assist the examiner in determining not only the breadth and scope of an investigation; but also allows them to target locations on the suspect drive that contain items of evidentiary value.
On the subject of performance sacrifice, Fowler continues, Like any networked application, forensic tools will utilize as much bandwidth as the system administrator will allow it to accomplish its job. Performance is dependant more on network topology than on any bandwidth throttling issues.
Melisa LaBancz is a freelance journalist in the San Francisco Bay Area who has spent the past several years writing unique pieces about the security industry. With a special fascination for encryption technology and computer forensics, she has called upon the industry's best to assist in the quest for layman's terms and a trailer park understanding. Her day job consists of being a security export analyst and a security PR consultant to some of the nation's most cutting edge security vendors.
When not feverish over worldwide security conferences, she can be found photographing random glass and steel architecture, antagonizing her garden into growing and finishing off her Japanese half sleeves.
In an effort to articulate complex topics for a wider variety of readers, Melisa is known to rely on her belief in comparative nonsense to build her case and has developed strong relationships among the industry's best known thought leaders.
A few selected pieces:
Super! Ultra! Jumbo! Privacy as the New Multi-Purpose Word
Do It Yourself Security: Cutting Our Umbilical Dependence on the Consultant Community
Fire and Brimstone in 21st Century Security