Are You Ready For Employee Theft and Sabotage?
For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly-defined). While some of these incidents are little more than inconvenient reminders that “people are our weakest link…” others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence). We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.
This is not a new obligation. Career criminals continue to expand their use of technology in the course of their illegal activities. One component (there are many others) of the reasonable processes required for dealing with this situation is “computer forensics.” It is also a key component of the tooling and processes we need for the new insider crime linked to the toxic economic environment. Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.
If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit and Autopsy, download a current copy of BackTrack (or one of the many other forensic toolkit bootable CDs) and start training — the important issue is starting somewhere. Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared. They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer. The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — even worse, a reporter from the Wall Street Journal.
There are a number of good books on this topic (search Google or Amazon).
There is a broad spectrum of activities included under the label of “computer forensics.” To give you a hint of this range and complexity, a sampling of what they include (but are not limited to) appears below:
- Respond to live incidents (the attack is ongoing).
- Respond to recent incidents (hours or days old).
- Respond to historical incidents (months old or longer).
- Determine whether an attack/theft/sabotage/etc. has actually occurred.
- Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
- Analyze volatile data and nonvolatile data.
- Safely perform and document forensic duplications.
  - Create a bitstream image of the evidence.
  - Prepare for subsequent verification of the evidence using one-way hash functions.
  - Understand hash and signature analysis.
- Collect and analyze network-based evidence.
- Identify and analyze print spool data.
- Identify and analyze files of unknown origin.
- Identify and document all start-up and shutdown activity.
- Identify and document authentication and authorization activity.
- Identify and document system and data access.
- Reconstruct web browsing behaviors.
  - Including recovery and analysis of cookies.
- Document all e-mail activity.
- Identify and document domain name ownership and the “real” source/destination of e-mails.
- Identify and analyze system and application changes – invest special effort in privilege changes.
  - This includes the Windows registry and event logs, as well as application residual files.
- Identify and analyze data changes – with special attention to creation and destruction activities.
  - Includes analysis of slack and unallocated space, and recovery of deleted files.
- Identify and analyze errors and faults.
- Perform keyword and e-mail searches.
- Build time-lines of user and application behaviors.
- and lots, lots, more…
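The forensic duplication items above (bitstream image, then later verification with one-way hashes) are the easiest to show in code. The following is an added example, not code from the original post or from The Sleuth Kit: it copies a source block-by-block while hashing it, records the acquisition hashes, and re-hashes the image later to prove (or disprove) that it is still bit-for-bit what was collected. The `evidence.bin` sample it images is constructed random data, and the file names and functions are this example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream the source in 1 MiB blocks so large images fit in memory

def image_and_hash(src_path, dst_path):
    """Bit-for-bit copy of src_path (a file or raw device, e.g. /dev/sdb) to
    dst_path, hashing every byte as read. Returns (md5, sha256, bytes_copied)."""
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return md5.hexdigest(), sha.hexdigest(), total

def hash_file(path):
    """Independent re-hash of an existing file, for later verification."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def verify_image(image_path, acquisition_hashes):
    """True only if the image still hashes to the values recorded at acquisition."""
    return hash_file(image_path) == acquisition_hashes

def demo():
    """Constructed scenario: image a sample file, verify the copy, then flip one
    byte in the image and show that verification now fails."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "evidence.bin"), os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:  # constructed sample data, not a real disk
        f.write(os.urandom(3 * CHUNK + 12345))
    md5, sha, n = image_and_hash(src, img)
    ok_before = verify_image(img, (md5, sha))
    with open(img, "r+b") as f:  # simulate a single-byte alteration of the image
        f.seek(n // 2)
        original = f.read(1)[0]
        f.seek(n // 2)
        f.write(bytes([original ^ 0xFF]))
    ok_after = verify_image(img, (md5, sha))
    return ok_before, ok_after, n
```

Record both digests, the byte count, the device identity, the operator and the time in your acquisition notes; a later `verify_image` match is what lets you testify that the analysed image is the evidence you collected.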
If computer forensics is not something that you or your staff are well prepared to execute, I strongly recommend that you move on an immediate plan to develop a minimum competency in this area, starting today.
Resources referenced above and further reading:
- U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence,” Version 3. http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
- “Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence,” http://www.cybercrime.gov/ssmanual/05ssma.html; more broadly, the whole manual at http://www.cybercrime.gov/ssmanual/index.html; and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html
- The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools). They run on Windows and Unix/Linux systems. They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types. The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. http://www.sleuthkit.org/
- A list of bootable CDs with The Sleuth Kit & Autopsy, as well as large collections of additional utilities designed to assist you in your forensic work: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy
- “Computer Forensics Procedures and Methods.” By Dr. J. Philip Craiger, Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida.
- “Windows Forensic Analysis DVD Toolkit” (Second Edition). By Harlan A. Carvey. Syngress, June 11, 2009.
- “File System Forensic Analysis.” By Brian Carrier. Addison-Wesley Professional, March 27, 2005.
- “Real Digital Forensics: Computer Security and Incident Response.” By Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Addison-Wesley Professional, October 3, 2005.
- And a 2008 list of web resources on forensics: http://geschonneck.com/security/forensics/