Are You Ready For Employee Theft and Sabotage?

For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly-defined).  While some of these incidents are little more than inconvenient reminders that “people are our weakest link…” others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence).  We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.

This is not a new obligation.  Career criminals continue to expand their use of technology in the course of their illegal activities.  One component (there are many others) of the reasonable processes required for dealing with this situation is “computer forensics.”  It is also a key component of our tooling and processes for dealing with new insider crime linked to the toxic economic environment.  Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.

If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit and Autopsy, download a current copy of BackTrack (or one of the many other forensic toolkit bootable CDs) and start training — the important issue is starting somewhere.  Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared.  They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer.  The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — even worse, a reporter from the Wall Street Journal.

There are a number of good books on this topic (search Google or Amazon).

There is a broad spectrum of activities included under the label of “computer forensics.”  To give you a hint of this range and complexity, a sampling of what they include (but are not limited to) appears below:

  • Respond to live incidents (The attack is ongoing).
  • Respond to recent incidents (hours or days old).
  • Respond to historical incidents (months old or longer).
  • Determine whether an attack/theft/sabotage/etc has actually occurred.
  • Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
  • Analyze volatile data and nonvolatile data.
  • Safely perform and document forensic duplications.
    Create a bitstream image of the evidence.
    Prepare for subsequent verification of the evidence using one-way hash functions.
    Understand hash and signature analysis.
  • Collect and analyze network-based evidence.
  • Identify and analyze print spool data.
  • Identify and analyze files of unknown origin.
  • Identify and document all start-up and shutdown activity.
  • Identify and document authentication and authorization activity.
  • Identify and document system and data access.
  • Reconstruct web browsing behaviors.
    Including recovery and analysis of cookies.
  • Document all e-mail activity.
  • Identify & document domain name ownership and the “real” source/destination of e-mails.
  • Identify and analyze system and application changes – with special attention to privilege changes.
    This includes the Windows registry and event logs, as well as application residual files.
  • Identify and analyze data changes – with special attention to creation and destruction activities.
    Includes analysis of slack and unallocated space, and recovery of deleted files.
  • Identify and analyze errors and faults.
  • Perform keyword and email searches.
  • Build time-lines of user and application behaviors.
  • and lots, lots, more…
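The duplication and verification items above (create a bitstream image, prepare for later verification with a one-way hash function, document the work) as an added worked example in Python. This is not code from the post or from The Sleuth Kit; it assumes the evidence source can be opened read-only as an ordinary file (a block-device path behaves the same way on Unix), and the `evidence.bin` it images in `demo()` is a constructed sample, not a real drive. Unreadable blocks are zero-filled and logged so the image keeps the source's offsets, mirroring `dd conv=noerror,sync`.

```python
"""Bitstream imaging with hash verification and an acquisition log.

Added example, not from the original post or from TSK.  The source is assumed
to be readable as a plain file opened read-only; the sample in demo() is a
constructed file standing in for a seized drive.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK_SIZE = 4096  # read unit; a failed read is zero-filled, like dd conv=noerror,sync


def sha256_file(path, block_size=BLOCK_SIZE):
    """Hash a file in blocks so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(src_path, img_path, log_path, block_size=BLOCK_SIZE):
    """Copy src_path byte-for-byte to img_path, hashing the source stream as it
    is read, then re-hash the written image and record both digests in a JSON
    log.  Returns the log dict; log['verified'] is True when the two digests match."""
    src_hash = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                # Hardware read error: keep offsets aligned with a zero-filled
                # block, note where it happened, and continue past it.
                bad_blocks.append(offset)
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            src_hash.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    img_hash = sha256_file(img_path)
    log = {
        "source": os.path.abspath(src_path),
        "image": os.path.abspath(img_path),
        "bytes": offset,
        "block_size": block_size,
        "bad_blocks": bad_blocks,
        "sha256_source_stream": src_hash.hexdigest(),
        "sha256_image_file": img_hash,
        "verified": src_hash.hexdigest() == img_hash,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(log_path, "w") as fh:
        json.dump(log, fh, indent=2)
    return log


def verify_image(img_path, log_path):
    """Later verification (e.g. before analysis or in court): re-hash the image
    and compare with the digest recorded at acquisition time."""
    with open(log_path) as fh:
        log = json.load(fh)
    return sha256_file(img_path) == log["sha256_image_file"]


def demo():
    """Constructed sample run: image a small file, verify, then show that a
    single altered byte fails verification.  Returns four booleans."""
    workdir = tempfile.mkdtemp()
    src, img, log = (os.path.join(workdir, n) for n in ("evidence.bin", "evidence.dd", "acquisition.json"))
    with open(src, "wb") as fh:  # constructed "evidence", spans three read blocks
        fh.write(b"QUARTERLY LEDGER\n" + os.urandom(BLOCK_SIZE * 2) + b"end of file\n")
    rec = acquire_image(src, img, log)
    stream_matches_file = rec["sha256_source_stream"] == sha256_file(src)
    ok_before = verify_image(img, log)
    with open(img, "r+b") as fh:  # tamper with one byte of the image copy
        fh.seek(5)
        fh.write(b"X")
    ok_after = verify_image(img, log)
    return rec["verified"], stream_matches_file, ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Keep the JSON log with the image and the chain-of-custody paperwork; anyone who later re-hashes the image can show it is the same object that was acquired. The read-error path cannot be exercised against a regular file, and in practice a hardware write-blocker sits between the examiner's machine and the original drive so the source is never written.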

If computer forensics is not something that you or your staff are well prepared to execute, I strongly recommend that you start on an immediate plan to develop a minimum competency in this area today.
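For the “Build time-lines of user and application behaviors” item in the list above, an added Python example (not code from the post, nor from The Sleuth Kit) that turns Sleuth Kit bodyfile records into a mactime-style timeline. The bodyfile layout is TSK's version 3 format as emitted by `fls -m` and `ils -m` (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`); the three records are constructed for illustration and assume that layout only. In a real case they would come from `fls -r -m / image.dd` run against a verified image.

```python
"""mactime-style timeline from TSK bodyfile records.

Added example, not from the original post or from TSK.  Parses only the
version-3 bodyfile layout; the sample records are constructed.
"""
from datetime import datetime, timezone

# Constructed sample: a client list read on the system drive, a copy with the
# same size created on removable media minutes later, then a log update.
SAMPLE_BODYFILE = """\
0|/Users/jdoe/Documents/clients.xlsx|1234|r/rrw-r--r--|501|20|40960|1262350800|1262300400|1262300400|1262300400
0|/Volumes/USB/clients.xlsx|17|r/rrwxrwxrwx|501|20|40960|1262351100|1262351100|1262351100|1262351100
0|/var/log/system.log|88|r/rrw-r-----|0|80|20480|1262351400|1262351400|1262351400|1262351400
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts.  Blank lines and lines with the wrong
    field count are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_timeline(records):
    """One row per (timestamp, file) with mactime's MACB flags: which of
    mtime/atime/ctime/crtime fall on that second.  Oldest first.
    Returns a list of (epoch_seconds, flags, size, name)."""
    rows = []
    for rec in records:
        by_time = {}
        for flag, key in zip("macb", ("mtime", "atime", "ctime", "crtime")):
            ts = rec[key]
            if ts == 0:  # TSK writes 0 when the file system lacks that timestamp
                continue
            by_time.setdefault(ts, set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, macb, rec["size"], rec["name"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows


def events_between(rows, start, end):
    """Restrict the timeline to an investigative window [start, end] (epoch seconds)."""
    return [r for r in rows if start <= r[0] <= end]


def format_row(row):
    """Render a row the way mactime prints it: UTC time, size, MACB flags, name."""
    ts, macb, size, name = row
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {size:>8} {macb} {name}"


if __name__ == "__main__":
    for row in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_row(row))
```

Reading the output top to bottom is the point of the exercise: the original was last read (`.a..`) a few minutes before a same-size file was created (`macb`) on the removable volume, which is the kind of sequence that turns a suspicion into a documented finding. Real investigations also fold in event-log, browser and e-mail timestamps, which is why the row tuple carries a free-form name rather than a file path only.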

-Resources-

U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence.” Version 3. http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

“Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence”
http://www.cybercrime.gov/ssmanual/05ssma.html, and more broadly http://www.cybercrime.gov/ssmanual/index.html and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html, and finally,
http://www.cybercrime.gov/cclaws.html.

The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools).  They run on Windows and Unix/Linux systems.  They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.  The Sleuth Kit (TSK) is a C library and a collection of command line tools.  Autopsy is a graphical interface to TSK.  http://www.sleuthkit.org/

The Sleuth Kit: http://sourceforge.net/projects/sleuthkit/
Autopsy: http://sourceforge.net/projects/autopsy/
BackTrack: http://www.backtrack-linux.org/

A list of bootable CDs with The Sleuth Kit & Autopsy, as well as large collections of additional utilities designed to assist you in your forensic work: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy

“Computer Forensics Procedures and Methods.” By Dr. J. Philip Craiger, Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida
http://ncfs.ucf.edu/craiger.forensics.methods.procedures.final.pdf

“Windows Forensic Analysis DVD Toolkit.” (Second Edition)  By Harlan A. Carvey. Syngress, June 11, 2009.
http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=dp_ob_title_bk

“File System Forensic Analysis.”  By Brian Carrier.  Addison-Wesley Professional, March 27, 2005.
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=pd_sim_b_1

“Real Digital Forensics: Computer Security and Incident Response.”  By Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Addison-Wesley Professional, October 3, 2005.
http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=pd_rhf_shvl_4

And a 2008 list of web resources on forensics: http://geschonneck.com/security/forensics/
