From: InfoSec News (alertsinfosecnews.org)
Date: Wed Sep 27 2006 - 01:16:32 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR SEPTEMBER 2006

FORENSIC TECHNIQUES: HELPING ORGANIZATIONS
IMPROVE THEIR RESPONSES TO INFORMATION SECURITY INCIDENTS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Digital forensic techniques involve the application of science to the
identification, collection, examination, and analysis of data in ways
that preserve the integrity of the information and maintain a strict
chain of custody for the data. Organizations have the means to collect
growing amounts of data from many sources. Data is stored or transferred
by standard IT systems, networking equipment, computing peripherals,
personal digital assistants (PDAs), consumer electronic devices, and
various types of media. When information security incidents occur,
organizations that have established a capability to apply digital
forensic techniques can examine and analyze the data that they have
collected, and determine if their systems and networks may have
sustained any damage and if sensitive data may have been compromised.
Digital forensic techniques can be used for many purposes, such as
supporting the investigation of crimes and violations of internal
policies, analyses of security incidents, reviews of operational
problems, and recovery from accidental system damage.

Guide to Integrating Forensic Techniques into Incident Response

NIST's Information Technology Laboratory recently issued Special
Publication (SP) 800-86, Guide to Integrating Forensic Techniques into
Incident Response. Written by Karen Kent and Tim Grance of NIST, and by
Suzanne Chevalier and Hung Dang of Booz Allen Hamilton, the guide
provides detailed information on how an organization can establish a
forensic capability and develop the needed fundamental policies and
procedures that will guide the use of forensics. The focus is on helping
organizations use forensic techniques to aid in the investigation of
computer security incidents and in troubleshooting other information
technology (IT) operational problems.

The publication describes the processes for performing effective
forensics activities and recommends ways to use the many data sources
that are available for collection, examination, and analysis. Forensic
techniques are discussed from the IT perspective, rather than from the
law enforcement standpoint. While it is not an all-inclusive
step-by-step guide for executing a digital forensic investigation or a
source of legal advice, the publication is a useful source of
information on applying forensic technologies within the context of
performing incident response or troubleshooting activities.

Issues covered in the guide include the need for computer and network
forensics; how to establish and organize a forensics capability; and the
basic steps of data collection, examination, analysis, and reporting.
Case studies are provided to illustrate how data analyses can correlate
events among several data sources. The appendices summarize the major
recommendations in a convenient format and provide scenarios in which
the application of forensics techniques might be appropriate. Also
included in the appendices are a glossary, an acronym list, a list of
in-print references, online tools, and other resources that support the
establishment of a forensics capability and awareness of forensics tools
and techniques.

The guide is available at http://csrc.nist.gov/publications/nistpubs/.

Why Forensics Techniques Are Needed for Information Security

Forensic science is generally defined as the application of science to
the law. Over the last decade, the number of crimes that involve
computers has grown, spurring an increase in companies and products that
assist personnel in using computer-based evidence to determine the
details of computer-related incidents. As a result, digital forensic
tools and techniques have evolved to enable organizations to properly
provide computer crime data to courts. In addition to assisting with
criminal investigations and the handling of computer security incidents,
digital forensic tools and techniques are valuable for many other
organizational and security-related tasks, such as:

* troubleshooting operational issues: finding the virtual and physical
  location of a host with an incorrect network configuration;
  resolving a functional problem with an application; and recording and
  reviewing the current operating system (OS) and application
  configuration settings for a host.

* log monitoring: analyzing log entries and correlating log entries
  across multiple systems; assisting in incident handling;
  identifying policy violations; and auditing and other related efforts.

* recovering lost data from systems, including data that has been
  accidentally or purposely deleted or otherwise modified.

* acquiring data, for possible future use from hosts that are being
  redeployed or retired: acquiring and storing the data from a user's
  workstation when the user leaves the organization. The workstation's
  media can then be sanitized to remove all of the original user's data.

* protecting sensitive information and maintaining certain records for
  audit purposes: enabling organizations to notify other agencies or
  individuals when protected information is exposed to other parties.

The Forensic Process

NIST SP 800-86 describes a four-step process for applying digital
forensic techniques in a consistent manner:

Collection. Data is identified, labeled, recorded and acquired from all
of the possible sources of relevant data, using procedures that preserve
the integrity of the data. Data should be collected in a timely manner
to avoid the loss of dynamic data, such as a list of current network
connections, and the data collected in cell phones, PDAs, and other
battery-powered devices.

Examination. The data that is collected should be examined using a
combination of automated and manual methods to assess and extract data
of particular interest for the specific situation, while preserving the
integrity of the data.

Analysis. The results of the examination should be analyzed, using
well-documented methods and techniques, to derive useful information
that addresses the questions that were the impetus for the collection
and examination.

Reporting. The results of the analysis should be reported. Items to be
reported may include: a description of the actions employed; an
explanation of how tools and procedures were selected; a determination
of any other actions that should be performed, such as forensic
examination of additional data sources, securing identified
vulnerabilities, and improving existing security controls; and
recommendations for improvements to policies, guidelines, procedures,
tools, and other aspects of the forensic process.

Forensics in the Information System Development Life Cycle

Many computer incidents can be handled more efficiently and effectively
if forensic considerations have been incorporated into the information
system life cycle. NIST SP 800-64, Security Considerations in the
Information System Development Life Cycle, presents a framework for
incorporating security into all phases of the life cycle, and for
selecting appropriate, cost-effective security controls. NIST SP 800-64
is available at: http://csrc.nist.gov/publications/nistpubs/

Examples of these life cycle considerations include:

* Performing regular backups of systems and maintaining previous backups
  for a specific period of time;

* Enabling auditing on workstations, servers, and network devices;

* Forwarding audit records to secure centralized log servers;

* Configuring mission-critical applications to perform auditing,
  including recording all authentication attempts;

* Maintaining a database of file hashes for the files of common OS and
  application deployments, and using file integrity checking software on
  particularly important assets;

* Maintaining records of network and system configurations; and

* Establishing data retention policies that support performing
  historical reviews of system and network activity, complying with
  requests or requirements to preserve data relating to ongoing
  litigation and investigations, and destroying data that is no longer
  needed.

Summary of Recommendations for Using Forensic Techniques

NIST recommends that organizations carry out the following actions to
establish, organize, and use forensic techniques effectively:

* Develop organizational policies that contain clear statements
  addressing all major forensic considerations, such as contacting law
  enforcement, performing monitoring, and conducting regular reviews of
  forensic policies and procedures.

High-level policies should allow authorized personnel to monitor systems
and networks and to perform investigations for legitimate reasons under
appropriate circumstances. Organizations may also adopt a separate
forensic policy for incident handlers and others with forensic roles;
this policy should provide more detailed rules concerning appropriate
behavior. Forensic policy should clearly define the roles and
responsibilities of all staff members and external organizations
performing or assisting with the organization’s forensic activities.

Organizations usually rely on a combination of their own staff and
external groups to perform forensic tasks. Some organizations perform
standard tasks themselves and use outside parties only when specialized
assistance is needed for demanding tasks, such as sending physically
damaged media to a data recovery firm for reconstruction, or having
specially trained law enforcement personnel or consultants collect data
from cell phones and similar sources. These tasks usually require the
use of specialized software, equipment, facilities, and technical
expertise that many organizations cannot afford to acquire and maintain.

The organizational policy should clearly indicate who should contact
specified internal teams and external organizations, and the policy
should clearly define the circumstances for making the contacts. When
deciding which internal or external parties should handle each aspect of
forensics, organizations should consider factors such as personnel and
equipment costs for collecting data; the time needed for internal or
external teams to respond to incidents; and data sensitivity and privacy
issues.

* Create and maintain procedures and guidelines for performing forensic
  tasks, based on the organization's policies and all applicable laws
  and regulations.

The procedures and guidelines should focus on general methodologies for
investigating incidents using forensic techniques, since it is not
feasible to develop comprehensive procedures tailored to every possible
situation. Consideration should be given to developing step-by-step
procedures for performing routine tasks. The procedures and guidelines
should facilitate consistent, effective, and accurate actions. This is
especially important for handling incidents that may lead to prosecution
or internal disciplinary actions. When decision makers handle the
forensic data evidence in a sound, thorough manner, they are in a
position to take necessary follow-up actions with confidence.

The organization's procedures and guidelines should support the
admissibility of evidence into legal proceedings, and should include
information on gathering and handling evidence properly, preserving the
integrity of tools and equipment, maintaining the chain of custody, and
storing the evidence appropriately. Because electronic logs and other
records can be altered or otherwise manipulated, organizations should be
prepared, through their policies, guidelines, and procedures, to
demonstrate the integrity of their records. The procedures and
guidelines should be reviewed periodically and when any changes are made
to the policies and procedures of the incident handling teams.

* Develop organizational policies and procedures that support the
  reasonable and appropriate use of forensic tools.

Organizational policies and procedures should clearly explain what
forensic actions should and should not be performed under various
circumstances, as well as describing the necessary safeguards for
sensitive information that might be recorded by forensic tools, such as
passwords, personal data, Social Security numbers, and the contents of
e-mails. Legal advisors should carefully review all forensic policies
and high-level procedures.

The organization's policies and procedures on the use of forensic tools
should address the use of anti-forensic tools and techniques, which are
designed to conceal or destroy data so that others cannot access it.
There are many uses for anti-forensic software, such as removing data
from computers and media that are to be discarded. Recently issued NIST
SP 800-88, Guidelines for Media Sanitization: Recommendations of the
National Institute of Standards and Technology, provides help to
organizations in securely managing the information processed and stored
on devices and media. The guide on media sanitization was discussed in
the August ITL Bulletin and is available at:
http://csrc.nist.gov/publications/nistbul/index.html.

* Prepare IT professionals to support and participate in forensic
  activities.

IT professionals throughout the organization, especially incident
handlers and other first responders to incidents, should understand
their roles and responsibilities for forensics. They should receive
training and education on forensic - related policies and procedures,
and be prepared to cooperate with and assist others when the
technologies for which they are responsible are part of an incident or
other event. IT professionals should also consult closely with legal
counsel in general preparation for forensics activities to determine
which actions IT professionals should and should not perform. The
consultation with legal counsel should also take place on an as-needed
basis to discuss specific forensics situations. The organizational
management should be responsible for supporting forensic capabilities,
reviewing and approving forensic policy, and approving certain forensic
actions, such as taking mission-critical systems off-line.

Incident handlers performing forensic tasks should have a broad
knowledge of forensic principles, guidelines, procedures, tools, and
techniques, as well as anti-forensic tools and techniques that could
conceal or destroy data. It is also helpful if incident handlers have
knowledge of technical issues involving information security, operating
systems, file systems, applications, and networks. Training courses help
to build competence in forensics among technical support staff, system
and network administrators, and other IT professionals. Interactions
between incident handlers and IT professionals can be effective in
promoting the understanding of forensics tools and in identifying
potential shortcomings in forensics capabilities.

For More Information

NIST publications assist organizations in planning and implementing a
comprehensive approach to IT security. For information about NIST
standards and guidelines that are referenced in the forensics techniques
guide, as well as other security-related publications, see
http://csrc.nist.gov/publications/index.html.

Disclaimer Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]