Misconceptions about Computer Forensics
Of all the areas in which information security professionals become involved, few are more fascinating than computer forensics. I suspect that there is a bit of the spirit of Columbo, the legendary investigator in a 1970s TV series, in many information security professionals, perhaps even myself included. The idea of coming to a crime scene, investigating, and gathering evidence without contaminating it is indeed intriguing.
At the same time, I am concerned that a number of misconceptions about computer forensics have become more prevalent. One of the most common is that a forensics effort needs to be perfect if evidence is to hold up in a court of law. Although it behooves every member of an investigation team to follow correct forensics procedures as precisely as possible, mistakes happen. When they do, the results are not necessarily catastrophic. Consider the case of a botched forensics investigation at a large Department of Energy lab. A system administrator ran a pornographic Web site using a government computer. The lab's incident response team was called in to investigate, but the team neither made an image backup of the system on which the Web site ran nor isolated the system from the network. Shortly afterwards someone accessed the system and erased all information from its hard drive. Despite this forensics catastrophe, the accused ended up pleading guilty to several charges.
A second misconception is that everyone on an incident response team needs to be a certified forensics expert. Although having multiple forensics experts on such a team is highly desirable, it is normally neither practical nor cost-effective for everyone to possess that level of expertise. Training is essential in enabling individuals to become forensics experts, but resources are invariably limited, and there are other critical areas besides forensics in which team members need training. Spending a disproportionate share of these resources to make each team member a forensics expert is thus generally difficult to justify. As long as a bona fide forensics expert oversees each evidence handling and gathering effort, other, less qualified team members are likely to be able to deal with forensic evidence in a reasonable manner.
Another misconception is that forensics specialists need to develop only forensics-related knowledge and skills, not knowledge and skills that apply to other areas within information security. In reality, no forensics expert is likely to be engaged in forensics work most of the time. Other knowledge and skills are thus important: without them, incident response team members would have nothing to do for a significant portion of each work day, which is a waste of resources.
Still another misconception is that forensics procedures must be part of every incident response effort. Many attacks involve outbreaks of worms and viruses; collecting and archiving forensics evidence in these cases usually makes no sense at all. Other incidents may not be of sufficient magnitude to justify the cost of a forensics effort. Others may involve attacks from afar that are unlikely either to be traced or to result in criminal prosecution. Contrary to what many technical staff members think, therefore, whether to put forth the cost and effort of engaging in forensics procedures while an incident is in progress should be a management decision.
A final misconception about forensics is the notion that forensics necessarily involves the use of advanced technology. Many think that if someone does not use sophisticated technology, including special hardware and software, to gather evidence, the evidence has not been collected properly. In general, having such hardware and software cuts down the time and effort of collecting and analyzing forensics data and also reduces the likelihood of making mistakes in doing so. I would much rather have EnCase or the Paraben Forensic Replicator and Forensic Sorter, or some other tool that not only captures forensics images but also aids in analyzing forensics data, than not. On the other hand, a known, good copy of the dd (drive-to-drive copy) command can also make a legally defensible bit-by-bit backup of a system, and shell commands such as fgrep can be used for analysis.
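As an added example (not the author's own procedure), here is the dd-and-shell approach just described, together with the step that makes such a copy defensible: hashing both the source and the image so the two can be shown to be identical before any analysis is done on the image. All paths and the sample "drive" contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original essay: image a "drive" bit-for-bit with
# a known-good dd, prove the image matches the source by hash, then analyse the
# image (never the source) with a fixed-string grep. Paths are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SOURCE="$WORK/suspect_drive.bin"   # stands in for the seized device
IMAGE="$WORK/suspect_drive.dd"
LOG="$WORK/acquisition.log"        # hashes and dd output, for the case notes

# Constructed sample drive: two text lines plus zero fill, sized to exactly
# eight 512-byte sectors so conv=sync adds no padding (a real disk is always a
# whole number of sectors; a file that is not would hash differently).
make_sample_source() {
    { printf 'filler header\n'
      printf 'user=jdoe webroot=/var/www/site\n'
      head -c 4050 /dev/zero; } > "$SOURCE"
}

# Acquire with a fixed block size; noerror keeps reading past bad blocks and
# sync pads them so every offset in the image matches the source.
acquire_image() {
    dd if="$SOURCE" of="$IMAGE" bs=512 conv=noerror,sync 2>>"$LOG"
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Record both hashes; succeed only if source and image are identical.
verify_image() {
    src_hash=$(hash_file "$SOURCE")
    img_hash=$(hash_file "$IMAGE")
    printf 'source sha256=%s\nimage  sha256=%s\n' "$src_hash" "$img_hash" | tee -a "$LOG"
    [ "$src_hash" = "$img_hash" ]
}

# Analysis on the image: count lines containing a fixed string (grep -F is
# what fgrep does; -a treats the binary image as text).
search_image() {
    grep -F -a -c "$1" "$IMAGE"
}

make_sample_source
acquire_image
verify_image
printf 'lines mentioning "webroot": %s\n' "$(search_image webroot)"
```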
In closing, let me assure the reader that construing the points I have raised in this paper as an attack on forensics would be completely specious. Without forensics as we know them, the fight against computer crime would be hopeless. The problem is that, as with every good thing, misconceptions surface over time, and forensics is by no means immune from this problem. These misconceptions need to be corrected; this posting represents a start in doing so.