The two-edged sword: Legal computer forensics and open source
Monday April 11, 2005 (08:48 PM GMT)
By: Bruce Byfield
http://software.newsforge.com/article.pl?sid=05/04/05/2052235&from=rss
 
Ryan Purita of Totally Connected Security is one of the leading computer
forensic experts in private practice in Canada. He is a Certified
Information Systems Security Professional, holding one of the most advanced
security qualifications in the world. Working for both the prosecution and
the defence in legal cases, Purita has also taught computer security to law
enforcement agencies, probation officers and social workers, and is
currently developing programs for the Justice Institute of British Columbia.
Much of his daily work is an extension of a system administrator's
activities. A good part of it involves the advanced use of open source
tools, including several standard system tools. His work methods offer fresh
perspectives on security, privacy issues and the relative merits of Windows
and GNU/Linux -- to say nothing of a niche industry where open source is
more than holding its own.


"Computer forensics" is a term that is usually applied to an investigation
after a system has been cracked. And, in fact, Purita's work does sometimes
fall under this definition. However, the term is also used more narrowly to
define investigations that find evidence for legal purposes. Illegal
possession of trade secrets, intellectual property or child pornography, the
dismissal of employees, divorce, insurance fraud, insider trading,
counterfeiting, criminal or sexual harassment -- any of these could require
a forensic investigation of a hard drive, removable media, or network.

Although open source tools are not the only ones available for computer
forensics, they are among the most widely used. A GNU/Linux enthusiast,
Purita often prefers the open source tools. However, he frequently uses
proprietary ones as well. The proprietary tools, he explains, are "pretty,"
with better developed GUIs that are easier for clients to understand.
Moreover, the precedent for accepting their evidence in court is well
established, although their open source equivalents are increasingly not
far behind.

According to Purita, the most widely used piece of forensic software is
EnCase, a proprietary Windows program. Purita describes EnCase as "the most
court-validated software on earth," noting that evidence produced by EnCase
has been used over 2700 times in court. A close second is The Coroner's
Toolkit (TCT), an open source project from Dan Farmer and Wietse Venema, the
co-developers of SATAN. Another widely used program is SMART, a proprietary
GNU/Linux program. All these programs have roughly similar functionality.

Securing the File System

In order for results to hold up in court, the file system under
investigation must remain unaltered. If a single file has a time stamp later
than the date and time that the file system was surrendered as evidence, an
opposing lawyer can call the entire investigation into question. "You screw
one little thing up," Purita explains, "and everything else is gone" in the
case.

For this reason, Purita's first efforts are to ensure the integrity of the
original medium. Physically, that can mean working in a locked room if a
case is sensitive, such as an allegation of possession of child pornography.
When working with a hard drive, it means attaching a Write-Blocker such as
Firefly before attaching the drive to a computer. The Write-Blocker has the
added benefit of keeping any logic bombs in a disc-wiping program from being
activated when the system is turned off.

As an added precaution, Purita may access a file system via GNU/Linux.
"Windows," he notes, "will always try to interfere with everything," adding a
recycling bin and other features. By contrast, on a GNU/Linux system, he can
control when and how the file system is mounted, providing an additional
safeguard against writing to the drive.

Finally, Purita copies a disk image of a file system to CDs or DVDs. If the
forensic software he is using does not have an imaging tool, he uses dd
instead. The original drive is then placed in a company safe until the case
is over or it is surrendered to a search warrant. Purita then works from the
copy, accessing the original only if an additional copy is needed.
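The acquisition steps above (image the drive, verify the copy, work only from the copy) in code. This is an added example, not code from the article, from Totally Connected Security or from any forensic tool: it copies a constructed sample device block by block while hashing it in the same pass, re-hashes the written image and compares, and zero-fills any block that fails to read, as dd's conv=noerror,sync does. The temporary file names, the sample size and the flip_one_byte helper are assumptions for illustration.

```python
"""Forensic imaging of a constructed sample "drive" with hash verification.

Added example; it is not code from the article, from Totally Connected
Security or from any forensic tool. It mirrors what dd plus md5sum/sha256sum
do, with the source hashed during the single read pass. The sample device is
a temporary file built below; its name and size are made up.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # one read per block, as with dd bs=4096


def image_device(src_path, img_path, block_size=BLOCK_SIZE):
    """Copy src_path to img_path block by block, hashing the source as it is read.

    Returns (source_hashes, unreadable_offsets). A block that cannot be read
    is zero-filled so every later offset in the image still matches the
    source, which is what dd conv=noerror,sync does.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    unreadable = []
    offset = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                # Failing sector: note the offset, skip past it, pad with zeros.
                unreadable.append(offset)
                src.seek(offset + block_size)
                chunk = b"\x00" * block_size
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}, unreadable


def hash_file(path, block_size=BLOCK_SIZE):
    """Hash a file from disk; used to confirm the written image matches the source."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def image_and_verify(src_path, img_path):
    """Image the source, re-read the image, and report whether the two agree."""
    source_hashes, unreadable = image_device(src_path, img_path)
    image_hashes = hash_file(img_path)
    return {
        "source": source_hashes,
        "image": image_hashes,
        "unreadable_blocks": unreadable,
        # Only a clean, bit-identical copy counts as verified.
        "verified": source_hashes == image_hashes and not unreadable,
    }


def make_sample_device(size_blocks=256):
    """Constructed stand-in for an evidence drive: random bytes in a temp file."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size_blocks * BLOCK_SIZE))
    return path


def flip_one_byte(path, offset=0):
    """Alter a single byte in place, to show that re-hashing catches any change."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


if __name__ == "__main__":
    device = make_sample_device()
    report = image_and_verify(device, device + ".dd")
    print("verified:", report["verified"], report["source"])
```

On a real acquisition the source path is a write-blocked block device rather than a temp file, and the hashes returned at imaging time are written into the case notes; every later hash of the working copy is compared against that record, so any alteration of the copy shows up as a mismatch just as flip_one_byte does here. Hashing the source during the single read pass matters on a failing drive, where a second full read may not succeed.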

Conducting an Investigation

No matter what forensic software is used, an investigation comes down to a
series of searches through the files and wiped space for evidence. Sometimes
Purita is given clues in the form of key words and names, a date, or a type
of file. At other times, he may have only a general sense of what he is
looking for and the type of file in which it might be found -- an email or
office program file, for example.

Some forensic programs, such as EnCase, come with a wide variety of
file-type searches already defined by extensions. They include extensions
used by many open source formats, including OpenOffice.org. However, Purita
cannot always rely on these pre-defined search scripts. Changing a Windows
file extension is a common way to hide files, and extensions are not used on
UNIX-like systems to the same extent as they are on Windows.

Instead, Purita may search for file headers and footers using grep tools and
a full range of regular expressions. In general, these searches are far more
reliable than ones based on file extensions. Even EnCase relies on a Windows
version of grep, providing a functional GUI for adding regular expressions.

An even more reliable search item is digital signatures retrieved using md5.
According to Purita, databases of md5 signatures are maintained by the
National Institute of Standards and Technology "for everything from child porn
to hacking tools to counterfeiting software." By comparing the results of
the investigation against these databases, Purita can quickly narrow the
focus of his search. This comparison is especially easy with TCT, which can
write a complete log of all the digital signatures on a file system.
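The two techniques just described, searching by file headers and footers instead of extensions and screening files against a reference set of hashes, as one added example. It is not the article's code, nor EnCase's or TCT's: it identifies each file's type from its leading and trailing bytes, flags files whose extension does not match their content, and looks each file's hash up in a constructed "known" set. The signature table is a small subset of real magic numbers; the sample directory, its file names and the reference set are invented here.

```python
"""Identify files by header/footer bytes rather than extension, then screen
them against a known-hash set.

Added example, not the article's, EnCase's or TCT's code. SIGNATURES is a
constructed subset of real magic numbers; the sample tree and the "known"
hash set are built here and are invented.
"""
import hashlib
import os
import tempfile

# (type, header bytes, footer bytes or None). A real table is far larger.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
    ("zip", b"PK\x03\x04", None),  # also OpenOffice.org/ODF and OOXML containers
]

# Extensions under which each content type is normally found.
EXPECTED_EXT = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "pdf": {".pdf"},
    "zip": {".zip", ".odt", ".ods", ".odp", ".docx", ".xlsx", ".pptx"},
}


def identify(data):
    """Return (type, footer_ok) from content; (None, False) if no header matches."""
    for name, head, foot in SIGNATURES:
        if data.startswith(head):
            # Trailing newlines after a footer are common (e.g. PDF), so strip them.
            footer_ok = foot is None or data.rstrip(b"\r\n").endswith(foot)
            return name, footer_ok
    return None, False


def scan_tree(root, known_hashes):
    """Walk root and report, per file: content type, extension mismatch, hash-set hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            kind, footer_ok = identify(data)
            ext = os.path.splitext(name)[1].lower()
            md5 = hashlib.md5(data).hexdigest()
            sha256 = hashlib.sha256(data).hexdigest()
            findings.append({
                "name": name,
                "path": path,
                "type": kind,
                "footer_ok": footer_ok,
                "ext_mismatch": kind is not None and ext not in EXPECTED_EXT[kind],
                "md5": md5,
                "sha256": sha256,
                # md5 alone can be collided, so a hit is confirmed on sha256 too.
                "known": md5 in known_hashes["md5"] and sha256 in known_hashes["sha256"],
            })
    return findings


def build_sample_tree():
    """Constructed evidence directory: a JPEG renamed to .txt hides among ordinary files."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9",
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x01" * 16 + b"\xff\xd9",
        "report.pdf": b"%PDF-1.4\n" + b"x" * 20 + b"\n%%EOF\n",
        "budget.ods": b"PK\x03\x04" + b"\x00" * 40,
        "readme": b"just text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root, samples


def known_hash_set(samples):
    """Constructed stand-in for a reference hash database: it lists only notes.txt."""
    flagged = samples["notes.txt"]
    return {
        "md5": {hashlib.md5(flagged).hexdigest()},
        "sha256": {hashlib.sha256(flagged).hexdigest()},
    }


if __name__ == "__main__":
    root, samples = build_sample_tree()
    for f in scan_tree(root, known_hash_set(samples)):
        print(f["name"], f["type"], "ext_mismatch" if f["ext_mismatch"] else "",
              "KNOWN" if f["known"] else "")
```

Two points of design: a header match with a missing footer is reported rather than hidden, because a truncated or carved file still deserves a look; and a reference-set hit is confirmed on a second hash, since md5 alone is not collision-resistant and an opposing expert will raise that.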

Context can also play a role in an investigation. For example, Purita may
know from preliminary statements that a particular witness claims she only
uses her home computer to work on spreadsheets. If he finds that an e-mail
in which her company's trade secrets are given away was sent a couple of
minutes after a spreadsheet was closed, then he has established the
possibility that the witness might have sent the email. The connection is
tenuous, but further questioning from a law enforcement officer or
cross-examination from a lawyer may produce additional proof or even a
confession.

To establish such context-based evidence, Purita relies on ordinary file
information and logs, as well as meta-tags used by HTML and office program
files and even keys in the Windows registry. Purita points out that both
Windows and MS Office record far more information about users' activities
than most people realize. Unless a firewall is in place, Windows XP even
records and transmits information about the searches conducted and help
files accessed. While Purita wonders why this information is collected, he
concedes that it makes forensic investigations far easier on Windows than on
GNU/Linux.

Unsurprisingly, the time for an investigation varies wildly. The size of the
file system, the scope of the investigation, and the clues provided are the
main variables. Some of Purita's investigations have taken less than an
hour. Others have taken over 500 hours. On networks, the required time is
kept reasonable by searching for only key computers or usernames rather than
the entire system. In most cases, Purita will only expand network searches
if this preliminary approach fails to give results.

Investigative Problems

Purita identifies several common problems with forensic investigations.
First, security is so lax on some systems that many witnesses convincingly
claim that damning files were downloaded after the system was compromised by
Internet-borne malware. Such claims are particularly common in pornography
cases. In response, Purita has developed the habit of searching for viruses
and trojans at the start of each investigation. If none are found, then the
claim is immediately disproved. If one is found, Purita then checks whether
it can behave as the witness claims.

Second, similar claims are made about pop-ups that download files
automatically without the computer user's knowledge. With pop-ups, Purita
checks the time that the files were accessed. If those files were not
accessed or were accessed at a time when the person being investigated was
not at the computer, he or she may be telling the truth about the files.
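Both the spreadsheet-then-e-mail sequence from the section on context and the pop-up access-time check above reduce to queries over a file-system timeline of the kind TCT's mactime produces. The following is an added example, not code from the article or from TCT: it flattens constructed (path, mtime, atime, ctime) records into a sorted timeline, finds a mail-store write within a few minutes of a spreadsheet modification, and tests whether a downloaded file was ever opened after it was written or accessed during a window when the user was present. All paths, times and the presence window are invented.

```python
"""Timeline queries over per-file timestamps, in the spirit of TCT's mactime.

Added example, not code from the article or from TCT. SAMPLE_RECORDS are
constructed (path, mtime, atime, ctime) entries with invented paths and
times; the two queries correspond to the spreadsheet/e-mail sequence and to
the pop-up access-time check described in the text.
"""
from datetime import datetime

# Constructed file metadata: (path, mtime, atime, ctime) as ISO-8601 strings.
SAMPLE_RECORDS = [
    ("/home/alice/budget.ods", "2005-03-01T14:02:10", "2005-03-01T14:02:10", "2005-03-01T14:02:10"),
    ("/home/alice/.thunderbird/Sent", "2005-03-01T14:03:55", "2005-03-01T14:03:55", "2005-03-01T14:03:55"),
    ("/home/alice/Downloads/offer.exe", "2005-03-02T03:15:00", "2005-03-02T03:15:00", "2005-03-02T03:15:00"),
    ("/home/alice/Downloads/ad.html", "2005-03-02T03:15:02", "2005-03-02T09:40:00", "2005-03-02T03:15:02"),
]


def build_timeline(records):
    """Flatten records into (time, flag, path) events sorted by time; flag is m, a or c."""
    events = []
    for path, mtime, atime, ctime in records:
        for flag, stamp in (("m", mtime), ("a", atime), ("c", ctime)):
            events.append((datetime.fromisoformat(stamp), flag, path))
    events.sort()
    return events


def events_within(timeline, first_match, second_match, window_seconds):
    """Pairs (e1, e2): e2 matches second_match at most window_seconds after an e1 matching first_match."""
    hits = []
    for i, e1 in enumerate(timeline):
        if not first_match(e1):
            continue
        for e2 in timeline[i + 1:]:
            if (e2[0] - e1[0]).total_seconds() > window_seconds:
                break  # timeline is sorted, so nothing later can qualify
            if second_match(e2):
                hits.append((e1, e2))
    return hits


def _record(records, path):
    for rec in records:
        if rec[0] == path:
            return rec
    raise KeyError(path)


def opened_after_write(records, path):
    """True if the file's access time is later than its modification time."""
    _, mtime, atime, _ = _record(records, path)
    return datetime.fromisoformat(atime) > datetime.fromisoformat(mtime)


def accessed_during(records, path, start, end):
    """True if the file's last access falls inside the window [start, end]."""
    _, _, atime, _ = _record(records, path)
    return datetime.fromisoformat(start) <= datetime.fromisoformat(atime) <= datetime.fromisoformat(end)


def spreadsheet_then_mail(records, window_seconds=300):
    """Spreadsheet modification followed within the window by a write to the mail store."""
    return events_within(
        build_timeline(records),
        lambda e: e[1] == "m" and e[2].endswith(".ods"),
        lambda e: e[1] == "m" and e[2].endswith("/Sent"),
        window_seconds,
    )


if __name__ == "__main__":
    for e1, e2 in spreadsheet_then_mail(SAMPLE_RECORDS):
        print(e1[2], "->", e2[2], (e2[0] - e1[0]).total_seconds(), "seconds later")
    present = ("2005-03-02T08:00:00", "2005-03-02T18:00:00")  # constructed presence window
    for path in ("/home/alice/Downloads/offer.exe", "/home/alice/Downloads/ad.html"):
        print(path, "opened:", opened_after_write(SAMPLE_RECORDS, path),
              "accessed while present:", accessed_during(SAMPLE_RECORDS, path, *present))
```

A hit from spreadsheet_then_mail is exactly the tenuous connection the text describes: it establishes a possibility to put to the witness, not proof. Access times are only as trustworthy as the system that kept them; a volume mounted without access-time updates, or an antivirus scan that reads every file, changes what opened_after_write and accessed_during can say, and that has to be checked before either result goes into a report.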

A third problem for an investigation is the password policy on a system.
This is especially a problem on home machines running Windows. Unless
passwords are unique to each user and a secure password policy is enforced,
proving that a particular user has done something is difficult. Usually,
more information from users is required. In this respect, most UNIX-like
systems and networks that require each user to have a unique login are easier
to investigate than Windows systems, especially those used at home.

Increasingly, cryptographic and disk-wiping tools are also a problem. Used
properly, either can defeat Purita's investigation. Sometimes, however,
witnesses will disclose cryptographic keys. As for wiping tools, many of
those on Windows are less effective than advertised. Purita also notes that
the mere presence of such tools does not indicate criminal or dishonest
intent. Having used such tools himself, Purita recognizes that privacy
advocates and people working with sensitive material may have legitimate
reasons for possessing these tools -- a point that he sometimes has to make
to law enforcement officers or prosecutors.

Conclusion

Purita's expertise stands in marked contrast to that of most law enforcement
officers. Although Purita believes that computer and security awareness is
higher among law enforcement personnel than it was five years ago, their
general level of knowledge remains low. Law enforcers who become forensic
computer experts often jump to private industry, where their knowledge
receives greater financial rewards. Meanwhile, the policies of such agencies
as the Canadian RCMP result in over nine-tenths of computer forensics
investigations being conducted internally by overworked and undertrained
employees.

Although his services are in high demand, Purita continues to research his
chosen field on his own time. Increasingly, this research involves open
source technology. One of his concerns is that, just as open source
development provides new tools for computer forensics, it can also arm those
whom he investigates. In this respect, he admits, open source is a
"two-edged sword" that "could make my life a nightmare." Thinking about the
situation, he takes comfort from the belief that, if an act cannot be
committed via computer, it will simply be done another way. If a man cannot
remove data from a hard drive, for instance, he will simply break and enter
to steal the whole computer.

All the same, Purita seems to view the spread of GNU/Linux, whose
architecture is more secure than Windows, with a mixture of private delight
and professional dismay. From Purita's professional perspective, "The great
thing about Windows is that even though [people] think they have covered
their tracks, they haven't."

You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.