
In Die Hard 4.0, former Security Agent Thomas Gabriel is hacking US government IT systems. He takes control of the financial system and the electricity grid and causes terrible calamities among the civil population until John McClane alias Bruce Willis eventually stops him in his own famous style... What the movies present as pure Hollywood fiction has, at least in parts, unfortunately become a reality on the ground. Less spectacular, but no less worrying, are incidents where malicious hackers obtain the confidential files of thousands of patients, intrude into government IT systems or launch successful Denial of Service attacks on governmental websites. Increasing security by building secure networks is only one part of the necessary measures. Once an attack has been successfully launched, neither businesses nor government institutions can go back to normal without investigating how the incident happened and who caused it. This is where Digital Forensics comes into play.
Digital Forensics is highly complex, requires an enormous amount of specialized knowledge and is often an erratic process. Nevertheless, it follows a certain chain of principal actions. In this short article, we shall briefly describe these and take a look at the applicability of Digital Forensics for Law Enforcement Agencies, the Military and Business.
Digital Forensic investigators (DFIs) proceed much like their colleagues in physical forensics. Basically, investigators follow three major steps:
Preserving the Evidence. Where physical forensic investigators simply put up a yellow tape, the DFI has to choose the appropriate method for preserving the evidence carried by a given digital artifact (e.g. an electronic document, a storage medium or a whole computer system). In many cases the first and most difficult decision has to be taken right at the beginning: switch off a running system, or keep it running during the investigation process? The fact of the matter is that most of the working memory content may be lost after pulling the plug. On the other hand, conducting a "live" investigation carries the risk of changing the existing evidence. The decision has to be made on a case-by-case basis and therefore requires well-trained investigators. In static analysis, however, the technique of "imaging" is applied to produce an exact copy of, say, the hard drives of a system without executing any write operations that would alter the data. The IT security market provides stand-alone solutions for this task suited to various specific situations. To verify that the evidence has not been altered subsequently, the DFI applies a hash function that creates a kind of fingerprint of the evidence data. Hashing the data again later should produce an identical fingerprint if the data has not been changed during the course of the investigation.
Collecting the Evidence. Physical investigators may find blood and other carriers of human DNA at the crime scene. By contrast, the DFI finds hard drives, random access memory and other carriers of digital information. To conduct a structured search, the following questions would typically guide the collection process:
How did the attacker gain access to a given system?
The DFI faces two digital-forensics-specific problems in this phase: data abstraction and data quantity. The abstraction problem arises because the collected data is typically in its rawest format, which tends to be too difficult for humans to understand. To solve this problem, tools are used to translate the data through one or more levels of abstraction until it can be understood. The quantity problem, in turn, refers to the vast amount of data that may be found during the collection process. As it would be highly inefficient to analyze every single piece of information, data reduction techniques are employed. Special tools group the data into one larger event or remove data that is already known.
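The two uses of hashing described above (verifying that a preserved image is unchanged, and removing already known data during collection) as one added example in Python; this is illustrative code written for this article, not a tool from the page, and the image bytes, file contents and "known" hash set are constructed inline:

```python
"""Hash-based evidence handling (added example, constructed sample data).

One SHA-256 fingerprint serves two steps of the investigation:
  1. verify that a preserved image is unchanged (Preserving the Evidence)
  2. drop files whose hash is already known (data reduction when Collecting)
"""
import hashlib

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images need little memory


def fingerprint(blob: bytes) -> str:
    """Return the SHA-256 hex digest of an image or file held as bytes."""
    h = hashlib.sha256()
    for i in range(0, len(blob), CHUNK):
        h.update(blob[i:i + CHUNK])
    return h.hexdigest()


def verify_image(image: bytes, recorded: str) -> bool:
    """True if the image still matches the digest recorded at acquisition."""
    return fingerprint(image) == recorded


def reduce_known(files: dict, known: set) -> list:
    """Data reduction: keep only files whose digest is not in the known set.

    `files` maps a path to its content; `known` holds digests of files the
    investigator has already seen (e.g. untouched operating system binaries)."""
    return sorted(p for p, data in files.items() if fingerprint(data) not in known)


# --- constructed sample evidence (not real data) ---
IMAGE = bytes(range(256)) * 16                    # stands in for an acquired disk image
RECORDED = fingerprint(IMAGE)                     # digest written to the custody record
TAMPERED = IMAGE[:100] + b"\x00" + IMAGE[101:]    # same size, one byte altered

COLLECTED = {
    "/bin/ls": b"known system binary",
    "/tmp/dropper": b"unexplained executable",
    "/home/u/notes.txt": b"user document",
}
KNOWN_GOOD = {fingerprint(b"known system binary")}  # hypothetical known-file set

if __name__ == "__main__":
    print("original image intact:", verify_image(IMAGE, RECORDED))     # True
    print("tampered image intact:", verify_image(TAMPERED, RECORDED))  # False
    print("files left to analyse:", reduce_known(COLLECTED, KNOWN_GOOD))
```

A single altered byte changes the digest, which is why the fingerprint recorded at acquisition can be compared against the image at any later point in the investigation.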
Analysing the Evidence. Answering the question of where a bullet was shot from in physical forensics corresponds to answering the question of how an attacker gained access to a given system in digital forensics. In other words, the DFI tries to reconstruct the event. To do so, a central task is to individualize the data. In physical forensics this means linking a particular object to a particular person. Take a bullet, for example: the random marks on its outer hull give it an individual signature and thus allow the investigator to link it back to a particular gun and eventually to a particular person. In the digital world, however, there are no "random marks". Instead, the user's human randomness is translated into non-random binary values at the interface. Of course, this fact significantly complicates the individualization of data and the related event reconstruction. The expertise to handle these challenges can hardly come from one single expert. Typically, DFIs develop a specialization in one of the four major areas of firewall, network, database or mobile device forensics. To solve a case, close teamwork is required because the purpose of the analysis is always to

Most importantly, to do so, detailed documentation and reporting are mandatory from the first to the last step.
Although the steps described above are mostly the same in every forensic investigation, there are varying perspectives and focal points, depending on the institutional context. Principally, we find three different areas of application for DF: (a) law enforcement institutions concerned with homeland security, (b) military institutions concerned with national security and digital warfare, and (c) business and industry focusing on the protection of critical business infrastructure. The major difference between the three is time:
Law enforcement agencies typically act after a crime has happened, as their focal point is prosecution, for which they need to provide the relevant evidence. Time, therefore, is not necessarily a critical variable. By contrast, military institutions want to act before a crime has happened, as their primary focus is on prevention or continuity of operations. The concept of "digital warfare" or "cyber-war" adequately reflects this perspective: "We against an army of guerilla fighters striving to dominate the flow of (digital) information". Consequently, time is a crucial criterion, and the set-up of a military DF laboratory will also look different from the type that law enforcement agencies require. In particular, tools for live investigations are more crucial for the military than for law enforcement. Yet for both, applications for lawful interception are becoming an increasingly integrated part of the DF lab. Choosing the right tools and applications here is crucial and should be well thought through by qualified experts. Finally, business and industry have a perspective similar to that of the military in the sense that they also aim at keeping operations running.
Nevertheless, their focus is, of course, limited to a particular company. Due to this confinement, companies typically resort to external forensic experts when needed, or restrict their in-house knowledge to very specific stand-alone applications instead of installing and running a costly full-scale DF laboratory. Of course, neither the military nor law enforcement institutions can - for the sake of adequate homeland and national security - afford to rely on external or even foreign experts. These institutions have no choice but to build up their own, national capacities. Yet, with the right partner in terms of technological know-how and trustworthiness, this challenge can be mastered. But, rest assured, Bruce Willis is not the right one for this job...

Anas Chbib
IT-Security Expert & Digital Forensics Advisor
Managing Director of AGT – Advanced German Technology, Berlin and Dubai
Marco Rettig
IT-Security Consultant and Sales Director at AGT – Advanced German Technology in Dubai