
Uses for Computer Forensic Tools

After an attack on your system, you are going to want to figure out how it was done so you can prevent it from happening again. If the attackers managed to get past your existing electronic defenses, then obviously there is a hole in your armor somewhere. It may not be immediately obvious where this hole is, especially if they were careful about covering their tracks. Forensic tools can help you retrace their digital footsteps and find the holes so you can patch them.

Cleaning Up and Rebuilding

If the attackers did damage, you need to figure out exactly what they did so you know how extensive the damage is and can rebuild appropriately. You don't want to miss any hacked servers or backdoor accounts they may have left behind. Using forensic tools can help you figure out where the bodies are buried, so to speak. If the attacker deleted files, you may be able to recover some of them using forensic tools.

Criminal Investigation

If the damage done by an attacker is severe enough, you may want to consider pressing criminal charges. Simple Web defacements or intrusions usually aren't worth pursuing because of the high costs involved. However, if your infrastructure or corporate reputation was significantly damaged, you may want to file criminal charges against your attacker. Your insurance company may also require that you file a police report before it will pay a claim. Forensic tools will help you identify your attackers so you can report them and provide the evidence needed to prosecute them.

There are a few things you should consider before proceeding down this path. For small damages, you can file a report with your local police department. Be aware that they often do not have the resources to properly pursue computer crime at the local level and you may end up doing most of the investigative work. You can use the tools in this chapter to help with the effort. Just be careful that you don't contaminate the evidence so that it is not useful in a court of law (see the sidebar on computer forensics).

If the damages are large enough or involve a federal crime (such as one affecting interstate or international commerce), you can take your case to the FBI. You can find contact information for your local FBI field office in your telephone book or on the Web. If the case involves a violation of federal law or material dollar damages of over $25,000, they will probably take your case. Otherwise, they may refer you to local law enforcement. If you can show some involvement with terrorism, interstate fraud (such as stealing credit card numbers or identity theft), or some other element that is high on their radar, you might get them involved for lesser amounts. Garden-variety hacking attacks will probably not be investigated heavily; too many incidents are reported daily for the FBI to give real attention to anything that isn't a significant case.

If you do succeed in having criminal charges filed against your attacker, proper forensic analysis becomes all the more important. There is a heavy burden of proof in computer crime cases. Tying an act performed under a particular user ID to a specific person is quite difficult in a court of law. Usually prosecutors have to prove that the person was actually at the keyboard using that account while the attack was taking place. Otherwise, the accused has many defenses available, such as "Someone else used my password," "I was hacked," and so on. Close attention is also paid to the chain of custody of any evidence collected. This refers to who has had access to the data, and therefore could have altered it, at every step from collection to the courtroom. In a case like this, defer to the authorities, who may want to use their own data collection techniques. You may also want to engage a third party who does this professionally to assist in your interaction with law enforcement.
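One concrete way to support a chain-of-custody claim is to record a cryptographic hash of every evidence file at the moment it is collected, and to re-verify those hashes whenever the evidence changes hands. The following is an added example written for this page, not a tool from the book; the manifest layout, the custody-log fields, and the two constructed evidence files in demo() are assumptions for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collected_by):
    """Record the hash and size of each evidence file plus who collected it and when (UTC)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    files = {os.path.basename(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)}
             for p in paths}
    return {"created_utc": now, "collected_by": collected_by, "files": files,
            "custody": [{"utc": now, "who": collected_by, "action": "collected"}]}


def add_custody_entry(manifest, who, action):
    """Append a hand-off to the custody log; every transfer of the evidence gets one entry."""
    manifest["custody"].append({
        "utc": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "who": who, "action": action})


def verify_manifest(manifest, paths):
    """Return {filename: 'ok' | 'modified' | 'missing'} by re-hashing what is on disk now."""
    on_disk = {os.path.basename(p): p for p in paths}
    result = {}
    for name, rec in manifest["files"].items():
        if name not in on_disk or not os.path.exists(on_disk[name]):
            result[name] = "missing"
        elif sha256_file(on_disk[name]) != rec["sha256"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo():
    """Build two constructed evidence files, verify them, tamper with one, and verify again."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, "auth.log"), os.path.join(d, "access.log")]
        with open(paths[0], "w") as f:
            f.write("Mar 12 02:14:07 host sshd[811]: Accepted password for bob from 203.0.113.45\n")
        with open(paths[1], "w") as f:
            f.write('203.0.113.45 - - [12/Mar/2004:02:15:11 -0500] "GET /admin/ HTTP/1.0" 403 219\n')

        manifest = build_manifest(paths, collected_by="analyst A")
        before = verify_manifest(manifest, paths)

        add_custody_entry(manifest, who="analyst B", action="received sealed copy")
        # Simulate an unlogged edit to one file after collection (what the manifest must catch).
        with open(paths[1], "a") as f:
            f.write("tampered line\n")
        after = verify_manifest(manifest, paths)

        # Persist the manifest alongside the evidence; in practice sign or escrow it too.
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        return before, after, len(manifest["custody"])


if __name__ == "__main__":
    print(demo())
```

The hashes show that the bytes did not change between collection and presentation; the custody list shows who could have changed them in between. A manifest kept only on the same machine as the evidence proves little, so store it (or at least its own hash) somewhere the suspect and the collector cannot silently rewrite.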


Flamey the Tech Tip:

A Little Knowledge Can Be Dangerous!

If you are thinking about pressing criminal charges, it is important that you do not use the tools in this book right away. Other than your lockdown and recovery activity, you shouldn't tamper with the evidence in any way if possible. An unskilled person using these tools can wipe out evidence or make it unusable in court. Imagine a neophyte gumshoe wandering around a murder scene. Not good! Get the law enforcement professionals involved, and then you can help them, if directed, with the tools and knowledge from this chapter.

Careers in Computer Forensics

The growth of computer crime has created the budding field of computer forensics, and there are many career options for those interested in it. The need for computer-savvy investigators has never been greater. There are several areas to look into if you are interested in this field.

Local Law Enforcement

Police departments in large cities usually have a computer crime division. This may require a degree with a major or minor in law enforcement or a similar field. Sometimes, though, departments are so strapped for technical talent that they are willing to overlook police experience for technical know-how.

Federal Law Enforcement

The ultimate computer forensic positions are with the FBI. Here you would get to work on high-profile cases of national or international importance. Usually the FBI hires from within its own ranks, although they do make an occasional exception for someone of particular talent or prestige. Working with the FBI would give you the chance to truly have an impact on computer crime.

Armed Forces

If you are of a military bent, all of the armed forces have computer crime staffs, most notably the Air Force's Office of Special Investigation. The OSI, while focused on crimes and incidents within the armed forces, often becomes involved in civilian matters because computer crime incidents frequently cross that boundary.

Department of Homeland Security

Many new positions and departments are being created as part of the Department of Homeland Security. Taking a position in law enforcement or the military may mean accepting a lower salary than your commercial counterparts. However, many find these positions more fulfilling. There are also large companies that employ full-time computer forensics staffs, and government experience can greatly enhance your resume if you later want to go into private practice or join a company's computer forensics department.

Civil Action

If you find that pursuing criminal charges is unwarranted, you may still want to file a civil lawsuit against your attacker. Sometimes this is the only way to get someone to stop attacking you. If the assailant is coming from another company, whether sanctioned (corporate espionage) or unsanctioned (a wayward employee), you may have cause to file a lawsuit and collect significant damages. Although the burden of proof is lower in civil court, you still have to be able to substantiate your case. The tools in this chapter will help you do so. However, if the case is big enough and the stakes high enough, you should still probably hire a computer forensics expert rather than try to do it yourself.

Internal Investigations

If you suspect the intrusion came from an internal source, it is imperative that you track it down, because insiders are a major source of business liability. An internal attacker can do far more damage than an outsider, because insiders often know exactly which personnel, systems, and information would hurt the company most if revealed or compromised. Using these forensic tools, you can track them down, and if disciplinary action is warranted, you will have the evidence to back it up. In this litigious age, you don't want to be sued by a former employee for wrongful termination.

ISP Complaints

If you decide not to pursue criminal or civil action, or if the person assaulting your network is still at it, you will want to file a complaint with the attacker's ISP and try to at least get the account shut down. Often this is the only real recourse that doesn't cost a lot of money for a company hit by a hacker attack. Using the forensic tools in this chapter, you can follow the perpetrator's trail, at least as far as his or her ISP. Once you have tracked the attacker that far, you can make a formal complaint with the ISP and ask them to take further action. Most ISPs have acceptable use policies for their users, which of course don't permit hacking. If you can show them sufficient evidence, they will usually take action, ranging from a warning to terminating the user's account. Because of privacy concerns, they will not usually disclose any personal information about the user unless required to by a subpoena, although some ISPs are more helpful than others in this area. Most of the major providers have a dedicated abuse e-mail address to which you can send your complaint.

Make sure you have gathered enough information for them to find your assailant. This means IP addresses tied to specific times, with the time zone stated explicitly. Most ISPs give out dynamic IP addresses, which can change every time a user connects, so without time information to match against their logs they probably won't be able to help you. If possible, give them multiple access times so they can correlate the user from several data points; their log files might be out of sync with yours and the times won't match exactly. Also include any other data you have, such as logs of commands used, places they copied files to, and so on. The ISP may be a victim too and will want this data to investigate further.
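The following is an added example, not code from the book, showing how to pull every event for one source address out of a Web server log and turn it into the kind of report an ISP abuse desk can act on: each hit converted to UTC, with a search window around it to allow for clock skew between your logs and theirs. The sample log lines are constructed, the five-minute skew allowance is an assumption, and the Apache combined-log layout is the only format the parser understands.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined-log format; timestamps carry the server's
# local offset (-0500). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2004:02:14:07 -0500] "GET /admin/ HTTP/1.0" 403 219
198.51.100.9 - - [12/Mar/2004:02:15:11 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.45 - - [12/Mar/2004:02:16:40 -0500] "GET /admin/login.cgi HTTP/1.0" 404 291
203.0.113.45 - - [12/Mar/2004:03:02:55 -0500] "POST /upload.cgi HTTP/1.0" 200 512
"""

# ip  ident  user  [time]  "request"  status  size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache's %t field, e.g. 12/Mar/2004:02:14:07 -0500; %z keeps the UTC offset.
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts,
            "request": m.group("request"), "status": int(m.group("status"))}


def events_for_ip(log_text, ip):
    """All parsed events from one source address, oldest first."""
    events = (parse_line(l) for l in log_text.splitlines())
    return sorted((e for e in events if e and e["ip"] == ip), key=lambda e: e["time"])


def _utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def abuse_report(log_text, ip, skew=timedelta(minutes=5)):
    """Build a report with every hit in UTC plus a +/- skew window for the ISP to search."""
    entries = []
    for e in events_for_ip(log_text, ip):
        utc = e["time"].astimezone(timezone.utc)
        entries.append({
            "utc": _utc(utc),
            "window_start": _utc(utc - skew),
            "window_end": _utc(utc + skew),
            "status": e["status"],
            "request": e["request"],
        })
    return {
        "ip": ip,
        "event_count": len(entries),
        "first_seen": entries[0]["utc"] if entries else None,
        "last_seen": entries[-1]["utc"] if entries else None,
        "events": entries,
    }


def format_report(report):
    """Plain-text rendering suitable for pasting into an e-mail to an abuse address."""
    lines = [f"Abuse report for {report['ip']}: {report['event_count']} events, all times UTC"]
    for e in report["events"]:
        lines.append(f"  {e['utc']}  (search {e['window_start']} .. {e['window_end']})"
                     f"  {e['status']}  {e['request']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(abuse_report(SAMPLE_LOG, "203.0.113.45")))
```

Converting to UTC removes the most common cause of "we have no record of that address at that time" replies, and the window gives the ISP's operator a bounded range to search rather than a single second that may not line up with their DHCP or RADIUS logs. Widen the skew if you know your server's clock was not synchronized at the time of the attack.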
