Forensics: New Options for the Enterprise

Last month Ameritrade announced that 6.3 million customers' personal information had been exposed to remote attackers—no one knows for how long. Unauthorized malicious code, not identifiable by antivirus products, provided access to an internal customer database.

If this happened to you, what would be your first move? Do you have enterprise-wide incident response policies paired with tools, logging systems or network recording devices to quicken response times and consolidate analysis to affected systems? How about dedicated first responders?

If you think finding out who did what with your data always means calling in high-priced spooks armed with arcane software, think again. The trend is toward placing the power to handle investigations in the hands of enterprises themselves. Why? With security incidents, e-discovery and litigation on the rise across all industries and organizations of all sizes, having tools in-house allows IT to mobilize quickly and address situations before there's significant impact.

The forensics software landscape has also gotten more inclusive, with enterprise-class investigative tools in the pipeline along with log-analysis software, network monitors, and systems that can aid in investigations and e-discovery involving e-mail. Many of these do double duty, making them easier sells come budget time.

Data Privacy
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

In the forensics space, at least two upstarts are set to rival the enterprise edition of Guidance Software's Encase, the granddaddy of investigative toolsets. By year's end, security services provider Mandiant will step into the enterprise incident response arena with its Intelligent Response appliance, and AccessData is also prepping an offering, due in the first half of next year, that will encompass forensics, incident response and e-discovery.

Log analysis in particular has long been a thorn in IT's side. Either you tried hard to forget that terabyte or so of raw log data just sitting there, or you paid through the nose for a security information manager. Now, affordable log analyzers are available from companies like LogLogic that can justify their existence by satisfying provisions of Sarbanes-Oxley and the Payment Card Industry Data Security Standard. Meanwhile, packet-capture products from vendors such as Network Instruments and NetWitness not only enable investigators to do full session reconstruction, they also help the network team diagnose performance problems. Finally, products from Clearwell Systems and Athena Archiver mean IT can handle e-mail analysis in-house. While aimed at e-discovery, these tools will also be invaluable when investigating claims of harassment or other inappropriate behavior involving e-mail communications.

Still, advances aside, organizations need to be clear as to what IT can handle—and when to call in professional help.

Not All Fun and FlashlightsWhen most people think of forensics, they envision TV shows, like CSI, that glamorize the field. While those dramas occasionally brush the surface of digital, or computer, forensics, in real life, forensics is the application of scientific methods to problems or questions raised by the legal process. Grissom and his team make it look exciting on TV, but in reality, incident response, internal investigations and e-discovery are time-consuming and tedious tasks that require know-how and equipment to perform properly.

Impact Assessment
Enterprise Digital Forensics
Click to enlarge in another window

In respect to computer systems, digital forensics "is the art and science of applying computer science to aid the legal process," says Chris Brown in his book, Computer Evidence Collection and Preservation. "Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in."

Incident response can address issues as simple as a malware-infected host, to something as high-stakes as a breach of sensitive customer information. Human resources departments may need to launch an internal investigation regarding reports of sexual harassment or leakage of trade secrets. E-discovery is the process of gathering and processing electronically stored information that may or may not be part of a legal process.

Before IT starts dealing with a case that appears complex or that involves high-stakes legal and financial consequences, discuss the situation with legal counsel. It's imperative that forensic investigators understand their limitations and know when to call in help. For e-discovery, there really shouldn't be any issue with doing it all in house; the Federal Rules for Civil Procedure spells out the process. Investigations related to human resources issues may need to be outsourced based on the closeness of the investigation subject to the IT and forensics team.

As for tool selection, when you speak with vendors about how their products can help with these challenges, you'll hear terms like "log forensics," "network forensics" and "e-mail forensics." While these buzzwords are not generally accepted by digital forensic investigators, they will give you an idea of each vendor's product focus.That Was ThenUntil the release of Guidance Software's Encase Enterprise (see: Rollout: Guidance Software EnCase Enterprise 6 ) enterprise IT shops that ventured down the road of in-house forensic investigations were often stopped short by the limited scope of traditional digital forensic tools. AccessData Corp.'s Forensic ToolKit, Guidance Software's Encase Forensic and Technology Pathways' ProDiscover were originally designed to assist law enforcement and corporate investigators with analysis of what usually amounted to a single computer. These tools can image a hard drive and provide deep analysis into its contents but were never designed to span hundreds or even thousands of systems across an enterprise. Traditional tools were also limited to working with hard-drive images and couldn't be used for performing incident response on running computer systems.

Today, investigators understand that different types of digital evidence have varying levels of what pros call "volatility." The concept of an order of volatility was pioneered by Dan Farmer and Wietse Venema in their 2004 book, Forensic Discovery. A condensed version of their definition, from most volatile to least, includes memory, network state, running processes and disks. Traditional forensic tools were stuck operating on only the least volatile evidence, disks.

That's a problem because, as IT knows too well, data has a pervasive nature that causes it to find its way into every nook and cranny in your enterprise. For many companies, outsourcing to specialized e-discovery firms and forensic boutiques has been the only option when dealing with extremely large cases that required finding every last bit of that pervasive data.

The good news is, IT shops can now do much themselves, and enterprises often see a full return on investment just from one case being handled internally instead of outsourced.

Building a KitThe first item you need in your arsenal is a digital forensics tool. Traditionally, this market has been, and still is, a duopoly, under Guidance Software and AccessData.

Guidance Software was the first vendor to provide an enterprise version of its software for performing an investigation across many machines. Building on its successful Encase Forensics tool, Guidance released Encase Enterprise, which leverages a central server to communicate with agents running on computer systems throughout the enterprise. It uses the same user interface as the Guidance Forensics product, making it easier for users to move to the enterprise version.

Of course, if you find the Encase user interface as unintuitive as we do, this may not be the blessing it appears. Still, when we recently reviewed the product, we found it a good performer and a decent value. Though Version 6 starts at $25,000 and can go up fast as you add modules, agents and investigative clients, forensic firm K&F Consulting told us it charges $6,000 for an initial forensic audit, and for e-discovery, you'll pay $5,000 just to store a 40 GB to 80 GB hard drive.

As noted, Encase Enterprise takes a modular approach, allowing it to perform multiple functions including incident response and e-discovery. From an enterprise IT perspective, Encase Enterprise immediately gives corporate investigators the ability to remotely examine any computer running the agent. If HR receives reports of inappropriate materials being stored on an employee's PC, for example, they can work with the investigative team to determine if the allegations are true without ever visiting the desktop, and possibly tipping off the culprit.

Encase also aids in data collection and analysis for e-discovery. John Patzakis, Guidance Software's chief legal officer, says Version 2.1 of the company's eDiscovery Suite now performs advanced data processing to prevent issues like data duplication and disclosure of sensitive information during the e-discovery process.Not to be left behind, AccessData vice president Brian Karney told us his company will release Version 2 of its standalone product, Forensic Toolkit, by year's end and is currently developing an enterprise offering with the easy-to-use Forensic Toolkit interface and an Oracle back end, allowing for advanced data correlation and reporting. We're looking forward to the debut of Forensic Toolkit enterprise edition, expected the first half of next year, because it will finally give enterprises a choice of enterprise forensic tools; in addition, we find Forensic Toolkit's interface and general setup more intuitive than Encase. Rapid Response

While some incidents clearly require digital forensics from the get go, most investigations cycle through various stages of incident response prior to the decision being made that deeper analysis is required.

Many times, when security incidents arise in an enterprise, a security pro is dispatched to investigate the suspect computer system by inserting a CD or USB flash drive containing incident response tools. If the IT shop has been doing incident response for some time or must deal with geographically separated offices, they've probably streamlined the process with tools, like Microsoft's Sysinternals Pstools, that enable them to check hosts remotely. Now, imagine if those capabilities were implemented in a centrally manageable console. Guidance Software was the first to make that concept a reality within Encase Enterprise, enabling IT shops to quickly identify open ports and running processes on remote hosts to aid in the incident response process. Now, Mandiant is set to step into the enterprise incident response arena with its Intelligent Response appliance, due by the end of this year. Mandiant is already well known for its incident response and forensic services and free tools for incident response and malware analysis, so we're not surprised to see it developing a commercial product based on its service provider experience. Jim Hansen, the company's executive vice president and COO, described incident response as being not about depth, but about spreading knowledge across systems in order to make a quick and efficient discovery of what's going on.

That's exactly what Intelligent Response is designed to do. Agents must be deployed to each computer—they're pretty much a necessary evil. While agents can be installed during the investigative process, we recommend placing them ahead of time. Then, the appliance queries agents to provide investigators with a view of what's going on, from running processes and open ports to advanced rootkit detection techniques through filesystem and memory analysis. For now, agents are limited to Microsoft Windows platforms, but Hansen says the company plans to expand to other platforms based on customer needs.Technology Pathways, makers of ProDiscover, has developed basic functionality to assist with incident response and remote analysis, but the product isn't scalable for enterprise investigations in its current form.

Log ForensicsWhen designed and implemented properly, a system that centrally collects, manages and processes logs can be invaluable for enterprise investigative teams. The key is getting all logs into one location and making that information usable.

Logs from computer systems; firewalls; servers like Apache, IIS and sendmail; intrusion detection systems; and routers have always been rich sources of information during forensic investigations. The problem with logs, however, is that attackers like to cover their tracks and so will often clear the logs on systems they've compromised. The answer is to institute a centralized logger for all computers, network devices and servers; without this, you may be out of luck next time a security breach occurs.

Centralized logging can be done on the cheap using open-source and free software, like Lasso, Snare and syslog. But taking those centralized logs and making them into meaningful, actionable data is more difficult. This is where enterprise log management vendors and security information management (SIM/SEM/SIEM) vendors pick up the slack by correlating events across an enterprise, making it easier for corporate investigators to see what collateral damage may have resulted from a malware-infected computer system or internal network breach.

LogLogic's Anton Chuvakin told us that that the majority of his company's customers are looking to address the requirements of regulations like Sarbanes Oxley (SOX) and Payment Card Industry (PCI) Data Security Standard. Many of the enterprises that have implemented log management found out later how useful it could be when determining which computer systems required deeper forensic analysis.

We reviewed LogLogic LX2010 4.0 in July and found robust indexing and searching capabilities as well as interesting Web services APIs. The product starts at $14,999.Capturing Network TrafficIntrusion detection systems log alerts and sometimes the packets that cause them, but they rarely provide the context needed to determine if an assault was successful. Immediately following an attack, flow data can show if connections occurred, but it provides only the metadata for connections, not actual packet content.

If full packet captures existed for all network traffic, it would make the life of a corporate investigator or intrusion analyst easier. And a system that could make sense of all that data and provide full session reconstruction would almost make investigations a walk in the park.A few vendors, including Network Instruments and NetWitness, provide these capabilities, but their products can get expensive. We've seen the Network Instruments GigaStor in action in our lab, and it is impressive as it searches for traffic of interest, such as files downloaded from a Web or FTP server, and extracts the contents. Imagine if that were an attacker's toolkit being downloaded, then wiped from the drive? Now, you've got an easy way to recover it.

Of course, when we recently reviewed GigaStor, the price as tested was about $53,000 (Joy link: www.nwc.com/showArticle.jhtml?articleID=201804054). If the forensic value of being able to reconstruct all the conversations that have taken place between an attacker and a compromised computer system isn't quite enough to foot that bill, these systems typically provide features such as VoIP call playback and troubleshooting for network problems. Eddie Schwartz, chief security officer for NetWitness, said that not only does his company's NextGen software provide attack context, it gives enterprises the situational awareness they need to answer questions about exactly what is taking place within their networks. Corporate investigators can trace each step that an attacker made during a compromise to determine what other systems were accessed and if sensitive data was transmitted to an external system. NextGen can also accept and process network captures in pcap format from tools like Wireshark and tcpdump.

Keep in mind when considering a network recorder that encrypted traffic will prevent full packet decoding, and current offerings do not natively support 10GigE networks without placing a load balancer into the mix to pass traffic to multiple Gigabit Ethernet ports.

Forensic Evidence of the E-mail KindEveryone from the receptionist to the CEO uses e-mail, making it a treasure trove of information just waiting to be mined. The Federal Rules of Civil Procedure that went into effect in December 2006 had a significant impact on enterprises by requiring than any party involved in a federal case exhaustively search all electronically stored information for data relevant to the case, and disclose that data to opposing counsel without waiting for a formal discovery request. E-mail is considered part of the electronically stored information that must be searched and turned over. Considering how informal e-mail tends to be, you can be sure that there are certain messages employees, and their employers, won't want exposed if it's possible to keep them under wraps.

Because of the sheer magnitude of e-mail volume and the myriad places it can be located (mail servers, desktops, laptops, phones, PDAs) many companies have simply outsourced e-mail-related e-discovery tasks. Now, vendors, like Clearwell Systems and Athena Archiver are chomping at the bit to provide enterprises with systems that will allow them to handle e-discovery in-house. What makes these products stand out is that they can index, de-duplicate and make searchable millions of messages.

Clearwell has had its Clearwell Intelligence Platform on the market for just over a year and recently gained its hundredth customer, according to Aaref Hilaly and Kamal Shah, the company's CEO and VP of marketing, respectively. The Clearwell Intelligence Platform is an appliance that crawls and indexes e-mail message stores, attachments and documents. We had the opportunity to take the Clearwell system for a test drive at the CyberCrime Summit this spring and were impressed with its depth of searching capabilities. It's intuitive enough that enterprise legal staffers should be able to use it without much help from IT. Think of it as Google for e-mail. So Many Toys, So Little Cash

With so many digital forensic tools available and limited funds, where should you start?

Determine what your enterprise deals with most. Is there a need for extremely fast incident response and digital forensics? Do HR and the corporate investigative team have their hands full and need to streamline their processes? Or is e-discovery eating a hole in your pocket? Base purchase decisions on historical perspective as well as future expectations, and solicit input from the IT security group, corporate investigative team and legal counsel. There's still no one-size-fits-all solution to the demands of digital forensic investigations. Guidance Software would like for Encase Enterprise to fill that niche, with modules to handle incident response, e-discovery and core forensic capabilities, but we're also keeping an eye out for AccessData's enterprise version of Forensic Toolkit.Mandiant's Intelligent Response will focus only on incident response in its first release, but we wouldn't be surprised to see it enter the e-discovery and digital forensic spaces with future versions.

LogLogic collects all your logs and can tell you where to look to do deeper analysis, but it stops there, while NetWitness can tell you what's going on within the network and dive deep into packets but doesn't address e-discovery or deeper host forensics. Clearwell covers 80% to 90% of e-discovery needs but misses out on deeper digital forensic analysis and incident response.