Well, it's done!! Special Agent Allyn Lynd and I delivered a well-attended (350+.....people were getting turned away due to fire code issues) session on Implementing the Fundamental Computer Investigation Guide for Windows, followed by an podcast interview with Kevin Remde for TechNet Radio. We then rushed downstairs for our Interactive Theater session where we spent the entire hour doing Q&A with the audience on the Guide, best practices for investigations (along with a few investigatory nightmare anecdotes from the FBI), and generally had a terrific time engaging the IT Pro audience.
After that we enjoyed a lovely lunch at the "Tech-Ed Trough"........as I affectionately call it (seriously....ever seen 10,000 computer folks all eating lunch simultaneously? You get my point.) we headed over to the Virtual Tech-Ed recording studio where we shot some video for the Virtual Tech-Ed site (which, you should totally check out if you are not here!). Agent Lynd had to have his face covered for obvious reasons. The interview went well and we discussed the key points of investigatory process. For those in the audience who wanted it to be more of a "How do I do computer forensics?" session, I apologize, but as I mentioned during the event.....you really need to get some specific forensics training, if you're going to do this regularly. (Besides, I've seen most of you in person....and you are probably NOT going to be working in a job like CSI:Miami where you get to hang out daily with forensics guru, Calleigh Duquesne. Nice try though.)
So what are the key steps? There's only four, so I can take the time to list them here. Calleigh would be so proud. :
- Assess - Getting together what is you are being asked to investigate. This also includes getting the very important SIGNED authorization to conduct the interview. Don't your HR folks tell you, "It's okay...I said you could." You'd be surprised how few friends you truly have when the person sues you for wrongful termination. It's also important here that you have some well-documented procedures in place and that you rehearse them frequently. This is no different from any other type of process you'd do for incident response. What's your plan for a virus outbreak on the network? Do you know> Do you have mock tests where you practice an hone those skills? No different for investigations. Be prepared...works for the Boy Scouts, and for IT Pros who like remaining gainfully employed.
- Acquire - I discussed several tools, both commercial and open source that can be used for your forensic processes. They range from tools like Encase and FTK, to tools like TSK and Helix. You can even use the popular tools from SysInternals, like AccessChk, Du, PSExec, PSLoggedOn, etc. as tools used to acquire evidence. CAUTION: Use tools and procedures that are forensically sound! You make think that this is simply a matter of finding porn on Bob's computer....but what happens when a single picture of Bob's extensive pornography collection is a child? That's right.....it's now a Federal case. Bottom line: Always prepare and act as if this case is going to criminal court (like Law and Order...but without Sam Waterston). Agent Lynd made it also very clear that it's okay if you're procedures aren't perfect, so long as you document what it is you did and why you did it, and are completely honest about your errors. (Hmmm....being perfectly honest with the FBI....I'll classify that as a "Best Practice"). Once we get this data/imaged drive/evidence, we need to secure it in a safe location and then we move to Step 3.
- Analyze - You need to analyze all those logs, images, etc. This where the forensics tools really comb in handy. They can do REGEX ("regular expression") searches on acquired data. That includes pre-built searches that look for things like Social Security Numbers, Credit Card Numbers, U.S. Phone numbers, email addresses, etc. Much easier than combing through a 500GB drive block-by-block. Also, these tools will index the evidence for you, making the process much faster, and can even exclude known files (i.e. config.sys) from the results. Once we get all this data analyzed, we next need to.....
- Report - Just because you think this guy needs to be terminated, doesn't make it so. Even in Texas, we can't legally shoot someone for being a Stupid User. Your job is to simply provide "just the facts". You've been making great notes and documenting your actions, right? This is where it all pays off. You get to generate a report of your findings. You are providing a summary of what it is you found, as well as the evidence to back up your thoughts. Your job is not to determine law to prosecute Bob the Porn King, but instead, it's to provide the evidence for HR or the legal system to make a decision. Will it always be what it is you want to happen? Probably not. Guess what....not your issue. You got plenty else to worry about (when's the last time you checked your tape backups?)....and this guy will get his.
As always, remember, security needs to be seen as a "business enabler" and not a "business hurdle". Once you can start proving to management that by conducting a successful investigation, you saved the company $40 Million dollars in trade secrets that was on it's way to your competitor, you'll find it easier to have the "why we need security budget" discussion easier going forward.
P.S. I know many of you are asking for links to the resources I had on my last slide today. I'll post those tomorrow!
Hunter French just did a bang-up job summarizing the Interactive Theater session, so I wanted to redirect people to his blog for some great info. Thanks Hunter for the gracious write up and capture of the audience Q&A and especially for hanging in there despite the crowded theater and the late presenter (me).