Evidentiary Authentication within the EnCase® Enterprise Process


JUNE 2003 By John Patzakis1 and Victor Limongelli2

I. Executive Summary

EnCase® Enterprise Edition is a powerful network-enabled incident response and computer forensics system for immediate and complete response to computer security incidents that occur throughout the enterprise. This solution brings the highly successful and industry standard EnCase computer forensic technology to the enterprise, allowing for remote and immediate analysis and bit stream disk acquisition of any server, workstation, and attached media connected to a wide area network. This capability enables immediate enterprise-wide forensic analysis, information analysis and discovery through volatile data capture including open ports, active processes, open files and the live Windows Registry. This capability also enables comprehensive enterprise-wide incident response and forensic analysis through file retrieval, including deleted file recovery, keyword and GREP searches, file signature and hash analysis, and many other integrated tools. This paper will address issues related to authentication of evidence recovered through an enterprise network investigation and how EnCase Enterprise facilitates the proper collection and documentation of recovered computer evidence in a networked environment, and in fact represents best practices in many investigations in a network environment. This paper will also address actual case studies, including a reported court decision where a federal court addressed the use of EnCase Enterprise Edition.

II. Background

The EnCase computer forensic software is widely recognized by the industry and validated by the courts,3 as well as by testing conducted by the National Institute of Standards,4 as the standard process used to collect, recover, and analyze computer evidence in a forensically sound manner. The EnCase process begins with the creation of a bit-stream drive image called an Evidence File. The Evidence File is then mounted as a read-only drive for analysis. When acquiring an image of a drive, EnCase calculates both a CRC (Cyclical Redundancy Checksum) value for every block of 64 sectors (32 KB) that EnCase writes to the evidence file, as well as an MD5 hash calculated for all data contained in the Evidence File. The MD5 hash is calculated through a publicly available algorithm developed by RSA Security. The odds of two computer files with different contents having the same MD5 hash value are more than 1 in 340 undecillion.5 This is a higher level of certainty than even DNA enjoys.6 The MD5 hash value generated by EnCase is stored in a footer to the Evidence File and becomes part of the documentation of the evidence. The EnCase Enterprise Edition is based upon the same technology as the standalone forensic edition, only it is modified to run in a live enterprise environment to provide immediate incident response, data recovery and analysis capability. EnCase Enterprise offers numerous advantages over the much more limited existing alternatives for the remote analysis of files over the network and provides the only available mechanism for live, disk-level analysis of remote drives. The Enterprise edition also features an extensive security apparatus, including 128-bit AES encryption for data transport and a detailed PKI-based authentication scheme.
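To make the integrity layout described above concrete, the following is an added example written for this page, not Guidance Software code and not the EnCase Evidence File format itself: a toy container that records a CRC32 for every 64-sector (32 KB) block written and an MD5 over all acquired data in a footer, with a verifier that localizes a corrupted block. The container layout, the MAGIC tag, the function names and the sample disk data are all constructed assumptions for illustration.

```python
"""Added example for this page (not Guidance Software code): a toy evidence
container that mirrors the integrity layout the paper describes for an
Evidence File, with a CRC32 over every 64-sector block and an MD5 over all
acquired data stored in a footer.  The layout, the MAGIC tag and all
function names are assumptions; the real EnCase format is not reproduced."""
import hashlib
import struct
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR            # 32 KB: the CRC granularity the paper states
MAGIC = b"EXAMPLE-EVF1"        # constructed tag, not an EnCase value

# Constructed "acquired disk" of 80 KB, i.e. two full blocks plus a half block.
SAMPLE_DISK = bytes(range(256)) * 320


def md5_hex(data: bytes) -> str:
    """Digest of all acquired data, the value the footer is meant to record."""
    return hashlib.md5(data).hexdigest()


def build_container(data: bytes) -> bytes:
    """Layout: MAGIC | block count | (length, data, crc32) per block | MD5 footer."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out = bytearray(MAGIC)
    out += struct.pack(">I", len(blocks))
    for chunk in blocks:
        out += struct.pack(">I", len(chunk))
        out += chunk
        out += struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    out += hashlib.md5(data).digest()   # footer: digest of every acquired byte
    return bytes(out)


def verify_container(blob: bytes) -> dict:
    """Recompute each block CRC and the footer MD5; report what no longer matches."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an example evidence container")
    pos = len(MAGIC)
    (count,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    bad_blocks = []
    md5 = hashlib.md5()
    for idx in range(count):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        chunk = blob[pos:pos + length]
        pos += length
        (stored_crc,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if zlib.crc32(chunk) & 0xFFFFFFFF != stored_crc:
            bad_blocks.append(idx)       # the CRC localizes damage to one block
        md5.update(chunk)
    stored_md5 = blob[pos:pos + 16]
    return {
        "block_count": count,
        "bad_blocks": bad_blocks,
        "md5_ok": md5.digest() == stored_md5,
        "md5": md5.hexdigest(),
    }


def corrupt_block(blob: bytes, block_index: int, offset_in_block: int = 10) -> bytes:
    """Constructed tampering: flip one byte of acquired data inside one block."""
    pos = len(MAGIC) + 4
    for _ in range(block_index):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + length + 4
    pos += 4 + offset_in_block
    out = bytearray(blob)
    out[pos] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    image = build_container(SAMPLE_DISK)
    print("clean:", verify_container(image))
    print("tampered:", verify_container(corrupt_block(image, 1)))
```

Run stand-alone, the verifier reports no bad blocks for the clean container and exactly block 1 for the tampered copy, while the footer digest no longer matches in the tampered case: the per-block CRC tells the examiner where an image was damaged, and the overall digest is what ties the whole acquisition to the value recorded at acquisition time. Since this paper was written, practical MD5 collisions have been demonstrated, so a current implementation would pair or replace MD5 with SHA-256; the structure shown does not depend on which hash is used.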
A central authentication server, called the SAFE (Secure Authentication For EnCase), controls permissions, grants session keys for authorized users and services, and securely monitors and logs all examination activity for auditing and chain of custody documentation. In order to gain access to a live server or workstation at disk level to allow remote previews or drive acquisitions, the EnCase Enterprise process utilizes a small servlet installed on each network device to act as a communication proxy for commands from the EnCase Examiner software operated by the remote investigator, and the SAFE server, which controls, monitors and logs each session in a secure manner. In addition to enabling live, disk-level analysis of remote media, the servlet also operates as a critical security mechanism to ensure that only approved investigators authenticated by the SAFE server with properly signed session keys are able to conduct an examination of that particular network device.
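The paper states that the SAFE logs all examination activity to support chain of custody, and later that it creates a secure record of the examination. The following added example, written for this page and not Guidance Software code, shows one way such a record can be made tamper-evident: each session event is hashed together with the previous entry's hash, so that editing or deleting any entry breaks verification from that point on. The event names, fields, examiner and node identifiers and the chaining scheme are constructed assumptions; the real SAFE log format is not reproduced.

```python
"""Added example for this page (not Guidance Software code): a hash-chained,
tamper-evident audit log for an examination session.  Event names, fields
and identifiers are constructed; the real SAFE log format is not reproduced."""
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64   # the chain starts from a fixed, public value


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of a record together with its predecessor's hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class ExaminationAuditLog:
    RECORD_FIELDS = ("seq", "examiner", "action", "target", "details")

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, examiner: str, action: str, target: str, **details) -> dict:
        """Append one event; its hash commits to every earlier entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "examiner": examiner,
                  "action": action, "target": target, "details": details}
        entry = dict(record, prev=prev, hash=_entry_hash(prev, record))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: e[k] for k in self.RECORD_FIELDS}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _entry_hash(prev, record):
                return False, i
            prev = e["hash"]
        return True, -1


def build_sample_session() -> ExaminationAuditLog:
    """Constructed session: the examiner is granted a session, previews a node
    read-only, completes an acquisition and closes the session."""
    log = ExaminationAuditLog()
    log.append("examiner01", "session_granted", "safe", role="incident_response")
    log.append("examiner01", "preview_opened", "node-1234", mode="read-only")
    log.append("examiner01", "acquisition_complete", "node-1234",
               evidence_md5="<constructed-md5-placeholder>")
    log.append("examiner01", "session_closed", "node-1234")
    return log


if __name__ == "__main__":
    log = build_sample_session()
    print("intact:", log.verify())
    log.entries[1]["details"]["mode"] = "read-write"   # constructed after-the-fact edit
    print("after edit:", log.verify())
```

Changing a recorded event (here, rewriting the preview mode) or removing an entry makes `verify()` report the first index at which the chain no longer holds. A chain like this protects the record against silent alteration after the fact; it does not by itself prove who appended each entry, which is why the paper pairs its logging with server-side authentication of the examiner.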

 2003 Guidance Software. All Rights Reserved. 215 North Marengo Avenue, Second Floor • Pasadena, California 91101 • Tel. 626.229.9191 • www.guidancesoftware.com


III. Evidentiary Authentication and EnCase Enterprise Edition

When computer evidence is recovered over a local or wide-area network, questions that may arise include: How is that data authenticated as genuine? How is the retrieved evidence tied to a specific computer, which may be located thousands of miles away? How do we ensure the data integrity was not compromised during the investigation?

Authentication of Computer Data

Computer data retrieved in a network environment in the regular course of business has been successfully admitted into evidence in many reported cases.7 In the United States, the admission of computer evidence is generally governed by Federal Rule of Evidence 901(a), which provides that the authentication of a document (including a computer file) is “satisfied by evidence sufficient to support a finding that the matter in question is what the proponent claims.” As explained by one court when considering the admission of computer log files, “[t]he rule requires only that the court admit evidence if sufficient proof has been introduced so that a reasonable juror could find in favor of authenticity or identification.”8 The Canada Evidence Act specifically addresses the authentication of computer evidence, providing that an electronic document can be authenticated “by evidence capable of supporting a finding that the electronic document is that which it is purported to be.”9 Under these nearly identical statutes, a printout of an e-mail message can often be authenticated simply through direct testimony from the recipient or the author.10 In the corporate enterprise environment, effective computer incident response examinations must occur in real time and over the network, either because the targeted workstations or servers are in a remote location or because the drives cannot be powered down without causing significant harm to the business.

In order to evaluate issues concerning chain of custody and data integrity through the EnCase Enterprise process, the disadvantages of other more limited procedures often utilized for remote analysis and file recovery over a network must first be understood. For example, utilizing virus checking utilities or system administrator tools to conduct remote analysis of active files presents several problems from an evidentiary standpoint. First, such applications will materially alter the files being accessed or examined. In addition to changing critical file date stamps, including last accessed, and last modified times, remotely opening files through Windows NT and other system administration processes will likely result in a temporary file and other shadow data being generated on the target drive being examined. EnCase Enterprise is designed to address these challenges presented by real-time enterprise investigations. Importantly, EnCase Enterprise operates at the disk level, allowing EnCase to analyze the subject media in a read-only manner, without querying the resident operating system. This means that when the native files are read by EnCase, the various metadata related to those files, such as time stamps, date stamps, and other information, are not altered. This also means that no backup files or shadow data are generated during this process.

Best Practices For Collection of Computer Evidence Required

Courts recognize the importance of employing best practices in the collection of computer evidence. Gates Rubber Co. v. Bando Chemical Indus., Ltd.,11 is a particularly important published decision where the court essentially defines a mandatory legal duty on the part of litigants or potential litigants to perform proper computer forensic investigations.
There, one party’s examiner failed to make a mirror image copy of the target hard drive and instead performed a logical “file-by-file” copy in an invasive manner, resulting in lost information, altered file time data, and the creation of new temporary files on the original media.12 In its ruling issuing harsh evidentiary sanctions, the court criticized the errant examiner for failing to make an image copy of the target drive, finding that when processing evidence for judicial purposes a party has "a duty to utilize the method which would yield the most complete and accurate results."13 Best practices, or, in the words of the Gates Rubber Court, “the method which would yield the most complete and accurate results,” is a shifting standard based upon both the circumstances of the investigation and the evolution of new technology. In incident response investigations, the analysis must be as rapid as possible to mitigate the loss and increase the likelihood of identifying the culprit. As the European Convention on Cybercrime has noted, “effective collection of evidence in electronic form requires very rapid response.”14 For these reasons, many law enforcement agencies in the United States and throughout the world are employing EnCase Enterprise Edition in criminal investigations in situations in which (i) the circumstances do not allow for systems to be taken off-line, (ii) the necessity of a rapid response requires utilization of a wide area network (WAN) to access the target media, or (iii) there is a need to investigate numerous volumes of computer media attached to a WAN. Under these situations, best practices require the use of EnCase Enterprise.

Live Analysis

Of course, because EnCase Enterprise operates in a live environment, a “static” imaging process is simply not possible. Whenever a computer drive remains operating in its native environment, there will be changes made to that drive by virtue of its continued operation, such as writes to the swap file or other automatic functions of the resident operating system. However, despite operating in a live environment, EnCase Enterprise does not itself make any writes to the target drive during the exam, nor are files altered in any way when viewed or copied by EnCase. In addition to substantial cost benefits, it is often more advantageous from an evidentiary standpoint to remotely image or forensically search a live computer system, rather than to shut down a system for standalone analysis, for reasons including the following:

1) Critical systems often cannot be brought down without causing substantial damage to an enterprise’s business operations. With the advent of EnCase Enterprise, it is no longer absolutely necessary to shut down mission critical servers in order to conduct a proper computer investigation.

2) Critical evidence will often be lost between the time an investigation is deemed necessary, and when the investigator can gain physical access to a computer. It is thus often more advantageous to conduct an immediate remote investigation, rather than waiting several hours or even days to either travel to a site or conduct a clandestine standalone computer investigation. With the advent of the EnCase Enterprise technology, such a delay is no longer reasonable.

3) When operating on a live system, a substantial amount of volatile data can be accessed that would otherwise disappear or not be available if a system were shut down. Running processes, open ports, data in RAM, connected devices, and current open documents are just a few examples of forensically important live data that is only available when a computer is running in its native environment.

Factors such as these are considered by the courts in determining the appropriateness of methodology to search computer systems for purposes of recovering evidence.15 Another question sometimes raised whenever a live system is remotely previewed or recovered over a network is whether the recovered data is genuine and can be connected to the specific computer in question. EnCase Enterprise addresses this question on three fronts. First, EnCase Enterprise, unlike typical system administrative tools, cannot write to the Subject media at any time during the examination. This means that any relevant data found on the Subject drive could not have been placed there through the use of EnCase Enterprise, even if the investigator had wanted to do so. Secondly, the elaborate, role-based security apparatus of the Enterprise Edition disallows unauthorized access and securely logs and identifies all users and activity throughout the course of the examination through a secure server, thus documenting important chain of custody and creating a detailed and secure record of the examination. Finally, all transported data in the EnCase Enterprise environment and the resulting Evidence Files are encrypted with 128-bit AES encryption. As noted above, when creating Evidence Files, EnCase Enterprise calculates CRC and MD5 checksums in the same manner as the standalone forensic version.

Challenges To Authenticity Must Have Solid Basis

Even if a criminal defendant or civil litigant were to challenge directly the authenticity of evidence gathered through the use of EnCase Enterprise Edition, the threshold to be met is quite high. Courts will normally disallow challenges to the authenticity of computer-based evidence absent a specific showing that the 1) computer data in question had been corrupted or mishandled, and 2) that the allegedly mishandled data is relevant to the case.16 Mere speculation and unsupported theories of alterations to relevant data generally will not suffice. There is ample precedent reflecting that unsupported claims of possible tampering or overlooked exculpatory data are both relatively common and met with considerable skepticism by the courts. One federal court refused to consider allegations of tampering that was “almost wild-eyed speculation . . . [without] evidence to support such a scenario.”17 Another court noted that the mere possibility that computer data could have been altered is “plainly insufficient to establish untrustworthiness.”18 One court suggests that the defense should perform its own credible computer forensic examination to support any allegation of overlooked exculpatory evidence or tampering.19 Another court noted that while some unidentified data may have been inadvertently altered during the course of an exam, the defendant failed to establish how such alteration, even if true, affected the data actually relevant to the case.20 As such, in order for a court to even allow a challenge based upon alleged tampering or alteration of the computer data, the opponent of the evidence should be required to establish both specific evidence of alteration or tampering and that such alteration affected data actually relevant to the case. Further, even if it is established that relevant computer records have been altered, such evidence would be considered toward the weight of the evidence, not its admissibility.21

IV. Case Studies From The Field

Positive Software v. New Century Mortgage

Positive Software Solutions Inc. v. New Century Mortgage, 2003 WL 21000002 (N.D.Tex.), is a U.S. federal court case in which EnCase Enterprise Edition was used by the defendant’s expert to image 11 of the defendant’s 250+ servers. The plaintiff raised objections and sought direct access to the defendant’s network to conduct their own imaging. In denying the plaintiff's motion to conduct their own imaging of defendant’s servers, the Court ordered the defendant "to preserve all extant backups or images of all servers or personal computers that now or previously contained any [relevant evidence] . . . and to preserve all extant backups or images of all e-mail servers, pending further order of the Court or directive of the arbitrator." The Court did not fault the use of EnCase Enterprise Edition or otherwise find that the forensic imaging that was conducted using EnCase Enterprise Edition was in any way deficient or unacceptable, despite the fact that the plaintiff's motion raised unspecified allegations questioning "the quality and accuracy of the imaging." While EnCase Enterprise has been used in hundreds of investigations to date, the Positive Software case is notable as it is a published decision that deals with evidence produced by EnCase Enterprise Edition, and implicitly accepts the process.

Insider Fraud Investigation

EnCase Enterprise was recently employed by an examiner at a major financial institution in New York to successfully preview two drives in Thailand connected to the WAN for purposes of investigating a very sensitive case of insider fraud. The drives were previewed less than an hour after management determined that the investigation was necessary and that time was of the essence. The preview process revealed that one of the drives contained highly relevant information, and that drive was promptly acquired for further forensic analysis in New York without the knowledge of anyone in Thailand and without disrupting operations. The investigation also revealed that the other drive did not contain relevant evidence. An investigation with stand-alone computer forensics utilities would have delayed the process by several days, thus resulting in destroyed or otherwise changed evidence due to the delay in response, and would have likely compromised the investigation or, at a minimum, impacted business and morale due to the physical presence of investigators.

Military Incident Response

A military agency employed EnCase Enterprise edition and a high-speed network connection to image a drive located over 10,000 miles away. This process enabled rapid response and the capturing of live data, including the processes that were currently running on the compromised system. Without EnCase Enterprise the response would have been delayed by several days, or even more likely, would not have taken place at all.

V. Conclusion

EnCase Enterprise is ideally suited to recover and authenticate data over a local or wide area network. In many cases, the use of EnCase Enterprise is more than merely acceptable, but in fact constitutes best practices. EnCase Enterprise maintains the integrity of the files being examined, and cannot write to the target drive. Its robust security infrastructure disallows unauthorized access and securely logs and identifies all users and activity throughout the course of the examination through a secure server. This framework establishes EnCase Enterprise as an unparalleled process for maintaining and documenting data acquired in a remote and live network environment.

NOTES

1. John Patzakis, Esq. is President and CEO of Guidance Software.
2. Victor Limongelli, Esq. is General Counsel of Guidance Software.
3. State v. Cook, 2002-Ohio-4812, 2002 WL 31045293 (Appellate court expressly validates the authenticity of an EnCase image); State of Washington v. Leavell, Okanogan County Cause no. 00-1-0026-8, October 20, 2000 ruling; People v. Rodriguez, Sonoma County, California Superior Ct. no SCR28424, January 12, 2001 ruling.
4. See www.ojp.usdoj.gov/nij/sciencetech/ecrime.htm for the results of the NIST Computer Forensics Tool Testing Project and Guidance Software’s comments to the EnCase test report at www.guidancesoftware.com/products/software/EnCaseForensic/NIST2003Response.pdf
5. An undecillion would be written as a 1 followed by 36 zeros. By contrast, a trillion would be written as a 1 followed by twelve zeros.
6. NCPCA Update Newsletter, Volume 15, Number 9, 2002; www.ndaaapri.org/publications/newsletters/update_volume_15_number_9_2002.html
7. See, e.g., United States v. Moore, 923 F.2d 910, 915 (1st Cir. 1991); United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); People v. Lugashi, 205 Cal.App.3d 632 (1988).
8. United States v. Tank, 200 F.3d 627 (9th Cir. 2000).
9. Canada Evidence Act, Chapter C-5, section 31.1.
10. See, e.g., United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) (Testimony of recipients sufficient to authenticate e-mails sent by defendant.)
11. 167 F.R.D. 90 (D.C. Col., 1996).
12. Id. at 112.
13. Id.
14. Council of Europe’s Convention on Cybercrime, Explanatory Report, ¶ 298.
15. See United States v. Campos, 221 F.3d 1143, 1147 (10th Cir. 2000); United States v. Upham, 168 F.3d 532, 535 (1st Cir. 1999) (upholding seizure of "[a]ny and all computer software and hardware, . . . computer disks, disk drives" in a child pornography case because "[a]s a practical matter, the seizure and subsequent off-premises search of the computer and all available disks was about the narrowest definable search and seizure reasonably likely to obtain the [sought after] images").
16. United States v. Tank, supra; Wisconsin v. Schroeder, 2000 WL 675942.
17. United States v. Whitaker, 127 F.3d 595, 602 (7th Cir. 1997).
18. United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988); see also United States v. Glasser, 773 F.2d 1553 (11th Cir. 1985) (“The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records.”).
19. United States v. Tank, supra, at 631 fn. 5.
20. Wisconsin v. Schroeder, 2000 WL 675942.
21. See Bonallo, 858 F.2d at 1436.
