IADIS Internacional Conference e-Commerce 2004

THE NEED FOR A STRUCTURED APPROACH TO DIGITAL FORENSIC READINESS
DIGITAL FORENSIC READINESS AND E-COMMERCE

Jerker Danielsson, Norwegian Computing Center, Gaustadalléen 23, 0314 Oslo, Norway

Ingvar Tjøstheim, Norwegian Computing Center, Gaustadalléen 23, 0314 Oslo, Norway

ABSTRACT

In a business context, management of digital evidence is a means to limit business risks. The awareness of this resource is limited. Digital evidence supports, among others, legal defense, civil litigation, claim to intellectual property, and the documentation of the impact of a crime or disputed action. In the future, the importance of digital evidence will increase significantly, particularly in the B2B e-commerce environment, as more and more transactions are carried out in the virtual world. Digital forensic readiness focuses on adapting organizations and configuring their systems to proactively collect and preserve potential digital evidence for potential later use, with an emphasis on the word proactive. The purpose of this paper is to address the importance of digital forensic readiness and to address key issues in a structured approach for digital forensic readiness.

KEYWORDS

Crime, E-commerce, Information Security, Digital Forensic Readiness.

1. INTRODUCTION

Information technology, like any other technology, can be used for both good and bad. Proliferation of information technology increases the possibility of committing criminal acts. On the other hand, information technology plays a vital role in fostering effective communication and collaboration for business and society. In the future, the importance of digital evidence will increase significantly, particularly in the B2B environment. This is a consequence of the fact that more and more transactions are carried out in the virtual or digital world. In this environment reliable digital evidence will play an important role in enforcing law and order and the legal rights of individuals and organizations [Harrison et al. 2004].

Digital evidence is present in disputes and crimes where (i) computers and the information they store have been targeted, (ii) computers have been used as tools, and (iii) computers have been used as repositories for information used or generated in the commission of crimes or disputed events.

Digital evidence consists of bit strings. It may be a bit string representing a log record, the signed hash of a document [1], a signed timestamp from a trusted third party, etc. Bit strings do not exhibit any measurable intrinsic physical properties such as weight, size, structure, etc., as DNA or fingerprint evidence does. Furthermore, it is difficult to determine whether a bit string is the result of an authentic event or whether it has been constructed to indicate an event. The fact that bit strings, and consequently digital evidence, are easy to manipulate introduces strict requirements on collection and preservation of potential digital evidence. For digital evidence to be reliable it must be managed according to a structured approach. In the physical world procedures and methods for fighting crime and solving disputes have been developed over centuries. Corresponding procedures and methods for investigating events that involve the cyberworld are warranted. The purpose of this paper is to address the importance of digital forensic readiness and to address key issues in a structured approach for digital forensic readiness.

[1] The hash value of a document (i.e. a string of characters) is a shorter fixed-length representation of the document. This hash value is then signed with a key (e.g. a symmetric secret key or an asymmetric private key), resulting in a signed hash of the document (also called a digital signature).

ISBN: 972-98947-8-7 © 2004 IADIS

2. DIGITAL FORENSIC READINESS

Digital forensic readiness has been defined to have two objectives [Tan 2001]: “maximizing an environment’s ability to collect credible digital evidence, and; minimizing the cost of forensics in an incident response.” Digital forensic readiness focuses on adapting organizations and configuring their systems to proactively collect and preserve potential digital evidence for potential later use. It might also be defined to encompass more general preparation for incident response such as specifying the resources allocated to different types of incidents.

Collection and preservation of digital evidence is essentially a means to limit business risk by providing support for: legal defense, civil litigation, criminal prosecution, internal disciplinary actions, claim to intellectual property, the documentation of due care, and the documentation of the impact of a crime or disputed action in order to support an insurance claim or a claim for damages. In addition, digital forensic readiness indirectly supports the recovery process (i.e. clearing up the mess and adjusting the defenses) after an incident.

Digital forensic readiness is a discipline within the field of digital forensics. It relates to the other main field within digital forensics, post mortem analysis [2], by increasing the availability and quality of the raw traces that are needed for investigating an incident post mortem. The success of a post mortem analysis is dependent on the pool of potential digital evidence that is available for analysis. Post mortem analysis relies on the fact that all widely used operating systems simply mark the sections on the disk that a file occupies as available when the file is deleted. Hence, old files still reside on the disk after they have been deleted at the operating system layer. Additionally, files are often available in many copies. For example, an email may be found in the server inbox, the desktop inbox, cached memory, backups, and in the systems that the e-mail was sent to. However, there are no guarantees that a deleted file is available for analysis. Deleted or old versions of files that are not explicitly preserved (e.g. in a dedicated forensic vault) risk being overwritten and consequently not available for post mortem analysis. This is especially true for busy servers and network appliances (e.g. routers and firewalls). On the other hand, deleted files on desktop computers might never be overwritten.

In addition to providing raw traces for post mortem analysis, proactive collection and preservation of potential evidence has the potential to lower the cost of post mortem analysis, since it provides a structured pool of potential digital evidence for analysis. Proactive collection and preservation also enables strict integrity protection and meta-data (e.g. time stamps, origin etc.) generation.

3. MOTIVATION

Digital forensic readiness can be compared to the measures organizations take in the physical world to monitor their buildings with, for example, video surveillance (i.e. CCTV), guards, and by logging information about all persons that enter and leave their office buildings. These measures serve three interdependent purposes. First, they provide a deterrent effect. Second, they support the detection of suspicious events. Third, they provide support in answering the questions post mortem of who, when, how and what. The focus in digital forensic readiness is on the third purpose: to provide information about transpired events. By doing so it provides a deterring effect, since the probability of being caught increases. As with the measures mentioned above, this is probably the most important contribution digital forensic readiness provides in terms of monetary savings. Digital forensic readiness also indirectly supports detection of suspicious events, although this is not its main purpose.

Deployment of digital forensic readiness is a natural progression for organizations with a mature information security posture. Forensic readiness offers a second line of defense to information security measures (i.e. defense in depth), in that it supports organizations in pursuing perpetrators in the legal domain when other security measures have failed. Sound forensic readiness procedures also help in establishing clearly what happened in the event of a dispute over an electronic transaction or interaction.

In a business environment, especially in B2B, trust is essential [Mahadevan & Venkatesh 2000]. In e-commerce, the label “secure transactions” is often used for the purpose of building trust and confidence. For further proliferation of e-commerce it is important that organizations offering services in a virtual environment can limit their risk, and that their counterparts can trust the offered services. This is especially true when the value of a transaction exchanged electronically is high. An essential component in reducing risk and building trust in the electronic world is to provide the possibility, as in the physical world, to seek recourse to legal action should a transaction be disputed.

[2] A post mortem analysis in digital forensics typically involves collection of raw traces (e.g. taking images of computer hard disks), search for potential evidence in the collected traces, and analysis of the potential evidence.

4. CURRENT STATE

What is the most common method used in digital forensic readiness? A search on Google on the 1st of July 2004 with the term "digital forensic", together with the two words “readiness” and “method”, resulted in only 17 hits! What, then, is used, if anything? Characteristic of the current state of digital forensic readiness is its ad-hoc nature. For example, the events logged in most systems are not based on any form of analysis. Moreover, the integrity of the logs is often poorly protected, if protected at all. This state, ad-hoc methods and easily manipulated evidence, threatens the reliability of digital evidence and consequently the legal rights of individuals and organizations.
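The following example, added here and not part of the paper or of the DESDIFOR project, illustrates the two points made in section 2 and in this section: proactive collection with strict integrity protection and meta-data (time stamp, origin), and the weakness of logs whose integrity is unprotected. Each evidence record carries the hash of the document it concerns (footnote 1's fixed-length representation), a symmetric-key MAC over the record (a signed hash), and the digest of the previous record, so a verifier can name the first record that was altered or removed; the signing key, the origins and the events are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the key lives in a separate,
# write-protected signing service or HSM, not on the host producing the log.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # "previous digest" of the first record


def doc_hash(data: bytes) -> str:
    """Fixed-length representation of a document (footnote 1 of the paper)."""
    return hashlib.sha256(data).hexdigest()


def record_digest(rec: dict) -> str:
    """Digest of a complete record (including its MAC) used for chaining."""
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()


def _mac(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def append(log: list, origin: str, event: str, document: bytes) -> dict:
    """Proactively preserve one event with meta-data and integrity protection."""
    body = {
        "prev": record_digest(log[-1]) if log else GENESIS,
        "ts": datetime.now(timezone.utc).isoformat(),   # time stamp meta-data
        "origin": origin,                                # origin meta-data
        "event": event,
        "doc_sha256": doc_hash(document),                # document, not its content
    }
    body["mac"] = _mac(body)                             # signed hash of the record
    log.append(body)
    return body


def verify(log: list) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first
    record whose MAC or chaining fails; everything from there on is suspect."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        mac_ok = hmac.compare_digest(_mac(body), rec.get("mac", ""))
        if rec.get("prev") != expected_prev or not mac_ok:
            return i
        expected_prev = record_digest(rec)
    return -1


if __name__ == "__main__":
    evidence = []
    append(evidence, "erp-01", "contract signed", b"constructed contract text")
    append(evidence, "mail-gw", "offer sent", b"constructed offer v1")
    print("intact:", verify(evidence) == -1)
    evidence[0]["event"] = "contract rejected"        # manipulation of a bit string
    print("first bad record:", verify(evidence))      # 0
```

An unprotected plain-text log would accept the same edit silently; here the altered record and every record chained after it are flagged.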

4.1 Unclear requirements, constraints and responsibilities In many jurisdictions it’s unclear to organizations which requirements and constraints the legislation sets on collection and preservation of potential digital evidence. Often it’s also unclear how the responsibility is shared between law enforcement organizations and organizations affected by criminal activity leaving digital traces [Sommer 2004]. It can be argued that organizations have to take a greater responsibility in the cyberworld than they currently do in the physical world. This is due to the complexity of the environment and consequently the complexity of investigations of crimes in this environment. Law enforcement needs support in getting an overview of affected systems. Additionally, law enforcement can only collect evidence post mortem and is consequently dependent on the fact that organizations affected by crime have collected and preserved potential digital evidence in a way that guarantees that it is authentic, accurate and complete.

4.2 The conflict between forensics and privacy

Digital forensic readiness also raises privacy concerns. Furthermore, these concerns might escalate if digital forensic readiness is outsourced to a third party. This is a likely scenario, as we in the future will see Managed Security Service Providers (MSSP) start offering services related to preservation of potential digital evidence. We believe privacy concerns are a “showstopper” for the deployment of digital forensic readiness. The challenge is to provide digital evidence without violating, or being perceived to violate (which matters for social acceptability), privacy. Forensics and privacy pull in different directions. Forensics is about collecting data about actions taken. Privacy is about protecting the identity of, and information about, users and data subjects [3] in all situations except in those where there are valid grounds for accessing this information. The privacy concerns that forensic readiness introduces must, and can, be mitigated through the incorporation of privacy enhancing technologies [Arnesen & Danielsson 2003] into forensic readiness tools and components.

[3] The data subject is the person whose identity is, or may be, connected to the data in question.

To conclude, there is a need for a structured approach to digital forensic readiness compliant with applicable legislation, that simultaneously takes the privacy of users into account. When the need for digital forensic readiness is recognized, then the focus can shift to “how to”.

5. A STRUCTURED APPROACH – KEY ISSUES

A structured approach, in this context, will provide guidance on how organizations proactively can configure their systems and adapt their organizations to collect and preserve potential evidence according to applicable international or national legislation. Furthermore, a structured approach would necessarily provide clarification of requirements and constraints set by the applicable legislation on proactive collection and preservation of potential digital evidence. Moreover, it is a key issue to study the interaction between law enforcement and organizations affected by crime in the cyber domain in order to clarify responsibilities as well as to structure the interaction.

National legislation sets requirements (e.g. concerning integrity protection of evidence) and constraints (i.e. what can be collected lawfully) on digital forensic readiness procedures and practices. Work in this field must therefore be guided by applicable legislation. Norwegian Computing Center is currently working on a project named DESDIFOR that aims at developing a structured approach for digital forensic readiness in the context of Norwegian legislation. However, results from the work in DESDIFOR are expected to have relevance in other legal contexts. Other work in this field includes: the ten-step process for forensic readiness developed in the EU project CTOSE [Rowlingson 2004], the Australian Standard “Guidelines for the management of IT evidence” (HB 171-2003), the British Standard PD008 “Code of Practice for Legal Admissibility and evidential weight of information stored electronically”, and the ISO 15489 “Information and documentation – Records management” standard.

A structured approach in digital forensic readiness should at least include:
• An analysis of legal requirements and constraints on collection and preservation of potential digital evidence in the applicable legal context.
• A method for analyzing the organizations’ need for digital evidence.
• An identification and classification of potential digital evidence sources, and enumeration of technologies and processes for utilizing these sources.
• Guidelines for preserving digital evidence, including processes, procedures, and suggestions as to how technology solutions can be used.
• Guidance on when and how to report incidents to law enforcement, including content and formats of reports, criteria for reporting, and standardization of the interaction between affected parties and law enforcement.

A key issue in a structured approach concerns methods for analyzing the potential evidence need of organizations. Such methods will ensure that actions are targeted towards the most critical disputes and crimes. This analysis should result in a high-level audit policy [Ahmad & Ruighaver 2003], specifying the potential digital evidence that should be collected.

5.1 Analysis of potential digital evidence need

An analysis method for determining which potential digital evidence an organization should collect and preserve is essentially a two-step process. First, the crimes and disputes the organization is exposed to must be determined. Second, based on the identified exposure, the potential digital evidence to collect and preserve can be determined. It is important that this process is guided by a risk analysis combined with a cost-benefit approach. Different crimes and disputes represent different risks for an organization and are associated with different costs for collecting and preserving evidence. The cost should be weighed against the risk.

Organizations have different needs for digital evidence. The need of a particular organization can be derived from the different crimes and disputes the organization is likely to be exposed to, which in turn depends on the organization’s crime and dispute history, assets, customers, and possibly other factors. A structured approach should identify such factors as well as provide a method for assessing organizations’ crime and dispute exposure based on the identified factors.


Which of the identified crimes and disputes are most likely and have a large impact? These variables can possibly be approximated based on the crime and dispute history of the organization and/or any other relevant crime statistics. The product of these two variables identifies the crimes and disputes where the highest returns can be expected from collecting and preserving potential evidence. The value of the deterrent effect introduced should also be assessed and taken into account.

Once the crime and dispute exposure has been analyzed, the digital evidence need of the organization can be determined. For each crime and dispute, evidence that documents relevant events should be collected and preserved. To strengthen one’s case it is important that several corroborating evidence sources are identified and utilized. For example, an exposure to theft of intellectual property by insiders can be addressed by logging all access to the intellectual property in question and by applying unique digital watermarks to all accessed versions of the intellectual property. Another example could be an e-commerce provider that concludes that it is exposed to repudiation of agreements. One possible way of addressing this concern is to enact a policy that all documents concerning transactions over some specified amount should be preserved according to strict forensic standards.

Proactive collection and preservation of potential digital evidence is associated with costs, such as costs associated with developing and maintaining procedures and costs associated with modifying existing applications to collect potential digital evidence. Additionally, further costs are introduced if an incident is pursued in the legal realm. Collection and preservation of potential digital evidence also introduces a risk that should be taken into account. That is, the risk of the evidence being misused or used for purposes that do not benefit the organization. In some jurisdictions, both parties have a right to access potential evidence that is under the control of the other party.

To limit the cost of implementing digital forensic readiness it is important that prior investments can be leveraged and that readiness can be acquired incrementally. Hence, it is important that a structured approach builds on relevant established standards and best practices, and that it takes into account that organizations collect data for other purposes, such as for the purpose of detecting security-critical events.

6. CONCLUDING REMARK

Digital evidence can be viewed as an asset. The importance of an asset is determined by its value. The value of digital evidence lies in the fact that its existence deters crime, supports documentation of insurance claims, protects against litigation, and supports legal or internal action. Digital evidence is an asset that is seldom utilized and there is a cost associated with utilizing this asset. Collection and preservation of digital evidence is only worthwhile if this cost is lower than the value of the digital evidence. To summarize, there is a need for structured approaches for proactive collection and preservation of potential digital evidence compliant with applicable legislation. For these approaches to be successful they should address privacy concerns and be based on risk analysis and cost-benefit analysis.

REFERENCES

Ahmad A., Ruighaver A. B. (2003) Improved Event Logging for Security and Forensics: Developing Audit Management Infrastructure Requirements, ISOneWorld, April 2003.

Arnesen R. R., Danielsson J. (2003) A Framework for Enforcement of Privacy Policies, Nordic Security Workshop NORDSEC 2003, October 2003. Available at: http://publications.nr.no/A_Framework_for_Enforcement_of_Privacy_Policies.pdf

Harrison W., Heuston G., Mocas S., Morrissey M. & Richardson J. (2004) High-tech Forensics, Communications of the ACM, Vol. 47, No. 7, pp. 49-52.

Mahadevan B., Venkatesh N. S. (2000) Building On-line Trust for Business to Business E-Commerce, IT Asia Millennium Conference.

Rowlingson R. (2004) A Ten Step Process for Forensic Readiness, International Journal of Digital Evidence, Winter 2004, Volume 2, Issue 3. Available at: http://www.ijde.org/docs/04_winter_v2i3_art2.pdf

Sommer P. (2004) The future for the policing of cybercrime, Computer Fraud & Security, Issue 1 2004, January 2004, pp. 8-12.

Tan J. (2001) Forensic Readiness, @stake Inc., July 2001. Available at: http://www.atstake.com/research/reports/acrobat/atstake_forensic_readiness.pdf
