Educause Security Discussion mailing list archives

Re: Role of Campus Police. Was: number of IT security staff


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Mon, 31 Jan 2005 11:44:07 -0800

Several years back, I was involved with the High Technology Crime
Investigation Association (HTCIA).  HTCIA is a group that consists of
law enforcement and IT personnel from private businesses and some
governmental (mostly local) IT people as well.  We covered some forensic
issues in our sessions, incident response and a little bit of security.

 
One of the recommendations from law enforcement was that you know who
handles computer crime in your area.  If you simply call the police,
they are going to send out a uniformed officer to take a report and that
is all he is going to do.  Instead, you should contact the detective in
your police or sheriff's department who handles these cases and has the
requisite training.  There are more police with some forensic training
than you would expect.  Most of the cases that they handle aren't
actually cybercrime but other crimes that involve a computer somehow.
These cases include identity theft, harassment, stalking, child porn and
even murder.  Sometimes, the investigation is as simple as looking
through a suspect's email to help determine what relationship that
suspect had with the victim in the case or what possible motive he might
have had for the crime.  
 
It would be a good idea to contact your local law enforcement ahead of time
and find out what they want you to do when responding to a security
incident.
 
The forensics that most detectives are able to do are fairly minor.
Mostly, they are trained to confiscate the computers, image the drives
and use some sort of forensic software such as EnCase.  They are not
trained to handle the investigation of a complex security incident.
Also, most of them do not have significant Unix training, if any.  If
you ask the police to take over from the beginning, they will probably
want to take your computers so that they can perform drive duplication
in their labs.  The police will call in outside experts if necessary.  
 
The better option is to have a disk with the tools necessary to list all
current network connections, open files, running processes, logged in
users, etc.  Document every step.  Document the chain of custody for the
drive images and the information dumped off of the running server.  You
may be asked to verify in court that everything was stored safely and
could not have been tampered with.  Use the aforementioned tools and
dump all pertinent information to a floppy disk or network drive.  Shut
down the server.  Image the drives.  Make a detailed description of the
affected computers including hardware, BIOS version, drive information
and OS.  Prepare the server to be brought back up (with an OS reinstall
or whatever other measures you deem necessary).  
 
The images that you make should not be modified, ever.  These original
forensic copies must be preserved.  You can make additional copies and
perform whatever investigation you need to.  The police are usually very
busy.  The more you do before handing the case to them, the easier it is
for them to work with you (find out what they want first).  Investigate
as much as you can.  If you can determine what happened on your computer
and where the intrusion came from, the police will be better equipped to
take over.  If the attack came from another organization, the police may
be able to gain cooperation (possibly with a search warrant) to further
trace the attacker.  If the attack came from inside your organization,
handle it as you would any other crime.  
 
Local law enforcement do not have a large amount of resources.  They
will probably be more interested in the case if your organization can do
the analysis and package it nicely. Again, consult them ahead of time
and find out what they want.  You do not want to find out that they
won't take the case or that you blew the chain of custody for the
evidence or that there is some other problem after you've invested your
time in this.  
 
If the appropriate law enforcement agencies are not interested, you can
move on, contact your legal counsel and/or image the affected machines
so that there is evidence available if the agencies can be persuaded
later (perhaps after greater financial losses or information theft come
to light).
 
The FBI tends to get involved only in cases where a lot of financial
loss is involved.     
 
A number of companies offer incident response services; it would
probably be best to scout these out beforehand if you think you will
need them.
 
I think my local police got some of their training from the state (CA).
I'm not sure though.  Various companies offer incident response and
forensic training.  One such company is Foundstone:
http://www.foundstone.com/
 
I have not had their training and cannot vouch for it.
 
I hope that I've written everything as accurately as possible.  It has
been about 4 years or so since I was involved in HTCIA and I haven't had
to work with law enforcement on any sort of incident since then.
 
Cheers,
 
Steven

        -----Original Message-----
        From: Theresa M Rowe [mailto:rowe () OAKLAND EDU] 
        Sent: Monday, January 31, 2005 10:38 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Role of Campus Police. Was: number of IT
security staff
        
        

        I think this is an interesting thread.  I was surprised to
        learn, after a significant hack, that our police department
        was not prepared to do any type of network or systems
        forensics.  When we asked what we should do to protect any
        evidence, they did not have an answer (and haven't answered).
        
        There are several steps to a "cyber crime".
        1) Recognizing that there has been a crime.  This is still
        the IT area's responsibility in many cases - agreed?
        2) Mitigating the results of the crime - IT's responsibility.
        3) Gathering and analyzing the evidence of the crime - whose
        responsibility?
        4) Tracking down the perpetrator and executing an arrest -
        the responsibility of the police
        
        So for me, the question is:
        Is there a body of knowledge on cybersecurity crime
        forensics?  Where does one (either in IT or in the police
        department) get that training?
        
        
        
        Theresa Rowe
        Assistant Vice President
        University Technology Services
        www.oakland.edu/uts - the latest news from University Technology
Services
        
        **********
        Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
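The collection procedure Steven describes (list current network connections, open files, running processes and logged-in users; document every step and the chain of custody; dump the output somewhere safe; then shut down and image the drives, keeping the original image untouched) as one worked live-response script. This is an added example, not code from the original post or from HTCIA; it assumes a POSIX shell, sha256sum or shasum for hashing, an optional TRUSTED_BIN directory holding the "disk with the tools" (statically linked copies of ss, lsof, ps, who, last, mount) and, in the usage note, a regular file standing in for a drive. Function names, file layout and the custody.log format are my own choices.

```shell
#!/bin/sh
# Live-response collection with a hashed custody log (added example).
# Assumptions, not from the original post: evidence is written under the
# directory given to collect_volatile; TRUSTED_BIN, if set, points at a
# directory of trusted tool binaries that is searched before the system
# PATH; hashing uses sha256sum or shasum, whichever is present.
set -u

# sha256_of FILE: print the SHA-256 of FILE (works on block devices too).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# log_custody DIR FILE HASH DESCRIPTION: one timestamped line per artifact,
# recording who collected it, when, its hash and what produced it.
# Layout is ts|user|file|hash|description so the description may contain '|'.
log_custody() {
    printf '%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        "$2" "$3" "$4" >> "$1/custody.log"
}

# run_step DIR NAME CMD...: run one collection command, keep its output in
# DIR/NAME.txt and log its hash. A missing tool or a non-zero exit is
# recorded in the artifact rather than silently skipped.
run_step() {
    dir=$1; name=$2; shift 2
    out="$dir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || printf 'exit status %s\n' "$?" >> "$out"
    else
        printf 'tool not available: %s\n' "$1" > "$out"
    fi
    log_custody "$dir" "$name.txt" "$(sha256_of "$out")" "$*"
}

# collect_volatile DIR: capture the most volatile state first (connections,
# processes), then users, logins and mounts, then a system description.
collect_volatile() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/custody.log"
    if [ -n "${TRUSTED_BIN:-}" ]; then PATH="$TRUSTED_BIN:$PATH"; fi
    run_step "$dir" 00_date        date -u
    run_step "$dir" 01_hostname    hostname
    run_step "$dir" 02_connections ss -tunap
    run_step "$dir" 03_open_files  lsof -nP
    run_step "$dir" 04_processes   ps -ef
    run_step "$dir" 05_users       who
    run_step "$dir" 06_last_logins last -n 20
    run_step "$dir" 07_mounts      mount
    run_step "$dir" 08_uname       uname -a
}

# image_disk SRC DIR IMAGE: sector-level copy of SRC into DIR/IMAGE, hashing
# the source before and the image after. Returns 0 only if the hashes match.
# conv=noerror,sync pads a short final block, so hashes agree only when the
# source size is a multiple of bs (true for a whole block device at bs=512).
image_disk() {
    src=$1; dir=$2; img="$dir/$3"
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256_of "$img")
    log_custody "$dir" "$3" "$img_hash" "dd if=$src bs=512 conv=noerror,sync; source sha256 $src_hash"
    [ "$src_hash" = "$img_hash" ]
}

# verify_evidence DIR: re-hash every logged artifact; 0 if all still match.
verify_evidence() {
    dir=$1; bad=0
    while IFS='|' read -r ts user file hash desc; do
        if [ "$(sha256_of "$dir/$file")" != "$hash" ]; then
            echo "MISMATCH: $file (logged $ts by $user)"; bad=1
        fi
    done < "$dir/custody.log"
    return $bad
}

# Usage: sh live_response.sh collect /mnt/evidence/host1 [/dev/sdX]
#        sh live_response.sh verify  /mnt/evidence/host1
case "${1:-}" in
    collect) collect_volatile "$2"
             if [ $# -ge 3 ]; then image_disk "$3" "$2" disk0.dd; fi ;;
    verify)  verify_evidence "$2" ;;
esac
```

Run the collect step from a trusted toolkit before shutting the machine down, pointing the evidence directory at removable media or a network share rather than the suspect disk; then image the powered-down drive and hash the device and the image. Keep that image read-only (for example on media that is then sealed) and do all analysis on a second copy, re-running the verify step against custody.log before handing anything to the detective or taking it to court.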