Untangling evidence via computer forensics and taking suspects to court is usually a long and expensive task.

It is therefore preferable, where possible, to implement security measures to prevent crime, according to speakers at a forensic event organised by the Information Security Specialist Group (ISSG) on 12 July. Helen Boddy reports.

There are various programs on the market that will help clean and bleach traces of illicit activities on a computer. It is even possible to buy software that will check that cleaning has been effective.

Yet even when a suspect has been particularly thorough in cleaning and bleaching a computer's disk, it is usually possible to find some evidence that can be pieced into a case to present in court, as Professor Tony Sammes of Cranfield University explained at the ISSG Forensics Day. He said it was fortunate that most criminals do usually make some mistakes.

The example that Tony gave of looking for loopholes in a suspect's actions highlighted just how painstaking such work can be. He argued against publishing such details so that he does not inadvertently give more clues to criminals on covering their tracks.

Records of internet activity are a useful source of evidence against suspects in a forensic investigation, according to Jim Bates, a speaker who has worked for both the prosecution and the defence in computer forensic cases.

Local file accesses are often recorded, and these, together with cookies and records of sites accessed, can give the investigator a surprisingly detailed picture of internet activity on the suspect computer.

Email records can also be useful, said Jim. Recent investigations have shown how easy it is for 'invisible' pictures to be sent via email - recoverable by forensic methods but completely unknown to the user. Fortunately the provenance of these is usually easy to recognise but email users should still exercise caution.

As forensics is highly specialised work, it should be left to the experts, speakers at the ISSG event stressed. Evidence needs to be handled with care. Edward Wilding, an experienced computer forensics expert and well-known author on the subject, pointed out that it is easy to alter computer evidence simply by starting up a Windows-based PC, for example.

If handling evidence in a business fraud case, for example, you must maintain a chain of evidence, which includes taking measures such as clearly marking exhibits in plastic bags, according to Noel Bonczoszek, an IT crime investigator.

That way evidence stands less chance of being mislaid or tampered with. You should also make notes at the time you take any action concerning exhibits. Notes made at the time of an event are more likely to be accepted by a court than the testimony of a witness who is relying on memory of an event long ago.

Follow procedures when fraud is suspected

Edward gave a list of fundamental rules to follow if you suspect computer-related crime or fraud in your company:

  • Do not panic.
  • Quantify the risk.
  • Don’t confront suspects until evidence is gathered, as they can then use evidence elimination software to destroy it; if that does happen, backup tapes can be an important source of evidence.
  • Obtain expert legal advice.
  • Maintain operational security.
  • Establish the chain of command – someone at board level should be in charge.
  • Gather your evidence covertly.
  • Use appropriate experts so that their evidence stands up in court.
  • Prepare suspension and exit procedures.
  • Lock down all boxes and dial-in ports.
  • Do not discuss investigations by email.

Further advice was given in another presentation at the Forensics Day by Alan Woodroffe, who focused on what to do if you suspect someone of listening, stealing, or interfering with data on your wireless network.

'You cannot monitor all the activity on your network because there will be gigabytes of information,' he said. 'However, you can put monitoring equipment on the perimeter, which allows you to check out new devices appearing. You can monitor within the perimeter to check for new access points.'

One problem, according to Alan, is that if someone is just passively collecting your information you may not know they have been doing so. But you may gain clues from elsewhere: if, for example, you suddenly see lots of shares traded, someone may have been eavesdropping on your wireless communications about a takeover.

The above cases of dealing with suspected criminal activity illustrate the costly and time-consuming nature of collecting evidence to build a case to take to court. Speakers at the event therefore advocated doing your utmost to prevent crime in the first place.

Outsourcing is a security minefield

If you outsource IT activities, for example, there are measures that can help prevent difficulties, or strengthen your case if you do have to resort to court action; in any event, resorting to the courts takes too long, according to Noel.

It is particularly important to consider preventative measures if you do outsource IT, he believes, as there are many potential ways that suppliers could disrupt your business.

Examples of possible problems are the supplier’s staff tampering with your company's data, or the supplier shutting you out of your systems, potentially leaving you with no staff capable of intervening to retrieve your data.

Worse still, if the suppliers' employees use their own computers, you have no rights to access their privately-owned equipment, making it difficult to recover your information and files quickly, if at all.

To help combat such problems, Noel recommended having a security policy agreement of around two to three lever arch files thick; three pages is not enough, he stressed.

The agreement should include policies such as the supplier providing you with daily back-ups. There should of course be harsh financial penalties for the supplier if security is breached.

You also need a plan to return outsourcing to 'in house', should anything go wrong, and you should keep a rump of key employees to assist this process. Your IT staff could check that the outsourcers are not pulling the wool over your eyes and monitor the current status of your IT when subject to outsourcing.

Happy staff equals secure intellectual property

It's not just companies that outsource IT functions that run security risks, however. Threats to businesses come from inside organisations, as well as from the outside.

'Many companies are often obsessed with external threats outside the firewall but in fact insiders are often responsible for intellectual property (IP) theft, sometimes working alone and sometimes with outsiders,' said Edward.

He cited several high profile cases where disenchanted employees have committed business fraud against their employers. For example, an AOL employee sold a database of 92 million AOL email addresses to spammers, and a GM executive revealed confidential plans of a new plant to Volkswagen. Edward was therefore at pains to stress the importance of contented employees.

However, Edward said he did not believe in actions such as locking down USB ports for most companies, as he does not think that is compatible with a high tech environment. He thinks it is only really worth locking down ports for computers being used for:

  • highly confidential research and development;
  • some MOD high security networks;
  • cases such as highly sensitive mergers or acquisitions.

Better still, Edward proposed that computers used for working on high-end IP should simply not be networked, because programs exist that are very effective at finding out passwords. For the same reason, he advises against embedding passwords in a system (i.e. when asked if you would like passwords to be remembered, always say 'no'), as they are a gift to an attacker.

Edward recommends that an organisation should have one information security professional for 1,000 users. And ideally companies also need a computer auditor, who can oversee compliance and conduct spot checks. As computers generate huge amounts of data, a company needs to assess and define the most appropriate areas to inspect.

To avoid disputes over the ownership of intellectual property, it is vital that the owning organisation asserts its copyright in all proprietary systems and developments.

It is also far easier to secure a prosecution or favourable judgement when disciplinary transgressions are unequivocally specified in a formal policy. Companies should, for example, clearly state that employees must not intentionally download or access pornography.

Keep spies out of your network

There are also a variety of measures that can be taken to help protect a wireless network. Alan Woodroffe explained what organisations can do:

  • Change access point names (SSIDs) to something random, so it is not obvious to whom they belong if a would-be criminal finds one of them.
  • Change the default configuration access.
  • Use infrastructure mode, instead of ad-hoc mode.
  • Hide the SSID. Ask anyone trying to access it to identify the name.
  • Only allow trusted connections.
  • Enable Wi-Fi Protected Access (WPA2) encryption and use randomly generated keys.
  • Use 802.1x authentication methods.
  • Have a policy that requires pre-approval for wireless connections.
  • Periodically check access point, router and firewall logs for anomalies.
  • Place access points on a DMZ (a separate subnet) behind a strong firewall.
  • Turn off wireless equipment when not in use.
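As an added illustration of Alan's monitoring advice (watch the perimeter for new devices, watch inside it for new access points, and review logs periodically), the following Python sketch is not from the event or from any speaker. It runs over constructed DHCP lease lines and a constructed wireless survey, checked against hypothetical inventories of approved devices and the organisation's own access points.

```python
import re

# Constructed sample records (not real logs): DHCP lease acknowledgements seen at the
# perimeter gateway, and the output of a periodic wireless survey inside the perimeter.
DHCP_LOG = """\
Jul 12 09:01:10 gw dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (laptop-hb) via eth1
Jul 12 09:03:42 gw dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:66 (printer-2f) via eth1
Jul 12 09:10:07 gw dhcpd: DHCPACK on 10.0.5.37 to de:ad:be:ef:00:01 (android-9f3a) via eth1
"""
AP_SURVEY = """\
bssid=aa:bb:cc:00:00:01 ssid=k7q2x9 channel=6
bssid=aa:bb:cc:00:00:02 ssid=k7q2x9 channel=11
bssid=66:77:88:99:aa:bb ssid=Free_WiFi channel=1
bssid=aa:bb:cc:ff:ff:ff ssid=k7q2x9 channel=6
"""
# Hypothetical inventories: devices pre-approved for the network, the BSSIDs of the
# organisation's own access points, and the random SSID those access points use.
APPROVED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
APPROVED_APS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
CORP_SSID = "k7q2x9"

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \((\S+)\)")
SURVEY_RE = re.compile(r"bssid=([0-9a-f:]{17}) ssid=(\S+) channel=(\d+)")

def new_devices(dhcp_log, approved_macs):
    """Perimeter check: leases handed out to MAC addresses not on the approved list."""
    found = []
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if m and m.group(2).lower() not in approved_macs:
            found.append((m.group(2).lower(), m.group(1), m.group(3)))
    return found

def rogue_access_points(survey, approved_aps, corp_ssid):
    """Inside check: access points we did not deploy; an unknown one using our SSID is flagged."""
    found = []
    for line in survey.splitlines():
        m = SURVEY_RE.search(line)
        if not m:
            continue
        bssid, ssid, channel = m.group(1).lower(), m.group(2), int(m.group(3))
        if bssid in approved_aps:
            continue
        reason = "impersonates our SSID" if ssid == corp_ssid else "unknown access point"
        found.append((bssid, ssid, channel, reason))
    return found

if __name__ == "__main__":
    print(new_devices(DHCP_LOG, APPROVED_MACS))
    print(rogue_access_points(AP_SURVEY, APPROVED_APS, CORP_SSID))
```

On the sample data the first check reports the one unapproved device that obtained a lease, and the second reports both the stray open access point and the unknown one advertising the organisation's SSID.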

In summary, you have a good chance of avoiding lengthy and expensive forensic investigations and court cases by clearly defining your policies and procedures, configuring systems and networks securely, tying everything down in contracts and policies, and managing employees wisely, with fairness and decency.