Incident Response

So you've been breached. Is your company prepared to look for and preserve digital evidence of the crime for eventual use in court?

In September 2005, police attached to the Australian High Tech Crime Centre (AHTCC) arrested and charged a Melbourne man under the Cyber Crime provisions of the Criminal Code Act 1995. This man admitted to committing unauthorized access to a company which provides a payment gateway system for other companies conducting business over the Internet, specifically the provision of facilities allowing customers of these other businesses to make credit card payments over the Internet.

Examination of the payment gateway system revealed there were a number of other scanning tools, as well as username and password guessing tools, on the server. These tools had been placed there unlawfully by the Melbourne man. These files are collectively referred to as a "rootkit". A rootkit is an intruder's toolkit, which is placed on a vulnerable computer once access has been gained. This kit then performs a number of designated tasks, including hiding its presence on the compromised computer and preventing another person from gaining access the same way by "closing the window" behind it.

In the case in Melbourne last year, the files indicated that the intruder had been scanning for other vulnerable computers from the compromised server. The AHTCC were alerted to this criminal activity by a system administrator who, during routine maintenance, had noticed there had been multiple failed attempts to log on to this compromised server.

In addition to using the server for storing files, the man also used it for the purpose of scanning for other vulnerable servers in which to place his rootkit and gain further administrative access. During the investigation, police found evidence of IRC (Internet Relay Chat) communications where the man had made references to his activity.

So what should organizations do if they detect this type of illegal activity? Organizations should contact their local police. For the AHTCC to commence an investigation there needs to be evidence of a criminal offence. Whilst larger businesses may have trained internal capacity to deal with such incidents, many small and medium-sized organizations do not.

Preserving Evidence

The preservation of evidence at the early stage is critical. The quality and success of a subsequent investigation is highly dependent on the initial response and the quality of information gathered.

What form the preservation of evidence takes will depend upon the circumstances but usually involves actions including the copying of unaltered computer logs to CD/DVD or obtaining computer system backups through forensic imaging of computer hard drives.

When conducting incident response, organizations need to be aware of the following:

1. Identify and gather relevant pieces of information which may assist police in an investigation. This includes network layout diagrams, details of user accounts, details of system backups and information relating to operating systems and software used;

2. Anyone involved in the incident response process may be required to provide statements to investigators and may also be required to give evidence at court;

3. Those involved in the incident response process should take detailed notes of any actions they have undertaken in responding to the incident; and

4. Those involved in the incident response process should ensure the continuity of any evidence is maintained, including the labelling of where and when evidence was obtained.
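The preservation and continuity points above (unaltered log copies, and a record of where and when each item was obtained) can be backed by a hashed manifest taken at collection time. The following script is an added example, not part of the article or any AHTCC procedure; it assumes a POSIX shell with coreutils (sha256sum, cp, chmod, date, uname), and the directory names and log line used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): copy logs without altering them,
# record who/when/where they were collected together with a SHA-256 of
# every file, and re-verify that record later. Assumes POSIX sh + coreutils.

# preserve_logs SRC_DIR DEST_DIR
# Copies the tree with timestamps intact (cp -p) and marks the copies
# read-only so a later accidental edit is at least not silent.
preserve_logs() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    cp -pR "$src"/. "$dest"/
    find "$dest" -type f -exec chmod a-w {} +
}

# make_manifest EVIDENCE_DIR MANIFEST_FILE
# Header lines (prefixed with #) record the collection time in UTC, the
# collecting host and user, and the evidence location; the remaining lines
# are in sha256sum's own "hash  path" format so sha256sum -c can check them.
# Paths are recorded exactly as given, so pass an absolute EVIDENCE_DIR.
make_manifest() {
    dir="$1"; manifest="$2"
    {
        printf '# collected_at_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '# collected_on_host=%s\n' "$(uname -n)"
        printf '# collected_by=%s\n' "${USER:-unknown}"
        printf '# evidence_dir=%s\n' "$dir"
        find "$dir" -type f -exec sha256sum {} + | sort -k2
    } > "$manifest"
}

# verify_manifest MANIFEST_FILE
# Exit status 0 only if every hashed file still exists and is unchanged;
# the header lines are stripped before handing the list to sha256sum.
verify_manifest() {
    grep -v '^#' "$1" | sha256sum -c --status
}

# Typical use (paths are placeholders):
#   preserve_logs /var/log /mnt/evidence/case-0001/logs
#   make_manifest /mnt/evidence/case-0001/logs /mnt/evidence/case-0001/MANIFEST
#   verify_manifest /mnt/evidence/case-0001/MANIFEST && echo "evidence intact"
```

Store the manifest alongside the signed handwritten notes the list asks for, and re-run verify_manifest whenever the copies change hands; a non-zero exit identifies exactly which file no longer matches its collection-time hash.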

Federal Agent Nigel Phair has over 16 years' experience with the Australian Federal Police and National Crime Authority conducting large-scale criminal investigations, as well as policy development and peace monitoring duties. He is currently a team leader within the Australian High Tech Crime Centre.
