On the Structured Interdependence of Policy

Corporate documentation is a multifaceted pyramid structure.  It begins with the business plan and statement of purpose.  The departments are chartered to spell out purpose, responsibilities, and control.  The charters are supported in policy.  Policy is frequently interdepartmental in reach.  Nothing is done in a vacuum.  The policies are detailed in procedures, standards, and other documents.

Everything fits into the structure, which makes it strong.  Errors in the documentation expose a company to risk from a variety of sources.  Every action taken by the company should be traceable back to one of the documents.  The documentation exists to protect and guide the actions of the employees.

It shouldn’t just be a bunch of paper in a binder that gets reprinted once a year for auditors.  It shouldn’t be a stick used only to discipline.

If policies aren’t the inspiration for action, they’re in need of overhaul.  You can tell the vitality of a company by its policy manual.  Is yours a lighthouse in the storm, or a pair of handcuffs?

Canary in a Coalmine

As of January 1, 2018 Liticode has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information.

Proof of Proper Electronic Evidence Collection

One of the nice things about electronic evidence is that it is relatively easy to make its handling reproducible, and a reproducible process is the best answer to any complaint about the veracity of what was produced.

For example, assuming you collect widely and preserve broadly, when it comes time to cull and produce materials for review, do it with scripts (small programs, quickly written by people who know what they are doing) and keep the scripts with the culled materials for later review, should there be any doubt.

Given both the original sources and the cull scripts, the production materials should always come out the same.  That holds only if the sources were hashed at collection and the scripts are kept unchanged, so a reviewer can confirm they are running the same inputs through the same code.  If the opposition accepts the scripts, there is little room left to doubt the veracity of the materials produced.

Scripts change little between cases.  A general search for strings is simple enough; narrowing the cull intelligently takes more skill, and truly targeted refinement requires pattern-matching skills (regular expressions and the like) not commonly found among technicians.  Yet these culling scripts can drastically reduce the size of the evidence under consideration and simplify case dynamics.

Given the sizes of preservation sets, the key to a quality case is the speed with which it proceeds and the quality of the interaction.  Good culling improves the legal experience and is best done using a combination of standard process and expert eye, depending on the complexity.  Spending money on expert assistance such as that provided by Digital Trust® results in savings over the life of the case, frequently drastic savings.

Producing the scripts along with the materials makes the production reproducible, and a reproducible production is very hard to contest.
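The cull described above, as an added example that is not Digital Trust's own tooling: a small script that applies a documented filter to a preserved set in a fixed order, copies the hits to a production directory, and writes a manifest holding the hash of every source file, every produced file, and the script itself, so a reviewer can re-run it and compare.  The sample documents, the rules and the reasons attached to them are constructed for the example; the same approach applies to any file-based preservation set.

```python
"""Reproducible cull of a preserved evidence set with a hash manifest.

Added example; this is not Digital Trust's tooling. It assumes the preserved
set is a directory of plain files and that the cull is expressed as
case-insensitive regular expressions, each paired with the reason it exists.
The sample documents, names and rules below are constructed for the example.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed sample preservation set: relative path -> contents.
SAMPLE_SET = {
    "mail/0001.eml": "From: cfo@example.test\nSubject: Q3 wire to Acme\n\n"
                     "Please approve the Acme transfer today.\n",
    "mail/0002.eml": "From: hr@example.test\nSubject: Picnic\n\nBring a side dish.\n",
    "docs/acme-contract.txt": "MASTER SERVICES AGREEMENT between Example Corp and Acme Ltd.\n",
    "docs/lunch.txt": "Sandwich order for Friday.\n",
}

# The cull rule: (pattern, rationale). The rationale is recorded in the
# manifest so the reasoning behind the filter travels with the production.
CULL_RULES = [
    (r"\bacme\b", "Counterparty named in the complaint"),
    (r"\bwire\b|\btransfer\b", "Payment instructions at issue"),
]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def reasons_for(text, rules):
    """Rationales of every rule that hits; an empty list means the file is culled out."""
    return [why for pattern, why in rules if re.search(pattern, text, re.IGNORECASE)]


def cull(source_dir, rules, script_bytes):
    """Apply the rules to every file under source_dir, deterministically.

    Files are visited in sorted path order, so two runs over identical sources
    yield identical manifests. The manifest records the hash of the script,
    of every source file and of every produced file, which is what a later
    reviewer needs in order to re-run the cull and compare.
    """
    manifest = {
        "script_sha256": sha256_bytes(script_bytes),
        "rules": [{"pattern": p, "rationale": r} for p, r in rules],
        "sources": {},
        "produced": {},
        "excluded": [],
    }
    files = sorted((p for p in source_dir.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(source_dir).as_posix())
    for path in files:
        rel = path.relative_to(source_dir).as_posix()
        data = path.read_bytes()
        manifest["sources"][rel] = sha256_bytes(data)
        hits = reasons_for(data.decode("utf-8", errors="replace"), rules)
        if hits:
            manifest["produced"][rel] = {"sha256": sha256_bytes(data), "because": hits}
        else:
            manifest["excluded"].append(rel)
    return manifest


def produce(source_dir, out_dir, rules, script_bytes):
    """Run the cull, copy the hits into out_dir and write manifest.json beside them."""
    manifest = cull(source_dir, rules, script_bytes)
    for rel in manifest["produced"]:
        dest = out_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes((source_dir / rel).read_bytes())
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def rerun_matches(source_dir, rules, script_bytes, manifest):
    """Reviewer's check: re-run the cull and compare the whole manifest.

    A changed source, a changed rule or a changed script all show up as a mismatch.
    """
    return cull(source_dir, rules, script_bytes) == manifest


def materialize(root):
    """Write the constructed sample set to disk."""
    for rel, text in SAMPLE_SET.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def run_demo():
    """Produce once, re-run as a reviewer would, then tamper with one source.

    Returns (manifest, rerun_identical, tamper_detected).
    """
    script = Path(__file__).read_bytes() if "__file__" in globals() else b"inline"
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "preserved"), Path(tmp, "production")
        materialize(src)
        manifest = produce(src, out, CULL_RULES, script)
        identical = rerun_matches(src, CULL_RULES, script, manifest)
        (src / "docs/lunch.txt").write_text(SAMPLE_SET["docs/lunch.txt"] + "edited\n")
        tamper_detected = not rerun_matches(src, CULL_RULES, script, manifest)
    return manifest, identical, tamper_detected


if __name__ == "__main__":
    manifest, identical, tamper_detected = run_demo()
    print(json.dumps(manifest, indent=2, sort_keys=True))
    print("re-run identical:", identical, "| tampering detected:", tamper_detected)
```

The point of hashing the script itself is that "the same scripts" becomes something a reviewer can verify rather than assert; the point of the `because` field is that the filter's rationale, which is what opposing counsel will attack, is written down at the moment the cull runs rather than reconstructed later.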

Truecrypt Kerfuffle

In late May of 2014 the developers of Truecrypt posted version 7.2 together with a notice that the software is not secure and may contain unfixed issues, which caused a flurry of concern and activity and looks like an attempt by the developers to shut the product down.  There may be shenanigans in the code, but nobody knows for sure at this point.  What is known is that 7.2 is a crippled release (it can decrypt existing volumes but can no longer create new ones) and should be avoided.

However, if you are considering abandoning TC altogether, you might want to wait until more is known.  First, the program has not been abandoned by the community, which is hastily regrouping around what is hoped will ultimately be a clean version thoroughly examined by open-source developers.  Second, many clients have a tremendous investment in the program, and change will be expensive.  Third, as far as anyone knows it still works.  There has been no “skeleton key” disclosure; at worst it seems a large government agency may be able to read the files, and that is not a threat to most people’s use.

Digital Trust’s guidance on the software at this time: if you are traveling with highly sensitive material and relying on Truecrypt to avoid compromise by a state agency, (you’re a fool and) change those travelling devices to another form of encryption.  If, however, you are in a relatively safe security environment and relying on Truecrypt for basic privacy and legal confidentiality, take no action at this time, unless you are using version 7.2, in which case we advise immediate downgrading to 7.1a and cleanup.

The cost of converting existing business assets to a new program should be weighed against the likelihood that all of this ends benignly.  For the majority of our clients we are advising you to remain with Truecrypt and simply not upgrade to 7.2.  Should the situation change, we will recommend further action at that time, but for now, just keep working with what you have.

To be as clear as possible: those clients currently relying on 7.1a or lower should continue to do so and not upgrade past 7.1a.

“Keep calm and don’t upgrade.”

Information Systems Purchasing

Core business management is not an IT function.  Even if you’re a “systems” shop, like Cisco, the people responsible for uniting your business personnel in cyberspace aren’t the ones directing business operations.  They do not get to steer the ship, and if they do, you can be sure it will be a rough crossing.  IT can no more make core business purchasing decisions than HR can.  These are support functions in an organization, but sometimes that gets forgotten.

The problem is that IT doesn’t know the business.  No matter how hard they try, they cannot share the same viewpoint or face the same risks as a core business unit, and their direction comes from their own interests.  This is normal, natural, and nothing to be upset about.  It is upsetting when reality is ignored, and systems are purchased by people who aren’t the responsible business unit.

We’re not saying that IT shouldn’t make IT purchasing decisions, because that’s the exact opposite problem.  But they need to simply be advisory when it comes to core business systems and the business unit responsible needs to be the one making the ultimate decision, even if it goes against IT advisement.

The rub is that this only works if the business unit is in capable hands and is held responsible for its decisions.  In many cases it isn’t, and this leads to a clash of wills when a senior IT person genuinely does know better and advises against a purchase.  Such a senior mind should be capable of persuading a recalcitrant business unit, but sometimes things don’t work out, and the business pays the price.

At any rate, as much as reasonably possible, the business needs to decide what to buy and IT’s role is to support it and advise during purchasing.  This has a beneficial effect for IT by removing them from the decision, almost entirely, and leaving the responsibility with the business where it belongs.

What’s important from the 20,000 foot view is that no sabotage come into play.  If IT implements something the business didn’t want, they need to support it and not undermine the effort.  The reasons for implementing it were solid or it wouldn’t have happened, and if that’s not the case, there’s bigger problems than the failed system.  The opposite also holds: IT must support the business purchases wholeheartedly.  Any whiff of antagonism must be rooted out and squashed or the blight may persist and grow.

Business cannot ignore IT input.  If IT makes a case for cost effectiveness over form, then it’s real and it goes into the profitability model.  It cannot be disregarded or IT ends up covering hidden costs that undermine success.

So purchasing delineation needs to be clear.  Business systems are the responsibility of the business heads and IT is the responsibility of IT, and business cannot make decisions without IT.  IT can make decisions on IT purchases without the business, unless it impacts them.

Keeping the purchasing in line and distinctly defining responsibility is critical to accountability and success, and muddying the waters by having different business areas intermingle purchasing decisions with IT is a guaranteed path to failure.

What’s this got to do with security or forensics?  Well, there are the policies that get generated and end up being reviewed as part of the audit process, but more importantly, inefficiency and waste in a business, as characterized by poor purchasing habits, lead to system duplication and financial difficulties.  More systems means more attack surface and more potential forensic sources.  Financial difficulty means security needs get cut (second only to training).  So in a roundabout way, purchasing has a real, discernible impact on security and forensics.

So don’t neglect those purchasing policies during your next non-financial regulatory inspection.  They’re important.

Why Do Governments Hate Hackers?

Fear and greed.  That’s all.  Governments hate hackers with an intensity reserved for the most heinous of criminals, because they know that if the hackers want they can cause massive damage.   Governments hire them to do these things to other governments, so they know what they are capable of.  When resources or motivation are high enough, hackers can do pretty much anything you can imagine with computers.

This has resulted in governments treating hackers heavy-handedly; worse, even, than violent offenders.  That, in a number of cases, is something we here at DT find deeply disturbing, and it is why we support various charitable organizations that provide hackers’ legal defense.

Here at DT, we think that a man robbing a bank with a gun deserves a harsher sentence than a man robbing a bank with a computer. Period.  Most citizens would agree with that view, we think.  Only the banks are going to be seriously biased against the hacker, because the hacker is harder to stop and poses a greater risk of loss.  The robber gets only what he can carry, but the hacker gets everything he can transfer.  Nobody can physically rob a bank and walk away with $1B, but a hacker can do it digitally.  That frightens financial types.  One hacker can, and has, destroyed thriving businesses by emptying their bank accounts, which the banks are reluctant to pay for, even if their security is negligently low.  Insurers have been abysmally slow to catch on.  And what the banks hate, governments are instructed to hate.  And it is a war of fear and oppression.  How else does one explain crack smoking government officials remaining in office while hackers are jailed and physically assaulted by Federal government agents over minor offenses?

Going after criminal hackers instead of violent offenders is disgusting.  Truckloads (hundreds of thousands) of sex trafficked children are driven nearly unimpeded throughout the world, human slavery runs more rampant than ever in history, and financial fraud and white collar crime are secondary to a bunch of guys with computers stealing from poorly secured corporations.  Let the corporations and businesses look after their own and let law enforcement return to protecting the people first, and the corporations second.  Businesses make profit and they can defend their own interests and if that adds to the cost of a song or a banana, then so be it, because it means it won’t get added in as a hidden cost in taxes or insurance.  Who among any of us would claim that stealing music is a worse crime than rape and kidnapping?  It’s absurd and insulting to people who are real victims.  To do otherwise is to admit wholeheartedly that the business interests are more important than the people, yet music pirates get more attention.  And that, as intelligent and responsible people, we cannot stand for.

BYOD: Bring Your Own Device/Doom/Destruction/Distraction

BYOD continues to be a popular topic of conversation.  Here at Digital Trust we are torn on the business use case.  It looks like a technology with a high cost hurdle before any payback.  On the other hand, we love it for the ease with which it lets us penetrate security layers during engagements.  This is definitely a two-edged sword, and businesses are strongly advised to have their security ducks in a row before putting any important assets at risk.  Get an outside opinion on your setup; this is one area where an extra set of eyes is important.  When you permit BYOD you drastically increase the attack surface of the company: every personal phone and laptop becomes an endpoint you do not control but that carries your credentials and data.  We can help ensure your security preparations meet your requirements.

Law Firms Foundation

Law firms are particularly interesting targets for computer crime.  They frequently hold large amounts of sensitive data, some of it of distinct value, some of it useful to criminals for a variety of reasons.

It can be used to make fake IDs or provide the opposition with intelligence they shouldn’t have, and that’s just the tip of the iceberg.  Imagine if all the firm’s data, notes, and communications were in the hands of the opposition or a criminal.  Imagine if it all simply vanished.  Recent ransomware has done exactly this, encrypting data files and demanding payment for the key.  What would happen to the typical law firm if all their online case data became inaccessible?  Perhaps permanently.

Firms frequently have banking data that can be used to pilfer funds from client accounts.

Client data they possess may have value outside the legal forum.  For example, a blueprint might be of interest to a bank robber.  Copyrighted materials might be of interest to a client’s competitors.  Contracts might be of value to the opposition or a third party.  Notes on criminal and social behavior are valued by unscrupulous news people, as we saw in the Rupert Murdoch scandal.

Then there’s access to client networks.  If the firm doesn’t have direct access to the client network via VPN, they’ve got email, and once internal email is compromised, sending emails with malware into a client network is relatively easy.

But the bad guys don’t need to get control of a firm’s email, they can, with a simple forged email that looks like it came from the firm, get a client to click on a link that infects their computer.  It’s telling that simply the name of the firm can be of value to an attacker.  With just a name, they can reach out and cause trouble.

Worse, firms can be targeted.  Because of public filing or news, it is quite easy, in most cases, to find out who someone is being represented by, and then use that information for nefarious purposes.

Which is why law firms need to be certain they are effectively managing risks.  Understandably, most don’t have the level of security in house to do the job, but help is available.  By contracting a professional service to assist with risk management activities, the firm can continue doing its business with the assurance that it is more secure and aware of the potential problems.

Management can make rational judgments about how much to spend, on what, and to what ends.  Without professional assistance, crucial details can be missed, and gaps can remain where none appear.

Digital Trust provides security and risk management services, and we’re intimately familiar with the environment.  Give us a call, or email us, but make sure you’ve looked at your risk situation, no matter who you use for security services.

Best Evidence

When it comes to electronic preservation of evidence in civil litigation (as opposed to criminal evidence collection), there is some discussion about what is the best evidence to preserve.

On the one hand, you want to ensure you collect everything that is relevant.  On the other, you can’t collect primary sources for everything in most modern companies, because it is too disruptive.  For example, we don’t collect the disks from the email server, but this is highly likely in a criminal proceeding.

The question then becomes, what’s best?  How do you preserve defensibly whilst doing so economically?  Particularly when preservation requirements begin when litigation is a potential and not an actual event.

Our mandate is to preserve broadly, but how without breaking the bank?

By using a reasoned approach, seasoned with the perspective of a potential litigator and a judge.

When collecting materials, consider what might play out and designate accordingly.  Then determine what’s the most effective means of preserving it, and what arguments you can make if you’re excluding anything.

For example, if we preserve email based on a filter, is that filter sensible in terms of what the litigation might reference?  If the filter is too restrictive, opposing counsel will object and the judge might rule in their favor.  If we collect too broadly, we risk exposing client business secrets and increasing expenses for evidence handling.

Whatever the limitations you impose on a potential pool of evidence materials, make sure your rationale is sound.  Put yourself in opposing counsel’s shoes and ask the questions they will ask.  Follow the leads they will see, and document why a direction doesn’t make sense or is overly burdensome.

In the end, it is best to over preserve than under, but there’s no reason to overwhelm a client with a massive collection effort if something smaller makes sense.  Just make sure you can back it up with fair reasoning.

Efficiency Options

The two premier options for forensic collection are the Voomtech Hardcopy 3P, and the Tableau offerings.  We use both here, in limited ways, along with dcfldd booted from a CD.

One of the things that new people in the field sometimes miss is effective use of technology for client efficiency.  The emphasis here is on parallel collections, but this actually works for any volume, from one on up.

As a new forensicator, the impulse can be to obtain the best “device” for collection, based on LE input or marketing or whatever.  Many of us rush to buy the best device, when in fact no device is necessary and in many cases one is detrimental.

Our first loyalty is to the preservation, and our second is to the client, which means our imaging must be flawless and our billing must be minimal.  We are not here to maximize our billable hours; that is morally repugnant.  We should always strive for greater efficiency, and the way to do that is through the use of boot images for collection.

Assuming modern computer hardware (SATA 2 and USB 2 or newer), the difference between using a dedicated device and using a boot image can be startling.  While a single older PC can quickly show an advantage for a dedicated device, truly modern hardware (SATA 3, USB 3) matches or beats it on speed at no equipment cost.

Dedicated devices cost money, around $2000 apiece.  A boot image is free, other than the time to create it.  Both collection processes require opening a PC and messing with wires.  Both take about the same time on similar hardware, with the dedicated devices being faster on older hardware.

But if you need to do two or more, the cost effectiveness of a boot disk clearly shines.  Duplicate the boot disk however many times necessary for a parallel effort (one tech can manage 10 running instances, typically) and do multiple PCs at the same time.

The cost for using a dedicated device is $2000 x # of collections.

The cost for using a boot disk is $0 x # of collections.

The time for dedicated devices (assuming you can afford that many) is the connect time per machine, repeated once per device, with the imaging itself overlapping: by the time you get to the end of your setup loop, the first device is finished, and by the time you have put them all back together, the last one is finished and you close up.  Wall time is roughly the number of machines times the connect time plus a single imaging run, not a full imaging run per machine.

The time is the same for the boot disk, only there’s no upfront cost for equipment. And they don’t break.  And they stay current with technology and don’t cycle out as technology advances.

(Slower machines favor the devices, but this is offset once the number of collected machines grows past the efficiency gap.  Meaning, USB 2 is slow, but 20 USB 2 boot-disk collections running at once finish before 20 collections queued through two dedicated devices.  There’s lots of wiggle room at low volume; do the math yourselves.)

And you can do a BUNCH of collections in a single sweep.  As mentioned previously (thanks Vestige!) the boot disk is the ONLY WAY to do an entire building in one night.

So if you’re considering buying yet another device, please reconsider.  Devices are nice for collection personnel that don’t know what they’re doing inside a boot image and require strict training (like criminal evidence collection by LE), but for forensic ePreservation, you can’t beat a boot disk.

We like Ubuntu + dcfldd.  It keeps overhead down and increases billing efficiency.  Build the live image so it never touches the evidence disk (no automounting, no swap on the target) and run dcfldd with hashing turned on so every image is written with a verifiable hash.  DO IT.
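What the boot disk actually has to get right, as an added example that is not Digital Trust's or dcfldd's code: dcfldd's hash= and hashlog= options do the in-flight hashing for you, but this small Python imager spells out the guarantees a collection log must carry, namely a sequential read with the hash computed as the bytes stream, an image flushed to disk, an independent re-read of the image compared against that hash, and a log line for every source.  The device name /dev/sda mentioned in the docstring, the file names and the random source data are assumptions constructed for the example; on a real live boot the source would be the target machine's disk device.

```python
"""Block-level imaging with in-flight hashing and post-write verification.

Added example; this is not Digital Trust's or dcfldd's code. It shows what a
boot-disk collection has to guarantee: the source is read sequentially and
hashed as it streams, the image is flushed to disk, then the image is read
back and its hash compared before the machine is closed up, and the whole
thing is appended to a log the technician can hand over. On a live boot disk
the source would be a device node such as /dev/sda (assumed name); here a
constructed file stands in for the device so the example runs anywhere.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4 * 1024 * 1024  # 4 MiB reads, the equivalent of bs=4M


def image(source, dest, block=BLOCK):
    """Copy source to dest block by block, hashing the bytes as they pass.

    An unreadable block is replaced with zeros of the same length and its
    offset recorded (the conv=noerror,sync behaviour), so one bad sector does
    not abort the collection or silently shift every later byte.
    """
    h = hashlib.sha256()
    total, errors, offset = 0, [], 0
    with open(source, "rb", buffering=0) as src, open(dest, "wb") as out:
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                errors.append(offset)
                chunk = b"\0" * block
                src.seek(offset + block)
            if not chunk:
                break
            h.update(chunk)
            out.write(chunk)
            total += len(chunk)
            offset += len(chunk)
        out.flush()
        os.fsync(out.fileno())  # the image is on disk before we trust the hash
    return {"bytes": total, "sha256": h.hexdigest(), "read_errors": errors}


def hash_file(path, block=BLOCK):
    """Independent re-read of a file; used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(source, dest, log_path):
    """Image, verify and log one source. Returns the log record."""
    stamp = "%Y-%m-%dT%H:%M:%SZ"
    started = time.strftime(stamp, time.gmtime())
    result = image(source, dest)
    image_hash = hash_file(dest)
    record = {
        "started": started,
        "finished": time.strftime(stamp, time.gmtime()),
        "source": str(source),
        "image": str(dest),
        "bytes": result["bytes"],
        "source_sha256": result["sha256"],
        "image_sha256": image_hash,
        "read_errors": result["read_errors"],
        # Verified only if the re-read hash matches and nothing was truncated.
        "verified": image_hash == result["sha256"]
                    and os.path.getsize(dest) == result["bytes"],
    }
    with open(log_path, "a") as log:  # one JSON line per collection
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def run_demo(size=10 * 1024 * 1024 + 123):
    """Image a constructed 'device' of 10 MiB + 123 random bytes.

    The odd size forces a short final block. Returns (record, independent hash
    of the source) so the caller can confirm the in-flight hash is right.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "fake-sda")
        with open(source, "wb") as f:
            f.write(os.urandom(size))
        record = collect(source, os.path.join(tmp, "fake-sda.dd"),
                         os.path.join(tmp, "collection.log"))
        independent = hash_file(source)
    return record, independent


if __name__ == "__main__":
    record, independent = run_demo()
    print(json.dumps(record, indent=2, sort_keys=True))
    print("in-flight hash matches independent read:", record["source_sha256"] == independent)
```

Ten boot disks running this in parallel are ten independent logs with ten independent hashes, which is exactly what makes the overnight building sweep defensible; a collection whose hash was never re-checked against the written image is the one gap opposing counsel will find.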