This section is not meant to be a response guide for computer intrusions by hackers; rather,
it is meant to provide some guidance for internal situations. The most common
mistake made by organizations is to attempt to process a computer themselves.
While Information Resources personnel may be able to recover deleted files, in
almost all instances, they will not have the training and tools necessary to
properly examine a computer.
The mere process of allowing a subject computer to boot can irrevocably destroy evidence.
In many employment litigation cases, it is important to know what files the
individual accessed in their last days. Failure to follow forensic evidence
processing guidelines results in these dates being overwritten.
The best time to have a computer forensic examination conducted is when the employee
first comes under suspicion. The examination can often be done surreptitiously,
thereby not alerting the employee.
Assuming that the organization already has the appropriate policies in place, keylogging
or screen capture software can be surreptitiously placed on the suspect's
computer. Keylogging software captures all of the keystrokes that are made.
Screen capture software takes a "snapshot" of what is on the computer
monitor at a preset interval. The information from either type of program can be
stored on the local hard drive, stored on a network drive, or transferred
virtually anywhere via the Internet. Software is also readily available that
allows the suspect's computer screen to be monitored remotely in real time. (An
organization would be well advised to consult with a knowledgeable attorney
before undertaking these options.)
If the employee has just resigned, the best policy is to have a trusted employee secure
the computer(s) used by that individual. Do not allow anyone to access the
computer(s) in any manner. A qualified computer forensic examiner should be
sought out and the hard drive(s) turned over to them for processing. Likewise
for any removable media that might contain evidence. Any server log files that
could possibly contain information about the employee's actions should be
immediately copied and preserved. Any files that might be stored on a network
drive and any email that might be stored on a server should be immediately
copied and preserved. Any backup tapes that could contain evidence should also
be preserved. In the event that an employee is to be fired, these procedures
should be undertaken while the employee is in the office being fired. The
employee should not be afforded any further access to computers or storage media
(i.e.: diskettes, CD-ROMs, etc.). (Note: there are a very limited number of
qualified computer forensic examiners in the private sector. Rehman
Technology Services, Inc. is one such qualified firm.)
While it is likely that an employee who submits their resignation has already made copies of
whatever data and information they plan to take with them, giving them further
access to anything sensitive is very dangerous. Immediately upon submitting
their notice, the employee should lose all email, Internet, and network access.
If their workstation contains anything sensitive, they should lose access to
that also. Disgruntled employees have been known to send out company-wide emails
and/or delete massive amounts of data on their last day.
Anytime an employee leaves the organization, for any reason, all computer accounts that the
individual had access to should be immediately closed or have new passwords
installed.
Checklist for user leaving under good circumstances:
- Close all email and user accounts that were unique to the user
- Change all passwords on shared systems that the user knew
- Ensure that all copies of sensitive information are retrieved from the user
- Change the password on any voicemail systems the user had access to and change the message
appropriately
Checklist for user leaving under other circumstances:
- Close all email and user accounts that were unique to the user
- Change all passwords on shared systems that the user knew
- Ensure that all copies of sensitive information are retrieved from the user
- Change the password on any voicemail systems the user had access to and change the message
appropriately
- Upon notification (firing or resignation), do not allow the user any further access to any computers,
disks, files, etc.
- Secure all computers that the user was assigned (workstation, laptop, palmtop, etc.). All of the
user's removable media should likewise be secured. They should be locked up
in a manner such that an absolute minimum of people have access to them,
preferably just the individual seizing them. A trusted employee that can
survive a "he framed me" attack should do this. A better
alternative is to bring in a qualified forensic examiner to seize all of the
possible evidence.
- Secure all server logs that might contain evidence. This includes: file accesses; application
accesses; print jobs; email; and Internet access. This should be done by
burning them onto CD, by the same person who secured the computers and removable media.
- Secure all of the user's files on any network drives. This should be done by burning them onto CD, by
the same person who secured the computers and removable media.
- Secure any email that might be stored on the network. This should be done by burning them onto CD,
by the same person who secured the computers and removable media.
- All backup tapes that could possibly contain any evidence should be secured with the computer(s)
and removable media. This should be done by the same person who secured the computers and removable media.
- Obtain and secure all of the user's available telephone records (long distance, cellular, etc.).
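As an added example, not taken from this page or from the firm it names, the preservation steps in the checklist above (copying logs, network files and mail into a secured location, handled by one trusted person) can be made auditable with a script that hashes each item, records who collected it and when, and lets anyone later re-check that the copies are unchanged. It assumes copying into a directory in place of burning to CD; the file names and collector name used when running it are constructed.

```python
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_evidence(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir, hash original and copy, abort
    on any mismatch, and write a manifest of who collected what and when.
    Existing evidence is never overwritten. Returns the manifest dict."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in sources:
        dest = os.path.join(evidence_dir, os.path.basename(src))
        if os.path.exists(dest):
            raise FileExistsError(f"refusing to overwrite evidence: {dest}")
        original_hash = sha256_file(src)
        shutil.copy2(src, dest)  # copy2 preserves the source's timestamps
        if sha256_file(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        items.append({
            "source": os.path.abspath(src),
            "copy": dest,
            "sha256": original_hash,
            "size_bytes": os.path.getsize(src),
            "collected_by": collector,  # the one trusted person from the checklist
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"collector": collector, "items": items}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every preserved copy against the manifest. Returns the paths
    whose contents changed or went missing; an empty list means intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["items"]
            if not os.path.exists(e["copy"]) or sha256_file(e["copy"]) != e["sha256"]]
```

The manifest (hashes, sizes, collector, UTC timestamps) is the custody record that can be handed to the forensic examiner along with the media.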
Below are some of the frequently asked questions about computer forensics.
We have computer personnel in our company, why shouldn't we
let them conduct the examination?
Although they may have a considerable amount of knowledge and experience with
computers, perhaps even data recovery, it is highly unlikely that they have the
requisite knowledge of the forensic protocols that must be observed to find all
of the evidence, protect the data, and ensure the admissibility of evidence in
civil or criminal trials. A forensic examiner takes steps to safeguard the
computer data; these steps require specialized training, hardware, and software.
They have the training, experience, and tools to conduct a thorough examination
of computer data and are able to interpret what they find. In addition to the
lack of skills, hardware, and software, using a company employee can open you up
to allegations of fabricating evidence and other impropriety.
Can your employee qualify in court as an expert in the forensic examination of a
computer? Probably not. Assuming their findings were not suppressed, they would
only be allowed to testify to facts. They would not be allowed to testify to
opinions or conclusions.
We don't plan on going to court. We're just looking for what
an employee has been utilizing a computer for. Isn't it ok to use in-house
computer personnel to do this?
If your concerns are strong enough to warrant the examination of a computer,
then it is important to do it right. If the employee is fired or disciplined as
a result of the examination, civil litigation will likely follow. A qualified
forensic examiner can provide you with the documentation and expert testimony
that are necessary to substantiate your actions.
We are working with a Private Investigative company. Why
can't they examine computers for us?
While there are many tens of thousands of Private Investigators around the
country, the examination of computers is far beyond the skills and training of
all but an extreme few. There are many specialties in Private Investigation;
just because an investigator has excellent credentials for conducting financial
investigations does not mean that they are qualified to examine computers. If
you are going to pay someone to recover computer evidence, pay a professional
examiner who can recover evidence that others wouldn't even know to look for.
Can we use a data recovery firm for doing computer forensics?
Some data recovery firms may have qualified forensic examiners; most probably do
not. While some of the same skills and software are used in both computer
forensics and data recovery, computer forensics requires extensive additional
knowledge and experience. Remember, a forensic examiner is not only finding the
data, but is also providing expert analysis of what they find. This expert
opinion must be capable of standing up under intensive cross-examination.
Likewise, you need to know the qualifications of the person(s) that will
actually perform the examination rather than the collective qualifications of
all of the examiners at the company. When it comes time for testimony, the
individual examiner's qualifications, not the company's, will be under scrutiny.
We already have a relationship with one of the Big 5
accounting firms that says they can do computer forensics. Why can't they
examine computers for us?
There are some excellent forensic examiners working for the Big 5 accounting
firms. There are also some unqualified individuals being passed off as
qualified. As with a data recovery firm, the qualifications of every individual
that will be involved in your case must be known in advance.
What qualifications should we look for in a computer forensic
examiner?
There is an ever-increasing number of people hanging out their shingle as
computer forensic examiners. Some are among the most qualified individuals in
the country; others are opportunists, lacking expertise, who believe they can
make fast money. Some factors to consider include:
- Is the person a former law enforcement, government, or military examiner? (Note: not just a former
member of one of those organizations, but someone that actually did
examinations for the organization.) The best forensic training has
historically only been available to these groups. Examiners in this group
have been trained in proper evidence handling and documentation. They are
accustomed to operating at a proof level of beyond a reasonable doubt.
- While computer forensics requires the ability to think logically, it also requires
investigative instincts. Examiners that are former law enforcement
investigators have honed these skills. An examiner that does not have an
investigative background may think logically, but probably lacks the
investigative instincts.
- Has the person been accepted in court as an expert in computer forensics? How
many times? Federal Court? Can they provide references by attorneys as to
their testifying abilities? Has their expertise withstood appellate review?
- Are they a member of any computer forensic related organizations? These include:
Florida Association of Computer Crime; High Tech Crime Investigations
Association (Chapters nationwide); International Association of Computer
Investigative Specialists (provides forensics training only to law
enforcement; only people trained by IACIS can belong); Federal Computer
Investigations Committee; Computer Forensic Information Digest (an email
list); and Forensic Association of Computer Technologists (upper Midwest).
These organizations provide cutting edge information that is necessary for
any true forensic examiner to stay current.
- Another issue is the forensic processing software used by the examiner. Some firms,
including at least one of the larger ones, are using dated analysis methods
that result in their examinations taking significantly more time than firms
using state of the art methods. Greater examination times mean far greater
costs to the client.
What does it cost?
Forensic examiners typically charge from $250 to $350 per hour for forensic
analysis. An average examination will take approximately 20 hours, though this
can vary greatly, in either direction, for any given situation. Factors that
affect the amount of time required include: the amount of data to search (i.e.:
hard drive size, number of diskettes, etc.); encryption; data hiding; and
attempts at destroying the data.