Hostile Forensics

Hello everybody to my first Blog post both here at SANS. I've released a whitepaper that may be of interest to people in the forensic community, and wanted to both share it with you and get feedback and criticism on it. Seeing a few great presentations today here at DefCon, namely by Christopher Cleary, Michael "theprez98" Schearer, and Wesley McGrew motivated me to get off my duff and finish this thing.

- Mark Lachniet

Overview

Due to recent developments in counter-forensic technologies such as strong encryption, it may
soon be necessary for forensic analysts to use system penetration or "hacking" techniques in order to
obtain forensic evidence, a process here referred to as "Hostile Forensics". This issue is not one that
has been adequately discussed in the forensic community at large, and as such there has been very little
planning or public collaboration to discuss issues and define standards, tactics, strategies and best
practices. It is a particular problem for U.S. law enforcement, that currently has few (if any) legal ways
to pro-actively obtain permission to use penetrations in a law enforcement operation. This document
represents the results of a thought experiment by the author about how one might structure a Hostile
Forensics operation with the greatest degree of assurance possible, and to perform an investigation into
the issues and approaches of penetration-based forensics.

Whether or not Hostile Forensics would be legal, or indeed even a good idea, remains to be
seen, and will vary from place to place and legal context. Certainly, in some very specific
circumstances, such as a covert investigation of an organization's own property where consent has been
obtained, there is already a case to be made for the legality of these techniques. It is hoped that by
detailing a methodology that includes strong internal controls, analysts will be able to provide at least
some assurance that the evidence obtained is trustworthy. Similarly, with adequate internal controls,
the opportunity for an unethical analyst to plant evidence or otherwise "frame" an innocent person
should be greatly reduced. In this way, it is hoped that forensic investigators will be able to perform
their function for society while still respecting the rights of the individual - a challenge that is sure to
become more and more difficult as technologies such as encryption become more wide-spread.

This document has two parts. The first part is an overview of the issues surrounding digital
forensics in the modern age, as perceived by a technical practitioner but legal layman. The second part
of the paper is an attempt to outline a general methodology and set of controls and techniques that
might be used to perform a Hostile Forensics operation. A non-technical reader may be more interested
in the first part, whereas a strictly technical reader may be more interested in the latter.

Current Version (1.0):

http://lachniet.com/forensics/2011-08-05_Hostile Forensics_v1.0.pdf

Example internal controls spreadsheet:

http://lachniet.com/forensics/2011-06-15_Sycophant_Inc_HF_Controls.ods(Open Document Format)

http://lachniet.com/forensics/2011-06-15_Sycophant_Inc_HF_Controls.xls (Excel Format)

About the author

Mark Lachniet is a security engineer for CDW (http://www.cdw.com), a member of the Foofus.net team, and a frequent presenter at security conferences and seminars. Mark has performed hundreds of security projects including penetration tests, forensic investigations, and practices and procedures audits over more than a decade. Mark is a licensed private investigator in the State of Michigan, and holds a number of industry certifications including a SANS GIAC Certified Forensic Analyst (GCFA) Gold, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) among others.