Hostile Forensics | Offensive Countermeasures

Is White Hat "Hacking" Illegal?

Mark Lachniet publishes an excellent paper titled “Hostile Forensics.”  He argues that sometimes digital forensics investigators have reason to take actions that are legally and ethically provocative.  He calls these actions “hostile forensics.”

Mark frames the topic: “Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or ‘hacking’ techniques in order to obtain forensic evidence, a process here referred to as ‘Hostile Forensics.’”

Mark distinguishes “hostile forensics” from traditional forensics. Here is an example of traditional forensics: An investigator analyzes data on a hard drive, with formal authorization from the owner of the drive. The investigator has consent from the person who put the data on the drive. The drive is in the physical possession of the investigator.

Here is an example of “hostile forensics,” as I interpret the idea:  A publicly-accountable investigator, with justification, remotely interacts with a marveloustly complex cloud of computers,  while having something less than formal authority from each owner of each computer.  One or more of the computers is in part controlled (or influenced) by a suspicious-acting adversary of the investigator.  The investigator’s purpose is to gather evidence that incriminates the adversary.

Mark offers numerous intelligent steps to help cause a “hostile forensics” investigation to fall on the side of good and not evil.  He suggests, for instance, that the investigation be subject to detailed recordkeeping and tight supervision over individual investigators.

Hacking Back?

An idea related to “hostile forensics” is a style of computer secuurity that my fellow SANS Instructor John Strand calls “offensive countermeaures.” Sometimes John uses the term “hacking back.”

The range of actions that might qualify as "hostile forensics" or "offensive countermeasures" is huge, limited only by imagination.  It includes much more than just the examples that Mark and John  articulate.  

Illegal?

Do “hostile forensics” or “offensive countermeasures” constitute computer crime?  This is an exotic jungle of law, thick with nuance.  Much of the law is open for interpretation.  Simplistic interpretations of the law here are of little help.

In this field there's a lot of dubious folklore (e.g., "action X is always legal; action Y is always illegal").

In truth, the legality of any given action can be highly dependent on the facts of the particular case.  Change the facts slightly from one case to the next, and the conclusion whether an action is legal can change.

Two Observations

I have two big picture observations.  Neither of these observations is criticism of Mark or John, and neither of them passes judgment on any particular action.

1.  Words Matter. When law and ethics are nuanced, the words we choose carry immense weight.  The descriptions of an action can influence the understanding and treatment of the action.  Subtlies are important.

(a) Choose Adjectives Carefully

I am reluctant to use the adjectives “hostile” or “offensive” to describe what Mark and John have in mind.  Those adjectives carry emotional charges; those adjectives can be interpreted as negative.  But Mark and John are talking about actions that are positive and not negative . . . good and not evil . . . legal and not illegal.  

Therefore, under a given set of facts, an adjective like “justified,” “responsible” or “proportionate” might better describe an action.

(b) Choose Verbs Carefully

Well-meaning IT folks can be quick to use words like "penetrate" or "hack" or "strike-back" without carefully examining the definition of those words and without considering alternative words.  Instead of the verbs "to penetrate" or "to hack," the more accurate verbs to describe an action may be "to confuse," "to tease," "to elicit" or "to regale."  Example:  "We regaled the adversary bots with a multitude of honeypots."

Alternatively, a more accurate description might be metaphorical.  A security or investigative action might best be described as, say, “to depict a clever digital costume.”  The reasons for this description might be that:

• the action induces a suspicious person to believe something he did not expect and persuades him to reform his behavior or reveal evidence about himself; and/or 
• the action induces a malicious community of software, like a botnet, to perceive a new situation and persuades the community to reform its behavior or reveal evidence about itself.

2. Court Support.  Mark mentions the idea of getting court approval, such as a search warrant, for “hostile” action by law enforcement. Good idea. Typically such approval would come after a government agent, such as prosecutor, requests the approval.  

An alternative type of court approval might come from a civil lawsuit brought by a private party such as a corporation.  Microsoft is a pioneer in bringing civil lawsuits against cyber adversaries, such as bot herders and spammers.  Microsoft has gotten court approval for assertive actions against adversaries.   A civil lawsuit might be brought in either state court or federal court.

What do you think?

–By Benjamin Wright

Wright teaches the law of data security and investigations at the SANS Institute.

3D Printing Forensics

Metadata in Micro-manufactured Products

3D printing creates physical objects as though they were units of digital data. It takes instructions from software to render physical objects by successively adding small points or layers of substance, one after the next.

3D printing will be a bonanza for digital forensics investigators, just as other digital technologies have been.

Digital artifacts -- like spreadsheet documents or digital photographs -- often contain metadata, such as timestamps and information about the source of the artifact (e.g., what software was used to create the artifact).  Metadata is often hidden from view.  Users are often surprised the metadata exists.  

Metadata can be a treasure trove to a forensic investigator who inspects an artifact like a photograph.  The investigator might, for instance, determine the time the photo was created, the type of camera that was used, its GPS location, the photo manipulation techniques employed and so on.

Metadata Surprises in History

History tells many stories of forensic investigators surprising the subjects of investigation with metadata. The more sensational stories involve technology that was new at the time, when the existence of metadata in the technology was little known.

* In the mid-1980s Col. Oliver North was surprised to learn that after he deleted e-mails, his deleted records were recoverable.  In addition, the e-mail system he was using kept metadata indicating that he tried to delete relevant records while an investigation was pending.  

* When product developers at one employer switched to a competitor, they took a Microsoft Word document with them. While working for the competitor, they claimed they invented new product ideas from scratch. But metadata in the Word document betrayed them.  They recorded their “new” ideas in the very Word document they took from the first employer.  The metadata in that document contained a code showing the document had been printed on a printer owned by the first employer. That code was the smoking gun; it showed that the plans were not created from scratch after the developers left the first employer. John H. Jessen, “Special Issues Involving Electronic Discovery,” 9 Kansas Journal of Law and Policy 425, 441 (2000).

* More recently, some Twitter users are surprised that sometimes Twitter associates GPS metadata with each tweet to show where the user was when the tweet was sent.  The GPS data might be taken from the user’s smartphone. A forensic investigator could use that GPS metadata to show, for example, that a spouse was at the home of a paramour.  

Metadata in 3D Printed Objects

It is into this historical context that 3D printing emerges.  3D printing technologies are diverse.  But in principle a 3D printer can incorporate words, codes and numbers into the objects they create.  

This web site demonstrates the incorporation of a unique serial number into each 3D printed object: http://www.gomboc.eu/site.php?inc=0&menuId=20   In that example, the serial number is visible to the eye.  But serial numbers and other metadata could be hidden from view inside the object, or could be microscopic.

It is natural that the makers of 3D printer technology would embed serial numbers, time stamps, GPS markers and many other codes into objects.  The codes can help with billing, shipping, quality control, inventory management and other operations.

3D printing is growing in popularity, and its growth will continue.  3D technology will make it easier and less expensive for anyone to design and print a custom object.  

Metadata as Legal Evidence

Eventually, 3D printed objects will be evidence in official investigations, just as spreadsheets and digital photographs are today.  When that happens, I anticipate that forensic investigators will be able to harvest metadata from those objects.

For example, suppose a California tax auditor wants to know whether an aircraft part was either designed or manufactured in the state of California.  Clues to answer those questions might be embedded as metadata in the aircraft part itself.

What do you think, dear reader?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Article:   3D Printing and Copyright Compliance

Financial Auditor Gathers Cyber Evidence

Authenticated Record of What You See When You See It

How should an auditor record his observations as he inspects evidence online?

A multinational auditor in Hong Kong, BDO Limited, needed to inspect the online bank account of a publicly-held Chinese company China-Biotics Inc. (which is traded in the US).  The auditor needed to confirm how much cash the company possessed.  But when the auditor used a web browser to access the online bank account identified by the company, the auditor became suspicious that the bank web page was fake!  Michael Rapoport, “Auditors Sharpen Queries In China,” Wall Street Journal, June 29, 2011.

The auditor resigned on grounds that:  “In connection with BDO’s review of the Company’s bank account through the Company’s e-banking system using the Company’s computer, BDO was directed by the Company to access a suspected fake website for the bank.”  

Audit Evidence is Now Online

The evidence an auditor must examine is, increasingly, online.*  The evidence, such as a web page, could show one thing now and something different an hour later.  Auditors need more credible methods for capturing and authenticating what they see.  Sure, they can make screenshots, but screenshots are cumbersome and don't capture the full interaction of the web.

The following video demonstrates an alternative.  It shows how an auditor can capture a real-time screencast of his observations as he inspects web pages, mobile apps or e-banking accounts.  It allows the auditor to bind his observations with simultaneous, eyewitness testimony as to the steps he was taking and his interpretation of what he was witnessing.

 

Notice the auditor legally signs the final video record (like an affidavit) so that it is authenticated for future use, even if the auditor himself is not available later to vouch for the record.  See details.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Sometimes online evidence is considered OSINT (open source intelligence).

Investigator Ethics | Forensics Professional Integrity

In the training I deliver at SANS on the law of investigations, I recommend that an investigator assume the role of what I call the “transparent self-regulator.”  The transparent self-regulator is the consummate professional.  He opens his work to outside scrutiny, and he corrects his errors as soon as he finds them.

When the transparent self-regulator sees he has made a mistake, he does not hold back to see if he gets caught.

The transparent self-regulator assumes material form in the latest column by attorney/forensic expert Craig Ball, titled "I erred." "I was mistaken." "I got that wrong."

On his column, Mr. Ball forthrightly admits that he made a mistake in a report he prepared for a certain pending lawsuit.  Although out of respect for client confidentiality he does not reveal the particular lawsuit or mistake, he says that in preparing his report, he made a false assumption. He now knows it is false. He has resolved to go on record correcting the error, and he plans to acknowledge his error in forthcoming testimony.

Ball quotes John F. Kennedy as saying, "An error does not become a mistake until you refuse to correct it."

I admire Mr. Ball.

–Benjamin Wright, Senior Instructor at the SANS Institute on the law of data security and cyberforensics investigations

Information Security Legal Certification | GLEG

GIAC | Global Information Assurance Certification

The SANS Institute's law & investigations course series LEGAL-523 is associated with a GIAC cert, called GIAC Legal (GLEG).     

Over 600 proud professionals hold or have held this unique certification as of September 2014.

Numerous LinkedIn members, like information assurance professional Joel Baese, list GLEG certification on their profiles.

 Credentials for Investigators

Increasingly, as more evidence of human activity is captured digitally, infosec professionals are expected to conduct investigations.  "Investigator" is becoming a key part of their job description.  The LEGAL-523 course series (supported by the GLEG) teaches these professionals the skill set to execute competent, defensible investigations.   

You don’t know how important something is until you are about to lose it.  Late 2009 GIAC decided to discontinue the GLEG for economic reasons.  But that caused an uproar when I taught the LEGAL 523 course in December.  Fortunately GIAC reconsidered and changed its mind.  When we delivered LEGAL 523 in March 2010, a record-setting number of students (~15) signed up to take the GLEG, which was a pleasant surprise to GIAC!

The law of information security and cyberforensic investigations is challenging . . . and developing rapidly.  Many employers want their professionals to possess training on the topic, and the GLEG confirms that training.  It shows that a student did more than register for a class; it shows the student studied and mastered the material.   Also, some LEG523 students say they want the certification because it enhances their credibility as expert (forensic or otherwise) witnesses in a courtroom or in an investigation. 

GIAC as World Leader

I’d be happy to hear comments and answer questions about the GLEG certification or GIAC in general.  GIAC offers certification in many fields of IT security, e.g., Windows security GCWN.

News:  SANS Masters Degrees in cybersecurity are now accredited.

By: Benjamin Wright, Senior SANS Instructor who developed and teaches LEGAL 523: The Law of Data Security and Investigations.  See comments about the SANS Legal 523 course.

Postscript:  A topic of growing impact in the Legal 523 course is ethics for IT security and forensics professionals.

Update 2014 on SANS Institute's Legal 523 course.