Uses for Computer Forensic Tools
After an attack on your system, you are going to want to figure out how it was done so you can prevent it from happening again. If the attackers managed to get past your existing electronic defenses, then obviously there is a hole in your armor somewhere. It may not immediately be obvious where this hole is, especially if they were careful about covering up their tracks. Forensic tools can help you retrace their digital footsteps and find the holes so you can patch them up.
Cleaning Up and Rebuilding
If the attackers did damage, you need to figure out exactly what they did so you know how extensive the damage is and can rebuild appropriately. You don't want to miss any hacked servers or backdoor accounts they may have left behind. Using forensic tools can help you figure out where the bodies are buried, so to speak. If the attacker deleted files, you may be able to recover some of them using forensic tools.
If the damage done by an attacker is severe enough, you may want to consider pressing criminal charges. Simple Web defacings or intrusions usually aren't worth pursuing due to the high costs involved. However, if your infrastructure or corporate reputation was significantly damaged, then you may want to file criminal charges against your attacker. Your insurance company may require that you file a police report in order to make a claim. Forensic tools will help you identify your attackers so you can report them and provide the evidence to prosecute them.
There are a few things you should consider before proceeding down this path. For small damages, you can file a report with your local police department. Be aware that they often do not have the resources to properly pursue computer crime at the local level and you may end up doing most of the investigative work. You can use the tools in this chapter to help with the effort. Just be careful that you don't contaminate the evidence so that it is not useful in a court of law (see the sidebar on computer forensics).
If the damages are large enough or involve a federal crime (such as interstate or international commerce), you can take your case to the FBI. You can find contact information for your local FBI field office in your telephone book or on the Web at www.fbi.gov. If the case involves the violation of federal law or material dollar damages of over $25,000, they will probably take your case. Otherwise, they might refer you to local law authorities. If you can show some involvement with terrorism, interstate fraud (such as stealing credit card numbers or identity theft), or some other element that is high on their radar screen, you might get them involved for lesser amounts. Garden-variety hacking attacks will probably not be investigated heavily; there are too many incidents reported daily for the FBI to give any real attention to anything that isn't a significant case.
If you do succeed in having criminal charges filed against your attacker, proper forensic analysis becomes all the more important. There is a heavy burden of proof in computer criminal cases. Tying a certain act that was performed by a user ID to a specific person is quite difficult in a court of law. Usually prosecutors have to prove that the person was actually at his or her keyboard using that account while the attack was taking place. Otherwise, there are many defenses available to the accused, such as "Someone else used my password," "I was hacked," and so on. There is also close attention paid to the chain of custody of any evidence collected. This refers to who has had access to the data and could have changed or altered it along the way. In a case like this, defer to the authorities, who may want to use their own data collection techniques. You may also want to use a third party who does this professionally to assist in your interaction with law enforcement.
If you find that pursuing criminal charges is unwarranted, you may still want to file a civil lawsuit to punish your hacker. Sometimes this is the only way you can get someone to stop his or her attacks. If the assailant is coming from another company, either sanctioned, in the case of corporate espionage, or unsanctioned, in the case of a wayward employee, you may have cause to file a lawsuit and collect significant damages. Although the burden of proof is less in the civil courts, you still have to be able to substantiate your case. The tools in this chapter will help you to do so. However, if the case is big enough and the stake large enough, you should still probably hire a computer forensic expert rather than try to do it yourself.
If you suspect your intrusion may be from an internal source, it is imperative that you track it down, because an insider is a huge source of business liability. An internal hacker can do far more damage than an outsider because they often know the personnel, systems, and information that could cause the most damage to a company if revealed or compromised. By using these forensic tools, you can track them down. If disciplinary action is warranted, you will have the evidence to back it up. In this litigious age, you don't want to get sued by a former employee for wrongful termination.
If you decide not to pursue criminal or civil action or if the person assaulting your network is still doing it, you will want to file a complaint with his ISP and try to at least get him shut down. Often, this is the only real recourse that doesn't cost a lot of money for companies hit by a hacker attack. Using the forensic tools in this chapter, you can follow the perpetrator's trails, at least as far as his or her ISP. Once you have tracked the attacker this far, you can make a formal complaint with the ISP, asking them to take further action. Most ISPs have acceptable use policies for their users, which of course don't include hacking. If you can show them sufficient evidence, they will usually take action, ranging from a warning to terminating that user's account. Because of privacy concerns, they will not usually disclose any personal information about the user unless required to by a subpoena, but some ISPs are more helpful than others in this area. Most of the major providers have a special abuse e-mail address that you can send your messages to.
You should make sure you have gathered sufficient information so they can find your assailant. This would include IP addresses tied to specific times. Most ISPs give out dynamic IP addresses, which change every time someone logs on. Without time information to match against their logs, they probably won't be able to help you. If possible, give them multiple access times so they can correlate the user from several data points, as their log files might be out of sync with yours and the times won't exactly match. Also include any other data you might have, such as logs of commands used, places they copied files to, and so on. The ISP may be a victim too and will want this data to investigate further.
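The evidence package described above, as an added example that is not part of the book's text: it pulls every event for a source IP out of constructed sshd log lines, converts the zone-less syslog timestamps to UTC (the log year and local offset are assumed values), lists them with a clock-skew tolerance so the ISP can search its own logs, and records a SHA-256 hash of the report for the chain-of-custody record.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines; not from any real system.
SAMPLE_LOG = """\
Mar 14 02:17:45 web01 sshd[4112]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:17:49 web01 sshd[4112]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:18:03 web01 sshd[4117]: Accepted password for admin from 203.0.113.45 port 51240 ssh2
Mar 14 03:02:11 web01 sshd[4390]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""
LOG_YEAR = 2004                              # assumed: syslog lines carry no year
LOCAL_TZ = timezone(timedelta(hours=-6))     # assumed: the logging host ran at UTC-6

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_events(log_text, year, local_tz):
    """Return {source_ip: [(utc_datetime, event, user), ...]} for every parsable line."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Attach the year and zone the syslog format omits, then normalise to UTC so the
        # ISP does not have to guess which zone our times are in.
        stamp = f"{m['mon']} {m['day'].strip()} {year} {m['time']}"
        local = datetime.strptime(stamp, "%b %d %Y %H:%M:%S").replace(tzinfo=local_tz)
        events[m["ip"]].append((local.astimezone(timezone.utc), m["event"], m["user"]))
    return dict(events)

def abuse_report(events, ip, skew=timedelta(minutes=5)):
    """Evidence lines for one source IP: each event in UTC plus the tolerance the ISP
    should apply when matching against its own (possibly unsynchronised) logs."""
    lines = [f"Source IP: {ip}",
             f"Events (UTC, clock tolerance +/- {int(skew.total_seconds() // 60)} min):"]
    for when, event, user in sorted(events.get(ip, [])):
        lines.append(f"  {when.strftime('%Y-%m-%d %H:%M:%S %Z')}  {event} for {user}")
    return "\n".join(lines)

def evidence_hash(text):
    """SHA-256 of the report exactly as sent; record it so later copies can be shown unchanged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    report = abuse_report(parse_events(SAMPLE_LOG, LOG_YEAR, LOCAL_TZ), "203.0.113.45")
    print(report, "\nSHA-256:", evidence_hash(report))
```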