TELINDUS COMPUTER FORENSICS SERVICES
by Telindus NV

ICT security awareness in general has unquestionably been at its highest since the events of 9/11, and security policies, technologies and products are vigorously being implemented and enforced. Still, according to CERT, attacks on IT infrastructure are approximately doubling every year. This disturbing growth has already been confirmed in the first quarter of 2004.

The reasons for this increase in attacks are numerous. The current set of software tools used by hackers and malware developers (virus, worm, Trojan horse) is more powerful than ever, and it allows them to develop and deliver new attacks faster than ever before. Furthermore, high-tech crime (computer crime) has recently become more organized, with reported cases of collaboration between virus developers and spammers leading to a new wave of complex social engineering attacks. Finally, managing the high number of vulnerabilities with limited resources leaves organizations little time to correctly implement all the patches and updates the ICT infrastructure requires.

More than ever, a pro-active strategic approach to ICT security is justified. However, no organization will ever be able to block 100% of attacks, so it remains important to detect attacks and to be able to analyze the post-mortem information available in traces and log files.

Computer Forensics
Computer forensics can be defined as the scientific study of electronic data extracted from any storage medium, with the purpose of using that data as proof and evidence in a court of justice.

Forensic analysis first involves securely storing the data, then studying all data deemed to be suspect, and finally presenting the data and conclusions to the court, applying the national and international legislation that governs reporting systems.

Critical to the acceptance of any forensic science in a court of justice, and therefore the most important element of computer forensics, are accepted and established procedures: they underpin the acceptance of evidence within the legal process.

For this reason, absolute priority is given to preserving the traces within the data exactly as found. In all cases a balance must be struck between the accuracy of the data and the time spent obtaining evidence from it, without ever sacrificing the quality or the validity of that data as a piece of evidence.

A forensic analysis can be divided into four phases, namely: identification, preservation, analysis and reporting, as described in the following figure.

Phase one consists of identifying the incident. At times, this identification can be effortless while at other times it can prove considerably more complex, such as finding the cause and effect relationship between a server that has stopped functioning and a malicious employee, without the benefit of the logs of the affected server.

After identifying the incident, the investigator must then face the most critical phase of the process – that is to say, the phase of preserving the evidence. Evidence preservation must extend throughout the remaining phases and can be seen as the "modus operandi" of any forensic investigation. This phase is so critical that if it is not carried out rigorously, all effort spent on the analysis would be of no value and the data would be deemed worthless in a court of justice.

Below is a partial list of the elements required for the collection and initial preservation of a piece of evidence:

  • Assigning a single identifier to the evidence.

  • Date and time the evidence was collected.

  • Geographical location where the evidence was collected.

  • Surname and forenames of the person responsible for collection (MERA - Main Evidence Recovery Agent).

  • Initial characteristics of evidence preservation.

The analysis phase requires advanced technical expertise and specialized tools. Each action must be recorded in a logbook, which should contain, for example, the piece of evidence analyzed, the date, the time in 24-hour clock format, the geographical location, the name of the person performing the analysis, the reason for the analysis, etc.

When analyzing the evidence, the reason for examining each piece must be known and recorded, since in forensic analysis every action carried out has to be justified. This is a long and arduous process, but it is necessary for achieving quality results.

Lastly, the reporting phase involves not only analyzing the information needed to understand and describe the incident, but also, in many cases, drawing up a list of recommendations.

In many cases the recipients of the deliverables from this phase are members of the management group whose technical knowledge is usually rudimentary and whose main requirement is to have clear descriptions and indications about what happened, the consequences, and what needs to be done to prevent a reoccurrence.

Forensic Analysis – a Professional Service
When a company suffers a serious ICT incident, it can choose to handle the incident itself using internal staff or to hire the services of an external company specialized in ICT security. However, only a few very large companies have the specialized staff and tools needed to carry out a true ICT forensic analysis and take it through to the courts of justice. The best alternative is to hire professional ICT security experts who specialize in forensic analysis and are fully capable of carrying out this type of investigation successfully.

Over the past five years, Telindus has developed forensics services to help its customers in Europe and Asia to analyze security incidents, providing professional security analysts using state-of-the-art specialized tools.

To optimize the provision of forensic analysis services, Telindus created, over two years ago, a dedicated unit specialized in forensic analysis: the Telindus Computer Forensics Centre. To ensure that the Centre’s services reach the required professional standards, it has developed the methodologies, systems, personnel and secure physical environment required to provide a quality service.