SecurityArena

Guide to Practical Info Security!

CBK Law, Investigations & Ethics
Written by Administrator   
Saturday, 13 June 2009 14:40

Computer Crime Investigations

Computer Security Incident Response Team (CSIRT)

The team should include members from senior management, the network administrator, the security officer, a network engineer or software programmer, a member of the legal department, and a contact for public affairs. The team should have the following items:

  • List of outside agencies and resources to contact or report to.
  • List of computer forensics experts to contact.
  • Steps on how to secure and preserve evidence.
  • Steps on how to search for evidence.
  • List of items that should be included on the report.
  • A list that indicates how the different systems should be treated in this type of situation.

Sequence of Incident Reporting

An organization's networked systems security policy should include an information dissemination policy identifying, among others, whom to notify in the event of an intrusion and in what order.

  • The first contact should be with the responsible manager and other managers who need to be made aware.
  • The next in order of importance should be the internal public relations point of contact.
  • Next, the Local Computer Security Incident Response Team (CSIRT), if one exists, should be contacted.

Sequence of Actions by CSIRT

  • A suspected crime is reported.
  • CSIRT investigates the report to determine whether an actual crime has been committed.
  • The team determines that a crime has been carried out.
  • Senior management is informed immediately.
  • If the suspect is an employee, a human resources representative is called.
  • Document all events: the starting time of the crime, along with the company employees and resources involved.
  • The company decides whether it will conduct its own forensics investigation or call in external experts.
  • If external experts are called in, the attacked system is left alone to preserve as much evidence of the attack as possible.
  • If the company decides to conduct its own forensics investigation, computer forensics procedures start.

Computer Forensics Investigation

  • 1st step. Remove the system from the network, dump the contents of memory, power down the system, make a sound image of the attacked system, and perform the forensic analysis on that copy. This ensures that the evidence on the original system stays unharmed in case some steps of the investigation corrupt or destroy data. The memory of the system must be dumped to a file before any other work is done on the system and before it is powered down, since its contents are lost at power-off.

Wires and cables should be labeled, and a photograph of the labeled system and surroundings should be taken before it is actually disassembled. Media should be write-protected. Storage should be dust free, kept at room temperature without much humidity, and, of course, not close to any strong magnets or magnetic fields.

  • 2nd step / Chain of custody. Investigators must follow a very strict and organized procedure when collecting and tagging evidence.
    • It dictates that all evidence be labeled with information indicating who secured and validated it.
    • The chain of custody is a history that shows how evidence was collected, analyzed, transported and preserved in order to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.
  • The life cycle of evidence. It includes the following:
    • Collection and identification
    • Storage, preservation and transportation.
    • Presentation in court
    • Being returned to victim or owner.
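The imaging step and the chain of custody above rely on one practical mechanism: hash the image once at collection, then re-hash the working copy at every handling event (transport, analysis, storage) and record who handled it and when. The following is an added example, not part of the original article; the evidence tag, names, timestamps and the image bytes are all constructed, and the hash verification shows how a modified copy is caught at the step where it was altered.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; a real one would be a raw/E01 file hashed in chunks.
SAMPLE_IMAGE = b"constructed sample image: boot sector + two files, not a real disk"

def sha256_hex(data: bytes) -> str:
    """Fingerprint an image; any single-bit change in the copy changes this value."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEvent:
    when: str               # UTC timestamp of the handling event
    who: str                # person who secured, transported or analyzed the item
    action: str             # e.g. "collected", "transported", "analyzed", "stored"
    image_hash: str         # hash of the copy in hand at the time of the event
    matches_original: bool  # False means the copy differs from what was collected

@dataclass
class EvidenceItem:
    tag: str                # evidence label, e.g. "EV-001" (constructed)
    description: str
    original_hash: str      # hash taken at collection; reference for every later check
    events: list = field(default_factory=list)

    def record(self, who: str, action: str, image: bytes, when: str = "") -> bool:
        """Append a custody event and report whether the copy still matches the original."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        h = sha256_hex(image)
        ok = h == self.original_hash
        self.events.append(CustodyEvent(when, who, action, h, ok))
        return ok

    def integrity_ok(self) -> bool:
        """True only if every recorded handling step saw an unmodified copy."""
        return all(e.matches_original for e in self.events)

def collect_evidence(tag: str, description: str, image: bytes, who: str) -> EvidenceItem:
    """Tag the item, hash the image once at collection, and log the first custody event."""
    item = EvidenceItem(tag, description, sha256_hex(image))
    item.record(who, "collected and imaged", image)
    return item

if __name__ == "__main__":
    item = collect_evidence("EV-001", "constructed workstation image", SAMPLE_IMAGE, "J. Doe (security officer)")
    item.record("K. Lee (forensic analyst)", "transported to lab", SAMPLE_IMAGE)
    tampered = SAMPLE_IMAGE + b"\x00"   # simulate a copy altered after collection
    item.record("K. Lee (forensic analyst)", "analyzed", tampered)
    for e in item.events:
        print(e.when, e.who, e.action, "OK" if e.matches_original else "MISMATCH")
    print("chain intact:", item.integrity_ok())
```

The per-event log is what an investigator signs and presents; the final `integrity_ok()` check fails as soon as any handler worked from a copy whose hash no longer matches the collection hash.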

Event Handling

  • Incident handling should be closely related to disaster recovery planning and should be part of the company’s disaster recovery plan.
  • Both are intended to react to some type of incident that requires a quick reaction so that the company can return to normal operations.
  • Employees need to know how to report an incident to the incident-handling team.
  • The process must be centralized, easy to accomplish, convenient, and welcomed.


Last Updated on Friday, 28 August 2009 05:07