The Australian Federal Police (AFP) is seeking to form partnerships with the private sector as part of its ambitious plans to ramp up its high-tech crime capabilities.
AFP investigations and technical operations director agent, Tim Morris, said that in addition to recruiting IT security specialists from industry to strengthen its skills base, informal partnerships are also being developed with large companies and academia.
A funding injection of A$6.7 million (US$3.7 million) from the recent Federal Government budget will add five new staff to its 13-member electronic evidence team and add further staff to its seven-member high-tech crime team.
As well as increasing staff and its computer forensics capabilities, Morris said extensive training is under way to ensure 80 percent of AFP investigators are “e-literate” by the end of the year.
He said the training covers the basics of electronic evidence procedures; phase two of the training to build on skills already learnt will start next year.
As part of the plans to strengthen its computer skills base, Morris said skills development is planned for the computer forensics team in complex investigations.
“We are also upskilling our computer forensics team for high-end investigations; we are strengthening our high-tech crime skills across the board,” he said.
Speaking at the Auscert Asia Pacific Information Technology Security Conference 2002 on Queensland’s Gold Coast, Morris outlined preventative measures that industry can take to reduce computer crime such as maintaining systems that are regularly patched and monitored.
But if the worst happens and a crime does occur, he said companies should already have a security policy in place that includes an incident response plan and forensic plan.
Morris said these plans will assist in court proceedings and ensure evidence is available to undertake an investigation.
“Properly understanding how your system works — having things such as a comprehensive and up-to-date network diagram and knowing where relevant logs are — is a huge advantage when responding to an incident,” he said. This should also include tools in place to respond to an incident, recover information and collect evidence.
Morris said it takes little effort to have a “forensically sound” response, which is crucial if law enforcement is to become involved.
“Even the normal operation of a computer can destroy data that might be hiding in unallocated space, or in an operating system swap file,” he said.
To authenticate the evidence, Morris said companies should think about issues including the capture of volatile evidence such as information relating to active network connections, the imaging of hard disks, generating checksums of the original and the copied item to verify the accuracy of the copy, and recording the clock offset from “real” time.
Finally, he said, there is the analysis process: identifying anomalous entries in system logs, suspicious users, processes, files and other intruder remnants.
“You will also want to correlate evidence from these multiple sources using common reference points, normally time or IP address,” Morris said.
“The final aim of this process is to compile a chronological reconstruction of events which clearly outlines what took place and who was responsible for it. If all this is done, the evidence should be pretty convincing.”
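The two technical points above, checksumming an image against its copy (and recording each host's clock offset) and then correlating logs from several sources on a common reference point to produce a chronological reconstruction, can be shown together in a short script. This is an added example written for this page, not code from the AFP or the conference talk; the log format, host names, IP addresses and clock offsets are all constructed for illustration.

```python
"""Added example (not from the article): verifying a disk-image copy by
checksum, correcting per-host clock offsets, and correlating log lines from
several sources by time and IP into one chronological timeline."""
import hashlib
import re
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> dict:
    """Checksum the original and the copy; equal digests show the copy is
    bit-for-bit accurate, which is what is recorded in the evidence log."""
    h_orig, h_copy = sha256_hex(original), sha256_hex(copy)
    return {"original": h_orig, "copy": h_copy, "match": h_orig == h_copy}


# Constructed sample "disk" contents, an exact copy, and a copy damaged by one byte.
ORIGINAL_IMAGE = b"\x00" * 16 + b"MBR-sample-constructed" + b"\xff" * 16
GOOD_COPY = bytes(ORIGINAL_IMAGE)
BAD_COPY = ORIGINAL_IMAGE[:20] + b"X" + ORIGINAL_IMAGE[21:]

# Clock offset recorded for each host at collection time (host clock minus
# reference time). Constructed values: the firewall ran 90 s fast, the server 30 s slow.
CLOCK_OFFSET = {"fw1": timedelta(seconds=90), "srv1": timedelta(seconds=-30)}

# Constructed log format: "<ISO timestamp> <host> <source IP> <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)$")

SAMPLE_LOGS = [
    "2002-05-21T10:01:30 fw1 203.0.113.7 ACCEPT tcp dport=22",
    "2002-05-21T09:59:45 srv1 203.0.113.7 sshd: failed password for root",
    "2002-05-21T10:00:10 srv1 203.0.113.7 sshd: accepted password for admin",
    "2002-05-21T10:02:00 srv1 198.51.100.4 cron: nightly backup started",
]


def parse_line(line: str) -> dict:
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"]).replace(tzinfo=timezone.utc)
    return event


def normalise_time(event: dict) -> dict:
    """Subtract the recorded offset so every host is expressed in reference time."""
    event = dict(event)
    event["ts"] = event["ts"] - CLOCK_OFFSET.get(event["host"], timedelta(0))
    return event


def build_timeline(lines, ip=None):
    """Parse, correct clocks, optionally keep one IP of interest, sort by time."""
    events = [normalise_time(parse_line(line)) for line in lines]
    if ip is not None:
        events = [e for e in events if e["ip"] == ip]
    return sorted(events, key=lambda e: e["ts"])


def timeline_lines(lines, ip=None):
    """Render the correlated timeline as one line per event."""
    return [f"{e['ts'].isoformat()} {e['host']} {e['ip']} {e['msg']}"
            for e in build_timeline(lines, ip)]


if __name__ == "__main__":
    print("good copy matches:", verify_copy(ORIGINAL_IMAGE, GOOD_COPY)["match"])
    print("bad copy matches: ", verify_copy(ORIGINAL_IMAGE, BAD_COPY)["match"])
    for row in timeline_lines(SAMPLE_LOGS, ip="203.0.113.7"):
        print(row)
```

Without the offset correction the server's failed login (09:59:45 on its own clock) would appear to precede the firewall's accept of the same connection (10:01:30 on the firewall's clock); after correction the order is firewall accept, failed login, successful login, which is the kind of consistent chronology the article says the process should produce.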
The AFP is not the only organisation upskilling staff; the NSW Police Commercial Crime Agency is undertaking computer forensics training next week with US specialist Andrew Rosen of ASR Data Acquisition and Analysis.