In the back-alley world of computer crime, the government “cats” are getting better at catching the hacker “mice.” But justice is often slow and never sure. Only solid evidence can arm the prosecution for the strongest possible case against a criminal.
That’s the message from RCMP Staff Sgt. Denis Roberge, a forensic analyst and investigator in charge of Internet investigations. Roberge’s first advice to public sector managers who might be confronted with a computer crime is simple — make a plan. When a successful attack takes place, he says, you need a system in place to deal with it.
“It shouldn’t be a surprise,” says Roberge. “People should have contact names and numbers, and guidelines about which police force to notify. They should have some kind of plan formalized within the organization saying: ‘When there is a criminal incident, we call these people.’”
In today’s online environment, of course, systems are constantly probed for weaknesses, so managers should not call police for non-threatening port scans or similar events, Roberge advises. In fact, such activity might not even be criminal. “If you’re walking down the street and trying doors to see if they’re locked, are you trespassing? I think one lawyer would say yes, and another would say no. It’s a very grey zone.” Roberge says two kinds of activities should prompt an immediate call to law enforcement officials: “Under the Criminal Code, when it comes to computers, we look at hacking, which is unauthorized use of computers — our main focus — and denial of service, which is mischief to data.” Where a crime has been committed, Roberge notes, there is one activity managers must not neglect: “Make notes. It may not go to court, but if it does, without good notes, the case could fail.”
Randy Sutton takes much the same approach. Sutton, a founding partner of Ottawa-based IT security consultancy Elytra Enterprises, is often called in to help with evidence gathering in computer crimes. When a successful attack takes place, he says, “the first thing you do is shut the computer down.” “The trick is to get access to all the data that’s left on that drive, so if you target the bad guy, you want to seize the machine at the most strategic time, when evidence is still present.”
Roberge agrees, saying managers should try to preserve the evidence, which means not attempting to delete files or remove the virus. Just like in the movies, “chain of custody” is also important. “When you seize any piece of evidence, you must be able to account for every minute until it goes to court,” Roberge says. “Where was it? Was it under lock and key? At no time should it be left on a desk, for example, with nobody in the room. Unfortunately, most people don’t know this.” Administrators are under pressure to maintain service, so their natural impulse is to clean up the drive and get it back online as quickly as possible. But before that happens, Roberge says, they should make an exact image of the drive.
“It is usually feasible. Network managers can do this – take the original that was targeted and lock it up. The duplicate can then be cleaned up and placed back on the network. Then they’re back in business. It can take as little as a few minutes, so when you think of getting a conviction in court, it is time well spent.” Even the forensic software tools used to examine the affected drives can be questioned in court by defence lawyers.
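The imaging and note-keeping Roberge describes, as an added example that is not code from the article, the RCMP or Elytra: it copies a "drive" byte for byte while hashing the source stream, hashes the finished image independently so the two digests can be compared and recorded, and keeps the notes he insists on as an append-only log in which each entry carries the hash of the previous one, so that later editing of the record is detectable. The "drive" here is an ordinary file constructed at run time, standing in for a device such as /dev/sdb; the hash-chained log, the evidence identifier EX-001 and the custodian name are illustrative choices of this example, not anything the article prescribes. On a real seizure the source would be read through a hardware write blocker; the rest of the procedure is the same.

```python
"""Bit-for-bit evidence imaging with hash verification and a hash-chained
chain-of-custody log.

Added example; not code from the article, the RCMP or Elytra. The "drive" is an
ordinary file constructed at run time, standing in for a block device such as
/dev/sdb. On a real seizure read the device node through a write blocker.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20     # 1 MiB reads keep memory flat on multi-terabyte devices
GENESIS = "0" * 64  # "previous entry" hash recorded by the first log line


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src_path to dst_path byte for byte, hashing the source stream as
    it is read. Returns the SHA-256 hex digest of everything that was read."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            h.update(buf)
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return h.hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Independent re-hash of a finished file (the image, or the original)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def log_custody(log_path, evidence_id, action, custodian, evidence_sha256, when=None):
    """Append one entry to an append-only JSON-lines log. Each entry records
    the SHA-256 of the previous line, so editing, inserting or deleting an
    earlier entry breaks the chain and is reported by verify_log."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {
        "ts": when or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "evidence_id": evidence_id,
        "action": action,
        "custodian": custodian,
        "sha256": evidence_sha256,
        "prev": prev,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path):
    """Walk the log from the first line. Returns (ok, entries_checked); ok is
    False at the first entry whose 'prev' does not equal the hash of the line
    before it, i.e. the record was changed after it was written."""
    prev, n = GENESIS, 0
    with open(log_path, "rb") as f:
        for raw in f.read().splitlines():
            if json.loads(raw).get("prev") != prev:
                return False, n
            prev = hashlib.sha256(raw).hexdigest()
            n += 1
    return True, n


def demo():
    """Image a constructed 3 MiB 'device', verify the image, and log both the
    seizure and the imaging. Returns the facts a caller can check."""
    work = tempfile.mkdtemp(prefix="evidence-")
    device = os.path.join(work, "sdb.constructed")  # stands in for /dev/sdb
    image = os.path.join(work, "EX-001.dd")         # hypothetical exhibit id
    log = os.path.join(work, "custody.jsonl")
    with open(device, "wb") as f:  # constructed sample content, not real data
        f.write(os.urandom(3 * CHUNK))
        f.write(b"--- constructed marker: fragment of a deleted file ---")

    src_hash = image_device(device, image)
    img_hash = sha256_file(image)  # hash the copy independently of the copy loop
    who = "A. Admin (hypothetical custodian)"
    log_custody(log, "EX-001", "original drive seized, sealed, placed in locker", who, src_hash)
    log_custody(log, "EX-001", "forensic image created; SHA-256 verified against source", who, img_hash)
    ok, n = verify_log(log)
    return {"match": src_hash == img_hash, "src_hash": src_hash, "log_ok": ok,
            "entries": n, "device": device, "image": image, "log": log}


if __name__ == "__main__":
    result = demo()
    print("image matches source:", result["match"], "| custody log intact:",
          result["log_ok"], "| entries:", result["entries"])
```

Running the file images the constructed device and prints whether the copy matched and whether the log verifies. Recording the digest of the original at seizure, and of every copy made from it, is what lets a later examiner show that the image worked on was not altered, whichever tool produced it; the chained log gives the "where was it, who had it" account Roberge asks for in a form that cannot be quietly rewritten afterwards.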
As Elytra’s Sutton says, “If you are going to take it to a court of law, you have to be able to prove that the tools you used to acquire the evidence are legitimate and approved, certified and recognized in industry for being effective.” Open source tools must be complemented with licensed commercial tools, Sutton says, because, “you can’t go to court with open source. The defence can always question whether the thing actually works or not.”
Roberge says it is not necessarily time-consuming for people to help with a prosecution. “We try to minimize it as much as we can. . . . Once we have an interview on site, from the first day, there is not a lot of time involvement for network administrators. Lots of cases never get to trial because most of the time, it is a guilty plea. To have a LAN manager physically go to court is quite unusual.”
Richard Bray is an Ottawa journalist who specializes in information technology issues.