Digital forensics remains a young science, often drawing upon professionals from both law enforcement and computer science. Where traditional forensics has established protocols for collecting blood and physical evidence from a crime scene, the methods of collection and protocols used for online crimes are still evolving. Often there is no one crime scene. And, as the price of storage continues to decrease, there are mountains of data to pore through, yet very few specialists who are able to devote the kinds of man-hours required. I recently spoke with Dave Merkel, vice president of products for Mandiant, a company that handles incident response and digital forensics for some of the top businesses in the world. Dave is also a former agent with the U.S. Air Force Office of Special Investigations, a sort of mini FBI within the military. He offered a very sober perspective on the efforts to catch online criminals. In many cases, the scope of the investigation is dramatically narrowed from the outset due to costs.
In reality, no one has the time to devote to a single case that the investigators on CSI do. As an investigator, Merkel said, "you think about the crime. A lot of times you'll be asking questions about how serious the crime is, therefore how much effort will go into solving it. If you're talking about antiterrorism investigation, national security, etc., the sky's kind of the limit in terms of what you choose to do or the cleverness you may choose to apply, because the budgets involved will facilitate that. You can afford to be more expansive in what you're looking at. When you start talking about crimes that are less severe in nature, or perhaps use the word "mundane," a lot of times those things fall out of scope due to cost.
"If you flip that and take criminal situations out of the picture and look at civil, that does come down to reasonableness if you look at the proceedings between the various parties in the court and raw cost. We can look for data all day long. The question is, how much do you want to spend, how much time do you want us to take? What level of detail do you want to go (to)? And you have to draw the line somewhere. It's a risk management-risk reward kind of equation that's applied to how much you need to look at." Bottom line: sometimes important data goes undiscovered.
Years ago, a forensics investigator told me he could figure out what happened in the machine; the problem was connecting that to a specific individual. Merkel says he was lucky. "We were going after a particular bad guy, and he was hacking our infrastructure, compromising a common exploit present in our Web servers and running wild through the infrastructure, and we had run the whole operation, gathered a lot of various forms of evidence because we did at one point want to get the bad guy. That was one where we wanted to solve crimes.
My employer at the time was very aggressive about wanting to pursue those issues. And we did have to take it all the way back to hands-on keyboard, where we processed all the digital evidence. We even had human intelligence, because the bad guy, in seeing us patch the infrastructure, admired the techniques and engaged us in dialogue--which was shocking. You engage in dialogue with the bad guy who's actively hacking your stuff. It was a fascinating operation."
"And then we even got it back to the point where we knew where he was physically. We were able to engage law enforcement, then work with them in an operation to link his hands to the keyboard, which involved corresponding with the bad guy. Bad guy talking to us. Bad guy taking some actions at a time when we knew he was taking them. We could monitor from server side what was going on. And the police literally breaking the door in half with a battering ram at the time that occurred and picking the bad guy up at that time."
But Merkel says, "Something that interesting is not the standard of care I'd say in 99 of 100 cases." Today, there's a lot of activity from the Pacific Rim, a lot of activity from China and Korea. But in reality, said Merkel, "if you're working with law enforcement or various other agencies to try and prosecute or pursue those matters, the second it crosses an international border, it has to be a pretty severe issue in order to engage enough agencies and actually get them interested to go after who's involved. In a lot of circumstances, you won't see that at all because the agencies involved may take it and go off and do whatever they're going to do with it. Because there are larger issues that you may not know (anything) about that they wrap that into."
Then there are botnets
"These days we see attacks that appear to originate in some guy's living room, who's got his PC or laptop as part of a botnet, and who knows where the command and control elements are coming from for those kinds of attacks. It's not just a single attacker or a single system that's involved in the attack, but tens or hundreds of thousands in some certain circumstances, and being able to actually trace those back effectively gets extremely difficult."
That's not to say we've given up on online crime. Merkel thinks that investigators need to filter their investigations from the beginning and narrow what they're looking for. As common desktop hard drives start being measured in terabytes, something has to change. This may blind them to additional crimes or supporting evidence, but in the drive toward a settlement or a conviction, at least investigators will come away with some hard evidence. For more on how investigators might start handling large volumes of data in the near future, see this blog.
You can hear more of my interview with Dave Merkel in this week's Security Bites podcast.
Should we be doing more to prosecute online criminals? TalkBack to me.