by Diofanor Rodríguez
CPP
Criminals are increasingly familiar with technologies, their possibilities and their limitations. In many cases, especially where information is the target, travelling to commit a crime is no longer necessary: good computer equipment and average computing knowledge are enough to attempt to breach an organization's systems.
Added to this, many of the "holes" that criminals exploit are left by our own employees, whether through carelessness or because they belong to the gangs dedicated to these cybercrimes. A recent study by the San Sebastián-based company S21sec found that 85% of crimes committed through information systems are committed by the companies' own employees; from this it follows that many employees have a second activity to earn additional income, which paradoxically consists of committing crimes against the company that employs them.
As we can see, the picture is not encouraging. It is worse still when we consider that many of us who work in corporate security do not know, if not entirely then in large part, how to prevent computer crimes or how to search for, recover and reconstruct information from computers.
This is where computer forensics plays a primary supporting role in our security work.
Cybercrime
Let us start by saying that computer forensics is a systematic discipline: it starts from the facts of a deliberate act, then searches for evidence and proceeds to analyse it. Dan Farmer and Wietse Venema, the creators of The Coroner's Toolkit, are generally recognized as the pioneers of computer forensics.
Today, Brian Carrier, author of The Sleuth Kit, is probably one of the world's leading experts on the subject.
Within computing, it is software tools that play the leading role in collecting the evidence and the information that is needed.
In computer forensics the crime scene is not a single physical place: it is the computer and the network it is connected to, whether LAN or WAN. The scenario is therefore complex, since the scene may span the sites visited, numerous emails and, in general, a good part of cyberspace.
It is of great interest to the integrated security professional to know that a crime scene can be reconstructed through computers from the records the systems leave behind: these can tell us whether information was partially or totally modified, which PC was used, which tools were used and what kind of information was sent by email, to mention only some of what can be established.
It must be understood that when the computer on which the offence is presumed to have been committed is found, it must be left exactly as it is: if it is off it stays off, and if it is on it stays on. Evidence or records held in the computer's volatile memory are lost if a running machine is shut down, and the disk of a switched-off machine is altered as soon as it is powered on, so the state in which it was found must not be changed.
Reconstruction of the facts
It is worth recalling a question put to Dr. Jeimy Cano, Systems and Computer Engineer at the Universidad de los Andes (Colombia), by Virusprot in 2002, which literally reads: "How long can it take to gather enough clues to identify the author of an attack?" The answer to that question was blunt: "It is a rather complicated question to answer, because many times the computer forensic examiner must be prepared to fail to identify the real person who committed the attack. The versatility the Internet offers for masking IP addresses, emails and so on suggests a great deal of technical knowledge and patience on the part of the attackers, who also resort to 'anti-forensic' strategies that limit investigations and their effectiveness. In some cases it can take years." As we can see, things are not easy, but solutions can be reached when one really knows who can help.
We must remember that what is always wanted and needed is to keep the crime scene unaltered; this is of vital importance for computer investigations.
Dr. Jeimy Cano, at a conference held at the Faculty of Law of the Universidad de los Andes, said that for a computer forensic examination to be valid at least seven steps must be respected:
• Sterile forensic media should be used
• Maintain the integrity of the original media
• Identify possible evidence at the crime scene
• Properly label, control and transmit copies of the investigation data, printouts and results
• Analysis of the identified data
• Presentation and support of the results
• Validation and verification of the procedures applied
Failure to follow these steps properly has consequences such as eliminating any possibility of prosecuting the attacker; once the crime scene has been altered, the damage can no longer be estimated with any certainty.
It is also important, when working with hard drives, to make a clone copy: one identical to the original, copied bit by bit. In fact, it is advisable to make three copies of the original disk, and to confirm that each is identical by comparing its cryptographic hash with that of the original. It is also very important to secure the evidence in safes and, in the case of disks, to keep them away from sources of magnetic interference that could damage them.
Analysis of data communications is also vitally important. Two things are of interest here: first, intrusion into a computer network or misuse of it; second, interception of data.
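The following is an added example, not part of the original article or of Dr. Cano's material, showing the "maintain the integrity of the original media" step and the bit-by-bit clone in practice: the source is hashed before and after imaging, imaged with dd, the three copies the article recommends are produced and each is verified against the original's digest, and every digest is recorded in a custody log. Assumptions of the example: the source is a constructed 1 MiB file standing in for a drive (on a real case it would be a block device such as /dev/sdX attached behind a hardware write blocker, never a mounted filesystem); sha256sum from GNU coreutils is used, with shasum as a fallback; and the two working copies are taken from the verified master image rather than from the original, a choice made here to minimize reads of the original.

```shell
# Added example: forensic imaging with integrity verification (not the article's code).
# Assumed tools: dd, sha256sum (or shasum), mktemp. Source here is a constructed file.
set -u

sha256() {
    # Print only the hex digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # Bit-for-bit copy of $1 into $2. conv=noerror keeps reading past bad
    # sectors instead of aborting; conv=sync zero-pads a short read so later
    # offsets stay aligned. bs must equal the device sector size: with a larger
    # bs, sync would pad the final block and the digests would no longer match.
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

verify_image() {
    # Succeeds only if $1 and $2 have identical SHA-256 digests.
    [ "$(sha256 "$1")" = "$(sha256 "$2")" ]
}

make_constructed_source() {
    # Constructed evidence (assumption): 256 "sectors" of 4096 random bytes.
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

run_acquisition() {
    # $1 = source device or file, $2 = case directory.
    # Produces master.dd, working1.dd and working2.dd, all verified against
    # the original, plus custody.log with one digest line per artefact.
    # Returns 0 only if the source is unchanged and every copy matches it.
    src=$1; dir=$2; log=$2/custody.log
    mkdir -p "$dir"
    before=$(sha256 "$src")
    printf '%s  original-before  %s\n' "$before" "$src" > "$log"

    acquire_image "$src" "$dir/master.dd" || return 1
    verify_image "$src" "$dir/master.dd" || { echo "master image does not match source" >&2; return 1; }
    printf '%s  master           %s\n' "$(sha256 "$dir/master.dd")" "$dir/master.dd" >> "$log"

    # Working copies come from the verified master, but each is checked
    # against the ORIGINAL's digest, not the master's.
    for n in 1 2; do
        acquire_image "$dir/master.dd" "$dir/working$n.dd" || return 1
        verify_image "$src" "$dir/working$n.dd" || { echo "working$n does not match source" >&2; return 1; }
        printf '%s  working%s         %s\n' "$(sha256 "$dir/working$n.dd")" "$n" "$dir/working$n.dd" >> "$log"
    done

    # Re-hash the original last: proves the acquisition itself did not alter it.
    after=$(sha256 "$src")
    printf '%s  original-after   %s\n' "$after" "$src" >> "$log"
    [ "$before" = "$after" ] || { echo "source changed during acquisition" >&2; return 1; }
}

# Stand-alone demonstration on constructed data.
demo_dir=$(mktemp -d)
make_constructed_source "$demo_dir/evidence.img"
if run_acquisition "$demo_dir/evidence.img" "$demo_dir/case"; then
    cat "$demo_dir/case/custody.log"
fi
rm -rf "$demo_dir"
```

The custody log is the piece that makes the copies usable later: anyone can re-hash a copy and compare it with the recorded original digest, and the "original-after" line documents that the acquisition was read-only. A hardware write blocker is still required on a real device, because the hash check only detects alteration, it does not prevent it.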
As we have seen, there is much we can contribute to clearing up a fraud, a theft of sensitive information, the partial or total adulteration of files, and even the simple waste of time caused by misuse of the Internet and corporate email. The interesting point is that the tools and the experts exist to make our security work more solid.
In this context it is absolutely vital that whoever manages an organization's corporate security works together with the IT manager to generate added value for the organization; we cannot keep saying "that's not my problem".
The challenge, then, is to understand the technology so as to apply it where it is needed in our daily security work. Computer forensics is showing us many benefits when applied correctly. The subject is obviously not simple, but if we at least understand its foundations we will be contributing, from our own positions, to the objectives of this discipline. And remember: the crime scene must not be disturbed under any circumstances.
References: articles and interviews by Dr. Jeimy J. Cano, Ph.D., CFE, graduate of the Engineering and Master's programs in Systems and Computing at the Universidad de los Andes.