Monday, April 09, 2007

Great news for IR and live response!

There was some great news recently for IR and live response!

Over the past couple of years, when discussing the viability and usefulness of live response, particularly as a source of evidence to be used in court, I have very often heard folks say, "I won't perform live response until there is case law to support its use."

Is it just me, or does sound like a chicken-or-the-egg thing? How can something be accepted in court if you're not willing to do the work and bring it into court in the first place? After all, look at everything that is used in court as evidence now, but at one time wasn't...fingerprints, DNA, even computer forensic evidence.

I was reading the TaoSecurity blog post regarding the Heckencamp case, and came across something interesting...that the court accepted a sysadmin's actions of logging into Heckencamp's computer to definitively determine that it was, in fact, the system being used to attack a mail server.

The Wired story mentions things like "counter-crack" and "counter-hacking", and I shudder at the use of both terms. The court's ruling includes a lot of discussion about expectation of privacy, but also includes such things as the fact that the sysadmin wasn't acting as an agent of law enforcement, but instead was acting to preserve the integrity of the mail server that was under attack. Basically, from what I can see in the opinion, the sysadmin confirmed that the system was used to attack the mail server by examining "network logs" and "after approximately 15 minutes of looking only in the temporary directory, without deleting, modifying, or destroying any files, Savoy [the sysadmin] logged off of the computer."

Okay, if anyone believes that nothing was modified in 15 minutes...well, that's a discussion for another time. After all, in order to access "network logs", a file would have had to have been accessed, modifying the last access time of the file...logging into the system itself would have modified logs, the contents of memory, etc...but I digress.

The Wired article ends in a monologue about vigilantism and student privacy, but that's not what I'm seeing here or interested in at all. Sure, the sysadmin used a username and password from a previous portion of his "investigation" to access Heckencamp's system, and the ethics of this can be argued until the cows come home. However, what I'm seeing is that live response may be starting to gain acceptance in court. If a sysadmin can log into a system and muck about for 15 minutes, why can't someone with a detailed process access a live system, collect necessary evidence as part of a thoroughly documented methodology, and then use that evidence in court?

8 comments:

hogfly said...

You're absolutely right. This is great news for those waiting for case law. Maybe now is the time for people to fully develop their live response procedures.

H. Carvey said...

More appropriately, IMHO, it's another reason to do so, right behind "required by a regulatory body (ie, FISMA, state/federal notification law, HIPAA, etc.) to do so", and "common sense". ;-)

Anonymous said...

A better reason yet is all the information a live capture can get with minimal modification to the system (i.e. loading the executable images into RAM). Even if a system is to be used in a criminal case, I don't think running dd.exe to dump the RAM, then immediately pulling the plug on a system could invalidate using the hard drive image afterwards. If a sysadmin poking about for 15 minutes doesn't invalidate a system as evidence, two minutes of dumping RAM to a network share (or netcat) shouldn't either.

An interesting possibility is using Process Monitor during the capture to see what all processes are doing, though its use may be exculpatory.

H. Carvey said...

Even if a system is to be used in a criminal case, I don't think running dd.exe to dump the RAM, then immediately pulling the plug on a system could invalidate using the hard drive image afterwards.

I agree, given the presence of a rigorous process or methodology, and justification for using it.

Remember, too, that depending upon how the new process (dd.exe) is run, there may be more than just a bit of memory used. On XP, a Prefetch file may be created.

Anonymous said...

This would be a huge help going forward.
Especially with detecting exploits which never touch the disk ( syscall proxies, etc) Also, correlating rootkit activities with data found on the disk is invaluable in my experience.

jaymcjay said...

Dimitry - Even more so with executables that are compressed and possibly encrypted on the disk (or not even there, as you said), but pristine within the memory.

H. Carvey said...

Jeff...

Exactly!

Anonymous said...

Agree. It's much quicker than reversing...