Controversial measures to force passwords and encryption keys from suspected computer criminals may not always be necessary, if workplace staff are as well-trained in evidence gathering as Professor Henry Wolfe would like them to be.
Such keys, being frequently entered on the keyboard, may still lurk in RAM, which should be carefully copied along with the contents of hard disk and other media in any forensic evidence gathering process, he says.
Such evidence could be gathered either by professional investigators working for law-enforcement authorities or by well-trained internal staff.
Wolfe, from Otago University’s security research group, gave a Computer Society audience a rundown of the “arms race” between forensic experts and criminals at a breakfast meeting last month. While there are specialist computer-forensic experts, they are still not easy to find, are overworked and costly, he says. Training of internal staff in proper forensic procedure should be part of the increasing attention that IT departments have to pay to security.
If someone is suspected in advance of secreting illicit information, an almost invisible “tapping” device on the keyboard cable or a piece of software covertly installed in the system will also be useful in capturing passwords and keys. This is theoretically easy within a workplace, though consultant Ian Mitchell pointed out last year that employment contracts must be carefully written to provide for surveillance and make sure the employee knows it may happen.
If a law-enforcement agency is doing the key capture, “I assume they would have a warrant,” says Wolfe. However, he also dealt with completely covert and undetectable means of surveillance such as “Tempest” techniques for interception and interpretation of radiation from a display screen, to reproduce the data appearing on the screen.
Overlooking the unusual places where data may lurk could compromise the rightful arrest and conviction of a criminal, Wolfe notes.
Nowadays, such non-computer devices as cellphones have considerable memory in which to secrete data. Mini-disks and memory cards and storage dongles designed to slip into a pocket could be overlooked. In one case a vital encryption algorithm was concealed in a finger-ring.
The first lesson of investigating a crime is to preserve the evidence and not to interfere with the original, Wolfe says.
Copies should be taken of everything and investigators should work with the copies, not the originals. The link between the copies and the originals must be demonstrable with careful documentation and hash totals taken of original and copy to guard against accusations that the data was changed.
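The copy-and-hash routine Wolfe describes, written out as an added example (this is not code from the talk or from the article). It stands in a fake "device" file for the seized disk, makes the working copy, hashes both original and copy, appends both digests to a custody log, and later re-hashes the copy against the logged value so that any change to it shows up. The examiner name, file names and log format are assumptions for illustration; "hash totals" in the article are what a practitioner today would call cryptographic hash values (MD5 and SHA-256 are both recorded here because older case files often carry only MD5).

```python
"""Forensic copy verification: hash the original and the working copy and
record both digests in a custody log, so the link between them can be shown.
Added example, not the article's or Wolfe's own material."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB pieces rather than all at once


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_and_verify(original, copy, log_path, examiner):
    """Copy original -> copy, hash both, append a custody entry and return
    True only if every digest matches. The copy is made read-only so an
    analyst working on it cannot change it by accident."""
    shutil.copyfile(original, copy)
    os.chmod(copy, 0o444)
    before = hash_file(original)
    after = hash_file(copy)
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # assumed field; real logs carry more detail
        "original": original, "original_size": os.path.getsize(original),
        "copy": copy, "copy_size": os.path.getsize(copy),
        "original_hashes": before, "copy_hashes": after,
        "verified": before == after,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry["verified"]


def reverify(copy, log_path):
    """Later check: rehash the working copy and compare it with the digests
    recorded when it was made. Returns False if the copy was altered."""
    with open(log_path) as log:
        entries = [json.loads(line) for line in log if line.strip()]
    recorded = next(e for e in reversed(entries) if e["copy"] == copy)
    return hash_file(copy) == recorded["copy_hashes"]


def demo():
    """Constructed sample data: a random-filled file stands in for the seized
    disk. Returns (copy verified, re-check before tampering, re-check after)."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "suspect_disk.raw")   # the "original"
    image = os.path.join(work, "suspect_disk.img")    # the working copy
    log = os.path.join(work, "custody.jsonl")
    with open(device, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))  # deliberately not a CHUNK multiple
    ok = image_and_verify(device, image, log, examiner="A. Examiner")
    still_ok = reverify(image, log)
    # Simulate someone altering a single byte of the working copy.
    os.chmod(image, 0o644)
    with open(image, "r+b") as fh:
        fh.seek(1000)
        flipped = bytes([fh.read(1)[0] ^ 0xFF])
        fh.seek(1000)
        fh.write(flipped)
    tampered = reverify(image, log)
    return ok, still_ok, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

In practice the original would be a block device read through a write-blocker and the copy made with an imaging tool; the point the code shows is that the digests of original and copy are taken at imaging time and written down together, so that a later re-hash either matches the record or proves the copy changed.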
In his articles for security publications, Wolfe emphasises the role of management in committing to a probable need for forensic expertise, providing funding for training and equipment and closely co-ordinating any investigative exercise.
The oddest evasive devices put in place by suspects include a computer constructed inside an innocent-looking wooden box on a cupboard shelf; the investigating officer returned carrying the monitor and keyboard, insisting they were the only computer devices in the suspect’s work area.
Another suspect placed cables around the doorway of his computer-room to generate a strong magnetic field on pressing a concealed foot-switch. This erased the contents of the hard drive as the officers were carrying it out of the room.