The Real World of Computer Forensics

A tutorial on computer forensics, e-discovery, and litigation support: tools you can use during an incident or during your next litigation.

InformationWeek Staff, Contributor

August 14, 2007


In today's business environment, any company, small or large, can count on facing unwanted incidents and formal litigation. Since most companies run their financial transactions and the bulk of their business records across computer networks, computer data will inevitably be involved in any incident or lawsuit. Smart companies, and smart IT departments, understand that they must be able to handle that information efficiently, in its native electronic form, when responding to an incident or to litigation.

To build that understanding, and to better prepare businesses for these needs, this article introduces computer forensics, e-discovery, and litigation support: powerful tools you can use during an incident or during your next litigation.

Computer forensics is the process of preserving, identifying, producing, and analyzing computer data for the purpose of incident management or pending litigation. It can be used to produce documents for litigation, or by an expert witness to form an opinion about the actions of a computer's user. This article briefly discusses three real criminal and civil cases I participated in, where computer forensics directly affected a company's outcome. Exploring these cases gives a good idea of the situations that can occur and of the issues you would have to contend with.

(Some of the names of the victim companies have been sanitized to protect the innocent when the case was not in public record.)

US v Duronio

UBS PaineWebber (UBS-PW) is a financial institution that provides stock trading to its customers. Like most such companies, UBS-PW processed stock transactions from all over the United States on a large computer network, consisting of over 2,000 servers dedicated to that task. Like many companies, UBS-PW saw its profits fall after the Sept. 11, 2001 attacks, which meant that most employees would not take home the bonuses they had been promised the preceding year.

Angered over the size of his bonus, a former UBS-PW systems administrator named Roger Duronio planted a logic bomb, a malicious program that destroys computer data at a preset time. It went off on Monday, March 4, 2002, disabling a large number of the servers responsible for executing stock trades just as the stock market opened at 9:30 AM EST, and the recovery effort cost UBS-PW over 3 million dollars. The recovery was not immediately or completely effective, either: according to court testimony, the effects of the attack were felt long after it was cleaned up. Around the time of the attack, Duronio also bought put options on UBS stock, in effect betting against the company so that he would profit if the share price fell because of the attack.

It fell to the computer forensic experts to piece together Roger Duronio's actions and present them to a jury that might not understand all of the technical details of what happened. I was the computer forensic expert for the government, and testified for five straight days about the logic bomb attack and Mr. Duronio's involvement.

I was able to track Duronio's steps by examining several sources of data. First, I was given tape backups of the servers affected by the attack. As at an arson scene, the logic bomb had effectively destroyed the contents of the transaction servers, so the tape backups were the next best source of evidence. By tediously reconstructing every file available from several backup snapshots, I was able to review the programs Duronio had created and executed on the transaction servers.

I was also given the virtual private network (VPN) logs from the UBS-PW network, which recorded every connection into the network from the outside world. I correlated those external connections with the servers involved in the logic bomb attack. Each connection associated with the modification and execution of the logic bomb was traced back to Duronio's home connection, his user account, or both. Lastly, I was given forensic images of the computer systems in Duronio's home, which had been seized by the U.S. Secret Service. On those home computers I found a logic bomb consistent with the one used against the UBS-PW network.
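The two steps described above, diffing successive backup snapshots to find which files appeared or changed on a server and then correlating those file times with the VPN sessions that were open at the time, can be shown with a small script. This is an added example, not code from the case or from the author; the snapshots, the VPN log format, the usernames and the addresses are all constructed for the illustration, and real work would start from files restored off tape and from the concentrator's actual log format.

```python
"""Correlating backup-snapshot diffs with VPN session logs (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed backup snapshots of one server, keyed by path ->
# (mtime as ISO-8601, file contents). The contents are placeholders.
Snapshot = Dict[str, Tuple[str, str]]

SNAPSHOT_EARLY: Snapshot = {
    "/etc/passwd": ("2002-01-10T08:00:00", "root:x:0:0:root:/root:/bin/sh\n"),
    "/usr/local/bin/nightly.sh": ("2001-12-01T09:00:00", "#!/bin/sh\n# nightly job\n"),
}
SNAPSHOT_LATE: Snapshot = {
    "/etc/passwd": ("2002-01-10T08:00:00", "root:x:0:0:root:/root:/bin/sh\n"),
    "/usr/local/bin/nightly.sh": ("2002-02-22T23:14:05", "#!/bin/sh\n# nightly job (edited)\n"),
    "/var/tmp/.job": ("2002-02-22T23:20:41", "#!/bin/sh\n# new, unexplained script\n"),
}

# Constructed VPN concentrator log; usernames and addresses are made up.
VPN_LOG = """\
2002-02-22 22:58:12 CONNECT user=sysadmin_a src=203.0.113.45 assigned=10.8.0.21
2002-02-22 23:05:00 CONNECT user=analyst_b src=198.51.100.7 assigned=10.8.0.22
2002-02-22 23:18:00 DISCONNECT user=analyst_b assigned=10.8.0.22
2002-02-22 23:41:17 DISCONNECT user=sysadmin_a assigned=10.8.0.21
2002-02-23 08:02:00 CONNECT user=analyst_b src=198.51.100.7 assigned=10.8.0.22
"""


@dataclass
class FileEvent:
    path: str
    mtime: datetime
    change: str  # "added" or "modified"


@dataclass
class Session:
    user: str
    src_ip: str
    assigned_ip: str
    start: datetime
    end: Optional[datetime]  # None = still open when the log ends


def _digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def snapshot_diff(old: Snapshot, new: Snapshot) -> List[FileEvent]:
    """Files that appeared or whose content changed between two backups.
    Content is compared by hash because an mtime alone is easy to forge."""
    events: List[FileEvent] = []
    for path, (mtime, content) in new.items():
        if path not in old:
            events.append(FileEvent(path, datetime.fromisoformat(mtime), "added"))
        elif _digest(old[path][1]) != _digest(content):
            events.append(FileEvent(path, datetime.fromisoformat(mtime), "modified"))
    return sorted(events, key=lambda e: e.mtime)


LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>CONNECT|DISCONNECT) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))? assigned=(?P<assigned>\S+)$"
)


def parse_vpn_sessions(log_text: str) -> List[Session]:
    """Pair CONNECT/DISCONNECT lines into sessions keyed by user + assigned IP."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never guessed at
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["assigned"])
        if m["action"] == "CONNECT":
            s = Session(m["user"], m["src"] or "?", m["assigned"], ts, None)
            open_sessions[key] = s
            sessions.append(s)
        elif key in open_sessions:
            open_sessions.pop(key).end = ts
    return sessions


def correlate(events: List[FileEvent], sessions: List[Session],
              tolerance: timedelta = timedelta(0)) -> Dict[str, List[str]]:
    """For each file event, the VPN users whose session covered its mtime.
    `tolerance` widens each session window to absorb clock skew between
    the server and the VPN concentrator, which are rarely in sync."""
    out: Dict[str, List[str]] = {}
    for e in events:
        out[e.path] = sorted({
            s.user for s in sessions
            if s.start - tolerance <= e.mtime
            and (s.end is None or e.mtime <= s.end + tolerance)
        })
    return out


if __name__ == "__main__":
    evts = snapshot_diff(SNAPSHOT_EARLY, SNAPSHOT_LATE)
    for path, users in correlate(evts, parse_vpn_sessions(VPN_LOG)).items():
        print(path, "->", users or ["no VPN session active"])
```

Two practitioner details are built in: files are compared by content hash rather than by timestamp, since an intruder with root can set any mtime he likes, and the correlation accepts a clock-skew tolerance, because the file system clock and the VPN concentrator clock must be reconciled before a session can honestly be said to cover a modification. A session with no DISCONNECT line is treated as still open rather than dropped, so activity near the end of the log is not silently unattributed.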

This past fall, Duronio was found guilty and sentenced to the maximum of 97 months in prison for the crime. Without the ability to piece together his attack through computer forensics, Duronio might have attacked UBS-PW and never been caught.

US v Alexey Ivanov & Vasily Gorshkov

Around 2000, a series of companies across the U.S. received extortion emails from a group of hackers. The emails stated that the companies' networks had been hacked and threatened to publicly expose their data, such as stolen credit card numbers, unless a payment was made: if the victim paid a modest fee, the hackers would fix the security flaws in its network and keep the data private. As proof that the networks had been compromised, the emails included the personal passwords of the people being extorted.

The attacks appeared to originate overseas, beyond the reach of U.S. jurisdiction. In response, law enforcement officials turned the tables with a con of their own: posing as businessmen from a fictitious company created for the purpose, they lured the two suspects from Chelyabinsk, Russia, to the United States with an offer of jobs as security professionals. The officials captured network traffic proving that the attacks were the work of Alexey Ivanov and Vasily Gorshkov, and arrested them once they were on U.S. soil.

In this case we were given data from Mr. Ivanov's and Mr. Gorshkov's computers, data from the victims' networks, and data from the pair's servers, which still existed in Russia (the FBI transferred that data from Russia to the U.S.). From the data we determined that the two had broken into computer networks across the United States and extorted numerous companies. After examining every file on their computers, their involvement in the hacks was clear: the attack tools were on their systems.

A number of chat transcripts and emails were also found, proving that they executed the attacks and communicated with the victim companies. In more than one instance, a script was used to profit from the crime. Ivanov and Gorshkov siphoned money from the stolen credit card numbers through an elaborate scheme on a popular online auction web site: using the stolen cards, they would buy fictitious items that they themselves had put up for bid, which moved the money from the stolen cards into their own accounts. The scheme was neatly automated with a series of relatively simple programs.

For this crime, Mr. Ivanov and Mr. Gorshkov were convicted and sent to prison. Without the ability to tie these individuals to the attacks through computer forensics, a cross-border attack like this would have gone unpunished.

A Large Financial Company

In the past two years, another large financial company that executes stock transactions on behalf of its clients was hit by computer crime. This time the crime was not committed against the company itself but against the computers of numerous customers who used its services. The attackers captured customers' user names and passwords and then used them to log in and transfer money out of the victims' accounts.

A number of customers began complaining and threatened a class-action lawsuit, believing the financial institution had lost their accounts to hackers. In reality, the company's security was tight. We were called in to use computer forensics to verify that the company had not been compromised, and it had not.

We were also asked to review the computers of several of the institution's customers. Each customer was in a different geographical location and did not know any of the other victims. We found that the attacks on the accounts all stemmed from the same piece of malware installed on the customers' computers. It collected the user name and password the customer used to log in to the financial institution and sent them to the attacker. The customers' computers had been infected while browsing the Internet.

In this case, computer forensics mattered because it pinpointed the origin of the crime: malicious web sites that installed the malware through exploits in the web browser and operating system. The forensics showed that the financial company was not to blame for the transactions. As a result, the institution was not dragged into a frivolous lawsuit, and in return it worked with its customers to secure their computers for the future. Because the attackers appeared to be outside U.S. jurisdiction, in unfriendly countries, the individual(s) responsible have not been caught.

In all three cases discussed above, the truth of what happened lay in the computer evidence. Without computer forensics, that truth would have gone untold, and the evidence needed to convict or track down the perpetrators would not have been obtainable. Had one file been missed or misinterpreted, the outcome in each case could have been worse.

If you are reading this and thinking "That will never happen to me," I guarantee that is exactly what the victims thought before their incidents occurred. In future articles, I will discuss what your company can do to prepare for computer-related incidents, efficiently investigate them, and effectively tackle even the largest litigation.

Keith Jones is a senior partner and co-owner of Jones, Rose, Dykstra & Associates, and specializes in computer forensics, electronic discovery, litigation support and information security consulting. He is the author of two computer forensic books: Real Digital Forensics and The Anti-Hacker Tool Kit.
