In one case that I’ve heard about, an IPod had been linked to a MacBook, and it was important for them to know when the two were last ‘synced’. Now there are usually two ways to get evidence such as that out of a program. The first is to actually run the program, in this case ITunes, and use it to extract the data. THe other way is to bypass the program and get at the raw data files and use other tools to extract the needed information. In this case, there were a few files that ITunes uses to keep track of the synced IPods and when they were last synced.

Both approaches have their benefits. Working through the program is sometimes much easier that bypassing it, but it risks damaging the evidence, changing it in some way. Bypassing is more acceptable, but it can be very difficult if the evidence is encrypted or in a proprietary format. In rare cases, it makes it impossible to proceed.

The classic case of this is the computer savvy student breaking in to the school computer to change his grades, but as serious as that is, it can get even more serious. If you need to make electronic payments, the account numbers you have on file for your suppliers don’t take much to change. One break in, and all of a sudden you are paying someone who isn’t your supplier.

The best way to deal with this is to have clearly defined roles with minimum access given to your data. Your employees should have just enough information to do their jobs.

The three principles together define Information security policy.

In some places of work, the need for this is obvious. A doctor or lawyer needs to keep his client’s information confidential. The CIA has lots of secrets that the general public shouldn’t have. However, every office has information that needs to be held closely. Payroll, for example. Beyond just keeping salaries confidential, a payroll database has bank account information. A client list can be judged to be important enough to keep secret.

The real problem comes when you pair this with Availability. In short, those who are allowed to use data get access, and those who shouldn’t, don’t. You could simply shut off a computer that is being compromised to prevent access, but that would also deny access to those who need it. Sometimes, though, that is what you have to do to prevent an immediate threat.

One of the principles of Information Security is the concept of Availability. Simply put, your data, or your company’s data, should be available for your use. How is this an Info Security concept? Simply put, if your data is not available for you to use, do you really have it?

The classic attack on Availability is the Denial of Service attack. In it, a computer is bombarded with network traffic, overloading the computer or network card making it so no one else can access the resource. The computer needs to spend time dealing with all of these packets coming in over the network, and so it cannot give legitimate users the time they need.

It’s not just in the computer world that this exists. Say you have a library of books, but the building has been cut off by a flood. The rising water is a threat to the Availability of the books.

I’ve had to deal with a DOS attack once. I was working as an engineer for an IT Services company when a client called. His internet connection was extremely slow, and he wanted me to find the problem. I logged in to his firewall and found out he was right. The web interface for the firewall was extremely slow. I looked at the processor for the firewall and it was maxed out. The net connection was normal. It was the firewall that was being used. I checked the logs, and found that tons of traffic was coming from one IP address. For each packet that came from that address, the firewall had to process each command through every rule before denying it. To deal with it, I added a new rule denying the IP address and put it as the first rule. Instantly, everything was better. The firewall could dismiss the traffic instantly. Before I did that, the client could not use the internet.

For a resource to be valuable, it needs to be used. That is why Availability is so important.

The information security expert is involved before an incident happens. They go through and assess a location or system, find vulnerabilities and figure out how to deal with them in order to either prevent an attack or mitigate the damage from one.

The digital forensic expert usually arrives after an incident has happened, and figures out what went wrong. He doesn’t assess vulnerabilities, but actual damage. He doesn’t figure out what to do to prevent attacks. He finds out the exact nature of the attack that happened, if it is an attack at all.

How are these two related? Well both do a little bit of each other’s job. This is especially true during an ongoing attack. In that case, both roles need to be performed at the same time. A forensic examination gives important data as to the nature and severity of an attack. An assessment of security can identify ways of stopping and limiting damage.

In each case, both perform police like functions. Which one is more important? Whichever one you need.

Well, yes, it is. You may not be firing a magic bolt, but several computers, all over the world, are rendering an effect, moving your avatar, and recording the damage that that caused. At a very basic level, it makes a change on the hard disk recording the battle, and those little bits either have a charge or they don’t. And that is real and measurable.

The problem is, even that doesn’t seem real. Little magnetic bits on a platter? Can’t be touched. Can’t be seen. Doesn’t seem real. And how they are arranged makes them valuable? Certain arrangements of bits are more valuable than others?

Well yes. Consider a book. Any book. On the surface, its just leather with paper and ink inside. Open the book, though, and the value becomes clear. It can be read conveying information. A good novel can command a price. Take those same ink markings though and make them random, and its completely worthless. Or consider if the story inside is terrible. Or if the information it contains has been proven wrong.  All of that makes the value of the book go up or down as the case may be. The arrangement of those markings makes the book what it is. It is all important. If that statement seems a little out of proportion, consider the recent development of the e-book. No leather cover. No paper. No ink. But the black markings that appear on the screen mean you are reading, and have in your posession, The Adventures of Huckleberry Finn.

Now consider that in that e-book, its all made up of those same bits. The arrangement of those bits defines the book. If it isnt real, then you can’t read it. If you can’t read it, then you can’t write a book report on it. And you fail your English class. That’s real.

It comes down to this. If it can change something that is real, then it itself is real.

In the newest first person shooter, Modern Warfare 2, there’s a mission where you hook up a portable drive to a computer, then have to defend the house it is in. To let you know how long you have to defend the house, they put a status bar and time left on your heads up display.

Now all of that, hooking up the drive without sitting down at the keyboard and setting it all up, and not just ripping out the hard drive, that is wrong. The bit they get right is this:

On the heads up display the ‘time left’ jumps around. 3 minutes. 22 minutes. 44 minutes. 5 minutes. 37 minutes. Just like a real download does sometime.

Its a brilliant bit of realism, and so frustrating just as you are trying to survive long enough to get the drive and get out. You can never tell just how long something like that is going to take.

Sometimes this isn’t a problem. Sometimes the computer is in a secured area and the PC hasn’t been compromised. Sometimes its in an open office environment, and he was observed to be at the computer at the time in question.

Sometimes, though, the computer doesn’t even have a password, and anyone can walk in and use it. Most personal PCs are set like that. Even if you put a password on the account, it sometimes doesn’t mean anything if you are observed typing in the password. This actually happened to me once. I had set a password on my personal account on my daughter’s PC so she couldn’t be on the PC for more than an hour. She once watched me put in that password, and all of a sudden she had unlimited time. She was 5 at the time.

In cases like that, the best you can do is report that someone used ‘Joe’s’ account. To do more than that may be to assume too much, and that can lead to a loss of credibility. For a digital investigator, credibility is our stock in trade. If you don’t have that you won’t have anything.