CSI and Information Security – searching for the perfect evidence?

Everyone’s either watched or at least heard of CSI – Crime Scene Investigation. With the spin-offs, there are three out of five nights a week in prime time where you may learn about trace evidence, bullet trajectories and splatter patterns. It’s been such a phenomenon that criminal justice is the most popular and fastest-growing new major in colleges.

One thing that comes up every now and again on the show surrounds evidence and its collection: someone kicks a gun out of position, forgets to wear gloves while picking something up, or there was a fire due to someone’s carelessness. During the trial, while the CSI agent is on the stand, the defendant’s attorney asks the agent about the evidence in question. The attorneys refer to the seal on the evidence bag, the agent’s signature across it and the evidence locker logbook showing check-in/check-out times. The signature represents that the evidence was not compromised (anti-tamper). The seal is a chain of custody protection, as each handler puts an official, new one on when they’re done. The evidence logbook, plus the lab tests and procedures, depict the evidence’s complete history.

These ideas translate well to the digital world, where there is also a chain of custody. It’s very tight and very well documented in cases that may involve a federal offense, such as child pornography or counterfeiting. Digital signatures replace the seal and signature, providing non-repudiation in the same fashion. File, error and audit logs replace the evidence locker logbook.

There are a couple of points lost in translation. Is there a way to prevent the digital equivalent of wiping the gun clean?

Current best practice is to digitally sign audit logs, which provides a tamper indicator and, depending on the methods used, even some tamper resistance. Digital signatures are far from perfect, although they are legally binding. About a year ago, the first technique for reproducing a SHA1 signature became feasible for a non-nation state (nation state equals the money and resources of, say, China or Russia). This is the digital version of the old-fashioned check scheme.

But that doesn’t account for forgery, or even theft, of the evidence logbook, especially by the digital equivalent of a crooked cop. That might actually be a crooked cop, but is more likely an IT administrator, generically known as a trusted insider or just the insider threat.

One of the ideas Jeff Jonas brought to my attention was the immutable log. This log cannot be changed; essentially it is auditing that requires a digital ‘breaking of glass’ upon access. You know when it’s happened, and it’s nearly impossible to undo. Monitoring these logs provides an interesting insight into the enterprise’s operation. When do people look at logs? Normally, reports are used for system health. Logs are a second tier of analysis – the administrator has already noticed an anomaly and is diagnosing the problem, or someone with ill intent wants to cover their tracks.
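As an added illustration of the two points above (signed audit logs as a tamper indicator, and the immutable log you cannot quietly rewrite), here is a hash-chained, HMAC-tagged audit log. It is example code written for this page, not the post’s own nor anything from Jeff Jonas’s work; the key, the three audit events and the auditor-held “head” tag are all constructed for the demonstration. It shows that an edit in the middle of the log is caught, but that dropping the newest record is only caught when the latest tag is held somewhere the administrator cannot reach, which is exactly the off-site custody argument the post makes.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _body(rec):
    # Canonical bytes the tag commits to: everything except the tag itself.
    return json.dumps({"seq": rec["seq"], "msg": rec["msg"], "prev": rec["prev"]},
                      sort_keys=True).encode()


def append_entry(log, key, message):
    """Append a record whose tag covers the message, its position and the
    previous record's tag, so editing, deleting or reordering an earlier
    record breaks every tag that follows it."""
    rec = {"seq": len(log), "msg": message,
           "prev": log[-1]["tag"] if log else GENESIS}
    rec["tag"] = hmac.new(key, _body(rec), hashlib.sha256).hexdigest()
    log.append(rec)
    return rec


def verify_log(log, key, head=None):
    """Return (ok, first_bad_seq). `head` is the newest tag as exported to an
    off-box auditor; without it, silently truncating the tail is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = hmac.new(key, _body(rec), hashlib.sha256).hexdigest()
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["tag"])):
            return False, i
        prev = rec["tag"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(log)  # chain is consistent but shorter than the auditor's copy
    return True, None


def demo():
    """Constructed sample: three audit events, then two kinds of tampering."""
    key = b"constructed-demo-key"  # in practice: held in an HSM or off-site, not by the admin
    log = []
    for msg in ["login admin", "open /etc/shadow", "delete user bob"]:
        append_entry(log, key, msg)
    head = log[-1]["tag"]  # what an off-site auditor would hold
    edited = [dict(r) for r in log]
    edited[1]["msg"] = "open /etc/motd"  # one line rewritten after the fact
    truncated = log[:-1]  # newest record dropped
    return {"clean": verify_log(log, key, head),
            "edited": verify_log(edited, key, head),
            "truncated_no_head": verify_log(truncated, key),
            "truncated_with_head": verify_log(truncated, key, head)}
```

Note that verification only proves the log was not altered by someone *without* the key; an insider who holds the key can rebuild a consistent chain, which is why the post pushes key custody off the box.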

Jeff’s example of Kimitick intrigued me. I would like to add ERUCES to the mix, with their recently patented Hidden Link technology.

A key sits off-site, and the only remnant on the local machine is an encrypted key pointer. From log creation onward the file remains encrypted, always on disk and only in small pieces while in memory. The key stays in a crypto module or Hardware Security Module (HSM) on the local, log-creating machine, the Hidden Link remains part of the file, and neither an administrator nor anyone else may access the file without first asking for the key. This key access remains off-site, potentially within a third-party auditor’s control, say the SEC or FAA for compliance assessments.

Now this doesn’t necessarily create an immutable log. As my university professor in security always said, “If you get your hands on the hardware, all bets are off”. Smart man when you consider the Cold Boot research discoveries in February. I bet that was on very few people’s threat/vulnerability analyses. From that perspective it becomes more important for a system to have more parts with a wider distribution: a digital version of the two-person rule for launching the nukes.

Of course, more parts and procedures make the entire system more fragile, and definitely less elegant. I’m sure there are ways to manipulate the programs writing the logs, or the system architects could slip a mickey into the system for the express purpose of defrauding the likes of Société Générale. Obviously not the best example; they never even checked their logs. I hope you get the drift.

