Educating millennials and Generation Z
Read Time: 7 mins
Written By:
Patricia A. Johnson, MBA, CFE, CPA
Admittedly, some of the information presented here is on the advanced side of the curve. However, for those who understand the growing need for digital forensics in fraud examination, the latest evolution in the field involves new forensic tools and methods for gathering evidence from live systems. I'll continue to bring you developments when I think that they may have an impact on the way we do fraud examinations of digital evidence. Please contact me at rcannon@ACFE.com for an explanation of any of this information.
If you're tuned in at all to the news of current computer technology abuses, then you've heard about the Sony copy protection controversy. Like other big music companies, Sony is concerned about copyright infringement of digital music, so it embedded a DRM (digital rights management) program on some of the music CDs it produces and distributes. When a user opened one of these CDs on a computer, the DRM would surreptitiously install itself and limit his ability to make illegal copies or to share the music with others who had no interest in buying it legally. This program belongs to a subcategory of malicious software called "root kits." The DRM root kit is designed to hide itself from the Windows operating system so the user is unaware of its presence. Even if he did know it was on his system, he couldn't remove it without crashing the system.
Root kits: nasty threat
Root kits are the number one threat to consumer and corporate computer systems and are increasingly being used for corporate espionage and the theft of intellectual property. Employees can unknowingly install these stealth programs on computers and negate some of the best security measures. Because of their stealthy nature a root kit can remain hidden indefinitely and continue to conduct its specific business without the user's knowledge. [Chris L.T. Brown in his new book "Computer Evidence: Collection & Preservation" (Charles River Media) goes into greater detail on root kits. I highly recommend it for anyone wanting to know more about digital evidence collection.]
An examiner can find the root kit's activity in the area of the computer system known as volatile or physical memory, commonly called RAM (random access memory). Root kits can do several nasty things, including secretly passing user name and password information over the Internet to a hacker who has pre-engineered the program to respond to his commands.
The uses of this type of malicious technology in perpetrating fraud schemes against both consumers and corporations are limitless. Hackers can deploy root kits through e-mail attachments, seemingly harmless business documents, demo CDs, automatic downloads from Web sites, or through a new breed of phishing ploy known as "spear phishing."
A spear-phisher creates spoof e-mails that appear to come from a legitimate business associate, announcing a meeting change or an advance agenda. The receiver opens the attachment and the root kit is secretly deployed. It acts as a typical Trojan horse that opens a back door to the computer system, allowing the hacker access to the entire system and potentially the network as well.
Corporate spy scandal
The spear-phishing attack needs a measure of social engineering to be successful, as illustrated in a recent corporate spy scandal that rocked Israel. Eventually, 18 individuals were arrested for capitalizing on the distribution of this type of malicious software technology to aid in corporate espionage. The Washington Post Foreign Service and other news agencies reported in the summer of 2005 that a well-known Israeli professor discovered that material from a book he was writing was misquoted on the Internet. The copy was appearing without his permission in various forms and seemed at times to be purposefully misquoted to embarrass the professor.
Obviously, his computer contained some type of Trojan horse software that was stealing his files. Israeli authorities advised him to reformat his hard drive and reinstall his applications to erase any malicious software. However, after he did so the problem continued. The police forensically analyzed the computer and found a hidden root kit that they traced to the professor's former son-in-law (a software engineer) who had developed and deployed the special program to exact revenge after a difficult divorce from the professor's daughter. Police also found that the former son-in-law had stolen information from a number of industries including cable and satellite companies, auto dealers, and military products manufacturers. The malicious software was unwittingly installed by employees from demo software CDs and business e-mails. He then conspired with private investigators and corporate officials to sell the stolen inside information. Investigators haven't totally unraveled the case but it reportedly might also affect U.S. companies.
Think before pulling the plug
Besides these "malware" programs, there are a number of other temporary computer forensic "artifacts" (fragments of digital evidence) that can reside in volatile data while a computer is on but are lost when the system is shut down or loses power. Most forensic examiners were trained in the "pull the plug" seizure technique when they needed to analyze digital evidence. Consequently, this has been their standardized mantra when they've trained other investigators and forensic auditors who might encounter digital evidence in the field but don't have a fully trained forensic examiner present to evaluate the scene. With the huge amounts of memory on today's computer systems, and the memory-resident activities taking advantage of this fast-growing temporary storage, forensic examiners may have to reevaluate the usual approach to computer seizure to include the possible recovery of volatile data from RAM.
Volatile data differs from the data typically found on hard disks because it's in a constant state of change. When users intentionally store a file on a hard disk, it resides there until it's deleted and then overwritten. Volatile data resides only temporarily, as needed by the various system processes, whether the user initiated them or the system otherwise engaged them to accomplish a particular task. Once the process or temporary need has passed, the space in memory is released to be overwritten as needed by another task. Unlike hard disk data, data in memory must have power to remain. If the power is lost, the data disappears. When the system is restarted, the process begins anew. That's the reason the help desk tells you to reboot when you're having problems: some programs are better than others at releasing memory they no longer need, and a reboot often solves the problem because you begin with a clean slate each time.
When collecting volatile data, investigators must understand that there are inherent risks. The evidence must be collected in the least intrusive way possible. Often one tool isn't sufficient to collect all the needed information. The examiner must limit his interaction with the live system to just what he needs to obtain the data, because every interaction risks damaging the evidence. When the examiner is deciding whether he needs to collect volatile data, he must determine whether the loss of any information would be detrimental to the case and whether there are other, less intrusive and more forensically sound ways to gather it. In other words, it isn't always necessary to collect information from a live system that's already static on the hard disk. Consulting with an experienced computer forensic examiner can help in reaching this decision.
IP, passwords, last page printed
One of the justifications for the collection of volatile data is the possible capture of IP (Internet protocol) connections being used by running applications. If external log sources aren't available then those connections will be lost when the system is disconnected from the power.
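A minimal live-response step for the IP connections described above, as an added Python example that is not from the article: it parses "netstat -ano" style output, joins each PID to a process name, keeps only the established sessions to outside peers, and hashes the raw capture before interpreting it so the parsed view can be re-verified later. The netstat text and the PID-to-process map are constructed sample data, not a real capture.

```python
import hashlib
import re
from collections import namedtuple

# Constructed sample of "netstat -ano" output from a live Windows host (not a
# real capture): one outbound session, one listener, one loopback session, one UDP socket.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.5:443        ESTABLISHED     1884
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1050         127.0.0.1:1051         ESTABLISHED     1884
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID-to-process map, as "tasklist" would report it (assumed values).
PROCESS_BY_PID = {1884: "app.exe", 900: "svchost.exe", 4: "System"}

NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
Connection = namedtuple("Connection", "proto local remote state pid process")

def parse_netstat(raw: str, process_by_pid: dict) -> list:
    """Turn netstat -ano text into Connection records, joining each PID to its process name."""
    conns = []
    for line in raw.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, lhost, lport, rhost, rport, state, pid = m.groups()
        conns.append(Connection(proto, f"{lhost}:{lport}", f"{rhost}:{rport}",
                                state or "", int(pid),
                                process_by_pid.get(int(pid), "<unknown>")))
    return conns

def external_connections(conns: list) -> list:
    """Established sessions to non-loopback peers: the part that vanishes with the power."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and not c.remote.startswith("127.")]

def evidence_record(raw: str) -> dict:
    """Hash the raw capture before interpreting it, so the parsed view can be re-verified later."""
    return {"sha256": hashlib.sha256(raw.encode()).hexdigest(),
            "external": external_connections(parse_netstat(raw, PROCESS_BY_PID))}
```

On a real system the raw text would come from running the tool once and saving its output unmodified; the hash is taken over that saved output, never over the parsed records.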
The risk of identity theft has caused greater use and availability of encryption (coding data so that it is unreadable except with the proper key to decipher), which is now offered on storage devices from thumb drives to external hard drives. It's often impossible to obtain evidence from the devices without passwords. Program passwords can sometimes be found resident in memory and contained in volatile data. Also, hacker code often contains passwords in use and resident in volatile data.
Another example of evidence found in volatile data could be information related to the last document printed from the suspect computer. Windows XP has greatly increased the speed with which print jobs traverse the network to the networked printer, leading to decreased use of a print server (a shared server assigned to handle the files sent to the printer, used as temporary storage for the printed files). Most new printers have large hard disks that act as "print spoolers" - internal print servers. Instead of spooling the print job on the local machine's disk, the print job is spooled in memory and then sent down the pipeline to the printer almost immediately. The increase in computer memory means there's less need to spool the file in a temporary file on the hard disk, so the spooled print job remains only in volatile memory.
The new generation of network-enabled (the ability to conduct forensic examination via a network) forensic software products such as ProDiscover by Technology Pathways and Encase Enterprise Edition from Guidance Software allow the forensic examiner to discover and capture some of these processes in a forensically sound manner by accessing the data in the least intrusive manner possible. Most of the other forensic software manufacturers such as AccessData are planning to include this capability in future versions.
For those who are just wondering whether you have a root kit running on your system, the software RootkitRevealer will head you in the right direction. Available for download at www.sysinternals.com, the product doesn't actually identify a root kit, but it does show you hidden processes that could be one. It's up to you to make your own identification and choose a course of remediation.
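The cross-view comparison that such tools rely on, as an added Python illustration that is not the Sysinternals code: a high-level (API) enumeration of processes is compared against a low-level (raw) enumeration, and an entry present in the raw view but absent from every API snapshot is flagged for the examiner to investigate, while an entry missing from only some snapshots is treated as a process that simply exited. All process lists, PIDs and names are constructed sample data.

```python
# Constructed raw (low-level) view of running processes; PIDs and names assumed.
RAW_VIEW = {4: "System", 900: "svchost.exe", 1884: "app.exe",
            2040: "svchost.exe", 2210: "cmd.exe"}
# Two constructed API-view snapshots taken a moment apart: PID 2210 exits
# between them (benign timing noise), PID 2040 never appears in either.
API_SNAPSHOTS = [
    {4: "System", 900: "svchost.exe", 1884: "app.exe", 2210: "cmd.exe"},
    {4: "System", 900: "svchost.exe", 1884: "app.exe"},
]

def cross_view(raw: dict, api_snapshots: list) -> dict:
    """Classify every raw-view process as hidden (absent from all API snapshots),
    transient (absent from some, i.e. probably just exited) or visible.
    A 'hidden' result is a discrepancy to examine by hand, not a rootkit verdict."""
    result = {"hidden": [], "transient": [], "visible": []}
    for pid, name in sorted(raw.items()):
        missing = sum(pid not in snap for snap in api_snapshots)
        if missing == len(api_snapshots):
            result["hidden"].append((pid, name))
        elif missing:
            result["transient"].append((pid, name))
        else:
            result["visible"].append((pid, name))
    return result

def report(raw: dict, api_snapshots: list) -> str:
    """Human-readable summary of the discrepancies for the case notes."""
    r = cross_view(raw, api_snapshots)
    lines = [f"hidden from API view: {r['hidden']}",
             f"transient (timing noise): {r['transient']}",
             f"visible in both views: {len(r['visible'])} processes"]
    return "\n".join(lines)
```

Taking at least two API snapshots is what separates a process that is genuinely being concealed from one that merely ended between the two enumerations.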
Volatile situation
Today's forensic investigators must broaden their original thinking about computer seizure and digital evidence. Depending on the type of investigation, valuable inculpatory and exculpatory evidence may be residing in memory. Volatile data also can reside in other commonly used storage devices. Evaluate the pros and cons of attempting to obtain volatile data and if it might be necessary. The advice of a trained forensic examiner can help you evaluate the need for this potentially valuable digital evidence.