I have been part of the Incident Response and Digital Forensics world now for about ten years. During my tenure, I have come across an alarming and unfortunately recurring theme: a huge number of “investigators” have not been exposed to the basics of investigative methodology. They have toolkits, and dongles, and can use industry buzzwords like “forensic image” and “registry analysis”, but the actual in-depth knowledge of what those (and many other) terms mean and why they are important eludes them. It is for this reason the SpiderLabs Incident Response Team developed and implemented the Sniper Forensics methodology.
In this first part, we are going to cover some of the absolute basics of investigative methodology that are common to all disciplines of forensic science. These are time honored principles that, when applied properly, can introduce simplicity into an otherwise complex situation, and yield concrete results. Specifically, I am referring to Occam’s Razor, Locard’s Exchange Principle, and the relative newcomer, The Alexiou Principle.
William of Occam (or Ockham) was a Franciscan Friar in England during the 14th century, and is considered to be one of the major contributors to medieval thought. He wrote treatises on logic, physics, and theology, but for our purposes, we will stick to his work in the area of theology, specifically a theory he developed named “Occam’s Razor”.
Often communicated in the Latin, “lex parsimoniae”, this principle states that when selecting a hypothesis, the one that makes the fewest new assumptions is more likely to be correct. Of Occam’s Razor, Sir Isaac Newton was quoted as saying, “We are to admit no more causes of natural things than such as are both true and sufficient to explain their appearances. Therefore, to the same natural effects we must, so far as possible, assign the same causes.”
Let’s bring these ideas into the modern vernacular, and more specifically, into the world of cyber forensic investigations. I believe the most accurate modern translation of “lex parsimoniae” would be “keep it simple, stupid”, or the “KISS” principle.
Modern computing environments can confuse an investigator with all of the possibilities that may be part of an incident. One can easily develop “analysis paralysis” simply due to the huge data sets that can reach into the hundreds of gigabytes or terabytes. It is not feasible to think you are going to be able to walk in, image a 3 Terabyte NAS, load it into a forensic program, and hope it works. This is where Occam’s Razor can become a critical component of your investigative methodology…limiting your data sample to the components that are part of the incident, nothing else.
By limiting yourself to a hypothesis with few assumptions (remember…keep it simple), you can eliminate a great deal of the fog of investigation from your view. This will allow you to focus on what is likely the real nature of the incident. Now this is not to say that some incidents cannot be very complex, because they can be and often are. But allow the evidence to be, as Newton indicates, “true” and “sufficient” to explain its existence. I think you will be amazed how much clarity and focus this will provide to your investigations.
Dr. Edmond Locard was a forensic scientist in Lyons, France during the early 20th century until his death in 1966. He is regarded as the father of modern forensic science, establishing the first crude forensics lab in a two-room attic in 1910.
Dr. Locard established something referred to as “Locard’s Exchange Principle” or “Locard’s Theory”. It was best summarized by Paul L. Kirk in 1953…
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”
To summarize, this principle basically states that residual traces of every action will be left behind by the perpetrator; you simply have to know what they are and where to look.
Applying this to cyber forensic investigations, actions like remote logins, file creation, deletion, and modification, plugging in a USB device, connecting to a wireless access point, and opening a digital photograph will leave residual evidence of that event having taken place. This data is cold, hard, and indisputable. Knowing where to find it will initially prove more difficult than interpreting it.
The final theory we will cover in this post is The Alexiou Principle. This theory was initially developed by Mike Alexiou, but was not documented until 2009 when I asked him if I could write it down and name it after him. Like Occam’s Razor and Locard’s Exchange Principle, The Alexiou Principle uses logic to introduce simplicity into what is otherwise a complex situation.
The Alexiou Principle is comprised of the following four elements:
- What question are you looking to answer?
- What data do you need to answer the question?
- How do you extract and analyze that data?
- What does the data tell you?
By following these four simple steps, an investigation, no matter how complicated, can be broken down into smaller, more manageable fragments. By simply documenting each question, identifying the data element(s) necessary to answer that question, extracting and analyzing that data, and then allowing the data to provide you with an answer, you can provide concrete answers in a very short period of time…clearly and concisely. Additionally, this principle has a built-in safeguard that prevents the practitioner from making up answers, or drawing a conclusion that is contradictory to the evidence. If employed, any answer apart from the logical one will become blatantly obvious to the investigator or others on the team.
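The four steps above, applied to one of the residual traces mentioned earlier (remote logins), as an added example that is not part of the original post and not the SpiderLabs team's own tooling. The question, the incident window, the host name, the accounts and addresses, and the sshd log lines are all constructed for illustration; the log year is assumed to be 2024 because classic syslog timestamps omit it.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Step 1: the question we are looking to answer, written down before touching data.
QUESTION = ("Which accounts authenticated over SSH to web01, from which sources, "
            "during the incident window?")

# Step 2: the data needed to answer it is the sshd authentication records.
# Constructed sample auth log (not real data) from a hypothetical host "web01".
SAMPLE_AUTH_LOG = """\
Mar 14 01:02:11 web01 sshd[2201]: Accepted password for deploy from 10.0.0.5 port 51112 ssh2
Mar 14 02:17:45 web01 sshd[2388]: Failed password for root from 198.51.100.23 port 40211 ssh2
Mar 14 02:17:49 web01 sshd[2388]: Failed password for root from 198.51.100.23 port 40211 ssh2
Mar 14 02:18:03 web01 sshd[2390]: Accepted password for admin from 198.51.100.23 port 40219 ssh2
Mar 14 02:19:30 web01 sshd[2390]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar 14 09:45:02 web01 sshd[3102]: Accepted publickey for deploy from 10.0.0.5 port 51500 ssh2
"""

# Only authentication outcomes are in scope for the question; everything else is ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class LoginEvent:
    when: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    method: str   # "password", "publickey", ...
    user: str
    src: str
    port: int


def parse_ssh_events(log_text, year=2024):
    """Step 3a: extract only the records that can answer the question."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not an authentication outcome, so outside the question's data scope
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(LoginEvent(when, m["host"], m["result"], m["method"],
                                 m["user"], m["src"], int(m["port"])))
    return events


def answer_question(log_text, window_start_iso, window_end_iso, year=2024):
    """Steps 3b and 4: analyze the extracted data and let it state the answer."""
    start = datetime.fromisoformat(window_start_iso)
    end = datetime.fromisoformat(window_end_iso)
    events = [e for e in parse_ssh_events(log_text, year) if start <= e.when <= end]

    accepted = sorted((e.user, e.src, e.method, e.when.isoformat())
                      for e in events if e.result == "Accepted")

    # Sources that failed authentication and later succeeded inside the window are
    # worth a follow-up question; the data raises it, the investigator does not guess it.
    seen_failure_from, failed_then_succeeded = set(), set()
    for e in sorted(events, key=lambda ev: ev.when):
        if e.result == "Failed":
            seen_failure_from.add(e.src)
        elif e.src in seen_failure_from:
            failed_then_succeeded.add(e.src)

    return {
        "question": QUESTION,
        "events_in_window": len(events),
        "accepted_logins": accepted,
        "failed_then_succeeded": sorted(failed_then_succeeded),
    }


if __name__ == "__main__":
    # Assumed incident window: 02:00 to 03:00 on the day of the constructed log.
    result = answer_question(SAMPLE_AUTH_LOG, "2024-03-14T02:00:00", "2024-03-14T03:00:00")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Each new question the answer raises (for instance, what the account that logged in from the source with prior failures did next) gets its own pass through the same four steps, against the data elements that question needs and nothing more.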
In conclusion, we have discussed (at a high level) the theories used to formulate a comprehensive investigation plan. By using logic and time honored principles that are employed in every other discipline of forensic science, these theories will also help the user introduce simplicity into what is otherwise a very complicated world – that of cyber forensic investigations.
In the next part, we will cover how using the Sniper Forensics methodology will guide the investigator in determining what to “Snipe”. This will be a critical component in implementing the methodology successfully, so don’t miss out!