US ATTACK: Forensic tools may play role in investigation
- 13 September, 2001 08:00
With investigations already well under way, U.S. federal agencies, including the Federal Bureau of Investigation (FBI), will turn to a variety of technologies to help them to identify those involved with Tuesday's terrorist attacks in the U.S. Such technologies could include digital forensic tools, according to security experts at digital security consulting firm, @stake Inc.
"The investigation is going to be very physical, checking such things as flight records and credit records. I'm not sure what area of digital security may be used right now, but forensic tools will most likely play a part at some point. Probably at this stage there will not be a lot of direct forensic evidence needed," said Phil Huggins, @stake's managing security architect in the company's U.K. office.
According to Huggins, telephone taps, on both land lines and mobile telephones will play a key role in the investigation as will the FBI's controversial Carnivore Internet surveillance tool.
Called DCS1000 by the FBI, Carnivore is a software program that monitors packets of data passing through an ISP's (Internet service provider's) network. Officials at the FBI declined to comment on any details of its investigation.
Similar to Carnivore are the software programs set up by the U.K. government to support the Regulation of Investigatory Powers Act (RIPA), passed last year. "Most definitely, the U.K. government will play an integral part in the investigations since RIPA provides such sweeping powers," Huggins said.
RIPA requires ISPs in the U.K. to track all data traffic passing through their computers and route it to the Government Technical Assistance Center (GTAC). The GTAC has been established in the London headquarters of the U.K. security service, MI5 -- the U.K. equivalent of the FBI. Though the U.K. Home Office declined to comment on any involvement, it may or may not have in ongoing investigations into the terrorist attracts, U.K. Prime Minister Tony Blair on Tuesday pledged that the U.K. will "stand shoulder to shoulder with the U.S."
According to Huggins, @stake has also offered its services to the federal government to aid in the investigation, but he did not know if the company was as of yet involved in tracking down the terrorists. "We have worked very closely with federal agencies in the past, as we have a lot of employees who are former FBI employees and White House security staff," Huggins said. One such employee is Edward Appel, who is currently on @stake's Technical Advisory Board and was for 28 years an FBI executive specializing in counterintelligence and counterterorrism.
Investigators are already looking for data to implicate or identify targets that they can in turn focus on to assist in collecting further data against the terrorists and to also collect data that could be used in future court proceedings, Huggins said.
"They will be looking at computer systems which produce and store detailed logging information. It is the very unsexy side of data investigations. Things like airport logs and mobile phone call logs will all be looked at. Investigators will obviously be trying to find as much information as possible on those who were involved in planning the attacks and there will be some work with live instant analysis. Every contact leaves a trace, however small, " Huggins said.
One tool that Huggins believes may be used to track digital data is The Coroners Toolkit (TCT), a suite of freeware tools, parts of which @stake distributes. TCT was originally written by Dan Farmer, a researcher for Earthlink Networks, and Wietse Venema a researcher at IBM Corp.'s T.J. Watson Research Center.
"TCT is a standard tool, or rather a collection of tools that are designed to assist in a forensic examination of a computer. It's designed for Unix systems, but it can also get some data collection and analysis from non-Unix disks and media," Huggins said.
Huggins pointed out that though it may be a time-consuming process, data files will be recovered and reconstructed to try and piece together evidence. "Once you delete a file, contrary to popular belief, it doesn't just go away. You have an index that can then be used to trace information," he said.
One aspect of TCT is something called grave-robber, a program that controls a number of other tools, all working to capture as much information as possible about a potentially compromised system and its files, Huggins said.
And though TCT can collect a massive amount of data, separate tools are needed to analyze that data -- tools that @stake has written in-house which it calls TCTUTIL. "The TCTUTIL tools are for investigations using the file and directory name layer, for viewing deleted file names and it also gives mappings between the different file system layers," Huggins said.
"One thing for certain, the correlation and analyses of all of the digital data will be a key factor in any investigation. There will be many librarians and clerks who will be trying to analyze the systems. It could take months," Huggins said.
While there are a number of tools that have been recently created to aid in investigations, tools such as TCT are important because the data collected by the programs is trusted by courts of law in the U.S. and can be used as evidence.
"Rather than test these tools, which involves a lot of complicated technology and the understanding of related technologies, courts instead rely on tools that have been used in past trials -- even if there are technologies that are more up-to-date and effective. TCT is certainly one of those tools as it's been used many times in court cases," Huggins said.
TCT can be accessed at http://www.fish.com/tct/ and http://www.porcupine.org/forensics/.