Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or "hacking" techniques in order to obtain forensic evidence, a process here referred to as "Hostile Forensics". This issue has not been adequately discussed in the forensic community at large, and as such there has been very little planning or public collaboration to discuss issues and define standards, tactics, strategies and best practices. It is a particular problem for U.S. law enforcement, which currently has few (if any) legal ways to proactively obtain permission to use penetrations in a law enforcement operation. This document represents the results of a thought experiment by the author about how one might structure a Hostile Forensics operation with the greatest degree of assurance possible, and an investigation into the issues and approaches of penetration-based forensics.
Whether or not Hostile Forensics would be legal, or indeed even a good idea, remains to be seen, and will vary from place to place and legal context. Certainly, in some very specific circumstances, such as a covert investigation of an organization's own property where consent has been obtained, there is already a case to be made for the legality of these techniques. It is hoped that by detailing a methodology that includes strong internal controls, analysts will be able to provide at least some assurance that the evidence obtained is trustworthy. Similarly, with adequate internal controls, the opportunity for an unethical analyst to plant evidence or otherwise "frame" an innocent person should be greatly reduced. In this way, it is hoped that forensic investigators will be able to perform their function for society while still respecting the rights of the individual - a challenge that is sure to become more and more difficult as technologies such as encryption become more widespread.
This document has two parts. The first part is an overview of the issues surrounding digital forensics in the modern age, as perceived by a technical practitioner but legal layman. The second part of the paper is an attempt to outline a general methodology and set of controls and techniques that might be used to perform a Hostile Forensics operation. A non-technical reader may be more interested in the first part, whereas a strictly technical reader may be more interested in the latter.
Current Version (1.0):
Example internal controls spreadsheet:
http://lachniet.com/forensics/2011-06-15_Sycophant_Inc_HF_Controls.ods (Open Document Format)
http://lachniet.com/forensics/2011-06-15_Sycophant_Inc_HF_Controls.xls (Excel Format)
SANS Blog post for discussion: