Thursday, July 26, 2007

Keeping up with the Joneses

I had the pleasure of sitting down the other day with a technology law professor, and we began discussing the issues surrounding memory capture: not only the impact a collection can have on a system and how opposing counsel might attack that capture when it is presented as evidence, but also the fact that the industry lacks standards and instead relies on best practices, which presents its own set of issues.

I was pointed to a tort case involving tugboats, of all things. The T.J. Hooper is a rather important case, it would seem, and as it is oft cited I'll leave it to readers to look it up. In short, the case involved a cargo company, a towing company and a barge company. The towing company assigned a number of tugboats to pull the barges up the Atlantic coast from Virginia, and the cargo was lost in a storm off New Jersey. The cargo company claimed the barge company was at fault; the barge company in turn claimed it was the fault of the towing company. Not for any structural fault in the tugboats, which were seaworthy vessels; the court held the tugs unseaworthy because they carried no radios with which to receive weather reports.

Radios on tugboats in 1928: this was not the standard, or even commonplace, in that era. Some companies did have them, however, and it was argued that radios were a best practice and that the tug company should be faulted for not having them. The case ended up being about custom versus negligence: was it customary for tugs to carry radios, and was the tug company negligent for not carrying them? The court's answer was that custom is not the measure of reasonable care; in Judge Learned Hand's words, "there are precautions so imperative that even their universal disregard will not excuse their omission."

The professor I spoke with termed this "keeping up with the Joneses" and said it is up to us to set the current best practices and to ensure that all practitioners follow them, lest those who do not be held liable for negligence because others are performing live response and memory captures.

So, what is current best practice for live response?

Many would say that current best practice is to capture memory before doing anything else on the system, because it is the most volatile source of data.

I support this as a best practice; however, there is a major problem with the idea: judgment. The trouble with following best practice rather than a standard is that judgment calls must be made, and make the wrong call and you could be held liable for negligence. So perhaps the industry needs to define the cases in which a given best practice applies. Undoubtedly someone will respond that these cases have already been defined. I would argue that they have been defined only in a cursory manner, and I would ask where these best practices are actually written down, and which one is the best practice when opinions differ.

Do we then begin to claim that one person is more credentialed than another, and therefore the less credentialed person's opinion is not to be followed?

Other questions that some would ask:
When should you use a USB key instead of a network capture?
Should you capture memory twice during your response (before and after execution of response tools)?

EDIT 8/2/07: This bears clarification. It has been suggested that memory captures be taken twice during a response effort, from two different devices. I have also been asked the above question before.

Is it best practice to capture memory before doing anything else on the system, even when the time it takes to capture memory is prohibitive?
If you're in a race against time, what do you do?
Do you need to run 40 tools in a script when much of that information can be gathered from memory?
Do you need to run 40 tools in a script when 20 will suffice?
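Whatever answer you settle on for these questions, the judgment call itself is what gets attacked later, so it has to be on record. As an added example, not code from the post or its comments, the script below runs a step list in a fixed order, memory first, and writes a manifest recording each command, the hash of the tool binary that was actually executed, UTC timestamps, exit status and the hash of each output, then re-verifies the outputs against the manifest. The Linux step list and the /media/response paths are assumptions, "memdump" is a placeholder and not a real tool, and the demo function uses the interpreter itself as a stand-in for the tools so the example runs offline.

```python
"""Ordered live-response collection with a per-step manifest (added example).

Steps run in the order given, memory first (the order of volatility).  For each
step the manifest records the command, SHA-256 of the tool binary run, UTC start
and end times, exit status and SHA-256 of the output, so the collection's
sequence and integrity can be shown later rather than recalled.
"""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import sys
import tempfile
from datetime import datetime, timezone


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_step(name, argv, outdir, timeout=None):
    """Run one tool, capture its stdout to a file, return the manifest entry."""
    out_path = os.path.join(outdir, name + ".out")
    tool = shutil.which(argv[0]) or argv[0]
    entry = {"step": name, "argv": argv, "tool_path": tool,
             "tool_sha256": sha256_file(tool) if os.path.isfile(tool) else None,
             "started": utc_now()}
    with open(out_path, "wb") as fh:
        proc = subprocess.run(argv, stdout=fh, stderr=subprocess.PIPE, timeout=timeout)
    entry.update({"ended": utc_now(), "exit_status": proc.returncode,
                  "stderr": proc.stderr.decode(errors="replace")[:4000],
                  "output": out_path, "sha256": sha256_file(out_path)})
    return entry


def run_collection(steps, outdir, timeout=None):
    """Run steps in order, rewriting the manifest after every step so an
    interrupted collection still documents exactly what was done."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"host": platform.node(), "platform": platform.platform(),
                "collector_started": utc_now(), "steps": []}
    manifest_path = os.path.join(outdir, "manifest.json")
    for name, argv in steps:
        try:
            entry = run_step(name, argv, outdir, timeout)
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is recorded as such, not silently skipped.
            entry = {"step": name, "argv": argv, "started": utc_now(), "error": repr(exc)}
        manifest["steps"].append(entry)
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)
    manifest["collector_ended"] = utc_now()
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest):
    """Recompute output hashes; False if any captured file is missing or changed."""
    for entry in manifest["steps"]:
        if "sha256" in entry and (not os.path.isfile(entry["output"])
                                  or sha256_file(entry["output"]) != entry["sha256"]):
            return False
    return True


# Hypothetical Linux step list (an assumption, not the post's own procedure): tools
# run from the response media rather than the suspect host's PATH, and "memdump"
# is a placeholder for whatever memory acquisition tool is in use, not a real name.
EXAMPLE_STEPS = [
    ("memory", ["/media/response/bin/memdump"]),
    ("date", ["/media/response/bin/date", "-u"]),
    ("processes", ["/media/response/bin/ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("sockets", ["/media/response/bin/ss", "-antp"]),
]


def demo_collection():
    """Offline run with constructed steps (the interpreter stands in for the tools),
    including one tool that exits non-zero and one that does not exist."""
    steps = [
        ("memory", [sys.executable, "-c", "print('hello')"]),
        ("processes", [sys.executable, "-c", "import sys; sys.exit(3)"]),
        ("missing_tool", ["/nonexistent/response/tool"]),
    ]
    return run_collection(steps, tempfile.mkdtemp(prefix="lr-"), timeout=30)


if __name__ == "__main__":
    m = demo_collection()
    print(json.dumps(m, indent=2))
    print("manifest verifies:", verify_manifest(m))
```

The output directory is wherever the response media is mounted; if the acquisition has to go over the network instead, the same manifest discipline applies to whatever receives the stream. Rewriting the manifest after every step is deliberate: if the host dies or the responder has to abort mid-collection, what was done up to that point is still on record, and a step that failed or timed out appears in the manifest as a failure rather than as a gap.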

So, when you're performing a live response, remember The T.J. Hooper. Since we all follow best practice for lack of a standard, unless we all start dancing to the same tune, negligence will be hanging overhead at every turn.


EDIT: When I say I want cases, I don't literally mean legal cases, although it would be nice to have those as well. I was referring to cases as scenarios for when to and when not to do certain things.

11 comments:

H. Carvey said...

...however there's a major problem with this idea; Judgement

I would submit that what you do not want is a series of cases, but rather education. If you provide a series of cases or instances, you're going to end up with a situation that doesn't fit any of those cases. However, if you provide education, then people can apply that education.

When should you use a USB key instead of a network capture?


Should you capture memory twice during your response(before and after execution of response tools)?

Why would you do that?

Is it best practice to capture memory before doing anything else on the system, even though the time it takes to capture memory can be prohibitive?

This is part of education. One must define 'prohibitive'. What is prohibitive for law enforcement may not be prohibitive for a consultant.

If you're in a race against time what do you do?

Depends on the situation. When developing security or CSIRP policies for an organization, there are certain base items that are consistent, but each organization must develop their own, based on their critical assets, infrastructure, organizational culture, etc. The same may ultimately be true for memory acquisition...there are certain technical aspects that may apply across all verticals (consulting, law enforcement, etc), while specifics such as the questions you're asking will need to be addressed by each vertical.

Do you need to run 40 tools in a script, when much of that information can be gathered from memory?

Perhaps. Given that the tools to collect the same information from a memory dump are not readily available (yet), this may be an option, or even a requirement.

hogfly said...

I would submit that what you do not want is a series of cases, but rather education. If you provide a series of cases or instances, you're going to end up with a situation that doesn't fit any of those cases. However, if you provide education, then people can apply that education.

Very true. Let me ask you this, though. If two people follow different sets of best practices and train people independently, we still end up with disparity in the industry. (I'm not suggesting that we can ever have a utopian industry where we all follow the same rules, but core best practices need to be followed.) For instance, let's say I go to SANS and take the GCFA course, and then I go and take a CHFI course and learn different practices. Which is correct? If SANS is using techniques that are 5 years old, is it still best practice? It then becomes a question of credibility, I suppose.

Why would you do that?

I'm not saying I would. I'm suggesting that I've been asked that question. It has been suggested in writing that two captures be taken - not necessarily before and after response, but during.

I agree with everything else you've said but these are some issues(there are more) to be addressed in so far as relying on best practice versus standards.

I just ordered Mastering Windows Network Investigations to see how it compares to other writings and to see what best practices they are claiming should be followed. I'm sure it will be different than others.

Anonymous said...

Yes you want cases - case law is how precedent is set until the slower legislative law can take effect.

hogfly said...

Paul,
I understand how precedents are set. I think you may have misinterpreted what I was saying. By 'cases' I meant situations or circumstances. I should probably make a note of that given the topic.
Thanks!

H. Carvey said...

When I say I want cases, I don't literally mean legal cases, although it would be nice to have those as well. I was referring to cases as scenarios for when to and when not to do certain things.

I can see using examples, but the problem with using cases in this manner is that too many people out there will be focusing on the cases/scenarios themselves, and will then be stuck when presented with a situation that is sufficiently dissimilar from the cases.

Why would you do that?

I'm not saying I would. I'm suggesting that I've been asked that question. It has been suggested in writing that two captures be taken - not necesssarily[sic] before and after response, but during.


Given your view into and knowledge level of the topic, don't you think that you would be able to discuss the pros and cons of such a thing?

Also, could you post where this has been suggested in writing? I'd be very interested to read this material.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Actually, that's brilliant. Thank you. I'm going to pass that on to a couple of people.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Please write anything else!

Anonymous said...

Nice article.