Unveiling cyber threats that can impact investigations
Many cyber investigations require a comprehensive understanding of any cyber threats or malware infections that may affect the examination. The impact on criminal investigations, civil litigation, human resource actions and incident response engagements can be serious, depending on the specific threats or malware discovered.
For example, identifying steganography (data hiding) applications used by employees to leak sensitive information from inside an organization could have far-reaching implications. Identifying Trojans or rootkits in legal cases can lead to the 'Trojan horse defense', in which the suspect claims that a Trojan, rather than the suspect, was responsible for the illegal activity that has been proven to have taken place on their computer or network. This defense has succeeded in a number of cases. In the case of Aaron Caffrey's alleged attack on the Port of Houston's IT systems, Caffrey claimed a Trojan was responsible even though forensic analysts were unable to find evidence of a Trojan on his computer. Caffrey convinced the jury that some Trojans are designed to self-delete after execution, and that this is why the search was unsuccessful.
C-TAK (an EnCase App Central App) is designed to assist investigators in identifying such threats from within the EnCase v7 environment. Identifying cyber threats, or the remnants of their activity, gives investigators key evidence about both the category of threat and the specific threat instance, and so a better understanding of the cause, effect and functional capabilities of the discovered threat or malicious software.
To use C-TAK, open EnCase App Central, download the App, and install the associated EnPack. Once installed, C-TAK is available directly from the EnScript menu. After processing the case in the standard way with EnCase v7, simply select C-TAK from the EnScript menu.
This launches C-TAK, which searches all objects within the currently selected case for artifacts relating to cyber weapons and malware.
Once the scan has completed, C-TAK produces a report of the findings, listing the category, program and files associated with each threat.
So that these findings stay tied to the EnCase evidence rather than living only in an external report, C-TAK automatically bookmarks the evidence associated with each finding.
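As an illustration of the scan-report-bookmark workflow described above, here is an added example in Python; it is not C-TAK's code or an EnScript, and the page does not document how C-TAK actually matches artifacts. The signature set, the program names and the in-memory "case" are all constructed for the example (no real threat data is used); matching is by content hash first and filename second, findings are grouped category/program/files as in the summary report, and the matched objects are collected as the set to bookmark.

```python
import hashlib
from collections import defaultdict

# Constructed signature set (NOT C-TAK's real threat data). Each entry names
# a category, a hypothetical program, and the artifacts (known file hashes
# and filenames) whose presence points at that program.
THREAT_SIGNATURES = [
    {"category": "Rootkit", "program": "ExampleKit (hypothetical)",
     "sha256": {hashlib.sha256(b"examplekit driver body").hexdigest()},
     "filenames": {"examplekit.sys"}},
    {"category": "Trojan", "program": "ExampleRAT (hypothetical)",
     "sha256": {hashlib.sha256(b"examplerat payload").hexdigest()},
     "filenames": set()},
    {"category": "Data Hiding", "program": "ExampleStego (hypothetical)",
     "sha256": set(),
     "filenames": {"examplestego.exe", "stegoconfig.ini"}},
]

# Constructed "case": path -> file contents, standing in for the objects a
# forensic tool would enumerate. Two of the four entries are planted to match.
SAMPLE_CASE = {
    "C:/Windows/System32/drivers/examplekit.sys": b"examplekit driver body",
    "C:/Users/alice/AppData/Roaming/update.exe": b"examplerat payload",
    "C:/Users/alice/Documents/report.docx": b"quarterly numbers",
    "C:/Users/alice/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
}


def scan_case(case):
    """Return one finding per (signature, file) match.

    Content hash is checked first, so a renamed copy still matches; the
    filename check is a fallback for a file whose body was not recovered
    intact. A file matches a given signature at most once.
    """
    findings = []
    for path, data in case.items():
        digest = hashlib.sha256(data).hexdigest()
        name = path.rsplit("/", 1)[-1].lower()
        for sig in THREAT_SIGNATURES:
            if digest in sig["sha256"]:
                matched_on = "sha256"
            elif name in sig["filenames"]:
                matched_on = "filename"
            else:
                continue
            findings.append({"category": sig["category"],
                             "program": sig["program"],
                             "file": path, "matched_on": matched_on})
    return findings


def build_report(findings):
    """Group findings as category -> program -> sorted file paths, the
    category/program/files layout of a summary report."""
    report = defaultdict(lambda: defaultdict(set))
    for f in findings:
        report[f["category"]][f["program"]].add(f["file"])
    return {cat: {prog: sorted(files) for prog, files in progs.items()}
            for cat, progs in report.items()}


def bookmark_paths(findings):
    """The evidence objects to bookmark so each finding stays attached to
    the case itself rather than only to an external report."""
    return sorted({f["file"] for f in findings})


if __name__ == "__main__":
    hits = scan_case(SAMPLE_CASE)
    for cat, progs in sorted(build_report(hits).items()):
        print(cat)
        for prog, files in progs.items():
            print(f"  {prog}")
            for path in files:
                print(f"    {path}")
    print("bookmarked:", bookmark_paths(hits))
```

The order of the two checks is the design point worth noting: a hash match survives renaming, while a filename match survives a partially overwritten file, but neither finds a variant that is in neither set. A scan of this kind reports only what its signature set already knows about, so an empty report is evidence of absence only relative to that set.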
The result is a rapid, integrated method for identifying cyber threats and malware in the course of any EnCase investigation. As of this writing, rootkits, Trojans and data hiding applications are included in C-TAK's search space; because the scan works from these threat sets, it can only report threats those sets describe, so findings should be read as "known threats present" rather than as a clean bill of health. Quarterly updates will add categories and update the core rootkit, Trojan and data hiding threat sets. The next update is scheduled for late July 2013 and will include a broad array of anti-forensic tools, used by criminals to cover their tracks.