CIS2750 - Securing Information Systems

Chapter 13, Cyber Detective; Chapter 14, Introduction to Forensics; Chapter 15, Cybersecurity Engineering


Chapter 13 focuses on investigative skills. It takes us on a short tour of web searches. Objectives important to this lesson:

  1. Obtaining contact information
  2. Obtaining court records
  3. Obtaining criminal records
  4. Using newsgroups
Chapter 13

The chapter begins with some references to previous chapters, and the idea that an identity thief might begin with a few simple searches and build a crime on them. The author makes it clear that his intent is to teach you what you may not know so you can expect it and potentially defend against it.

His discussion begins with some general search advice, some of which is dated. Most of us would not start a search on Yahoo, although it always recommended to run searches through different engines to get the most variety in your results. Of the search sites listed, I might recommend and, although the information you are looking for could be found on Facebook or LinkedIn if the target is likely to have used either. Of course, some people don't like public scrutiny. Others do.

The text briefly mentions online court records. As I have had the need to do so, I have found several useful sites associated with local court systems which have been helpful in finding my own records. Finding the records of others can be useful, but make sure you have permission to go looking before you consider doing so.

The text is correct, that there are both federal and state web sites where one might look up registered or convicted sex offenders, but we are cautioned that data is not always correct. I have had the need to edit databases of such information in the past when requested by official sources who determined that errors had been stored in the data. Correcting errors, and logging such corrections, are necessary parts of being a database administrator. I felt mixed relief and loss when my job changed and I no longer had the responsibility or ability to make changes in such data.

The text provides links to run searches for current and released prison inmates, as well as for court records. These can be useful, but once again, we are reminded to confirm any data that we gather from such searches.

The chapter's information about Usenet newsgroups is less current and less useful than the rest of the chapter. It is unlikely to be of as much use as the other sources that the author discusses.

Chapter 14, Introduction to Forensics


Chapter 14 has a good bit more to say about cyber forensic work. Objectives important to this lesson:

  1. What is cyber forensics
  2. Forensic hard drive copies
  3. Forensic tools

This chapter does not introduce cyber forensics, but it would provide a good introduction to it if you had not read the previous chapters. The word "forensic" has several definitions, but the one the chapter concerns itself with is the one from CERT on page 386: using scientific procedures to collect, preserve, analyze, and present valid legal evidence in court cases.

Forensic concerns can be contrary to IT operating principles. Our first instinct should be to repair a device or restore it to proper operating status. In a situation in which there may be something to prove in a courtroom, we are required to isolate, contain, and otherwise NOT change the state of a device whose condition points to a crime. This is not something that every technical person is trained for. As such, it may be necessary to immediately consult with senior staff or specialists who may advise us, or may begin a forensic investigation themselves.

The following is a list of concerns that apply to collection or seizure of devices, data, or other items that may be submitted as evidence in a court. It assumes that you are an IT employee of the corporate entity whose equipment will be searched. The rules are a bit different if police are searching for evidence of a crime.

  1. Does the organization have a policy that allows for a search for evidence? (An exhibit submitted to a court is not evidence (as a court defines the work) until it is accepted as such by a judge. The word "evidence" is used here in the general sense, something that seems like it may be needed to prove a case.)
    If there is such a policy, does it apply to all staff, and have the staff associated with the potential evidence agreed to the policy?
  2. Is there a reasonable cause for a search to be made?
  3. Is the scope of the search permissible?
    Items 2 and 3 are based on the fourth amendment to the United States Constitution. As explained by this user friendly web page, the amendment relates to personal property, not to property owned by the party conducting the search. It is still required, however, that a search be made in a context that is justified by the conditions/situation/accusation that led to the search. You can't search for something in a place where you would not expect to find it.
  4. Verify that the organization owns the "containers" to be searched, such as computers, phones, file folders, external storage devices, and network devices.
  5. The search must be authorized by appropriate management, by an audit requirement, or by an actual subpoena.

A plan for a forensic investigation (looking for evidence, and presumably looking for the truth) should include three aspects that will affect the costs:

  • How much it will cost to conduct the basic investigation? - This is a frequent topic when there is a request for information from email. Setting up a holding area, restoring archived mail to that area, and examination by expert staff all cost more than daily operations cost. Any investigation will have costs that may not be acceptable to the requester.
  • How long will the investigation take? - Making our own staff available to do it may be less expensive, and take less time, than granting access to an outside agency, and holding their hand while they figure out our system.
  • What parts of the data to be examined are sensitive? - Sometimes the answer is "all of it", which will elevate the cost, and extend the time it will take to do it, since care must be taken to protect the rights of persons whose personally identifiable information may be contained in the data.

The chapter continues with general advice about keeping a hands off policy regarding equipment that is being examined. You should never make any changes to devices in evidence. The accepted process is to make an exact copy of storage media, and to conduct your examination on the copy. This preserves the state of the seized equipment, and keeps it available to make another copy should that become necessary due to any accident in the investigation. The text covers some methods of making a forensic image of equipment by several means.

The text addresses the less desirable situation of having to examine a device and being unable to make a forensic copy of it. The author points out that equipment that has been take during the arrest of a subject may still be running, which may require not just copying data, but examining the device's RAM, running applications and processes, and data that may be in the process of being moved from one location to another.

Any organization that conducts forensic examinations should have established rules about documentation, such as documenting who collected anything, where it came from, how it was stored and protected, and who looked at it while it was in custody. Rules about the care of such evidence are often referred to as rules about Chain of Custody or Chain of Evidence.

The text presents guidelines from several investigative agencies that are all compatible, but that vary a bit from one set of rules to another. The agencies discussed are:

  • the FBI
  • the United States Secret Service
  • the Council of Europe Convention on Cybercrime
  • the Scientific Working Group on Digital Evidence

The chapter continues with a discussion of some common tools used in forensic examination. Follow this link to an article that provides the names, descriptions, and links to more information about twenty three forensic tools. In this section, the chapter discusses what you might look for and what tools you might use if the only things you have at hand are the accessible utilities in a given operating system. For instance, all browsers download data and save files. All operating systems keep logs of significant events. Files can be deleted, but they are not really gone until the operating system reuses the storage space the deleted files were in. If the seized device has not been used since the deletion, the files may still be in place.

The chapter goes on for several more pages which will be mainly interesting to professional in this part of cyber security and to students who have a interest in exploring that profession.

Chapter 15, Cybersecurity Engineering


Chapter 15 is pretty short, but the author tries to introduce another related specialty to the reader. Objectives important to this lesson:

  1. What is cyber systems engineering
  2. Applying cybersecurity to cyber systems engineering

The introduction discusses two approaches to cybersecurity. The first is about management skills. This is nonsense. You will never defend a system from cyber attack by only being a good manager. The chapter deals mostly with the other approach, the one that is more about technology.

The author fiddles about for another page or two, then begins the discussion of computer systems engineering. A system engineer should be a purposeful investigator, a serious designer, a seeker of practical solutions, and a valiant defender of company assets. The text discusses conducting ongoing research on attacks that have been detected in similar installations, on using appropriate planning and design documents, and being conversant with the laws and regulations that apply to the company paying for the designer's knowledge, expertise, and creativity.

If you are having any problems with the author's take on this version of the profession you have been considering, try the video below to get some more absorbable ideas.

As this is the last chapter you are assigned to read in the text, it is likely that you have already stopped reading the book since this chapter appears to contain a good deal of fluff. That being the case, at least take a look at the diagrams and charts in the text to get an idea of how to read one when it shows up in an interview