The enterprise IT market is becoming crowded with specialized products aimed at cyber security. Many of them adopt packet analysis on IP networks. Taking advantage of the fact that switching operates essentially at wire speed and that the cost of storage, in dollars per terabyte, keeps falling, these products capture all packets, in some cases replicating them offline for forensic analysis, in others analyzing packets as they flow by and recording metrics to a log.
Some, such as Solera Networks, look purely for anomalies indicating cyber threats. They record and can play back, almost like tape, recent network activity with the added function of deep inspection of each packet. Real traffic can be compared to a database of known worms and viruses, but looking for new threat behaviors must happen offline.
Other products, like Splunk, are used partly for cyber forensics and partly for application monitoring. They also use the packets coming into the network as the basic element for understanding of and visibility into the network.
These products are located at the network hub, typically as a dedicated rack appliance, and they report either through their own dashboard or via another network monitor.
But security and network administrators also have to worry about a constant source of cyber evils, namely the end points their networks support. The bulk of end points are PCs. Judging from the attack patterns, the traditional anti-virus products and personal firewalls don’t seem to be that effective at stopping worms and viruses from reaching the network servers.
I spoke the other day with Aaron Barr, who heads up a four-month-old federal unit of HB Gary, whose Digital DNA resides in the RAM of PCs on the network. That’s where malware lives, and from where its behavior can be seen and analyzed by looking into the code itself. Looking at behavior is distinguished from looking at profiles, as standard anti-virus products do. Barr said detecting behavior — for instance, keystroke logging — is preferable because it takes into account the fact that malware self-morphs as a way of evading profile-based detection.
Keep in mind that analysis and reporting tools are not intended for search-and-destroy, but rather to give the network operations staff a near real-time picture of what is going on and whether there are dangerous infections aimed at capturing keystrokes or other information.
Now the question is whether the mechanism exists for organizations to efficiently share information on threats so that response isn’t always a step behind the perps putting malware into the wild, where it hunts for vulnerable organizations.
When it comes to computer forensics, the chain-of-custody and no-tamper rules of evidence apply just as surely as they do for blood samples, patches of hair or bullets pried out of walls. For the many federal agencies who deal increasingly with computer forensics, there is no magic cure for maintaining chain of custody proof.
But how can an investigator or prosecutor know and prove a drive’s contents have not been tampered with? The answer is to hook it up to a one-way cable equipped with a write-blocking device that prevents writing to the suspect drive, while extracting an image of the drive and writing the image onto a target drive for later analysis.
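The write-blocked imaging step described above, as an added example that is not WiebeTech's or the LabDock's code: the suspect "drive" is a constructed file opened read-only, and the acquisition is proven by hashing the evidence before and after imaging and comparing both against an independent hash of the written image. The file names and block size are assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Added example (not the product's code): a software model of write-blocked
# imaging. The hardware blocker stops writes at the cable; here the source is
# only ever opened O_RDONLY, and matching hashes prove the image is faithful.
BLOCK_SIZE = 4096
SAMPLE_SIZE = 3 * BLOCK_SIZE + 123  # deliberately not block-aligned


def make_sample_drive(path: str) -> None:
    """Construct a fake suspect drive with deterministic, non-trivial contents."""
    with open(path, "wb") as fh:
        fh.write(bytes(i % 251 for i in range(SAMPLE_SIZE)))


def sha256_of_file(path: str) -> str:
    """Hash a file block by block; opened O_RDONLY so nothing can be written."""
    digest = hashlib.sha256()
    with os.fdopen(os.open(path, os.O_RDONLY), "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_and_verify(source: str, image: str) -> dict:
    """Copy source to image read-only, then return a verification record."""
    before = sha256_of_file(source)          # evidence hash before acquisition
    copied = 0
    with os.fdopen(os.open(source, os.O_RDONLY), "rb") as src, \
            open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            copied += len(chunk)
    image_hash = sha256_of_file(image)       # re-read what actually hit disk
    after = sha256_of_file(source)           # evidence must be unchanged
    return {
        "bytes": copied,
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image_hash,
        "verified": before == after == image_hash,
    }


def run_demo() -> dict:
    """Build the constructed drive in a temp dir, image it, return the record."""
    workdir = tempfile.mkdtemp()
    drive, img = os.path.join(workdir, "suspect.bin"), os.path.join(workdir, "suspect.dd")
    make_sample_drive(drive)
    return image_and_verify(drive, img)


if __name__ == "__main__":
    print(run_demo())
```

The three hashes in the returned record are what goes into the chain-of-custody log; any mismatch means the image cannot be relied on.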
Now WiebeTech, part of CRU-Dataport, is about to ship a device that can turn a workstation into a write-blocked extractor for 3.5-inch and 2.5-inch IDE and SATA hard drives, as well as USB thumb drives, for which a forensic image is needed. Very simply, the Forensic LabDock is a standard, 5.25-inch CD-drive sized bay you install in any PC cabinet. The bay does two things. It incorporates write-block software. And it provides an easy slot into which to plug drives and from which to pull them out once the forensic image is made. The smaller drives require an adapter tray.
James Wiebe told me he thinks lots of forensic investigators would like to have a workstation or console capability to image hard drives in the convenience of a lab and on a fixed workstation. He was showing a prototype at the FOSE show in Washington today, and said the product will ship in May or June with a retail price of around $450.
The device seems to plug a hole in the forensics field between lab-use external frames for holding bays and completely external cable solutions that connect to laptops. A logical piece of mechanical engineering.