Tony Soprano's dislike of computers is well-known, but in 2007, it's hard to keep a business running without one. (Another argument for creator David Chase ending the show after five seasons, but too late now.) Tony knows that yesterday's bookie can't compete with a txt-ing young punk offloading his risky punts on Betfair, and that though tradition's important, sometimes old-school thinking just doesn't cut it. To stay on top, a business has to move with the times.
So how would you build a computer for the boss? Obfuscation -- just hiding things -- won't work, because interested parties have a lot of time when it comes to a high-value target like Tony. Obvious encryption probably won't work either, because knowing that passwords and keys exist is half the fight, after which one can debate the finer points of brute force versus rubber hose methods of deriving them. It's just as important to keep things simple as it is to use the right tools for the job.
When the Feds come knocking
The goal is to provide useful business computer functions -- documents, number crunching, and communications -- while minimizing exposure to forensics processes. In other words, the usual step-by-step computer forensics process followed by the feds or a nosy detective would be considered a series of attack surfaces against which the system has to provide preventative or mitigating defenses.
When law enforcement climbs in the window and finds a computer system of interest, they usually follow a series of consistent steps:
- Deal with the person of interest and photograph the scene
- Identify the computer system of interest, power it off, and document the details
- Transport the hardware to a secure location for analysis, and record the process by video or other log
- Document the system times and dates as well as the data dates and times
- Make and verify bit-for-bit copies of hard disks, external drives, CDs or DVDs and flash memory
- Examine the data for keywords, images, and activity
- Examine the swap and temp files, file slack and unallocated space
- Identify data anomalies that might expose hidden encrypted data
- Document findings and prosecute
Network forensics people tend to box the whole previous process as "host forensics" and look further for activity in the environment where the system was situated or through which it passed. They'll usually have a look at:
- Network devices to find where and when a system was present
- ARP table entries to verify systems' presence and activity
- Dates & times to correlate activity with other sources
- Log files showing connections or sockets
- Analyzer traces, along with any tap and trace results
- Traffic pattern recognition to identify use patterns and anomalies
- Data or patterns identifiable from network hashes
- Reconstruction of sessions to derive activities and context
A lot of this assumes that systems are not mobile, and that network communications are consistent or identifiable by timing or traffic patterns. That's a good place to start.