6 www.DFInews.com SUMMER 2014
from the editor
By now most of you will have read about the Heartbleed bug, a major vulnerability in OpenSSL. Heartbleed
results from improper input validation (due to a missing bounds check) in the implementation of the
TLS heartbeat extension. The vulnerability is classified as a buffer over-read, a situation where software
allows more data to be read than should be allowed.
This vulnerability affects an estimated two-thirds of active Web servers—specifically those running
OpenSSL 1.0.1 through 1.0.1f, including many Apache and Nginx
servers. The vulnerability takes advantage of heartbeat support,
so servers using OpenSSL compiled without that feature are not
Heartbleed presents an interesting forensic challenge because
there is unlikely to be any indication that a data breach occurred. As
noted in the WildPackets Network Analysis and Monitoring Blog:
While most enterprises have solutions in place to store and
subsequently mine log data over relatively long periods of time,
it usually only provides reports of relatively high-level events
and cannot tell you how something happened, only that it did.
In the case of the Heartbleed bug, there may not even be any
log information from security systems since the vulnerability can
be exploited without triggering any alarms at all. However, a
network forensics solution can provide a recording of many days
or even weeks of network activity, making the task of determining the fingerprint of the attack, the depth of the penetration,
and the data that was compromised much easier to assess.
Typically an investigation begins when a breach is detected; in
this case many servers could have been affected without anyone realizing it, and the trail could be cold before anyone begins to analyze
what data is available.
“Log data only provides reports of relatively high-level events and
cannot tell you how something happened, only that it did,” wrote Jay Botelho on re/code. “And in the
case of a bug like Heartbleed, there may not even be any log information from security systems, since the
vulnerability can be exploited without triggering any alarms at all.”
The forensic issues surrounding the Heartbleed bug illustrate some of the many challenges in network
forensics. The evidence is fleeting, the identity of the perpetrator is difficult to pinpoint given that the
internet makes it easy to mask one’s fingerprint, and once you’ve found a suspect, jurisdictional issues can
come into play when trying to charge the person or group that is implicated.
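As an added illustration (not code from the editorial, from WildPackets, or from OpenSSL), the C program below shows the two sides of the point made above: the bounds check whose absence caused the over-read, applied before a heartbeat payload is echoed, and the same check run as a detector over a stream of recorded TLS records, which is how a network forensics tool can flag a heartbeat request whose declared payload length does not fit in the record even though no server log would mention it. The record layout and constants follow RFC 6520 and the TLS 1.2 record header; the two sample records at the bottom are constructed for this example.

```c
/* Added example, not from the editorial or from OpenSSL: a parser for TLS
 * heartbeat records that (a) applies the bounds check the Heartbleed fix
 * introduced before echoing a payload and (b) can be run over recorded
 * records to flag requests whose declared payload length does not fit.
 * Framing follows RFC 6520 and the TLS 1.2 record header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_CT_HEARTBEAT 24  /* ContentType heartbeat (RFC 6520) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16       /* minimum padding RFC 6520 requires */
#define TLS_HDR 5            /* type(1) + version(2) + length(2) */
#define HB_HDR  3            /* message type(1) + payload_length(2) */

enum hb_verdict {
    HB_OK = 0,        /* payload fits inside the record */
    HB_NOT_HEARTBEAT, /* other content type */
    HB_TRUNCATED,     /* record shorter than its own header claims */
    HB_OVERSIZED      /* declared payload_length exceeds the record: the Heartbleed shape */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate one TLS record (header included) held in buf[0..len).
 * On HB_OK, *payload_len receives the declared, now checked, length. */
enum hb_verdict classify_heartbeat(const uint8_t *buf, size_t len, uint16_t *payload_len)
{
    if (len < TLS_HDR) return HB_TRUNCATED;
    if (buf[0] != TLS_CT_HEARTBEAT) return HB_NOT_HEARTBEAT;
    size_t rec_len = rd16(buf + 3);
    if (TLS_HDR + rec_len > len) return HB_TRUNCATED;   /* capture ends early */
    if (rec_len < HB_HDR) return HB_TRUNCATED;          /* no heartbeat header */
    uint16_t declared = rd16(buf + TLS_HDR + 1);
    /* The missing check: type(1) + length(2) + payload + padding(16) must
     * fit inside the record; without it the echo reads past the record. */
    if ((size_t)HB_HDR + declared + HB_PADDING > rec_len) return HB_OVERSIZED;
    if (payload_len) *payload_len = declared;
    return HB_OK;
}

/* Build a heartbeat response for a validated request. Returns bytes written
 * to out, or 0 if the request is rejected or out is too small. Only the
 * checked payload is copied; padding is zeroed, never copied. */
size_t build_heartbeat_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (classify_heartbeat(req, req_len, &plen) != HB_OK) return 0;
    if (req[TLS_HDR] != HB_REQUEST) return 0;
    size_t body = HB_HDR + plen + HB_PADDING;
    if (TLS_HDR + body > out_cap) return 0;
    memcpy(out, req, 3);                       /* content type + version */
    out[3] = (uint8_t)(body >> 8); out[4] = (uint8_t)body;
    out[TLS_HDR] = HB_RESPONSE;
    out[TLS_HDR + 1] = (uint8_t)(plen >> 8); out[TLS_HDR + 2] = (uint8_t)plen;
    memcpy(out + TLS_HDR + HB_HDR, req + TLS_HDR + HB_HDR, plen);
    memset(out + TLS_HDR + HB_HDR + plen, 0, HB_PADDING);
    return TLS_HDR + body;
}

/* Walk back-to-back TLS records (e.g. reassembled from a capture) and count
 * heartbeat records whose payload does not fit. Stops at a truncated record. */
size_t count_oversized_heartbeats(const uint8_t *stream, size_t len)
{
    size_t off = 0, hits = 0;
    while (off + TLS_HDR <= len) {
        size_t rec_len = rd16(stream + off + 3);
        if (off + TLS_HDR + rec_len > len) break;
        if (classify_heartbeat(stream + off, TLS_HDR + rec_len, NULL) == HB_OVERSIZED) hits++;
        off += TLS_HDR + rec_len;
    }
    return hits;
}

/* Constructed samples: an honest 4-byte "ping" request with 16 bytes of
 * padding, and a malformed one declaring 0x4000 payload bytes but carrying
 * only the padding. */
const uint8_t HB_GOOD[] = {
    0x18, 0x03, 0x03, 0x00, 0x17,             /* heartbeat, TLS 1.2, 23 bytes */
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',     /* request, payload_length 4, payload */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0           /* 16 bytes of padding */
};
const uint8_t HB_BAD[] = {
    0x18, 0x03, 0x03, 0x00, 0x13,             /* heartbeat, 19 bytes */
    0x01, 0x40, 0x00,                         /* request, payload_length 16384 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0           /* padding only, no payload */
};

int main(void)
{
    uint8_t resp[64], stream[sizeof HB_GOOD + sizeof HB_BAD];
    printf("good request -> %zu-byte response\n",
           build_heartbeat_response(HB_GOOD, sizeof HB_GOOD, resp, sizeof resp));
    printf("bad request  -> %zu bytes (rejected)\n",
           build_heartbeat_response(HB_BAD, sizeof HB_BAD, resp, sizeof resp));
    memcpy(stream, HB_GOOD, sizeof HB_GOOD);
    memcpy(stream + sizeof HB_GOOD, HB_BAD, sizeof HB_BAD);
    printf("oversized heartbeats in stream: %zu\n", count_oversized_heartbeats(stream, sizeof stream));
    return 0;
}
```

The same comparison, declared payload length against actual record length, is what a forensic analyst can run retrospectively over days of recorded traffic, since the malformed request itself is the only trace such an exploitation leaves; the server's own logs, as the editorial notes, record nothing.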
Over the next few months, I expect we’ll see a lot of information coming out about ways to detect and
investigate Heartbleed breaches. Information sharing on forums and groups like our LinkedIn and Twitter
groups will help us to make headway against what is just one of many curveballs thrown at digital forensic
investigators. We look forward to hearing your thoughts and success stories as you overcome this latest