
Welcome Information Systems Security Association May 8, 2007



Presentation Transcript


  1. Welcome, Information Systems Security Association, May 8, 2007 • FBI Update • Handling of Digital Evidence

  2. Agenda • Case Update • FBI Activities • Handling of Digital Evidence

  3. FBI Cyber Investigations • Computer Intrusion Matters • Innocent Images National Initiatives • Intellectual Property Rights Matters • Internet Fraud

  4. Computer Intrusion Matters
     • Financial Institutions
        • Phishing schemes
     • Manufacturing
        • Installation of Warez site
        • USB Hacksaw
     • Universities
     • Insiders

  5. Innocent Images National Initiative • Undercover Operations • Travelers • Distributors • Peer-to-Peer networks

  6. Intellectual Property Rights
     • Theft of Trade Secret Investigations
        • Organizations need to protect information in accordance with legal requirements (Title 18 US Code Section 1832, theft of trade secrets)
     • Recording Industry Association of America (RIAA)
     • Motion Picture Association of America (MPAA)
     • Clothing Industry

  7. Internet Fraud • Click Fraud Investigation • Ralph John Peck

  8. Regional Cyber Action Team Mission
     • Respond to significant computer intrusions which threaten national critical infrastructures or impact the national economy or security.
     • Provide expertise and resources to assist affected Field Offices.
        • Augment resources
     • Harvest data during the investigation and analyze that data to derive useful intelligence.
        • Strategic intelligence
        • Operational intelligence
     • Coordinate the Computer Intrusion Program's major cases and initiatives from FBIHQ.
        • Botnet Initiative
        • Top Ten Hackers
        • DOE/FBI Working Group
     • Respond to domestic and international cyber incidents.

  9. Typical CAT Deployment
     • SSA (2)
        • Team leaders
        • Experienced cybercrime agents
        • Deployability
     • Intelligence Analysts (2)
        • Operational intelligence
        • Conduct toll analysis, linkage analysis, public records searches, financial analysis, ACS and other database mining
        • Interface with the Information Sharing & Analysis Section (ISAS) to produce assessments and bulletins; develop cases when not deployed in support of the Field
     • ITS (2)
        • Technically trained specialists
        • Interact with technical personnel
        • Review technical data/evidence
        • Assist in creation of technical solutions to house and analyze data within CATU

  10. Regional CAT
     • 46** members from four regions
        • Northeast • Southeast • Central • West
     • Augments CAT
     • "Cadre" concept
        • Specialized training, equipment, communication with HQ... within the Field Office
        • Reduces response time

  11. Handling Digital Evidence

  12. Disclaimer • Do not attempt this without first seeking appropriate legal advice and documenting a legal opinion. • Each and every situation is unique and should be handled on a case by case basis. • All cases must be handled in accordance with a legal framework consistent with established laws and corporate policies.

  13. Objectives • What is Digital Evidence • Considerations with Digital Evidence • Guidelines for Seizing Digital Evidence • Guidelines for Seizing Live Digital Evidence • Preparing Your Case

  14. Typical Legal Process
     • Incident Occurs
     • Determine Nature and Scope
        • Policy Violation or Criminal Conduct
     • Investigation Initiated
        • Internal Corporate Investigation
        • Referral to Law Enforcement
     • Evidence is Collected
        • Digital Evidence vs. Physical Evidence
        • Follow Legal Protocol for Collection and Preservation
     • Interviews are Conducted
        • Direct Witnesses or Victims
        • Third-Party Witnesses Such as ISPs
     • Legal Action is Initiated
        • Criminal or Civil
        • Administrative Sanctions Such as Employee Dismissal
        • May Result in Civil Action

  15. Computer Security Incident Response Team • Establish User Policies – Implementable, Enforceable and Function as Expected • Establish a CSIRT to Respond to Incidents Within Organizations and Support External Requests • Identify Operational Elements – Team Building

  16. Rules Governing Evidence Collection
     • US Constitution
        • 4th Amendment – Reasonable Expectation of Privacy
        • Is Government Action Involved?
     • The Wiretap Act
        • Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (18 USC Section 2510 et seq.)
     • Electronic Communications Privacy Act
        • 18 USC Section 2701 et seq. (Stored Communications Act)
     • Privacy Protection Act
     • The PATRIOT Act

  17. What is Digital Evidence?
     • Any kind of storage device
        • Computers, CDs, DVDs, floppy disks, hard drives, thumb drives
        • Digital cameras, memory sticks and memory cards, PDAs, cell phones
        • Fax machines, answering machines, cordless phones, pagers, caller-ID units, scanners, printers and copiers
        • Xbox, PlayStation, etc.

  18. What is Digital Evidence?

  19. What is Digital Evidence?

  20. Considerations with Digital Evidence • Digital evidence is fragile • Recognizing potential evidence • The role of the computer in the crime/violation • Consent Search vs. Search Warrant • Forensic Analysis

  21. Guidelines for Seizing Digital Evidence • Secure the scene • Check computer for activity

  22. Guidelines for Seizing Digital Evidence • Determine if any information in memory is important • If the computer is "OFF", do NOT turn it "ON" • Photograph the monitor and document active programs • Disconnect Internet/Ethernet access • Disconnect the power source

  23. Guidelines for Seizing Digital Evidence • Take all peripherals • Obtain passwords, if possible • Photograph scene • Process scene for other storage devices

  24. Guidelines for Seizing Live Digital Evidence
     • Four Phases of Incident Response [1]
        • Preparation
        • Detection/Analysis
        • Containment, Eradication, and Recovery
        • Post-Incident Activity
     [1] Computer Security Incident Handling Guide, NIST Special Publication 800-61 (2004)

  25. Guidelines for Seizing Live Digital Evidence
     • Preparation
        • Capability to respond
        • Preventing incidents
        • Response tools: contact list, communication equipment, software/hardware, facilities

  26. Guidelines for Seizing Live Digital Evidence
     • Detection and Analysis
        • Most challenging part is to detect and assess
        • Sources: software alerts, problems users report, obvious signs
        • Assessment
           • Determine if the incident needs attention
           • Develop an incident category chart to prioritize

  27. Guidelines for Seizing Live Digital Evidence
     • Containment, Eradication, and Recovery
        • Develop a containment strategy
           • Will vary based on the type of incident
           • Need to consider when to contain
        • Document every step
           • Evidence should be accounted for at all times
           • Consider screen captures before copying evidence
           • After acquiring volatile data, make a disk image
        • Eradication and Recovery
           • Only after cleared by legal/law enforcement

  28. Guidelines for Seizing Live Digital Evidence
     • Post-Incident Activity
        • Perform debriefing
           • Lessons learned
        • Evidence Retention
           • Prosecution – will need to clear with legal/law enforcement
           • Policy on data retention – 90 days, 180 days, etc. for future incidents
           • Cost – can be substantial depending on size and time period

  29. Guidelines for Seizing Live Digital Evidence
     • Document everything
     • Attach another device or use an open network connection (for saving output)
     • Record system date/time
     • Determine logon (who is logged on)
     • Record open sockets

  30. Guidelines for Seizing Live Digital Evidence (cont.)
     • List socket processes
     • List running processes
     • List systems connected
     • Record steps taken
     • Save all pertinent data to an external device
     • Use the minimum number of commands needed to acquire the digital evidence
     • Cause the least amount of damage possible
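The steps on slides 29 and 30 are a procedure, so here is one way to carry it out with an audit trail, written as an added example for this page rather than code from the presentation. It assumes a Linux host where date, who, ss and ps are available (on a real response these would be trusted copies carried on the examiner's media), and the output directory passed to collect() is a placeholder for a mount point on an external device. Each step is one read-only command; the manifest records when it ran, what was run, its exit status and a SHA-256 of the saved output, so a later verify() can show the collection has not changed since it was taken.

```python
"""Volatile-first collection from a live system with a tamper-evident manifest.

Added example, not code from the original presentation.  Assumes a Linux
host; the output directory is a placeholder for the examiner's external
device.  Point the argv entries at trusted binaries on that device.
"""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Steps in the slides' order, most volatile first (constructed list).
STEPS = [
    ("system_datetime", ["date", "-u", "+%Y-%m-%dT%H:%M:%S%z"]),
    ("logged_on_users", ["who"]),
    ("sockets_with_processes", ["ss", "-tunap"]),
    ("running_processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("connected_peers", ["ss", "-tn", "state", "established"]),
]


def _utcnow():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, out_dir):
    """Run one command, save its stdout, and return a manifest entry with
    start/finish times, the exact argv, exit status and output hash.
    A missing or hung tool is recorded as such rather than aborting."""
    entry = {"step": name, "argv": argv, "started_utc": _utcnow()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        data = proc.stdout
        entry["returncode"] = proc.returncode
        entry["stderr"] = proc.stderr.decode("utf-8", "replace")[:500]
    except FileNotFoundError:
        data = b""
        entry["returncode"] = None
        entry["stderr"] = f"{argv[0]}: not found on this host; step not run"
    except subprocess.TimeoutExpired:
        data = b""
        entry["returncode"] = None
        entry["stderr"] = f"{argv[0]}: timed out; partial output discarded"
    out_path = os.path.join(out_dir, name + ".txt")
    with open(out_path, "wb") as fh:
        fh.write(data)
    entry["output_file"] = out_path
    entry["sha256"] = sha256_bytes(data)
    entry["finished_utc"] = _utcnow()
    return entry


def collect(out_dir, steps=STEPS, examiner="examiner-name-placeholder"):
    """Run every step in order and write manifest.json beside the outputs."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = {"examiner": examiner, "collection_started_utc": _utcnow(),
                "entries": [run_step(n, a, out_dir) for n, a in steps]}
    manifest["collection_finished_utc"] = _utcnow()
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(out_dir):
    """Re-hash every saved output against the manifest.  Returns the names
    of steps whose output no longer matches; an empty list means intact."""
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    changed = []
    for entry in manifest["entries"]:
        with open(entry["output_file"], "rb") as fh:
            if sha256_bytes(fh.read()) != entry["sha256"]:
                changed.append(entry["step"])
    return changed


if __name__ == "__main__":
    result = collect("/mnt/evidence/host01")  # placeholder external mount
    for e in result["entries"]:
        print(e["step"], e["returncode"], e["sha256"][:16])
```

Nothing is installed on the host and nothing is written to its disk; the only side effects are reads by the listed commands. Hashing each output at collection time is what later lets you say the saved files are what you collected, which is the authentication point slide 34 makes.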

  31. Preparing Your Case • Documentation • Preservation • Authentication

  32. Documentation • Documentation is a Reflection of Your Case • Problems Arise When Shortcuts are Taken • Conditions of All Evidence Needs to be Documented • Every Step Needs to be Documented

  33. Preservation • If Preservation Poor, Your Handling/Collecting Techniques Become Questionable. • Maintain Chain of Custody • Eliminate ANY Possibility of Contamination • Collection • Transportation • Storage • Follow Laws and Policies – NO shortcuts

  34. Authentication
     • If authentication is poor, everything comes into question.
     • MD5 or SHA algorithm
        • Ensure bit-by-bit copy of original
        • Ensure evidence unaltered
     • Need to demonstrate evidence is...
        • What you say it is.
        • Came from where you say it did.
        • Has not been modified in any way since you last handled it.
     • No silver bullet

  35. General Do's and Don'ts of Evidence
     • Minimize Handling/Corruption of Original Data
     • Account for Any Changes and Keep Detailed Logs of Your Actions
        • Maintain a detailed log of who handled the evidence, where it was stored and when it was transferred
     • Comply with the Five Rules of Evidence
        • Admissible
        • Authentic
        • Complete
        • Reliable
        • Believable (Criminal – beyond reasonable doubt; Civil – preponderance of the evidence)
     • Do Not Exceed Your Knowledge
     • Follow Your Local Security Policy and Obtain Written Permission
     • Capture as Accurate an Image of the System as Possible
     • Be Prepared to Testify
     • Ensure Your Actions are Repeatable
     • Proceed From Volatile to Persistent Evidence
     • Don't Run Any Programs on the Affected System
     • Document, Document, Document!
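Slide 34's authentication requirements (bit-for-bit copy, unaltered evidence, hashed with MD5 or SHA) and slide 35's custody log are shown together below in an added example that is not code from the presentation. The source is an ordinary file standing in for a block device (a real acquisition reads /dev/sdX through a write blocker); examiner names and the case identifier are placeholders. SHA-256 is used rather than the MD5 the slide also allows, since MD5 collisions have been practical for years. The source stream is hashed while it is read and the finished image is then re-read and hashed independently, so a copy error shows up as a mismatch instead of being hidden by hashing only one side.

```python
"""Bit-for-bit acquisition, two independent SHA-256 digests, and a
chain-of-custody log written as append-only JSON lines.

Added example, not code from the original presentation.  The source path
is a plain file standing in for a block device; examiner and case values
are placeholders.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time; chunk size does not change the digest


def _utcnow():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def append_custody(log_path, **fields):
    """Append one record; the log is only ever extended, never rewritten."""
    record = {"recorded_utc": _utcnow(), **fields}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def acquire(source_path, image_path, log_path, examiner, case_id):
    """Copy source to image, hashing the source stream as it is read, then
    re-read the written image and hash it independently.  Both digests go
    into the custody log; a mismatch means the copy is not bit-for-bit."""
    stream_hash = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes hashed next are on disk
    source_digest = stream_hash.hexdigest()
    image_digest = sha256_file(image_path)
    append_custody(log_path, event="acquisition", case_id=case_id,
                   examiner=examiner, source=source_path, image=image_path,
                   bytes=size, source_sha256=source_digest,
                   image_sha256=image_digest,
                   match=(source_digest == image_digest))
    if source_digest != image_digest:
        raise RuntimeError("image does not match source; re-acquire")
    return source_digest


def verify_image(image_path, expected_sha256):
    """True if the image still hashes to the value recorded at acquisition."""
    return sha256_file(image_path) == expected_sha256


def transfer(image_path, log_path, expected_sha256,
             from_person, to_person, location):
    """Record a hand-off, re-hashing at the moment of transfer so the log
    shows the evidence was unaltered while in the previous custodian's care."""
    digest = sha256_file(image_path)
    intact = digest == expected_sha256
    append_custody(log_path, event="transfer", image=image_path,
                   from_custodian=from_person, to_custodian=to_person,
                   location=location, sha256_at_transfer=digest,
                   intact=intact)
    return intact
```

Each custody record carries the hash observed at that moment, so the log answers the three questions on slide 34 (what it is, where it came from, and that it has not changed since you last handled it) for every link in the chain, not just at acquisition.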

  36. Resources
     • Digital Evidence in the Courtroom: A Guide for Preparing Digital Evidence for Courtroom Presentation – The National Center for Forensic Science
     • Handbook for Computer Security Incident Response Teams – CERT Coordination Center
     • Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations – US Department of Justice, Cybercrime.gov/searchmanual.htm
     • Computer Security Incident Handling Guide – NIST Special Publication 800-61

  37. Many Thanks To:
     • Sgt. Aaron DeLashmutt, Iowa State University Police, 168 Armory Building, Ames, IA 50011
     • Presented at: InfraGard – Des Moines, IA, February 16, 2005