Digital Investigations in Academic Environments
Presented by:
Tony Martino, Senior Forensic Examiner, AMRIC Associates
Ronald Longo, Principal Member, Keane & Beane P.C.
About the Presenter – Anthony Martino
• Senior Forensic Examiner – AMRIC Associates
• Director of the Northeast Cyber Forensic Center at UC
• Adjunct faculty – cyber security and forensics
• Retired Sergeant from Utica Police Department
• Member of the U.S. Secret Service ECTF
• Over 10 years' experience in the digital forensics field
• Expert witness qualifications in state and federal courts

About the Presenter – Ronald Longo
• Principal – Keane & Beane, P.C.
  • White Plains, NY
  • Fishkill, NY
• Attorney specializing in Public Sector Labor Law and Education Law for over 30 years
• Prior experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Dept. employee
• Past President of New York State Public Employer Labor Relations Association

Topics
• Digital evidence and forensics
• Forensics vs IT
• Data preservation & eDiscovery
• Conducting internal investigations with digital evidence
• Special considerations for academic environments
• Designing digital device usage policies
• Case studies

Digital Forensics
• The ability to conduct analysis of digital data in a manner that:
  • Does not alter the original information
  • Conforms to industry accepted practices
  • Provides repeatable results
  • Meets the standards necessary to support criminal, civil or internal litigation

Digital Forensics Capabilities
• Recovery of deleted information
• Analysis of user activity
• Timeline creation of data changes
• User attribution for activity on shared systems
• Preservation of data for future analysis or litigation

Digital Forensics Limitations
• Forensics is not magic
• Data that is not there cannot be found
• Data that has been corrupted or destroyed cannot be restored to its original form
• The recovery of deleted data is limited in scope and not guaranteed
• Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.

Data Preservation & eDiscovery
• Digital data is volatile and easily destroyed or corrupted
  • Routine system processes
  • User activity
  • Intentional destruction
  • Well-meaning “investigations”
  • Expired retention periods

Data Preservation & eDiscovery
• Early preservation is paramount
  • Take systems offline
  • Create forensically sound duplicates
  • Locate external data
  • Identify log files or other surveillance information

Service Provider Data
• The amount, type and retention period for data can vary widely between carriers.
• Legal process required
  • ECPA
  • Preservation

Internal Investigations
• Internal investigations are commonplace, but challenging
  • Trust may be hard to define
  • Most protections are outward facing
  • Digital evidence is commonplace
  • Policies may be inconsistent or silent on issues related to digital evidence
  • Some evidence is likely to exist on private devices
  • Privacy and confidentiality needs may conflict with investigative needs

Internal Investigations
• Basic steps
  • Get legal assistance ASAP
  • Involve as few people as necessary
  • Consider after-hours or sneak & peek operations
  • Preserve data and backups of potential evidence to protect against destruction during long litigation waits
  • Adhere to legal and contractual limitations on searches and interviews
  • Get expert assistance
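The "forensically sound duplicate" and "repeatable results" points above come down to one verifiable step: hash the original before copying, hash the copy afterwards, record both, and re-hash later. The following is an added example, not material from the presentation or from AMRIC; the preservation-record fields and the `examiner` parameter are assumptions, and the sample file is constructed.

```python
"""Added example (not from the presentation): verifying a forensically sound duplicate.
Hash the original before copying, hash the copy after, record both, and re-hash later
for the repeatable check the Digital Forensics slide calls for."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
CHUNK = 1024 * 1024  # stream in 1 MiB pieces; evidence images rarely fit in RAM

def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def preserve(source: Path, dest_dir: Path, examiner: str) -> dict:
    """Copy source into dest_dir, verify the copy, and write a preservation record."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    source_hash = sha256_file(source)
    dest = dest_dir / source.name
    shutil.copy2(source, dest)  # copy2 preserves the file's timestamps too
    record = {
        "source": str(source),
        "duplicate": str(dest),
        "sha256_source": source_hash,
        "sha256_duplicate": sha256_file(dest),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # hypothetical field: who performed the acquisition
    }
    record["verified"] = record["sha256_source"] == record["sha256_duplicate"]
    (dest_dir / f"{source.name}.preservation.json").write_text(json.dumps(record, indent=2))
    return record

def reverify(record: dict) -> bool:
    """Repeat the check at any later date against the recorded source hash."""
    return sha256_file(Path(record["duplicate"])) == record["sha256_source"]

def demo() -> tuple:
    """Constructed run: preserve a sample file, re-verify, then detect tampering."""
    work = Path(tempfile.mkdtemp())
    src = work / "mailbox_export.pst"  # constructed sample standing in for evidence
    src.write_bytes(b"constructed sample evidence\n" * 1000)
    rec = preserve(src, work / "evidence", "T. Examiner")
    intact = reverify(rec)
    Path(rec["duplicate"]).write_bytes(b"tampered")  # simulate a changed duplicate
    return rec["verified"], intact, reverify(rec)
```

`demo()` returns `(True, True, False)`: the copy verified at acquisition, still verified later, and the altered duplicate is caught by the re-hash.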
Internal Investigations • Interview Preparation
Internal Investigations
• Interviews
  • Create a comfortable atmosphere
  • Be non-confrontational
  • Seek the truth, not a predetermined outcome
  • Have and display empathy
  • Ask open-ended questions
  • Shut up and listen
  • Use recording devices if permitted

Academic Environments
• Special considerations
  • Privacy needs
    • FERPA, local policies etc.
  • Students are likely far more technologically advanced
  • Educational goals and best practices for preventing improper faculty / student relationships are sometimes in conflict

Academic Environments
• Educators have high public profiles
• Outside influences can interfere with investigations
• Fear of public exposure can reduce cooperation
• Even unsubstantiated claims of impropriety with children can have catastrophic consequences
  • Investigation secrecy
  • Support for suspected staff members

Designing Usage Policies
• Goals
  • To allow the use of technology to further the goals of the institution
    • Instructional needs
    • Community involvement
      • Parents
      • Media
  • To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages

Designing Usage Policies
• User attribution is a must
  • Unique user names and passwords
  • Shared devices are commonplace
    • Mandate use of only personal credentials
• Data exfiltration can be serious
  • Removable media
  • Dissemination of institutional data

Designing Usage Policies
• Personal assignment of institution-owned devices is common
  • Acceptable use
    • Personal use allowable?
• Social media is a double-edged sword
  • Excellent mechanism for reaching the public
  • Can be a dangerous place for faculty & students to mix
• Every faculty / staff member should have an official communication mechanism
  • All communications with students/parents should be mandated to occur within this medium
Designing Usage Policies
• Bring Your Own Device (BYOD)
  • Becoming more popular in corporate, government and academic environments
  • Can reduce technology needs and costs for the institution
  • Can increase employee productivity
  • Can lead to serious data security issues

Designing Usage Policies
• Strong BYOD policies are a must
  • What specific devices are allowed
  • What are the required security standards
  • Prohibitions against data exfiltration
  • Employee separation policy
    • Cleansing of institution data from device
    • Examination of device before separation
    • Disconnection of device from connectivity to institution

Case Study 1
• Faculty member utilized social media and other non-official mechanisms to communicate with students
  • In violation of district policy
• Complaints from parents over the content of communications are filed with school district
• Ability to monitor or perform discovery on non-official media is difficult
• Much of the evidence has been deleted or otherwise destroyed
• The integrity of evidence collected from students' personal online accounts can be easily questioned

Case Study 2
• Faculty member is found to have inappropriate content on a district-owned laptop computer
• Faculty member admits that the content is his, but insists he did not place it on the district computer
• Subsequent forensic examination of the computer found that the content was automatically placed on the computer by a backup process that occurred when a cellular phone was plugged into the laptop
• District has no policy that prohibits the connection of personal devices to institution computers

Case Study 3
• A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material
• A review of attendance logs shows that the employee in question was not actually present when the infractions occurred
• A forensic examination of the computer showed that the browsing activity could be attributed to a different employee
• Lax institutional policy on safeguarding user credentials allowed one employee to obtain the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data

About AMRIC Associates
• Capabilities
  • Digital Forensic Examinations
  • Private Investigation Services
  • Interviews & Interrogations
  • Surveillance
  • Expert Witness Testimony
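The second step of Case Study 3, checking whether the person a log blames was actually on site, is mechanical enough to automate before anyone is accused. The following is an added example, not code from the presentation or from AMRIC; the web-filter and badge log formats, account names and timestamps are all constructed for this illustration.

```python
"""Added example (not from the presentation): cross-checking who a log blames against
who was on site, as in Case Study 3. Both log formats below are constructed."""
from datetime import datetime
# Constructed web-filter log: one event per line, key=value fields
FILTER_LOG = """\
2019-03-04T13:05:12 host=FAC-OFFICE-07 user=jsmith category=adult action=block
2019-03-04T13:06:40 host=FAC-OFFICE-07 user=jsmith category=adult action=block
2019-03-05T09:12:03 host=FAC-OFFICE-07 user=jsmith category=news action=allow
2019-03-06T17:45:00 host=FAC-OFFICE-07 user=jsmith category=adult action=block
"""
# Constructed badge records: account, badge-in, badge-out
ATTENDANCE = """\
jsmith,2019-03-04T07:55:00,2019-03-04T12:30:00
rlee,2019-03-04T08:10:00,2019-03-04T16:00:00
jsmith,2019-03-05T07:50:00,2019-03-05T15:40:00
rlee,2019-03-06T08:00:00,2019-03-06T18:30:00
"""

def parse_filter_log(text):
    """Turn each log line into a dict with a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def parse_attendance(text):
    """Return {account: [(badge_in, badge_out), ...]}."""
    present = {}
    for line in text.splitlines():
        user, start, end = line.split(",")
        present.setdefault(user, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return present

def on_site(present, user, when):
    return any(start <= when <= end for start, end in present.get(user, []))

def attribution_conflicts(events, present, categories=("adult",)):
    """Flag events attributed to an account whose owner was off site; list who was on site."""
    conflicts = []
    for ev in events:
        if ev["category"] in categories and not on_site(present, ev["user"], ev["time"]):
            others = sorted(u for u in present if on_site(present, u, ev["time"]))
            conflicts.append({"time": ev["time"].isoformat(), "host": ev["host"],
                              "logged_user": ev["user"], "on_site": others})
    return conflicts

def run():
    return attribution_conflicts(parse_filter_log(FILTER_LOG), parse_attendance(ATTENDANCE))
```

Each flagged event shows only that the `jsmith` account was used while its owner was badged out; the `on_site` list names the accounts a forensic examination of the workstation would then need to distinguish between.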
Contacts
6444 Fly Road, East Syracuse, New York 13057
315.437.5500
www.amric.com
tonymartino@amric.com