1 / 32

Digital Investigations in Academic Environments

Digital Investigations in Academic Environments. Presented by: Tony Martino Senior Forensic Examiner AMRIC Associates Ronald Longo Principal Member Keane & Beane P.C. About the Presenter – Anthony Martino. Senior Forensic Examiner – AMRIC Associates

anka
Download Presentation

Digital Investigations in Academic Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Digital Investigations in Academic Environments Presented by: Tony Martino Senior Forensic Examiner AMRIC Associates Ronald Longo Principal Member Keane & Beane P.C.

  2. About the Presenter – Anthony Martino • Senior Forensic Examiner – AMRIC Associates • Director of the Northeast Cyber Forensic Center at UC • Adjunct faculty - cyber security and forensics • Retired Sergeant from Utica Police Department • Member of the U.S. Secret Service ECTF • Over 10 years experience in the digital forensics field • Expert witness qualifications in state and federal courts

  3. About the Presenter – Ronald Longo • Principal - Keane & Beane, P.C. • White Plains, NY • Fishkill, NY • Attorney specializing in Public Sector Labor Law and Education Law for over 30 years • Prior Experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Dept. Employee • Past President of New York State Public Employer Labor Relations Association

  4. Topics • Digital evidence and forensics • Forensics vs IT • Data preservation & eDiscovery • Conducting internal investigations with digital evidence • Special considerations for academic environments • Designing digital device usage policies • Case studies

  5. Digital Evidence

  6. Digital Forensics • The ability to conduct analysis of digital data in a manner that: • Does not alter the original information • Conforms to industry accepted practices • Provides repeatable results • Meets the standards necessary to support criminal, civil or internal litigation

  7. Digital Forensics Capabilities • Recovery of deleted information • Analysis of user activity • Timeline creation of data changes • User attribution for activity on shared systems • Preservation of data for future analysis or litigation

  8. Digital Forensics Limitations • Forensics is not magic • Data that is not there can not be found • Data that has been corrupted or destroyed can not be restored to its original form • The recovery of deleted data is limited in scope and not guaranteed • Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.

  9. Forensics vs IT

  10. Data Preservation & eDiscovery • Digital data is volatile and easily destroyed or corrupted • Routine system processes • User activity • Intentional destruction • Well meaning “investigations” • Expired retention periods

  11. Data Preservation & eDiscovery • Early preservation is paramount • Take systems offline • Create forensically sound duplicates • Locate external data • Identify log files or other surveillance information

  12. Example: Cellular Phone Evidence VS

  13. Where is the Evidence?

  14. Service Provider Data • The amount, type and retention period for data can vary widely between carriers. • Legal process required • ECPA • Preservation

  15. Internal Investigations • Internal investigations are commonplace, but challenging • Trust may be hard to define • Most protections are outward facing • Digital evidence is commonplace • Policies may be inconsistent or silent on issues related to digital evidence • Some evidence is likely to exist on private devices • Privacy and confidentiality needs may conflict with investigative needs

  16. Internal Investigations • Basic steps • Get legal assistance ASAP • Involve as few people as necessary • Consider after hours or sneak & peek operations • Preserve data and backups of potential evidence to protect against destruction due to long litigation waits • Adhere to legal and contractual limitations on searches and interviews • Get expert assistance

  17. Internal Investigations • Interview Preparation

  18. Internal Investigations • Interviews • Create a comfortable atmosphere • Be non-confrontational • Seek the truth. Not a predetermined outcome • Have and display empathy • Ask open ended questions • Shut up and listen • Use recording devices if permitted

  19. Academic Environments • Special Considerations • Privacy needs • FERPA, local policies etc. • Students are likely far more technologically advanced • Educational goals and best practices for preventing improper faculty / students relationships are sometimes in conflict

  20. Academic Environments • Educators have high public profiles • Outside influences can interfere with investigations • Fear of public exposure can reduce cooperation • Even unsubstantiated claims of impropriety with children can have catastrophic consequences • Investigation secrecy • Support for suspected staff members

  21. Designing Usage Policies • Goals • To allow the use of technology to further the goals of the institution • Instructional needs • Community involvement • Parents • Media • To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages

  22. Designing Usage Policies • User attribution is a must • Unique user names and passwords • Shared devices are commonplace • Mandate use of only personal credentials • Data exfiltration can be serious • Removable media • Dissemination of institutional data

  23. Designing Usage Policies • Personal assignment of institution owned devices is common • Acceptable use • Personal use allowable? • Social media is a double edged sword • Excellent mechanism for reaching the public • Can be a dangerous place for faculty & students to mix • Every faculty / staff member should have an official communication mechanism • All communications with students/parents should be mandated to occur within this medium

  24. Designing Usage Policies • User attribution is a must • Unique user names and passwords • Shared devices are commonplace • Mandate use of only personal credentials • Data exfiltration can be serious • Removable media • Dissemination of institutional data

  25. Designing Usage Policies • Bring Your Own Device (BYOD) • Becoming more popular in corporate, government and academic environments • Can reduce technology needs and costs for the institution • Can increase employee productivity • Can lead to serious data security issues

  26. Designing Usage Policies • Strong BYOD policies are a must • What specific devices are allowed • What are the required security standards • Prohibitions against data exfiltration • Employee separation policy • Cleansing of institution data from device • Examination of device before separation • Disconnection of device from connectivity to institution

  27. Case Study 1 • Faculty member utilized social media and other non-official mechanisms to communicate with students • In violation of district policy • Complaints from parents over the content of communications are filed with school district • Ability to monitor or perform discovery on non-official media is difficult • Much of the evidence has been deleted or otherwise destroyed • The integrity of evidence collected from student's personal online accounts can be easily questioned

  28. Case Study 2 • Faculty member is found to have inappropriate content on a district owned laptop computer • Faculty member admits that the content is his, but insists he did not place it on district computer • Subsequent forensic examination of the computer found that the content was automatically place on the computer by a backup process that occurred when a cellular phone was plugged in to the laptop. • District has no policy that prohibits the connection of personal devices to institution computers

  29. Case Study 3 • A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material. • A review of attendance logs shows that the employee in question was not actually present when the infractions occurred • A forensic examination of the computer showed that the browsing activity could be attributed to a different employee • Lax institutional policy on safeguarding user credentials allowed one employee to gain access to the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data.

  30. About AMRIC Associates • Capabilities • Digital Forensic Examinations • Private Investigation Services • Interviews & Interrogations • Surveillance • Expert Witness Testimony

  31. Contacts 6444 Fly Road East Syracuse, New York 13057 315.437.5500 www.amric.com tonymartino@amric.com

  32. Questions

More Related