Forensic readiness: Preparing for the worst, and how to contain it. Campbell Murray, Technical Director, Encription Limited, 09 July 2014
Who? • Campbell Murray • Technical Director @ Encription • > 16 years IT security experience • Offensive and Defensive • CESG CHECK Team Leader • Expert Witness
Forensic Readiness • “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.” • Forensic readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you have done all you can to prepare for that situation.
Forensic Readiness • Events vs. Incidents • An “event” is a noticeable change to a system, environment, process, workflow or person. • An “incident” is an event that has a root human cause. • Therefore, all incidents are events, but not all events are incidents.
Forensic Readiness • All DF investigations start with an incident • Crime e.g. Murder • Malware attack • Loss of data • Misconduct • Confidential information breach • Loss of money • Other digital incident
Forensic Readiness • Early actions are critical • DF is dynamic and situation dependent • As an investigation progresses, further information or evidence often comes to light that may alter the focus. • e.g. If you come across evidence of a more serious nature or breach, it will alter the proportion and focus of the investigation
Forensic Readiness • Lots to consider when planning each case. • Hard to define which is most important: • Right people? • Who can you trust? • Confidentiality? • Initial assessment? • Risk?
Forensic Readiness • DFS • Digital Forensics Strategy • What, how, who, why, where? • Form a hypothesis • Formulate all the possible scenarios • The hypothesis defines the strategy • What/Who to investigate • Must be flexible - escalation • Document the strategy!
Forensic Readiness • Steps of the strategy • What is ‘ideal’ evidence? • A document, an email, an image • What supports your hypothesis? • Is it financially viable? • Does the cost of the investigation outweigh the cost of the incident?
Forensic Readiness • Where would ideal evidence be found in each case? • Phone? • Email trail? • Presence/Absence from premises? • etc. • Focus investigation in these areas first.
Forensic Readiness • Define the ‘Window of Opportunity’ • Narrow down the investigation to a time frame • Speed • Accuracy • Strategy
Forensic Readiness • Strategy defines the scope • Where/what is the crime scene? • Has this incident concluded, or ongoing? • Observe and document • Written notes / Photographs / Statements • Gather evidence • Chain of custody
Forensic Readiness • Chain of Custody case study • Employee suspected of exfiltrating data • Put on suspension pending investigation • Laptop / Phone seized • IT department all ‘have a look’ • No record of who did what • No legal case could be built, despite evidence • Employee compensated!!!!
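The two slides above (gather evidence with a chain of custody, and the case study where the IT department “had a look” with no record of who did what) are the point where a readiness team most often fails in practice. The block below is an added example, not code from the talk or from Encription: a minimal custody ledger that records every handler and action against the SHA-256 of the exhibit taken at seizure, hash-chains the entries so a deleted or edited log line is detectable, and flags the moment an exhibit no longer matches its seizure hash. The exhibit bytes, names and timestamps are constructed for the example; a real team would hash a write-blocked image and keep the ledger alongside the paper custody form.

```python
"""Tamper-evident chain-of-custody ledger (added example, not from the talk)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the exhibit image or one ledger entry)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only custody log for a single exhibit.

    Every handling event records who, when and what, plus the exhibit hash at
    that moment and whether it still matches the hash taken at seizure.
    Entries are hash-chained (each carries the hash of its predecessor), so an
    entry that is later altered or removed breaks verify_ledger().
    """

    GENESIS = "0" * 64  # 'prev' value for the first entry

    def __init__(self, exhibit_id: str, acquired_by: str, image: bytes, when: str = ""):
        self.exhibit_id = exhibit_id
        self.reference_hash = sha256_hex(image)  # hash taken at seizure, never changed
        self.entries: list[dict] = []
        self.record("acquired", acquired_by, image, when)

    def record(self, action: str, handler: str, image: bytes, when: str = "") -> dict:
        """Log a handling event; 'intact' is False if the exhibit has changed since seizure."""
        current = sha256_hex(image)
        entry = {
            "exhibit": self.exhibit_id,
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": current,
            "intact": hmac.compare_digest(current, self.reference_hash),
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        # Hash the entry body (deterministic JSON) to link the next entry to this one.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_exhibit(self, image: bytes) -> bool:
        """True if the supplied image still matches the seizure hash."""
        return hmac.compare_digest(sha256_hex(image), self.reference_hash)

    def verify_ledger(self) -> bool:
        """Recompute the hash chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def case_study() -> CustodyLedger:
    """Constructed re-run of the seized-laptop case study from the slides.

    Three handling events; the third handler mounts the disk read-write (no
    write blocker), so the image changes and the ledger flags the exhibit.
    """
    image = b"constructed disk image: sales_forecast.xlsx -> personal webmail"  # constructed sample
    ledger = CustodyLedger("EX-2014-001", "C. Murray (first responder)", image,
                           "2014-07-09T09:00:00+00:00")
    ledger.record("transferred to IT", "IT helpdesk", image, "2014-07-09T10:15:00+00:00")
    # Someone 'has a look' without a write blocker: the OS touches the disk and the hash moves.
    tampered = image + b" [browser cache updated by examiner login]"
    ledger.record("examined", "IT helpdesk", tampered, "2014-07-09T11:30:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = case_study()
    for e in ledger.entries:
        print(f"{e['seq']} {e['time']} {e['action']:<18} {e['handler']:<28} intact={e['intact']}")
    print("ledger chain valid:", ledger.verify_ledger())
```

The ledger only detects a change; it does not prevent one. That is what the write blocker on the equipment slide is for: image the device through the blocker, hash the image once, and every later examination works on a verified copy while the original stays in the bag.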
Forensic Readiness • But … there is more to it than that! • FR and the DDPRR model • Deter • Detect • Prevent • React • Recover
Forensic Readiness • Raises some questions • How do you react without DDP? • Does the absence of deterrent change the scope / strategy / consequences? • Should you use a first responder? • Is investigation required at all? • Forensic readiness (eagerness) itself could cause an incident!
Forensic Readiness • Triage • Follows strategy! • An enduring question is always … • Should you turn it off? • Case dependent. • Output of strategy led triage is the deciding factor.
Forensic Readiness • The Off/On decision is based primarily on ongoing damage and the risk of causing a further incident. • Has the incident concluded? • Where is the ‘ideal’ evidence? • All of these are factors that answer the Off/On question
Forensic Readiness • What do you need for a readiness team? • Training! • Technical / Legal / Method / Custody of evidence • Equipment • Evidence bags / Digital camera / Screwdrivers / Custody forms / Witness statement forms / Write blockers / Lots of cables! Etc.
Forensic Readiness • An FR team should always contain: • Top level management • Non-IT department technical capability • Confidentiality • Well defined role descriptions • Third party support where necessary • Legal / Technical / HR
Forensic Readiness • Key factors • Know your limits! • Do not attempt investigation you are not 100% comfortable with • Beware of witch hunting!
Any questions?
Thank You Campbell Murray Encription Limited www.encription.co.uk 0330 100 2345