Learn about forensic readiness and how to prepare for situations where digital forensics may be required. Understand the difference between events and incidents, and the critical early actions in a digital forensics investigation. Discover the steps involved in creating a digital forensics strategy, including the importance of defining the scope and window of opportunity. Learn about chain of custody and the key factors for building a forensic readiness team.
Forensic readiness: Preparing for the worst, and how to contain it. Campbell Murray Technical Director, Encription Limited 09 July 2014
Who? • Campbell Murray • Technical Director @ Encription • > 16 years IT security experience • Offensive and Defensive • CESG CHECK Team Leader • Expert Witness
Forensic Readiness • “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.” • Forensic readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you’ve done all you can to prepare for that situation.
Forensic Readiness • Events vs. Incidents • An “event” is a noticeable change to a system, environment, process, workflow or person. • An “incident” is an event that has a root human cause. • Therefore, all incidents are events, but not all events are incidents.
Forensic Readiness • All DF investigations start with an incident • Crime e.g. Murder • Malware attack • Loss of data • Misconduct • Confidential information breach • Loss of money • Other digital incident
Forensic Readiness • Early actions are critical • DF is dynamic and situation dependent • As an investigation progresses, further information/evidence often comes to attention which may alter the focus. • e.g. If you come across evidence of a more serious nature/breach, it will alter the proportionality and focus of the investigation
Forensic Readiness • Lots to consider when planning each case. • Hard to define which is most important: • Right people? • Who can you trust? • Confidentiality? • Initial assessment? • Risk?
Forensic Readiness • DFS • Digital Forensics Strategy • What, how, who, why, where? • Form a hypothesis • Formulate all the possible scenarios • The hypothesis defines the strategy • What/Who to investigate • Must be flexible - escalation • Document the strategy!
Forensic Readiness • Steps of the strategy • What is ‘ideal’ evidence • A document, an email, an image • What supports your hypothesis • Is it financially viable? • Does the investigation cost outweigh the incident?
Forensic Readiness • Where would ideal evidence be found in each case? • Phone? • Email trail? • Presence/Absence from premises? • etc. • Focus investigation in these areas first.
Forensic Readiness • Define the ‘Window of Opportunity’ • Narrow down the investigation to a time frame • Speed • Accuracy • Strategy
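Narrowing to a window of opportunity only works once every source is on the same clock. The following is an added example (not material from the talk) that normalises constructed log records from a proxy, a VPN concentrator, a Windows host and a door badge system to UTC before filtering them to the window; the record formats, the window boundaries and the assumption that hosts without an explicit offset sit on UK summer time (BST) are all constructed for illustration.

```python
"""Window-of-opportunity filter over mixed-format timestamps.

Added example, not from the talk. Each record's raw timestamp is normalised
to an aware UTC datetime before comparison; comparing the raw strings would
mis-order sources that log in different zones. Records and window are
constructed.
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: hosts that log without an offset (badge system, Windows export)
# are set to UK summer time (UTC+1).
LOCAL_TZ = timezone(timedelta(hours=1))

# Constructed sample records: (source, raw timestamp as logged, message)
RECORDS = [
    ("vpn",     "08/Jul/2014:09:12:01 +0000",  "session open user=jsmith"),
    ("proxy",   "2014-07-08T17:58:12+01:00",   "GET https://drive.example.org/upload"),
    ("vpn",     "08/Jul/2014:16:59:40 +0000",  "session open user=jsmith"),
    ("windows", "2014-07-08 18:02:55 BST",     r"4663 object access \\share\finance\q2.xlsx"),
    ("proxy",   "2014-07-08T18:31:07+01:00",   "POST https://drive.example.org/upload 41MB"),
    ("badge",   "2014-07-08 19:05",            "exit main door jsmith"),
]

# Constructed window: 16:55 to 17:30 UTC on the day of the incident.
WINDOW_START = datetime(2014, 7, 8, 16, 55, tzinfo=UTC)
WINDOW_END = datetime(2014, 7, 8, 17, 30, tzinfo=UTC)


def parse_utc(raw, default_tz=LOCAL_TZ):
    """Normalise the timestamp formats used in RECORDS to an aware UTC datetime."""
    raw = raw.strip()
    if raw.endswith(" BST"):
        # Windows event export with a zone *name*; strptime cannot resolve names, so attach the offset.
        dt = datetime.strptime(raw[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    elif re.fullmatch(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}", raw):
        # Apache/nginx access-log style with explicit numeric offset.
        dt = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    elif re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}", raw):
        # Badge system: naive local time to the minute, no zone at all.
        dt = datetime.strptime(raw, "%Y-%m-%d %H:%M").replace(tzinfo=default_tz)
    else:
        # ISO 8601; attach the default zone only if the record carries none.
        dt = datetime.fromisoformat(raw)
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=default_tz)
    return dt.astimezone(UTC)


def window(records, start, end):
    """Return (utc_time, source, message) for records in [start, end), oldest first."""
    hits = []
    for source, raw, msg in records:
        t = parse_utc(raw)
        if start <= t < end:
            hits.append((t, source, msg))
    return sorted(hits)


def demo():
    """Apply the constructed window to the constructed records."""
    return window(RECORDS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for t, source, msg in demo():
        print(f"{t.isoformat()}  {source:8s}  {msg}")
```

Note that the second proxy request (18:31 local, 17:31 UTC) falls just outside the window while the Windows file access (18:02 local, 17:02 UTC) falls inside it; a filter on the raw local strings with a window expressed in UTC would get both of these wrong.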
Forensic Readiness • Strategy defines the scope • Where/what is the crime scene? • Has this incident concluded, or ongoing? • Observe and document • Written notes / Photographs / Statements • Gather evidence • Chain of custody
Forensic Readiness • Chain of Custody case study • Employee suspected of exfiltrating data • Put on suspension pending investigation • Laptop / Phone seized • IT department all ‘have a look’ • No record of who did what • No legal case could be built, despite evidence • Employee compensated!!!!
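The case study fails on two points: nobody recorded who handled the exhibit, and nothing proves the exhibit was unchanged after each handler touched it. The following is an added example (not the speaker's or Encription's code) of a minimal custody record that addresses both: the exhibit is hashed at seizure and at every hand-over, and each entry's hash also covers the previous entry, so an altered or deleted entry breaks the chain. The exhibit ID, handler names and the stand-in "disk image" are constructed; `demo()` replays the case study, with the unrecorded "look" replaced by a recorded one so the integrity check can attribute the change.

```python
"""Chain-of-custody record with integrity checks.

Added example, not material from the talk. Every hand-over re-hashes the
exhibit; every log entry hashes its own content plus the previous entry's
hash. Exhibit ID, handlers and the sample image are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # stands in for the "previous entry hash" of the first entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record for a single exhibit."""

    def __init__(self, exhibit_id, description):
        self.exhibit_id = exhibit_id
        self.description = description
        self.entries = []

    @staticmethod
    def _entry_hash(body, prev_hash):
        # Canonical JSON (sorted keys) so the same entry always hashes the same way.
        payload = json.dumps(body, sort_keys=True).encode() + prev_hash.encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, action, handler, evidence_sha256, note="", when=None):
        """Append one custody event; the caller supplies the exhibit hash taken at that moment."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time_utc": when.isoformat(),
            "action": action,
            "handler": handler,
            "evidence_sha256": evidence_sha256,
            "note": note,
        }
        entry = dict(body, entry_hash=self._entry_hash(body, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems); each problem names the entry and what is wrong with it."""
        problems = []
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != i:
                problems.append(f"entry {i}: sequence number {body['seq']} (entry missing?)")
            if self._entry_hash(body, prev_hash) != entry["entry_hash"]:
                problems.append(f"entry {i}: entry hash mismatch (record altered or chain broken)")
            if i and entry["evidence_sha256"] != self.entries[i - 1]["evidence_sha256"]:
                # The exhibit changed between this hand-over and the previous one,
                # i.e. while the previous entry's handler held it.
                prev_handler = self.entries[i - 1]["handler"]
                problems.append(f"entry {i}: evidence hash changed while held by {prev_handler}")
            prev_hash = entry["entry_hash"]
        return (not problems, problems)


def demo():
    """Replay the case study: clean seizure and imaging, then a 'look' without a write blocker."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "LAPTOP-01.dd"
        image.write_bytes(b"constructed stand-in for a disk image")  # constructed exhibit
        log = CustodyLog("EX-001", "Laptop seized from suspended employee")
        log.record("seized", "investigator", sha256_file(image), "sealed in evidence bag 0042")
        log.record("imaged via write blocker", "examiner", sha256_file(image))
        clean_ok, _ = log.verify()
        log.record("received for review", "IT helpdesk", sha256_file(image))
        # The 'look' is done on the live disk with no write blocker: the exhibit changes.
        image.write_bytes(b"constructed stand-in for a disk image, browser history cleared")
        log.record("returned", "IT helpdesk", sha256_file(image), "no write blocker used")
        after_ok, problems = log.verify()
    return clean_ok, after_ok, problems


if __name__ == "__main__":
    print(demo())
```

The record does not stop anyone from tampering with the exhibit; it makes the tampering visible and attributable, which is what the case study lacked. In practice the log would be signed or stored off the investigating team's systems, and the hash would be taken over the forensic image rather than the live disk.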
Forensic Readiness • But … there is more to it than that! • FR and the DDPRR model • Deter • Detect • Prevent • React • Recover
Forensic Readiness • Raises some questions • How do you react without DDP? • Does the absence of deterrent change the scope / strategy / consequences? • Should you use a first responder? • Is investigation required at all? • Forensic readiness (eagerness) itself could cause an incident!
Forensic Readiness • Triage • Follows strategy! • An enduring question is always … • Should you turn it off? • Case dependent. • Output of strategy led triage is the deciding factor.
Forensic Readiness • Off / On decision primarily based on on-going damage and risks of causing a further incident. • Has the incident concluded? • Where is the ‘ideal’ evidence? • All factors that answer the Off/On question
Forensic Readiness • What do you need for a readiness team? • Training! • Technical / Legal / Method / Custody of evidence • Equipment • Evidence bags / Digital camera / Screwdrivers / Custody forms / Witness statement forms / Write blockers / Lots of cables! Etc.
Forensic Readiness • An FR team should always contain: • Top level management • Non-IT department technical capability • Confidentiality • Well defined role descriptions • Third party support where necessary • Legal / Technical / HR
Forensic Readiness • Key factors • Know your limits! • Do not attempt investigation you are not 100% comfortable with • Beware of witch hunting!
Any questions?
Thank You Campbell Murray Encription Limited www.encription.co.uk 0330 100 2345