1 / 38

Forensics

Forensics. Learning Objectives. Definition of Forensics Be able to understand process in building legally sound case Identify forensic capabilities you will need in a typical corporate environment. Definition. Forensic:

paul2
Download Presentation

Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forensics

  2. Learning Objectives • Definition of Forensics • Be able to understand process in building legally sound case • Identify forensic capabilities you will need in a typical corporate environment

  3. Definition • Forensic: • “…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).” • The aim of forensic science is: • “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.” Ref: Casey, “Digital Evidence and Computer Crime”, 2nd ed., section 1.6, p20.

  4. The Goal of Forensics • Forensics seeks to provide an accurate representation of extracted data: find out the truth • How was it lost? • What was lost? • What are my obligations concerning the loss?

  5. Forensics vs. Incident Handling • Closely tied together, but different • Data collection starts immediately as a part of incident handling • Data analysis is not a part of incident handling • The incident can sometimes be closed before forensic analysis is complete

  6. Legally Sound Data Collection • Security in Computing, chapter 9.5 • Goals • Build a solid case • Find out what was lost • Find out the truth

  7. Privacy Issues • Generally apply principles from the physical world • Can you: • Read my mail? • Listen to my phone call? • Obtain a copy of my phone bill?

  8. Applicable Statutes • Computer fraud and abuse act, 18USC1030 • Protects against unauthorized access (privacy intrusion)

  9. Applicable Statutes (2) • Federal Wiretap Act (18USC2510-22) • Protect data in transit (real-time) • Three key exceptions: • Provider • Consent • Trespasser

  10. Applicable Statutes (3) • Pen Registers and Trap and Trace Devices, 18USC3121-27 • Pen/trap or Trap & Trace • Real-time collection of header information • What is header information?

  11. Applicable Statutes (4) • The Electronics Communications Privacy Act • ECPA • Protects stored data (both headers and content) • What is the difference between read voice mail and unread voice mail?

  12. Applicable Statutes (5) • Patriot Act • Patches up ECPA and others by clearly defining how Law Enforcement can gather data • Renewed in early 2006 with only minor changes

  13. Applicable Statutes (6) • Other traditional statutes may apply • Trade secrets • Harassment • Copyright Infringement

  14. Applicable Statutes (7) • Summary • Headers vs. content • Real-time vs. stored • Complex and changing • Acting under the cover of law • What information can you share with law enforcement?

  15. Employee Rights • Bannering • What should be in an acceptable use policy? • Is bannering sufficient? • Pseudo-employees • Contractors • Consultants • Temps • Interns • Auditors • …

  16. Case Study(1) • Acceptable Use Violation • Indications • Initial course of action • What are you certain you can do? • What are you certain you can not do? • Where do you go forguidance?

  17. Regulatory Issues • Gramm-Leach-Bliley Act of 1999 (GLBA) • Protect consumer personal financial data • Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Federal privacy protection for individually identifiable health information • Public Firms • SEC, NASD requirements for document retention

  18. Data Collection • Make copies of everything • Only work on copies • Create MD5 checksums

  19. Data Collection Toolkit • Software • Static binaries • Linux-based • Hardware • Cables, adapters • Very large drives • Chain of custody forms • Calibration procedure

  20. Case Study(2) • Bringing the evidence to court • Do you really have to explain an MD5 checksum of a hard drive to the jurors?

  21. Data on the Computer • In files • In log files • Browser history • Windows prefetch area • Slack space • Open network connections • Virtual memory • Physical memory • Network traces Lost when machine is powered off Lost if you wait too long Real-time only

  22. Data on Other Computers • Infrastructure logs • Web servers, mail servers • Archival systems • Network / Firewall logs • Intrusion detection systems • Everything that logs

  23. Data in Unexpected Places • Anti-virus alerts, real-time anti-virus scans • License enforcement / application metering • [anything]Management Software • Patch management • Software management • Configuration management • Asset management

  24. Case Study(3) • You receive a workstation anti-virus alert • Where do you expect to find log data?

  25. Case Study(4) • Data on someone else’s computer

  26. Gathering Data from People • Interviews • With others • With the suspect • Interview Techniques • Never reveal what you do or do not know Did you ever ask a first grader what happened in school today?

  27. Data Sources – Summary • Defense in depth == forensics in depth • Only you know all the potential data sources • It is always your responsibility to help identify and present the data

  28. Corporate Forensics

  29. The Big Question • Can you ever imagine this event/incident leading to a court case? • Yes: legally sound collection • No: more flexibility but fewer resources; often a good training execrcise • Always consider the costs: • Prosecution • Damage to reputation • Loss of corporate secrets

  30. Case Study(5) • A routine anti-virus alert (revisited)

  31. Preparations • Pre-planning • Training • Consider outsourcing • Managed cost • Impartial results • Add an addendum to your MSSP contract

  32. Decisions, Decisions • CSo, CIO, CEO, CLO • What decisions need to be made? • When and how do you receive elevated authority? • Admin rights • Right to monitor • How do you proceed when there is no decision?

  33. Case Study(6)

  34. Case Study(6)

  35. Case Study(6) • What can we learn from: • Email logs • Web server logs • Interviews • Human resources • Who would be involved in making decisions? • What are some possible outcomes?

  36. Law Enforcement • FBI • FTC • US Postal Inspectors • US Secret Service • Local law enforcement • Task forces and other institutions

  37. Law Enforcement • Build relationships beforehand • Cooperation leads to resource sharing • Law Enforcement does not know your network topology

  38. Conclusion • Definition of Forensics • Tell the story: what was lost, how it was lost • Be able to understand process in building legally sound case • Complex issues • Identify forensic capabilities you will need in a typical corporate environment • Only you know your topology

More Related