
Forensic readiness: Preparing for the worst, and how to contain it.





Presentation Transcript


Forensic readiness preparing for the worst and how to contain it

Forensic readiness:

Preparing for the worst,

and how to contain it.


Campbell Murray

Technical Director, Encription Limited

09 July 2014



Who?

  • Campbell Murray

  • Technical Director @ Encription

  • > 16 years IT security experience

    • Offensive and Defensive

  • CESG CHECK Team Leader

  • Expert Witness


Forensic readiness

Forensic Readiness

  • “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”

  • Forensics readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you’ve done all you can to prepare for that situation.



Forensic Readiness

  • Events vs. Incidents

  • An “event” is a noticeable change to a system, environment, process, workflow or person.

  • An “incident” is an event that has a root human cause.

  • Therefore, all incidents are events, but not all events are incidents.



Forensic Readiness

  • All DF investigations start with an incident

  • Crime e.g. Murder

  • Malware attack

  • Loss of data

  • Misconduct

  • Confidential information breach

  • Loss of money

  • Other digital incident



Forensic Readiness

  • Early actions are critical

  • DF is dynamic and situation dependent

  • As an investigation progresses, often further information/evidence comes to attention which may alter focus.

  • e.g. If you come across evidence of a more serious nature/breach it will alter the proportion and focus of the investigation



Forensic Readiness

  • Lots to consider when planning each case.

  • Hard to define which is most important:

  • Right people?

  • Who can you trust?

  • Confidentiality?

  • Initial assessment?

  • Risk?



Forensic Readiness

  • DFS

  • Digital Forensics Strategy

    • What, how, who, why, where?

  • Form a hypothesis

    • Formulate all the possible scenarios

  • The hypothesis defines the strategy

    • What/Who to investigate

  • Must be flexible - escalation

  • Document the strategy!



Forensic Readiness

  • Steps of the strategy

  • What is ‘ideal’ evidence

  • A document, an email, an image

  • What supports your hypothesis

  • Is it financially viable?

    • Does the investigation cost outweigh the incident?



Forensic Readiness

  • Where would ideal evidence be found in each case?

  • Phone?

  • Email trail?

  • Presence/Absence from premises?

  • etc.

  • Focus investigation in these areas first.



Forensic Readiness

  • Define the ‘Window of Opportunity’

  • Narrow down the investigation to a time frame

  • Speed

  • Accuracy

  • Strategy



Forensic Readiness

  • Strategy defines the scope

    • Where/what is the crime scene?

  • Has this incident concluded, or ongoing?

  • Observe and document

    • Written notes / Photographs / Statements

  • Gather evidence

    • Chain of custody



Forensic Readiness

  • Chain of Custody case study

  • Employee suspected of exfiltrating data

  • Put on suspension pending investigation

    • Laptop / Phone seized

  • IT department all ‘have a look’

  • No record of who did what

  • No legal case could be built, despite evidence

  • Employee compensated!!!!
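As an added example (not from the slides), a minimal tamper-evident chain-of-custody ledger in Python that records who held an item and when, refuses a handover from anyone not recorded as the current custodian, and checks the forensic image against the hash taken at seizure. It illustrates both the "Gather evidence / Chain of custody" step above and this case study; the item id, custodian names and image bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def seal(entry: dict) -> str:
    # Hash over every field of an entry, including the previous entry's seal.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

class CustodyLedger:
    def __init__(self):
        self._chains = {}  # item_id -> ordered list of custody entries

    def _append(self, item_id, action, actor, note, image_hash):
        chain = self._chains.setdefault(item_id, [])
        entry = {
            "seq": len(chain), "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "note": note, "image_hash": image_hash,
            "prev_hash": chain[-1]["entry_hash"] if chain else "0" * 64,
        }
        entry["entry_hash"] = seal(entry)
        chain.append(entry)
        return entry

    def seize(self, item_id, actor, image: bytes, note=""):
        # First entry: who seized the item and the hash of its forensic image.
        return self._append(item_id, "seize", actor, note, sha256_hex(image))

    def handover(self, item_id, from_actor, to_actor, image: bytes, purpose):
        # Refuse an unrecorded custodian or an image that no longer matches seizure.
        chain = self._chains[item_id]
        if chain[-1]["actor"] != from_actor:
            raise ValueError(f"{from_actor} is not the recorded custodian")
        if sha256_hex(image) != chain[0]["image_hash"]:
            raise ValueError("image hash differs from the hash taken at seizure")
        return self._append(item_id, "handover", to_actor, purpose, sha256_hex(image))

    def custodian(self, item_id) -> str:
        return self._chains[item_id][-1]["actor"]

    def verify(self, item_id, image: bytes) -> bool:
        # True only if every entry seals onto the previous one and the image still
        # matches the hash recorded at seizure; a removed or edited entry fails.
        prev, chain = "0" * 64, self._chains.get(item_id, [])
        for i, e in enumerate(chain):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or seal(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return bool(chain) and sha256_hex(image) == chain[0]["image_hash"]
```

The "IT department all have a look" failure from the case study is exactly what `handover` rejects: anyone not recorded as the current custodian cannot pass the item on, so every access is either logged or refused.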



Forensic Readiness

  • But … there is more to it than that!

  • FR and the DDPRR model

  • Deter

  • Detect

  • Prevent

  • React

  • Recover



Forensic Readiness

  • Raises some questions

  • How do you react without DDP?

  • Does the absence of deterrent change the scope / strategy / consequences?

  • Should you use a first responder?

    • Is investigation required at all?

  • Forensic readiness (eagerness) itself could cause an incident!



Forensic Readiness

  • Triage

  • Follows strategy!

  • An enduring question is always …

  • Should you turn it off?

  • Case dependent.

    • Output of strategy-led triage is the deciding factor.



Forensic Readiness

  • Off / On decision primarily based on ongoing damage and the risk of causing a further incident.

  • Has the incident concluded?

  • Where is the ‘ideal’ evidence?

  • All factors that answer the Off/On question



Forensic Readiness

  • What do you need for a readiness team?

  • Training!

    • Technical / Legal / Method / Custody of evidence

  • Equipment

    • Evidence bags / Digital camera / Screwdrivers / Custody forms / Witness statement forms / Write blockers / Lots of cables! Etc.



Forensic Readiness

  • An FR team should always contain:

  • Top level management

  • Non-IT department technical capability

    • Confidentiality

  • Well defined role descriptions

  • Third party support where necessary

    • Legal / Technical / HR



Forensic Readiness

  • Key factors

  • Know your limits!

    • Do not attempt investigation you are not 100% comfortable with

  • Beware of witch hunting!




Any questions?



Thank You

Campbell Murray

Encription Limited

www.encription.co.uk

0330 100 2345

