forensics - PowerPoint PPT Presentation
PowerPoint Slideshow about 'forensics' - paul2
Presentation Transcript
Learning Objectives
  • Definition of Forensics
  • Be able to understand process in building legally sound case
  • Identify forensic capabilities you will need in a typical corporate environment
Definition
  • Forensic:
    • “…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).”
  • The aim of forensic science is:
    • “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.”

Ref: Casey, "Digital Evidence and Computer Crime", 2nd ed., section 1.6, p. 20.

The Goal of Forensics
  • Forensics seeks to provide an accurate representation of extracted data: find out the truth
    • How was it lost?
    • What was lost?
    • What are my obligations concerning the loss?
Forensics vs. Incident Handling
  • Closely tied together, but different
  • Data collection starts immediately as a part of incident handling
  • Data analysis is not a part of incident handling
  • The incident can sometimes be closed before forensic analysis is complete
Legally Sound Data Collection
  • Security in Computing, chapter 9.5
  • Goals
    • Build a solid case
    • Find out what was lost
    • Find out the truth
Privacy Issues
  • Generally apply principles from the physical world
    • Can you:
      • Read my mail?
      • Listen to my phone call?
      • Obtain a copy of my phone bill?
Applicable Statutes
  • Computer Fraud and Abuse Act, 18 U.S.C. § 1030
    • Protects against access without authorization, or in excess of authorization (privacy intrusion)
Applicable Statutes (2)
  • Federal Wiretap Act (18 U.S.C. §§ 2510-2522)
    • Protects the content of communications in transit (real-time interception)
    • Three key exceptions:
      • Provider
      • Consent
      • Trespasser
Applicable Statutes (3)
  • Pen Registers and Trap and Trace Devices, 18 U.S.C. §§ 3121-3127
    • Pen register (outgoing) or trap and trace (incoming)
    • Real-time collection of header (non-content) information
      • What is header information? Dialing, routing, addressing and signaling data (numbers dialed, IP addresses, ports, e-mail To/From), not the body of the communication
Applicable Statutes (4)
  • The Electronic Communications Privacy Act
    • ECPA; its Title II is the Stored Communications Act (18 U.S.C. §§ 2701-2712)
    • Protects stored data (both headers and content)
    • What is the difference between read voice mail and unread voice mail? (Opened vs. unopened messages are treated differently in storage)
Applicable Statutes (5)
  • Patriot Act
    • Patches up ECPA and others by clearly defining how Law Enforcement can gather data
    • Renewed in early 2006 (USA PATRIOT Improvement and Reauthorization Act of 2005) with only minor changes
Applicable Statutes (6)
  • Other traditional statutes may apply
    • Trade secrets
    • Harassment
    • Copyright Infringement
Applicable Statutes (7)
  • Summary
    • Headers vs. content
    • Real-time vs. stored
    • Complex and changing
  • Acting under the cover of law
    • What information can you share with law enforcement?
Employee Rights
  • Bannering
    • What should be in an acceptable use policy?
    • Is bannering sufficient?
  • Pseudo-employees
    • Contractors
    • Consultants
    • Temps
    • Interns
    • Auditors
Case Study(1)
  • Acceptable Use Violation
    • Indications
    • Initial course of action
    • What are you certain you can do?
    • What are you certain you can not do?
    • Where do you go for guidance?
Regulatory Issues
  • Gramm-Leach-Bliley Act of 1999 (GLBA)
    • Protect consumer personal financial data
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Federal privacy protection for individually identifiable health information
  • Public Firms
    • SEC, NASD (now FINRA) requirements for document retention
Data Collection
  • Make bit-for-bit copies of everything
  • Only work on copies; never analyze the original
  • Create MD5 checksums of the original and of every copy, and record them (MD5 collisions are practical today, so record a SHA-256 alongside)
Data Collection Toolkit
  • Software
    • Static binaries (do not trust the shell, libraries or tools on the suspect machine)
    • Linux-based
  • Hardware
    • Cables, adapters
    • Very large drives
  • Chain of custody forms
  • Calibration procedure
Case Study(2)
  • Bringing the evidence to court
    • Do you really have to explain an MD5 checksum of a hard drive to the jurors?
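The data-collection steps above (copy everything, work only on the copy, checksum it) carried out as a small POSIX shell script; this is an added example, not from the original slides, and the custody record it writes is also the thing Case Study(2) asks you to explain to jurors: a hash is a fingerprint taken at acquisition and recomputed later. It assumes GNU coreutils (dd, md5sum, sha256sum, awk, date). Every path, the examiner name and the evidence file in the usage are hypothetical or constructed. It records SHA-256 beside the MD5 the slide names.

```shell
#!/bin/sh
# Added example, not from the original slides: image an evidence source with dd,
# hash the source and the image, verify the working copy later, and append a
# chain-of-custody record. Assumes GNU coreutils. All paths are hypothetical;
# on a real system SOURCE is a block device such as /dev/sdb behind a write blocker.

# hash_file FILE -> prints "<md5> <sha256>" on one line.
# MD5 alone is what the slide asks for; SHA-256 is added because MD5 collisions
# are practical today, and a second algorithm lets the same record survive that.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# acquire SOURCE IMAGE CUSTODY_LOG EXAMINER
# Copies SOURCE to IMAGE sector by sector. conv=noerror,sync keeps going past an
# unreadable sector and zero-fills it so later offsets still line up (a real
# device is a whole number of 512-byte sectors; a regular file must be too).
# Appends one custody line and returns 0 only if source and image hashes agree.
acquire() {
    src=$1; img=$2; log=$3; who=$4
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Tab-separated: when, who, action, source, image, and both hash pairs.
    printf '%s\t%s\tacquired\tsrc=%s\timg=%s\tsrc_hash=%s\timg_hash=%s\n' \
        "$stamp" "$who" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_copy IMAGE CUSTODY_LOG
# Re-hashes IMAGE (the working copy the analyst actually touches) and compares
# it with the hashes recorded at acquisition. Returns 0 when unchanged,
# 1 when the copy no longer matches, 2 when there is no record for it.
verify_copy() {
    img=$1; log=$2
    recorded=$(awk -F'\t' -v want="img=$img" \
        '$5 == want { sub(/^img_hash=/, "", $7); h = $7 } END { print h }' "$log")
    [ -n "$recorded" ] || return 2
    [ "$(hash_file "$img")" = "$recorded" ]
}

# Usage (constructed evidence: 4096 bytes, i.e. eight whole sectors):
#   yes A | head -c 4096 > /tmp/evidence.raw
#   acquire /tmp/evidence.raw /tmp/evidence.img /tmp/custody.log examiner1 && echo "image verified"
#   verify_copy /tmp/evidence.img /tmp/custody.log && echo "copy unchanged"
```

Run verify_copy before every analysis session and again before the image is handed over; a changed hash means the copy is no longer evidence, and the custody log is what shows the jury when and by whom each copy was taken.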
Data on the Computer
  • In files
  • In log files
  • Browser history
  • Windows prefetch area
  • Slack space
  • Open network connections
  • Virtual memory
  • Physical memory
  • Network traces

Slide callouts attached to the list: "Lost when machine is powered off", "Lost if you wait too long", "Real-time only"

Data on Other Computers
  • Infrastructure logs
    • Web servers, mail servers
  • Archival systems
  • Network / Firewall logs
  • Intrusion detection systems
  • Everything that logs
Data in Unexpected Places
  • Anti-virus alerts, real-time anti-virus scans
  • License enforcement / application metering
  • [anything]Management Software
    • Patch management
    • Software management
    • Configuration management
    • Asset management
Case Study(3)
  • You receive a workstation anti-virus alert
    • Where do you expect to find log data?
Case Study(4)
  • Data on someone else’s computer
Gathering Data from People
  • Interviews
    • With others
    • With the suspect
  • Interview Techniques
    • Never reveal what you do or do not know

Slide callout: Did you ever ask a first grader what happened in school today?

Data Sources – Summary
  • Defense in depth == forensics in depth
  • Only you know all the potential data sources
    • It is always your responsibility to help identify and present the data
The Big Question
  • Can you ever imagine this event/incident leading to a court case?
    • Yes: legally sound collection
    • No: more flexibility but fewer resources; often a good training exercise
    • Always consider the costs:
      • Prosecution
      • Damage to reputation
      • Loss of corporate secrets
Case Study(5)
  • A routine anti-virus alert (revisited)
  • Pre-planning
  • Training
  • Consider outsourcing
    • Managed cost
    • Impartial results
    • Add an addendum to your MSSP contract
Decisions, Decisions
  • CSO, CIO, CEO, CLO
  • What decisions need to be made?
  • When and how do you receive elevated authority?
    • Admin rights
    • Right to monitor
  • How do you proceed when there is no decision?
Case Study(6)
  • What can we learn from:
    • Email logs
    • Web server logs
    • Interviews
    • Human resources
  • Who would be involved in making decisions?
  • What are some possible outcomes?
Law Enforcement
  • FBI
  • FTC
  • US Postal Inspectors
  • US Secret Service
  • Local law enforcement
  • Task forces and other institutions
Law Enforcement (2)
  • Build relationships beforehand
  • Cooperation leads to resource sharing
  • Law Enforcement does not know your network topology
  • Definition of Forensics
    • Tell the story: what was lost, how it was lost
  • Be able to understand process in building legally sound case
    • Complex issues
  • Identify forensic capabilities you will need in a typical corporate environment
    • Only you know your topology