Digital Evidence Incident Response and Computer Forensics - PowerPoint PPT Presentation


Digital Evidence, Incident Response and Computer Forensics

The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one of us adds a little to our knowledge of nature, and from all the facts assembled arises a certain grandeur.



What do you see?



Forensic

  • Adj. - "of, relating to, or used in courts of law or public debate or argument"

    • From the Latin forensis ("of the forum")

  • "Computer Forensics" - a poor English expression: it uses the noun "computer" as an adjective and the adjective "forensic" as a noun

  • Preferred: "Forensic Analysis of Digital Evidence"


Digital Evidence

  • “Information of probative value stored or transmitted in digital form”

    • Federal Crime Laboratory Directors - Scientific Working Group on Digital Evidence (SWGDE)


Sources of Digital Evidence

  • Open Computer Systems

    • PCs, servers, etc.

  • Communication Systems

    • Telecommunications Systems

    • Transient Network (content) Data

    • Non-transient (log) Data

  • Embedded Computer Systems

    • PDAs, cell phones, iPods, etc.


Problems with Digital Evidence

  • Digital data are trivial to falsify

  • Digital data are fundamentally arbitrary

  • Digital data are fundamentally abstract

    • Multiple Layers of Abstraction

  • Most analysis is performed on a digital copy

  • The form of digital data subjected to analysis is nearly always transformed in some way

Problems with Digital Evidence

  • Storage capacity is growing rapidly - a 500-byte email is a needle in a 750 GB haystack

  • Low technical literacy of the public & judiciary means that explanations of analytic methods can be misunderstood and cause confusion

  • Reasonable doubt is easy to establish


Reasonable Doubt - Examples

  • The Trojan Defense - Karl Schofield of Reading, UK - charged with possessing 14 depraved images

  • Defense expert witness - the pictures could have been downloaded by a self-deleting Trojan

  • Prosecutor - "The Crown would not be able to say he is the only person who knew of these images on his computer."

Reasonable Doubt - Examples

  • Aaron Caffrey - when his PC took part in a DDoS attack on the Port of Houston, he said a Trojan did it

  • Julian Green – Similar to Schofield case - 172 indecent pictures – 11 Trojan applications found on PC - "I had never been in trouble before. In cases like this it is not innocent until proved guilty, but the other way around."


CSI/FBI Survey 2005

  • 80% of Incidents are never reported

  • “The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity”

  • Trends show this percentage increasing


Incident Response

  • The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference

  • 80% of organizations may not report incidents, but all of them must respond

  • Organizations need internal investigators to triage events using established practices

Incident Types

  • Theft of Trade Secrets

  • Rights Infringement

  • Intrusion Events

  • Tortious Interference

  • Malicious Code

  • Child Pornography

  • Denial of Service

  • Inappropriate Use

  • Evidence of other crimes


Incident Response Lifecycle

  • Preparation

  • Detection and Analysis

  • Containment, Eradication and Recovery

  • Post Incident Activity


Forensic Science

  • Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes

  • Relating to or dealing with the application of scientific knowledge to legal problems


Digital Forensic Science

  • “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

    - Digital Forensic Research Workshop (2001)

Digital Forensic Science

  • Analysis of Computer Generated Evidence

    • Identification of Sources of Evidence

    • Preservation of Evidence

    • Analysis of Evidence

    • Presentation of Findings

  • Methodology must be secure, controlled, repeatable and auditable

  • More on methodology later


Is it time for a break yet?


Origins of Forensic Science

  • 700 AD Chinese Use Fingerprints for ID

  • 1248 AD First recorded application of medical knowledge to the solution of crime - Chinese Text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation


Eugène François Vidocq

  • Outlaw son of a Baker

  • In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)

  • Introduced record keeping, ballistics, plaster casts for footprint analysis, etc

  • Founded the first modern detective agency and credit bureau



Alphonse Bertillon

  • French law officer

  • Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims

  • Introduced use of crime scene photography and mug shots


Edmond Locard

  • Student of Bertillon

  • Professor of forensic medicine at the University of Lyons

  • Established the First Crime Laboratory

  • Developed poroscopy, identification from the sweat-pore detail of a fingerprint (edgeoscopy, the related study of ridge edges, came later)

    • Standard 12 Points to ID a fingerprint

  • Developed Forensic Microscopy

  • Locard's Exchange Principle


Locard’s Exchange Principle

  • Whenever two objects come into contact, a transfer of material will occur

Locard’s Exchange Principle

  • Provide examples of how this might apply to digital evidence in a computer intrusion event.


Attributes affecting data fidelity

  • Lack of standards & methodology

  • Correctness of translation and transformation mechanisms

  • Dependence on subjective reasoning

  • Excessive reliance on tools

  • Sound methodology is critical


Basic Methodology - APIEP

  • Acquisition

  • Preservation

  • Identification

  • Evaluation

  • Presentation


Methodology - Saferstein

  • NJ Crime Lab Director (1971-1990)

  • Secure and Isolate the Scene

  • Record the Scene

  • Systematic Search for Evidence

  • Collect and Document Evidence

  • Maintain Chain of Custody


Investigative Process Model - Casey

  • Incident Alert

  • Assessment of worth

  • Incident Protocol

  • Preservation

  • Recovery

  • Harvesting

  • Reduction

  • Organization and Search

  • Analysis

  • Reporting

  • Persuasion and Testimony


IR Methodology - Mandia & Prosise

  • Pre-Incident Preparation

  • Detection

  • Initial Response / Investigation

  • Formulate Response Strategy

  • Investigate the Incident

    • Data Collection

    • Data Analysis

  • Reporting

  • Resolution, Recovery, Security Measures


Pre-Incident Preparation

  • Establish Incident Response Goals

  • Designate Incident Response Team

  • Create Incident Response Policy

  • Acquire Hardware / Software

  • Establish Reporting Guidelines

  • Implement User Awareness Training


Incident Detection

  • Document Observation Clearly

  • Suspicious System Behavior

  • NetFlow Statistics

  • IDS / Firewall Logs

  • System Logs

  • Routine Audits / Assessments

  • Information Leaks
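A detection check of the kind the list above calls for, and one answer to the Locard exercise a few slides earlier: an intruder who guesses an SSH password leaves a trace in the target's authentication log even when nothing else on the host is touched. This is an added example, not material from the slides. The log lines are constructed for the example, the year handed to the parser is an assumption (syslog timestamps carry none), and the threshold of four failures is arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in syslog format; not taken from any real host.
# 203.0.113.45 fails five times and then succeeds as root: the pattern to flag.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:03 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51140 ssh2
Mar  3 02:14:08 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51160 ssh2
Mar  3 02:14:10 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51170 ssh2
Mar  3 02:14:15 web01 sshd[2214]: Accepted password for root from 203.0.113.45 port 51188 ssh2
Mar  3 02:20:41 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 02:20:50 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
Mar  3 03:01:12 web01 sshd[2400]: Failed password for root from 192.0.2.99 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn raw sshd lines into dicts. Syslog timestamps carry no year, so the
    year is an assumption supplied by the caller (note it in the observation)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog lines are ignored, not treated as errors
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"],
                       "raw": line})
    # Sort by time so out-of-order log delivery cannot hide the sequence.
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_success(events, threshold=4):
    """Flag a source IP that fails at least `threshold` times and then logs in.
    A success after many failures is the observation worth escalating; failures
    alone are background noise on any internet-facing host."""
    failures = defaultdict(list)
    findings = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)
        elif len(failures[ev["ip"]]) >= threshold:
            prior = failures[ev["ip"]]
            findings.append({
                "ip": ev["ip"], "host": ev["host"], "user": ev["user"],
                "failures": len(prior),
                "first_failure": prior[0]["ts"], "success": ev["ts"],
                "evidence": [e["raw"] for e in prior] + [ev["raw"]],
            })
            failures[ev["ip"]] = []  # start a fresh window after the success
    return findings


def format_observation(finding):
    """Render one finding as a plainly worded observation that quotes its
    evidence lines, so the record stands on its own when read later."""
    lines = [
        f"Observation: {finding['failures']} failed SSH logins from {finding['ip']} "
        f"to {finding['host']} between {finding['first_failure']} and {finding['success']} "
        f"were followed by a successful login as '{finding['user']}'.",
        "Supporting log lines:",
    ]
    lines += ["  " + raw for raw in finding["evidence"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in detect_bruteforce_success(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(format_observation(f))
```

Run against the sample, only 203.0.113.45 is reported; alice's single typo before a key-based login stays below the threshold, and the lone failure from 192.0.2.99 is never followed by a success. The observation text quotes the raw lines rather than paraphrasing them, which is the "document observation clearly" step in practice.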


Initial Response

  • Document Everything Clearly

  • Interview Administrators / Witnesses

  • Review Logs / IDS Reports

  • Review Established Security Systems

  • Classify the Event

    • Denial of Service / Vandalism / Malicious Code

    • Unauthorized / Inappropriate Use

    • System Compromise / Multiple Component


Formulate Response Strategy

  • Has there been an event? (Is it a pipe?)

  • Does the law require a report?

  • What is the potential loss?

  • What is the cost of responding?

  • Critical systems, issues or data?

  • What is known of the perpetrator?


Taking Action

  • Has the cause been established?

  • Does it merit criminal prosecution?

  • Is legal action likely to be successful?

  • Is documentation / evidence sufficient for an effective investigation?

  • Will going public hurt the organization?

  • What other business impacts might exist?


Handling Internal Employees

  • Dismissal – Policy is critical

  • Remediation – Security Controls

  • Letter of Reprimand

  • Reassignment / Revoke Access

  • Lessons Learned Document


Data Collection

  • Capture Network-Based Evidence

  • Live Versus Dead Response

  • Capture Transient Evidence - RAM

  • Acquire Image or Seize System

  • Amount of stored data can be huge

  • Maintain Chain of Custody
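The slides stress that analysis is done on a digital copy and that the chain of custody must be maintained (Saferstein's list and the Data Collection slide). The following Python is an added example, not part of the presentation, showing the minimum mechanics: hash the source and the image independently, record each handling step together with the hash, and re-verify before analysis so that a tampered working copy is caught. The "disk" content, the case file names and the examiner names are all constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so images larger than RAM are fine


def sha256_file(path):
    """Stream a file through SHA-256; the digest is the evidence item's identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, action, actor, item, digest, note=""):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "actor": actor, "item": item,
            "sha256": digest, "note": note,
        }
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(source, image, actor, log):
    """Copy source to image, hash both independently, and refuse an image whose
    hash differs from the source: analysis must be done on a verified copy."""
    shutil.copyfile(source, image)
    src_hash = sha256_file(source)
    img_hash = sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("acquisition hash mismatch: image is not a faithful copy")
    os.chmod(image, 0o444)  # the verified image is never written again
    log.record("acquire", actor, image, img_hash, f"matches source sha256 {src_hash}")
    return img_hash


def verify_image(image, expected, actor, log):
    """Re-hash before every analysis session; True only if the image is unchanged."""
    ok = sha256_file(image) == expected
    log.record("verify", actor, image, expected, "match" if ok else "MISMATCH")
    return ok


def run_demo():
    """Constructed scenario: a fake 'disk' file is acquired and verified, then a
    second copy with one flipped byte is checked and correctly rejected."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "sda.raw")        # stands in for the seized drive
        with open(source, "wb") as f:
            f.write(b"EVIDENCE" * 4096 + b"payroll.xls copied to USB 02:14\n")
        image = os.path.join(workdir, "case-sda.raw")    # hypothetical case image name
        digest = acquire_image(source, image, "examiner A", log)
        clean = verify_image(image, digest, "examiner B", log)

        tampered = os.path.join(workdir, "tampered.raw")  # a copy someone edited
        shutil.copyfile(image, tampered)
        with open(tampered, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        still_ok = verify_image(tampered, digest, "examiner B", log)

    return {"sha256": digest, "clean_verifies": clean,
            "tampered_verifies": still_ok, "custody_log": log.entries}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to real acquisitions: the source and the image are hashed in separate passes rather than trusting the copy routine, and the image is made read-only immediately so that every later session must go through verify_image before touching it. A single changed byte anywhere in the copy changes the digest, which is what makes the "most analysis is performed on a digital copy" caveat survivable in court.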


Analysis and Reporting

  • Forensic Analysis of Evidence

  • Reporting

    • Write Clearly and Plainly

    • Avoid acronyms and jargon

  • Resolution

    • Remediating Controls

    • Changes in process


Incident Timeline
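An incident timeline is only meaningful once every source's timestamps are translated to one clock. The Python below is an added example, not from the presentation: it merges constructed records from a firewall (ISO 8601, UTC), an IDS (epoch seconds) and a web server (local time, UTC-05:00) whose clock was, in this hypothetical, measured three minutes slow at imaging. Without the correction the web request would appear to precede the inbound connection that carried it. Each entry keeps the original stamp and the correction applied, so the transformation is auditable, as the earlier "transformed in some way" caveat requires.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records from three sources (not from a real incident), each
# stamped in its own format and on its own clock:
#   firewall: ISO 8601 with explicit offset, clock trusted
#   ids:      epoch seconds, UTC
#   web01:    Apache-style local time (UTC-05:00); this host's clock was found to
#             run 3 minutes slow when it was imaged, so its times need +3 min
RAW_EVENTS = [
    ("firewall", "2024-03-03T07:13:58+00:00 ALLOW tcp 203.0.113.45:51122 -> 10.0.0.5:22"),
    ("web01",    "03/Mar/2024:02:12:40 -0500 203.0.113.45 GET /admin/export.php 200"),
    ("ids",      "1709450055 Potential SSH brute force 203.0.113.45 -> 10.0.0.5"),
    ("web01",    "03/Mar/2024:02:20:05 -0500 198.51.100.7 GET /index.html 200"),
]

# Measured clock error per source: add this to the source's own timestamp.
CLOCK_SKEW = {"web01": timedelta(minutes=3)}


def parse_timestamp(source, raw):
    """Parse the leading timestamp of one record into an aware UTC datetime."""
    if source == "firewall":
        ts = datetime.fromisoformat(raw.split(" ", 1)[0])
    elif source == "ids":
        ts = datetime.fromtimestamp(int(raw.split(" ", 1)[0]), tz=timezone.utc)
    elif source == "web01":
        stamp, offset = raw.split(" ", 2)[:2]
        ts = datetime.strptime(f"{stamp} {offset}", "%d/%b/%Y:%H:%M:%S %z")
    else:
        raise ValueError(f"no parser for source {source!r}")
    return ts.astimezone(timezone.utc)


def build_timeline(raw_events, skew=CLOCK_SKEW):
    """Normalise every record to corrected UTC and sort. Each entry keeps the
    observed time, the correction and the raw line so the result is auditable."""
    timeline = []
    for source, raw in raw_events:
        observed = parse_timestamp(source, raw)
        correction = skew.get(source, timedelta(0))
        timeline.append({
            "utc": observed + correction,
            "observed_utc": observed,
            "correction": correction,
            "source": source,
            "raw": raw,
        })
    return sorted(timeline, key=lambda e: e["utc"])


def render(timeline):
    """Plain-text timeline lines: corrected time, source, original record, correction."""
    out = []
    for e in timeline:
        secs = int(e["correction"].total_seconds())
        note = f"  [+{secs} s clock correction]" if secs else ""
        out.append(f"{e['utc'].isoformat()}  {e['source']:<9}{e['raw']}{note}")
    return out


if __name__ == "__main__":
    print("\n".join(render(build_timeline(RAW_EVENTS))))
```

With the skew applied the order is firewall connection, IDS alert, web request; with skew set to an empty dict the web request sorts first, an impossible sequence that an analyst who trusted the raw stamps would have to explain away. Keeping observed_utc and correction on every entry is what lets the analyst show, step by step, how the presented order was derived from the original records.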


Summary – Incident Response

  • Pre-Incident Preparation

  • Detection / Initial Report

  • Initial Response / Investigation

  • Formulate Response Strategy

  • Investigate the Incident

    • Data Collection

    • Data Analysis

  • Reporting

  • Resolution, Recovery, Security Measures
