Digital evidence incident response and computer forensics

The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one of us adds a little to our knowledge of nature, and from all the facts assembled arises a certain grandeur. (Aristotle, Metaphysics)


What do you see?


Forensic

  • Adj. - “of, relating to, or used in courts of law or public debate or argument"

    • From the Latin term forensis (of the forum)

  • “Computer Forensics” - Exceedingly poor English: it uses the noun “computer” as an adjective and the adjective “forensic” as a noun

  • The better expression is “Forensic Analysis of Digital Evidence”

Digital Evidence

  • “Information of probative value stored or transmitted in digital form”

    • Federal Crime Laboratory Directors - Scientific Working Group on Digital Evidence (SWGDE)

Sources of Digital Evidence

  • Open Computer Systems

    • PCs, Servers, Etc

  • Communication Systems

    • Telecommunications Systems

    • Transient Network (content) Data

    • Non-transient (log) Data

  • Embedded Computer Systems

    • PDAs, Cell Phones, iPods, Etc

Problems with Digital Evidence

  • Digital data are trivial to falsify

  • Digital data are fundamentally arbitrary

  • Digital data are fundamentally abstract

    • Multiple Layers of Abstraction

  • Most analysis is performed on a digital copy

  • The form of digital data subjected to analysis is nearly always transformed in some way

Problems with Digital Evidence

  • Storage capacity is growing rapidly - 500 byte email = needle in a 750 GB “hay stack”

  • Low technical literacy of the public & judiciary means that explanations of analytic methods can be misunderstood and cause confusion

  • Reasonable doubt is easy to establish

Reasonable Doubt - Examples

  • The Trojan Defense - Karl Schofield of Reading UK - Charged with possessing 14 depraved images

  • Defense Expert Witness – Pictures could possibly be downloaded by a self-deleting trojan

  • Prosecutor - "The Crown would not be able to say he is the only person who knew of these images on his computer."

Reasonable Doubt - Examples

  • Aaron Caffrey - when his PC took part in a DDoS attack on the Port of Houston said a Trojan did it

  • Julian Green – Similar to Schofield case - 172 indecent pictures – 11 Trojan applications found on PC - "I had never been in trouble before. In cases like this it is not innocent until proved guilty, but the other way around."

CSI/FBI Survey 2005

  • 80% of Incidents are never reported

  • “The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity”

  • Successive surveys show the unreported share increasing

Incident Response

  • The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference

  • 80% of organizations may not report incidents but they all must respond

  • Organizations need internal investigators to triage events using established practices

Incident Types

  • Theft of Trade Secrets

  • Rights Infringement

  • Intrusion Events

  • Tortious Interference

  • Malicious Code

  • Child Pornography

  • Denial of Service

  • Inappropriate Use

  • Evidence of other crimes

Incident Response Lifecycle

  • Preparation

  • Detection and Analysis

  • Containment, Eradication and Recovery

  • Post Incident Activity

Forensic Science

  • Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes

  • Relating to or dealing with the application of scientific knowledge to legal problems

Digital Forensic Science

  • “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

    - Digital Forensic Research Workshop (2001)

Digital Forensic Science

  • Analysis of Computer Generated Evidence

    • Identification of Sources of Evidence

    • Preservation of Evidence

    • Analysis of Evidence

    • Presentation of Findings

  • Methodology must be secure, controlled, repeatable and auditable

  • More on methodology later

Is it time for a break yet?

Origins of Forensic Science

  • 700 AD Chinese Use Fingerprints for ID

  • 1248 AD First recorded application of medical knowledge to the solution of crime - Chinese Text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation

Eugène François Vidocq

  • Outlaw son of a Baker

  • In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)

  • Introduced record keeping, ballistics, plaster casts for footprint analysis, etc

  • Founded the first modern detective agency and credit bureau


Alphonse Bertillon

  • French Law Officer

  • Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims

  • Introduced use of crime scene photography and mug shots

Edmond Locard

  • Student of Bertillon

  • Professor of forensic medicine at the University of Lyon

  • Established the First Crime Laboratory (Lyon, 1910)

  • Developed Edgeoscopy and Poroscopy

    • Standard 12 Points to ID a fingerprint

  • Developed Forensic Microscopy

  • Locard's Exchange Principle

Locard’s Exchange Principle

  • Whenever two objects come into contact, a transfer of material will occur

Locard’s Exchange Principle

  • Provide examples of how this might apply to digital evidence in a computer intrusion event.

Attributes affecting data fidelity

  • Lack of standards & methodology

  • Correctness of translation and transformation mechanisms

  • Dependence on subjective reasoning

  • Excessive reliance on tools

  • Sound methodology is critical

Basic Methodology - APIEP

  • Acquisition

  • Preservation

  • Identification

  • Evaluation

  • Presentation

Methodology - Saferstein

  • NJ Crime Lab Director (1971-1990)

  • Secure and Isolate the Scene

  • Record the Scene

  • Systematic Search for Evidence

  • Collect and Document Evidence

  • Maintain Chain of Custody

Investigative Process Model - Casey

  • Incident Alert

  • Assessment of worth

  • Incident Protocol

  • Preservation

  • Recovery

  • Harvesting

  • Reduction

  • Organization and Search

  • Analysis

  • Reporting

  • Persuasion and Testimony

IR Methodology - Mandia & Prosise

  • Pre-Incident Preparation

  • Detection

  • Initial Response / Investigation

  • Formulate Response Strategy

  • Investigate the Incident

    • Data Collection

    • Data Analysis

  • Reporting

  • Resolution, Recovery, Security Measures

Pre-Incident Preparation

  • Establish Incident Response Goals

  • Designate Incident Response Team

  • Create Incident Response Policy

  • Acquire Hardware / Software

  • Establish Reporting Guidelines

  • Implement User Awareness Training

Incident Detection

  • Document Observation Clearly

  • Suspicious System Behavior

  • Netflow Statistics

  • IDS / Firewall Logs

  • System Logs

  • Routine Audits / Assessments

  • Information Leaks
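Detection starts with the records an intruder cannot help leaving behind (Locard's principle applied to a network intrusion: every session against sshd produces a log line on the target, and every target produces a known_hosts entry and shell history on the attacker's machine). The following is an added example, not material from the original slides: detection logic run over constructed sshd log lines in the auth.log format. The host name, user names and addresses are made up for the example, and the thresholds are arbitrary.

```sh
#!/bin/sh
# Added example (not from the original slides): detection logic over
# constructed sshd log lines. Hosts, users and addresses are invented.

# Constructed sample of /var/log/auth.log: a password-guessing burst from
# 203.0.113.7 that ends in an accepted root login, plus one ordinary typo
# by alice who then logs in with her key.
sample_auth_log() {
cat <<'EOF'
Mar  3 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51544 ssh2
Mar  3 02:14:03 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51550 ssh2
Mar  3 02:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51556 ssh2
Mar  3 02:14:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51562 ssh2
Mar  3 02:14:09 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51570 ssh2
Mar  3 02:14:11 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 51578 ssh2
Mar  3 08:30:45 web01 sshd[3402]: Failed password for alice from 198.51.100.23 port 40010 ssh2
Mar  3 08:30:52 web01 sshd[3402]: Accepted publickey for alice from 198.51.100.23 port 40010 ssh2
EOF
}

# failed_logins_by_source THRESHOLD: prints "count ip" for every source with
# at least THRESHOLD failed passwords, busiest first. Reads the log on stdin.
failed_logins_by_source() {
    awk -v t="$1" '
        function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
        /sshd\[[0-9]+\]: Failed password/ { fails[src()]++ }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# suspected_compromise THRESHOLD: prints "ip user failures" whenever a source
# that already has THRESHOLD or more failures is then accepted. Failures alone
# are background noise on any internet-facing host; a failure burst followed by
# a success from the same source is what merits an incident ticket.
suspected_compromise() {
    awk -v t="$1" '
        function src(    i)  { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
        function user(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i - 1); return "?" }
        /sshd\[[0-9]+\]: Failed password/ { fails[src()]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            ip = src()
            if (fails[ip] >= t) print ip, user(), fails[ip]
        }
    '
}

# Demo run over the constructed sample.
echo "sources with at least 3 failed passwords:"
sample_auth_log | failed_logins_by_source 3
echo "accepted login after a failure burst (ip user failures):"
sample_auth_log | suspected_compromise 3
```

The same awk runs unchanged over a real auth.log (`suspected_compromise 10 < /var/log/auth.log`). The caveat the slides raise applies here: logs on the compromised host are trivial to alter, so the copy that feeds detection should come from a remote log collector, and a hit should be corroborated against a second source such as netflow records for the same address and time.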

Initial Response

  • Document Everything Clearly

  • Interview Administrators / Witnesses

  • Review Logs / IDS Reports

  • Review Established Security Systems

  • Classify the Event

    • Denial of Service / Vandalism / Malicious Code

    • Unauthorized / Inappropriate Use

    • System Compromise / Multiple Component

Formulate Response Strategy

  • Has there been an event? (Is it a pipe?)

  • Does the law require a report?

  • What is the potential loss?

  • What is the cost of responding?

  • Critical systems, issues or data?

  • What is known of the perpetrator?

Taking Action

  • Has the cause been established?

  • Does it merit criminal prosecution?

  • Is legal action likely to be successful?

  • Is documentation / evidence sufficient for an effective investigation?

  • Will going public hurt the organization?

  • What other business impacts might exist?

Handling Internal Employees

  • Dismissal – Policy is critical

  • Remediation – Security Controls

  • Letter of Reprimand

  • Reassignment / Revoke Access

  • Lessons Learned Document

Data Collection

  • Capture Network-Based Evidence

  • Live Versus Dead Response (a live response collects volatile state from the running system; a dead response powers the system down and images it)

  • Capture Transient Evidence first - RAM, network connections, running processes - before any step that could alter it

  • Acquire Image or Seize System

  • Amount of stored data can be huge

  • Maintain Chain of Custody (who handled which item, when, and the hash that ties the copy to the original)
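Two of the slides' points meet in the acquisition step: nearly all analysis is performed on a copy, and digital data are trivial to falsify, so the copy has to be provably identical to the original and every handoff recorded. The following is an added example rather than the slides' or any tool's own code: a POSIX shell routine that images a source sector by sector with dd, hashes source and image, appends a chain-of-custody record, and re-verifies the image before an analysis session. The paths, the examiner name and the 4 KiB "device" in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original slides): acquire an image, verify it
# by hash, record a chain-of-custody entry, and re-verify before analysis.
# Paths and the examiner name in the demo are constructed for illustration.

# SHA-256 of a file, using coreutils sha256sum or BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE CUSTODY_LOG EXAMINER
# Copies SOURCE sector by sector. conv=noerror,sync keeps reading past bad
# sectors and zero-fills them so later offsets stay aligned; bs=512 matches
# the sector size so the final block is not padded (a regular file used as
# SOURCE must therefore be a multiple of 512 bytes or the hashes will differ).
# Appends one tab-separated custody record and returns 0 only when the
# source and image hashes agree.
acquire_image() {
    src="$1"; img="$2"; log="$3"; examiner="$4"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    chmod 0444 "$img"                      # the working copy is never written to
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    # Record: when, who, on which host, what was copied, where to, size, hash, result.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$started" "$examiner" "$(uname -n)" "$src" "$img" "$size" "$img_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# verify_image IMAGE EXPECTED_SHA256: run at the start of every analysis
# session so a finding can be tied to the bytes recorded at acquisition.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Demo on a constructed 4 KiB "device" (eight 512-byte sectors of filler).
work=$(mktemp -d)
awk 'BEGIN { for (i = 0; i < 4096; i++) printf "%c", 65 + i % 26 }' > "$work/evidence.dev"
if acquire_image "$work/evidence.dev" "$work/evidence.img" "$work/custody.tsv" "examiner-1"; then
    echo "acquired and verified; custody record:"
    cat "$work/custody.tsv"
fi
rm -rf "$work"
```

On a real system the source is a block device (`acquire_image /dev/sdb /evidence/case42/sdb.img /evidence/case42/custody.tsv "J. Doe"`), opened through a hardware write blocker so that reading it cannot change it, and the custody log itself lives on a separate medium from the image. When a source has unreadable sectors the source hash cannot be computed reliably; in that case the record carries the image hash and the dd error count, and the MISMATCH status is expected and documented rather than hidden.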

Analysis and Reporting

  • Forensic Analysis of Evidence

  • Reporting

    • Write Clearly and Plainly

    • Avoid acronyms and jargon

  • Resolution

    • Remediating Controls

    • Changes in process

Incident Timeline

Summary – Incident Response

  • Pre-Incident Preparation

  • Detection / Initial Report

  • Initial Response / Investigation

  • Formulate Response Strategy

  • Investigate the Incident

    • Data Collection

    • Data Analysis

  • Reporting

  • Resolution, Recovery, Security Measures
