Forensic readiness: Preparing for the worst, and how to contain it.











Presentation Transcript
Forensic readiness: Preparing for the worst, and how to contain it.

Campbell Murray

Technical Director, Encription Limited

09 July 2014

Who?
  • Campbell Murray
  • Technical Director @ Encription
  • > 16 years IT security experience
    • Offensive and Defensive
  • CESG CHECK Team Leader
  • Expert Witness
Forensic Readiness
  • “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”
  • Forensics readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you’ve done all you can to prepare for that situation.
Forensic Readiness
  • Events vs. Incidents
  • An “event” is a noticeable change to a system, environment, process, workflow or person.
  • An “incident” is an event that has a root human cause.
  • Therefore, all incidents are events, but not all events are incidents.
Forensic Readiness
  • All DF investigations start with an incident
  • Crime (e.g. murder)
  • Malware attack
  • Loss of data
  • Misconduct
  • Confidential information breach
  • Loss of money
  • Other digital incident
Forensic Readiness
  • Early actions are critical
  • DF is dynamic and situation dependent
  • As an investigation progresses, often further information/evidence comes to attention which may alter focus.
  • e.g. if you come across evidence of a more serious nature or breach, it will alter the proportion and focus of the investigation.
Forensic Readiness
  • Lots to consider when planning each case.
  • Hard to define which is most important:
  • Right people?
  • Who can you trust?
  • Confidentiality?
  • Initial assessment?
  • Risk?
Forensic Readiness
  • DFS
  • Digital Forensics Strategy
    • What, how, who, why, where?
  • Form a hypothesis
    • Formulate all the possible scenarios
  • The hypothesis defines the strategy
    • What/Who to investigate
  • Must be flexible - escalation
  • Document the strategy!
Forensic Readiness
  • Steps of the strategy
  • What is ‘ideal’ evidence
  • A document, an email, an image
  • What supports your hypothesis
  • Is it financially viable?
    • Does the investigation cost outweigh the incident?
Forensic Readiness
  • Where would ideal evidence be found in each case?
  • Phone?
  • Email trail?
  • Presence/Absence from premises?
  • etc.
  • Focus investigation in these areas first.
Forensic Readiness
  • Define the ‘Window of Opportunity’
  • Narrow down the investigation to a time frame
  • Speed
  • Accuracy
  • Strategy
Forensic Readiness
  • Strategy defines the scope
    • Where/what is the crime scene?
  • Has this incident concluded, or is it ongoing?
  • Observe and document
    • Written notes / Photographs / Statements
  • Gather evidence
    • Chain of custody
Forensic Readiness
  • Chain of Custody case study
  • Employee suspected of exfiltrating data
  • Put on suspension pending investigation
    • Laptop / Phone seized
  • IT department all ‘have a look’
  • No record of who did what
  • No legal case could be built, despite evidence
  • Employee compensated!!!!
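The case study fails on one point: nobody could show who handled the laptop, when, or whether it changed while they had it. The script below is an added example (not part of the presentation, and not Encription's tooling) of the kind of record that would have answered those questions: a chain-of-custody log where every handling step carries the handler, the action, a timestamp, the SHA-256 of the item as that handler hands it on, and a hash linking it to the previous entry. The item identifier, handler names, timestamps and the "disk image" bytes are all constructed for the example.

```python
"""Tamper-evident chain-of-custody log (added example, not from the presentation).

Every handling step of a seized item is recorded with the handler, the action,
a timestamp, the SHA-256 of the item as that handler hands it on, and a hash
linking the entry to the previous one. A later review can then show who
handled what, whether the item changed while in someone's hands, and whether
the record itself was edited after the fact.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    item_id: str
    handler: str
    action: str
    item_sha256: str   # hash of the item as this handler hands it on
    timestamp: str
    prev_hash: str     # entry_hash of the previous entry (chains the log)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, in a canonical encoding.
        fields = asdict(self)
        fields.pop("entry_hash")
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list[CustodyEntry] = []

    def record(self, item_id: str, handler: str, action: str,
               item_data: bytes, timestamp: str | None = None) -> CustodyEntry:
        """Append one handling step; the item is hashed as this handler hands it on."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(item_id, handler, action, sha256_hex(item_data), ts, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems: list[str] = []
        prev = self.GENESIS
        last_seen: dict[str, str] = {}  # item_id -> item hash at the previous step
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: contents altered after recording")
            if e.item_id in last_seen and last_seen[e.item_id] != e.item_sha256:
                problems.append(f"entry {i}: {e.item_id} changed while held by {e.handler}")
            last_seen[e.item_id] = e.item_sha256
            prev = e.entry_hash
        return problems


# Constructed sample data standing in for a forensic image of the seized laptop.
LAPTOP_IMAGE = b"constructed laptop disk image contents"


def build_log(image_after_it_step: bytes = LAPTOP_IMAGE) -> CustodyLog:
    """Replay the case study: seizure, an IT 'look', then a forensic examiner.

    Pass a different image for the IT step to model the item being altered
    while IT had it (for example, files opened and timestamps updated)."""
    log = CustodyLog()
    log.record("LAPTOP-001", "HR manager", "seized from employee desk",
               LAPTOP_IMAGE, "2014-07-09T09:00:00+00:00")
    log.record("LAPTOP-001", "IT support", "examined contents",
               image_after_it_step, "2014-07-09T10:30:00+00:00")
    log.record("LAPTOP-001", "Forensic examiner", "imaged behind write blocker",
               image_after_it_step, "2014-07-09T14:00:00+00:00")
    return log


def tamper_with_record(log: CustodyLog, index: int, new_handler: str) -> None:
    """Model someone rewriting an entry afterwards, recomputing its own hash."""
    log.entries[index].handler = new_handler
    log.entries[index].entry_hash = log.entries[index].compute_hash()


if __name__ == "__main__":
    print("intact:", build_log().verify())
    print("item altered:", build_log(LAPTOP_IMAGE + b" (files opened)").verify())
    log = build_log()
    tamper_with_record(log, 1, "unknown")
    print("record edited:", log.verify())
```

Two things the log makes visible that the case study lacked: the IT "look" that changes the item shows up as a hash mismatch attributed to the handler who had it, and an entry rewritten afterwards (even with its own hash recomputed) breaks the link from the next entry. A paper custody form records the same fields; the hash chain only adds the ability to prove the form itself was not edited.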
Forensic Readiness
  • But … there is more to it than that!
  • FR and the DDPRR model
  • Deter
  • Detect
  • Prevent
  • React
  • Recover
Forensic Readiness
  • Raises some questions
  • How do you react without DDP?
  • Does the absence of deterrent change the scope / strategy / consequences?
  • Should you use a first responder?
    • Is investigation required at all?
  • Forensic readiness (eagerness) itself could cause an incident!
Forensic Readiness
  • Triage
  • Follows strategy!
  • An enduring question is always …
  • Should you turn it off?
  • Case dependent.
    • Output of strategy led triage is the deciding factor.
Forensic Readiness
  • Off / On decision primarily based on ongoing damage and the risk of causing a further incident.
  • Has the incident concluded?
  • Where is the ‘ideal’ evidence?
  • All factors that answer the Off/On question
Forensic Readiness
  • What do you need for a readiness team?
  • Training!
    • Technical / Legal / Method / Custody of evidence
  • Equipment
    • Evidence bags / Digital camera / Screwdrivers / Custody forms / Witness statement forms / Write blockers / Lots of cables! Etc.
Forensic Readiness
  • An FR team should always contain:
  • Top level management
  • Non-IT department technical capability
    • Confidentiality
  • Well defined role descriptions
  • Third party support where necessary
    • Legal / Technical / HR
Forensic Readiness
  • Key factors
  • Know your limits!
    • Do not attempt investigation you are not 100% comfortable with
  • Beware of witch hunting!

Any questions?

Thank You

Campbell Murray

Encription Limited

www.encription.co.uk

0330 100 2345
