Forensics - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Forensics' - paul2

Presentation Transcript

Learning Objectives

  • Definition of Forensics

  • Understand the process of building a legally sound case

  • Identify forensic capabilities you will need in a typical corporate environment

Definition
  • Forensic:

    • “…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).”

  • The aim of forensic science is:

    • “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.”

      Ref: Casey, “Digital Evidence and Computer Crime”, 2nd ed., section 1.6, p. 20.

The Goal of Forensics

  • Forensics seeks to provide an accurate representation of extracted data: find out the truth

    • How was it lost?

    • What was lost?

    • What are my obligations concerning the loss?

Forensics vs. Incident Handling

  • Closely tied together, but different

  • Data collection starts immediately as a part of incident handling

  • Data analysis is not a part of incident handling

  • The incident can sometimes be closed before forensic analysis is complete

Legally Sound Data Collection

  • Security in Computing, chapter 9.5

  • Goals

    • Build a solid case

    • Find out what was lost

    • Find out the truth

Privacy Issues

  • Generally apply principles from the physical world

    • Can you:

      • Read my mail?

      • Listen to my phone call?

      • Obtain a copy of my phone bill?

Applicable Statutes

  • Computer Fraud and Abuse Act, 18 USC 1030

    • Protects against unauthorized access (privacy intrusion)

Applicable Statutes (2)

  • Federal Wiretap Act (18 USC 2510-22)

    • Protects data in transit (real-time)

    • Three key exceptions:

      • Provider

      • Consent

      • Trespasser

Applicable Statutes (3)

  • Pen Registers and Trap and Trace Devices, 18 USC 3121-27

    • Pen/trap or Trap & Trace

    • Real-time collection of header information

      • What is header information?

Applicable Statutes (4)

  • Electronic Communications Privacy Act (ECPA)

    • Protects stored data (both headers and content)

    • What is the difference between read voice mail and unread voice mail?

Applicable Statutes (5)

  • Patriot Act

    • Patches up ECPA and others by clearly defining how Law Enforcement can gather data

    • Renewed in early 2006 with only minor changes

Applicable Statutes (6)

  • Other traditional statutes may apply

    • Trade secrets

    • Harassment

    • Copyright Infringement

Applicable Statutes (7)

  • Summary

    • Headers vs. content

    • Real-time vs. stored

    • Complex and changing

  • Acting under the cover of law

    • What information can you share with law enforcement?

Employee Rights

  • Bannering

    • What should be in an acceptable use policy?

    • Is bannering sufficient?

  • Pseudo-employees

    • Contractors

    • Consultants

    • Temps

    • Interns

    • Auditors

Case Study (1)

  • Acceptable Use Violation

    • Indications

    • Initial course of action

    • What are you certain you can do?

    • What are you certain you can not do?

    • Where do you go for guidance?

Regulatory Issues

  • Gramm-Leach-Bliley Act of 1999 (GLBA)

    • Protect consumer personal financial data

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    • Federal privacy protection for individually identifiable health information

  • Public Firms

    • SEC, NASD requirements for document retention

Data Collection

  • Make copies of everything

  • Only work on copies

  • Create MD5 checksums

Data Collection Toolkit

  • Software

    • Static binaries

    • Linux-based

  • Hardware

    • Cables, adapters

    • Very large drives

  • Chain of custody forms

  • Calibration procedure

Case Study (2)

  • Bringing the evidence to court

    • Do you really have to explain an MD5 checksum of a hard drive to the jurors?
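The three collection rules above (copy everything, work only on copies, checksum), the toolkit's calibration step and chain-of-custody forms, and the question of explaining a drive checksum to a jury all come together in one acquisition routine. This is an added example, not code from the slides; the file paths, the record fields and the constructed demo file are assumptions.

```python
"""Acquisition helper (added example, not from the slides): copy the evidence,
hash the original and the copy, and emit a chain-of-custody record.
Paths, the record's fields and the constructed demo file are assumptions."""
import hashlib
import os
import shutil
import tempfile
import time

# Calibration: published test vectors for b"abc" that the hash tool must
# reproduce before it is trusted on real evidence.
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def calibrate():
    """True only if every algorithm reproduces its known answer."""
    return all(hashlib.new(alg, b"abc").hexdigest() == digest
               for alg, digest in KNOWN_ANSWERS.items())

def hash_file(path, block_size=4 * 1024 * 1024):
    """Hash in blocks so a multi-terabyte image never sits in memory. MD5 is
    what the slides name; SHA-256 is computed alongside because MD5 collisions
    are practical and that question may be raised in court."""
    hashers = {alg: hashlib.new(alg) for alg in KNOWN_ANSWERS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def acquire(src, dst, examiner):
    """Copy src to dst and prove the copy is bit-identical; return the record."""
    if not calibrate():
        raise RuntimeError("hash tool failed calibration; do not proceed")
    before = hash_file(src)      # hash the original before anything else
    shutil.copyfile(src, dst)    # all later analysis happens on dst only
    after = hash_file(dst)
    return {"source": src, "copy": dst, "examiner": examiner,
            "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "source_hashes": before, "copy_hashes": after,
            "verified": before == after}

def demo():
    """Run the workflow on a constructed 3-byte evidence file containing b"abc"."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.bin")
    with open(src, "wb") as f:
        f.write(b"abc")
    return acquire(src, os.path.join(workdir, "evidence.dd"), "examiner-01")
```

The record is what a juror-facing explanation rests on: the same digest before and after copying is the whole claim, and the calibration step is the answer to "how do you know your tool works?"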

Data on the Computer

  • In files

  • In log files

  • Browser history

  • Windows prefetch area

  • Slack space

  • Open network connections

  • Virtual memory

  • Physical memory

  • Network traces

  Volatility notes on the slide:

    • Lost when machine is powered off

    • Lost if you wait too long

    • Real-time only

Data on Other Computers

  • Infrastructure logs

    • Web servers, mail servers

  • Archival systems

  • Network / Firewall logs

  • Intrusion detection systems

  • Everything that logs

Data in Unexpected Places

  • Anti-virus alerts, real-time anti-virus scans

  • License enforcement / application metering

  • [anything] Management Software

    • Patch management

    • Software management

    • Configuration management

    • Asset management

Case Study (3)

  • You receive a workstation anti-virus alert

    • Where do you expect to find log data?
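One answer to the case-study question, covering the "other computers" and "unexpected places" sources listed above: take the alert's host and timestamp and pull what every other log holds for that host in a window around it. This is an added example, not from the slides; every log line is a constructed sample and the `ts key=value ...` format is an assumption, not any product's real format.

```python
"""Added example (not from the slides): take one workstation anti-virus alert
and pull the entries the other log sources hold for that host in a window
around the alert time. Every log line here is a constructed sample and the
'ts key=value ...' format is an assumption, not any product's real format."""
from datetime import datetime, timedelta

AV_ALERT = ("2006-03-14T09:41:07 host=ws-117 user=jdoe "
            "threat=SAMPLE.Downloader action=quarantined")

# Constructed entries from "other computers": proxy, firewall, patch management.
SOURCES = {
    "proxy": [
        "2006-03-14T09:40:52 host=ws-117 url=http://example.invalid/update.exe status=200",
        "2006-03-14T09:40:55 host=ws-204 url=http://intranet.example/ status=200",
    ],
    "firewall": [
        "2006-03-14T09:40:58 host=ws-117 dst=203.0.113.9:443 action=allow",
        "2006-03-14T11:02:10 host=ws-117 dst=203.0.113.9:443 action=allow",
    ],
    "patchmgmt": [
        "2006-03-13T23:10:00 host=ws-117 patch=PLACEHOLDER-ID status=failed",
    ],
}

def parse(line):
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(alert_line, sources, minutes=15):
    """Return {source: [records]} for the alert's host within +/- minutes,
    each list sorted by time so the sequence reads as a story."""
    alert = parse(alert_line)
    lo = alert["ts"] - timedelta(minutes=minutes)
    hi = alert["ts"] + timedelta(minutes=minutes)
    hits = {}
    for name, lines in sources.items():
        recs = [r for r in map(parse, lines)
                if r["host"] == alert["host"] and lo <= r["ts"] <= hi]
        if recs:
            hits[name] = sorted(recs, key=lambda r: r["ts"])
    return hits
```

With the default 15-minute window the proxy download and the firewall connection just before the alert surface; widening to a day also pulls in the failed patch from the night before, which is the kind of context only the management systems hold.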

Case Study (4)

  • Data on someone else’s computer

Gathering Data from People

  • Interviews

    • With others

    • With the suspect

  • Interview Techniques

    • Never reveal what you do or do not know

      Did you ever ask a first grader what happened in school today?

Data Sources – Summary

  • Defense in depth == forensics in depth

  • Only you know all the potential data sources

    • It is always your responsibility to help identify and present the data

The Big Question

  • Can you ever imagine this event/incident leading to a court case?

    • Yes: legally sound collection

    • No: more flexibility but fewer resources; often a good training exercise

    • Always consider the costs:

      • Prosecution

      • Damage to reputation

      • Loss of corporate secrets

Case Study (5)

  • A routine anti-virus alert (revisited)


  • Pre-planning

  • Training

  • Consider outsourcing

    • Managed cost

    • Impartial results

    • Add an addendum to your MSSP contract

Decisions, Decisions

  • CSO, CIO, CEO, CLO

  • What decisions need to be made?

  • When and how do you receive elevated authority?

    • Admin rights

    • Right to monitor

  • How do you proceed when there is no decision?

Case Study (6)

  • What can we learn from:

    • Email logs

    • Web server logs

    • Interviews

    • Human resources

  • Who would be involved in making decisions?

  • What are some possible outcomes?

Law Enforcement

  • FBI

  • FTC

  • US Postal Inspectors

  • US Secret Service

  • Local law enforcement

  • Task forces and other institutions

Law Enforcement

  • Build relationships beforehand

  • Cooperation leads to resource sharing

  • Law Enforcement does not know your network topology


  • Definition of Forensics

    • Tell the story: what was lost, how it was lost

  • Understand the process of building a legally sound case

    • Complex issues

  • Identify forensic capabilities you will need in a typical corporate environment

    • Only you know your topology