digital evidence incident response and computer forensics n.
Skip this Video
Download Presentation
Digital Evidence Incident Response and Computer Forensics

Loading in 2 Seconds...

play fullscreen
1 / 38

Digital Evidence Incident Response and Computer Forensics - PowerPoint PPT Presentation

  • Uploaded on

Digital Evidence Incident Response and Computer Forensics. The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one if us adds a little to our knowledge of nature, and from all the facts

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Digital Evidence Incident Response and Computer Forensics' - tasanee

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
digital evidence incident response and computer forensics

Digital EvidenceIncident Response and Computer Forensics

The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one if us adds a little to our knowledge of nature, and from all the facts

assembled arises a certain grandeur.


  • Adj. - “of, relating to, or used in courts of law or public debate or argument"
    • From the Latin term forensis (forum)
  • Computer Forensics - Exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun
  • “Forensic Analysis of Digital Evidence”
digital evidence
Digital Evidence
  • “Information of probative value stored or transmitted in digital form”
    • Federal Crime Laboratory Directors - Scientific Working Group on Digital Evidence (SWGDE)
sources of digital evidence
Sources of Digital Evidence
  • Open Computer Systems
    • PC’s, Servers, Etc
  • Communication Systems
    • Telecommunications Systems
    • Transient Network (content) Data
    • Non-transient (log) Data
  • Embedded Computer Systems
    • PDAs, Cell Phones, iPods, Etc
problems with digital evidence
Problems with Digital Evidence
  • Digital data are trivial to falsify
  • Digital data are fundamentally arbitrary
  • Digital data are fundamentally abstract
    • Multiple Layers of Abstraction
  • Most analysis is performed on a digital copy
  • The form of digital data subjected to analysis is nearly always transformed in some way
problems with digital evidence1
Problems with Digital Evidence
  • Storage capacity is growing rapidly - 500 byte email = needle in a 750 GB “hay stack”
  • Low technical literacy of the public & judiciary means that explanations of analytic methods can be misunderstood and cause confusion
  • Reasonable doubt is easy to establish
reasonable doubt examples
Reasonable Doubt - Examples
  • The Trojan Defense - Karl Schofield of Reading UK - Charged with possessing 14 depraved images
  • Defense Expert Witness – Pictures could possibly be downloaded by a self-deleting trojan
  • Prosecutor - "The Crown would not be able to say he is the only person who knew of these images on his computer."
reasonable doubt examples1
Reasonable Doubt - Examples
  • Aaron Caffrey - when his PC took part in a DDoS attack on the Port of Houston said a Trojan did it
  • Julian Green – Similar to Schofield case - 172 indecent pictures – 11 Trojan applications found on PC - "I had never been in trouble before. In cases like this it is not innocent until proved guilty, but the other way around."
csi fbi survey 2005
CSI/FBI Survey 2005
  • 80% of Incidents are never reported
  • “The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity”
  • Trends show this percentage increasing
incident response
Incident Response
  • The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference
  • 80% of organizations may not report incidents but they all must respond
  • Organizations need internal investigators to triage events using established practices
incident types
Theft of Trade Secrets

Rights Infringement


Intrusion Events

Tortious Interference

Malicious Code


Child Pornography

Denial of Service


Inappropriate Use

Evidence of other crimes

Incident Types
incident response lifecycle
Incident Response Lifecycle
  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post Incident Activity
forensic science
Forensic Science
  • Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes
  • Relating to or dealing with the application of scientific knowledge to legal problems
digital forensic science
Digital Forensic Science
  • “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

- Digital Forensic Research Workshop (2001)

digital forensic science1
Digital Forensic Science
  • Analysis of Computer Generated Evidence
    • Identification of Sources of Evidence
    • Preservation of Evidence
    • Analysis of Evidence
    • Presentation of Findings
  • Methodology must be secure, controlled, repeatable and auditable
  • More on methodology later
origins of forensic science
Origins of Forensic Science
  • 700 AD Chinese Use Fingerprints for ID
  • 1248 AD First recorded application of medical knowledge to the solution of crime - Chinese Text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation
eug ne fran ois vidocq
Eugène François Vidocq
  • Outlaw son of a Baker
  • In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
  • Introduced record keeping, ballistics, plaster casts for footprint analysis, etc
  • Founded the first modern detective agency and credit bureau
  • French Law Officer
  • Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims
  • Introduced use of crime scene photography and mug shots
edmond locard
Edmond Locard
  • Student of Bertillon
  • Professor of forensic medicine at the University of Lyons
  • Established the First Crime Laboratory
  • Developed Edgeoscopy and Poreoscopy
    • Standard 12 Points to ID a fingerprint
  • Developed Forensic Microscopy
  • Locard's Exchange Principle
locard s exchange principle
Locard’s Exchange Principle
  • Whenever two objects come into contact, a transfer of material will occur
locard s exchange principle1
Locard’s Exchange Principle
  • Provide examples of how this might apply to digital evidence in a computer intrusion event.
attributes affecting data fidelity
Attributes affecting data fidelity
  • Lack of standards & methodology
  • Correctness of translation and transformation mechanisms
  • Dependence on subjective reasoning
  • Excessive reliance on Tools*
  • Sound methodology is critical
basic methodology apiep
Basic Methodology - APIEP
  • Acquisition
  • Preservation
  • Identification
  • Evaluation
  • Presentation
methodology saferstein
Methodology - Saferstein
  • NJ Crime Lab Director (1971-1990)
  • Secure and Isolate the Scene
  • Record the Scene
  • Systematic Search for Evidence
  • Collect and Document Evidence
  • Maintain Chain of Custody
investigative process model casey
Investigative Process Model - Casey
  • Incident Alert
  • Assessment of worth
  • Incident Protocol
  • Preservation
  • Recovery Harvesting
  • Reduction
  • Organization and Search
  • Analysis
  • Reporting
  • Persuasion and Testimony
ir methodology mandia prosise
IR Methodology - Mandia & Prosise
  • Pre-Incident Preparation
  • Detection
  • Initial Response / Investigation
  • Formulate Response Strategy
  • Investigate the Incident
    • Data Collection
    • Data Analysis
  • Reporting
  • Resolution, Recovery, Security Measures
pre incident preparation
Pre-Incident Preparation
  • Establish Incident Response Goals
  • Designate Incident Response Team
  • Create Incident Response Policy
  • Acquire Hardware / Software
  • Establish Reporting Guidelines
  • Implement User Awareness Training
incident detection
Incident Detection
  • Document Observation Clearly
  • Suspicious System Behavior
  • Netflow Statistics
  • IDS / Firewall Logs
  • System Logs
  • Routine Audits / Assessments
  • Information Leaks
initial response
Initial Response
  • Document Everything Clearly
  • Interview Administrators / Witnesses
  • Review Logs / IDS Reports
  • Review Established Security Systems
  • Classify the Event
    • Denial of Service / Vandalism / Malicious Code
    • Unauthorized / Inappropriate Use
    • System Compromise / Multiple Component
formulate response strategy
Formulate Response Strategy
  • Has there been an event? (Is it a pipe?)
  • Does the law require a report?
  • What is the potential loss?
  • What is the cost of responding?
  • Critical systems, issues or data?
  • What is known of the perpetrator?
taking action
Taking Action
  • Has the cause been established?
  • Does it merit criminal prosecution?
  • Is legal action likely to be successful?
  • Is documentation /evidence sufficient for an effective investigation?
  • Will going public hurt the organization?
  • What other business impacts might exist?
handling internal employees
Handling Internal Employees
  • Dismissal – Policy is critical
  • Remediation – Security Controls
  • Letter of Reprimand
  • Reassignment / Revoke Access
  • Lessons Learned Document
data collection
Data Collection
  • Capture Network-Based Evidence
  • Live Versus Dead Response
  • Capture Transient Evidence - RAM
  • Acquire Image or Seize System
  • Amount of stored data can be huge
  • Maintain Chain of Custody
analysis and reporting
Analysis and Reporting
  • Forensic Analysis of Evidence
  • Reporting
    • Write Clearly and Plainly
    • Avoid acronyms and jargon
  • Resolution
    • Remediating Controls
    • Changes in process
summary incident response
Summary – Incident Response
  • Pre-Incident Preparation
  • Detection / Initial Report
  • Initial Response / Investigation
  • Formulate Response Strategy
  • Investigate the Incident
    • Data Collection
    • Data Analysis
  • Reporting
  • Resolution, Recovery, Security Measures