Forensic IT & Theft of IP
April 2009
Key topics
Forensic IT – What is it?
Application of Forensic IT
Threats to Data
Value of Metadata
Theft of Intellectual Property (IP)
Dealing with the reality of Theft of IP
Relevance of employment agreements, contracts and policy.
Relevant Legislation – Criminal Law/Privacy
Obstacles for investigators
How to Manage the Risk
IBAS Study – Trends & Attitudes
69.6% of workers have stolen corporate documents and information
58.7% think that taking IP is as acceptable as exaggerating an insurance claim
Most commonly stolen IP includes:
email address books 54.3%
sales proposals / presentations 32.6%
customer databases / contact information 30.4%
53.1% of business professionals who have stolen IP have done so using a personal email account;
28.1% by copying files to a floppy disk;
21.9% by burning copies of files to CD
Growth in webmail storage increases the risk of IP theft:
"...data thieves eye up Google, Yahoo! and Lycos email accounts as 'virtually bottomless electronic swag bags'"
School IP may be in the custody and care of an unknown entity at Google etc!
http://www.ibas.com
Cyber-Ark Survey - 2008
300 professional IT staff surveyed
88 percent of IT administrators would take valuable and sensitive company information with them
Target information included the CEO's passwords, the customer database, R&D plans, financials, M&A plans and, most importantly, the company's list of privileged passwords.
One third of the IT administrators would take the privileged password list
One third of companies revealed that they believe data is being leaked out of their companies and going to their competitors or criminals via USB sticks, iPods, BlackBerrys and laptops, or sent over email
One third of IT administrators surveyed admit to having written privileged passwords on a post-it note
One third of IT staff admitted to snooping around the network, looking at highly confidential information
(http://www.cyber-ark.com/news-events/pr_20080827.asp)
Common Risk Management Faults
Misplaced faith in employees
Don't recognise the reality/risk of loss of IP through the departure of staff
Physical assets are recognised and collected prior to leaving (laptop/keys/phone/building pass) but there is no process for collection of electronic data
Often it is some time later that there is any need to look at the data on the computer – if it has been re-issued to staff, all may be lost.
Ownership of assets
Inadequate Policy
Lack of ongoing education of policy
Departure Process
Don't wait for the departure date – activate logging, monitor the network etc. as soon as the departure is known/suspected
Collect physical assets prior to the employee's departure (laptop/keys/mobile phone & BlackBerry/building pass)
Capture & archive electronic data:
Email (local and server)
Local profile
Network shares
Personal computer
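The capture step above is only useful later if you can show what you collected and that it has not changed since. The script below is an added example, not from the slides: it records size, timestamps and a SHA-256 hash for every file under a profile directory before anything is copied, then re-verifies the tree against that manifest. The directory layout, file names and contents it builds (a "Documents/pricing.xlsx" and an "Outlook.pst") are constructed stand-ins, and `tamper()` only exists to simulate the machine being used again after collection.

```python
# Added example (not from the slides): a preservation manifest taken over a
# departing employee's data BEFORE anything is copied or the machine is
# re-issued. Paths and file contents below are constructed for the example.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte mailbox file never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def preserve(root):
    """Walk `root` and record size, timestamps and SHA-256 for every file.

    stat() is taken before the file is opened for hashing, so the recorded
    access time is the one the employee left behind rather than ours.
    Paths are stored with '/' so the manifest reads the same on any platform.
    """
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": _utc(st.st_mtime),
                "atime": _utc(st.st_atime),
                "sha256": sha256_file(path),
            })
    return {
        "root": os.path.abspath(root),
        "collected": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify(root, manifest):
    """Re-hash every file in the manifest; return the paths that no longer match."""
    mismatched = []
    for entry in manifest["files"]:
        path = os.path.join(root, *entry["path"].split("/"))
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatched.append(entry["path"])
    return mismatched


def build_sample_tree():
    """Constructed stand-in for a user profile (not real data)."""
    root = tempfile.mkdtemp(prefix="profile_")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "pricing.xlsx"), "wb") as f:
        f.write(b"constructed spreadsheet bytes")
    with open(os.path.join(root, "Outlook.pst"), "wb") as f:
        f.write(b"constructed mailbox bytes")
    return root


def tamper(root, relpath):
    """Simulate a later change (e.g. the machine being re-issued and used)."""
    with open(os.path.join(root, *relpath.split("/")), "ab") as f:
        f.write(b"\n-- edited after collection --\n")


if __name__ == "__main__":
    root = build_sample_tree()
    manifest = preserve(root)
    print(json.dumps(manifest, indent=2))
    print("mismatches after collection:", verify(root, manifest))
    tamper(root, "Outlook.pst")
    print("mismatches after tampering:", verify(root, manifest))
```

Run it against the real profile share or the archived mailbox store with the volume mounted read-only, keep the manifest with the archive, and note that reading a file to hash it can itself update the last-accessed time on some file systems, which is why the stat() is recorded first.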
Liberty v Scott
May 97 – Scott commenced employment as Chief Account Manager for Liberty Financial
1999 Resigned
2000 Exactly 6 months later commenced with Bluestone Group
January 01 'comparative table' published by Bluestone – allegedly contained IP stolen from Liberty
Valued at $32.3 million
18 months after resignation email reviewed
Identified he had regularly sent emails to his private email address
Email with attachments 2 hours before his resignation
Deleted some or all of his email 2 weeks before departure – allegedly in compliance with a company instruction
Anton Piller order executed – home computer systems imaged
Forensics identified 28 'relevant' documents that had been sent to his home email address
Minefield of legal argument re privilege/privacy/relevance
IT Infrastructure Management
Management & Surveillance of IT Infrastructure
IT systems are business systems
Require ongoing management/interaction/access to ensure they are in good working order, resolve faults etc.
Determine systems are not being abused by staff
Ensure users are complying with policy
Guard important IP
Monitor departing staff
Privacy Legislation
NSW Workplace Surveillance Act 2005
Employees must be given notice
Surveillance must be in accordance with policy
Take reasonable steps to ensure employee understands policy
*Vic – Guidelines on Workplace E-mail, Web Browsing and Privacy
Develop a policy
Promulgate it to staff
Clearly state what staff use of email/www is permitted
Set out what information is logged and who has rights to access that information (i.e. who is doing the monitoring and what they are looking at)
Tell staff how monitoring will be done
www.privacy.gov.au/internet/email/index.html
Employment Contract & Staff Policy
What policy is in place and is it owned by staff?
Are network surveillance and monitoring sufficiently covered off?
Have policy documents been acknowledged by the staff, e.g. in writing?
Is there an ongoing education process, e.g. info sessions, flyers etc.?
User interaction such as an on-screen acknowledgement at logon
What sort of culture is encouraged in the workplace?
Passwords: shared? weak? not aged?
How are privately owned assets such as laptops addressed?
Does it address the use of webmail accounts & messenger programs, Facebook, Twitter etc.?
Access to the computer
Who owns the laptop computer used by the employee?
Is it the employee's:
Part of employment agreement
Purchased by them
Salary sacrifice
Is it the employer's:
Purchased by the employer and given to the employee for use, including reasonable personal use
Shared access by other employees
Is it not clear who owns it:
Partly financed by employer and employee
Forensic IT 101
Definition: ‘Forensic I.T.’
Forensic I.T. (Computer Forensics) deals with the:
Identification
Acquisition
Analysis
Presentation of computer evidence
The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the late 1980s
Sources of Data
Electronic media:
Hard disks (1TB)
USB thumb drives (32/64GB)
Multimedia Cards
PDAs & mobiles
CD/DVD
Standalone PCs
Network servers
iPod (etc)
We're all familiar with the iPod range (aren't we?) New range of products coming to the market....
Imaging & Copying
Imaging:
Forensic
Bit by bit copy
Unallocated clusters
Pagefile
Deleted files
Copying:
File level only
No deleted documents
Changes the metadata of documents (e.g. created/accessed timestamps on the copy)
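The difference between the two columns above is easiest to see on a disk you can hold in your hand. The block below is an added example, not from the slides or any forensic product: a toy block device in which, as on FAT or NTFS, deleting a file removes only its directory entry and leaves the data blocks in place. A file-level copy of it sees only the live files; a bit-for-bit image of the same device still contains the "deleted" client list, and a keyword search over the image finds it. File names and contents are constructed.

```python
# Added example (not from the slides): a toy block device that behaves like a
# real file system in the one way that matters here - deleting a file drops its
# directory entry but leaves the data blocks in place. Names and contents are
# constructed for the example.
import hashlib
import json
import re

BLOCK = 512      # bytes per block
NBLOCKS = 16     # 8 KiB device


class ToyDisk:
    """Block 0 holds a JSON directory {name: [block numbers]}; blocks 1..N-1
    hold data. Anything not referenced from the directory is 'unallocated'."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)
        self._write_dir({})

    def _read_dir(self):
        return json.loads(bytes(self.raw[:BLOCK]).rstrip(b"\0").decode())

    def _write_dir(self, directory):
        self.raw[:BLOCK] = json.dumps(directory).encode().ljust(BLOCK, b"\0")

    def _free_blocks(self):
        used = {b for blocks in self._read_dir().values() for b in blocks}
        return [b for b in range(1, NBLOCKS) if b not in used]

    def write(self, name, data):
        directory, free = self._read_dir(), self._free_blocks()
        needed = -(-len(data) // BLOCK)          # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
        directory[name] = blocks
        self._write_dir(directory)

    def read(self, name):
        blocks = self._read_dir()[name]
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks).rstrip(b"\0")

    def delete(self, name):
        # Exactly what FAT/NTFS do: drop the entry, leave the data until it is reused.
        directory = self._read_dir()
        del directory[name]
        self._write_dir(directory)

    def files(self):
        return sorted(self._read_dir())


def logical_copy(disk):
    """What Explorer or a drag-and-drop copy sees: live files only."""
    return {name: disk.read(name) for name in disk.files()}


def forensic_image(disk):
    """Bit-for-bit acquisition of every block, allocated or not, together with
    the hash taken at acquisition time so the image can be re-verified later."""
    image = bytes(disk.raw)
    return image, hashlib.sha256(image).hexdigest()


def carve(image, pattern):
    """Keyword search over the whole image, so unallocated blocks are included."""
    return [m.start() for m in re.finditer(re.escape(pattern), image)]


def demo():
    disk = ToyDisk()
    disk.write("notes.txt", b"public meeting notes")
    disk.write("clients.csv", b"ACME Pty Ltd,CONFIDENTIAL client list\n")
    disk.delete("clients.csv")                 # 'tidied up' before the departure date
    copied = logical_copy(disk)
    image, digest = forensic_image(disk)
    return {
        "files_seen_by_copy": sorted(copied),
        "secret_in_copy": any(b"CONFIDENTIAL" in v for v in copied.values()),
        "secret_offsets_in_image": carve(image, b"CONFIDENTIAL"),
        "image_verifies": hashlib.sha256(image).hexdigest() == digest,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The remnant survives only until its blocks are reused, which is why the imaging should happen before the machine is re-issued. On a real drive the same acquisition is done through a write-blocker with a tool such as dd or EnCase, and the hash recorded at acquisition is what lets you show in court that the image examined is the one taken.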
Demo examination of USB
Explorer View
Forensic View
Tools Available
EnCase (you are provided with the analysis results)
Unallocated disk space
Remnant data
Cache/Pagefile
Internet history
Document metadata
Clearwell (you investigate the data)
Logical docs
Internet cache
Deleted email
Various others
CD Burning/Internet History/Mobile Phones
Analysis – What to look for?
Internet History:
Job advertisements
Business registration
Real Estate inquiries
Email Review
Work documents sent to private email address
Emails with attachments forwarded to themselves
Use of webmail accounts – bypassing the corporate email infrastructure
Instant Messenger
Chat between the user and other employees
Solicitation for them to join
Distribution of documents
Discussion of their plans to leave, what they're doing, when, how etc.
Disclose associations not previously known
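The email-review items above turn into a simple detection once you have the gateway logs. The following is an added example, not from the slides: it reads a constructed mail-gateway log, keeps only messages the subject sent to a webmail domain with an attachment, and rates them higher when the recipient looks like the sender's own private account or the message falls in the run-up to the resignation date. The log line format, the domain corp.example, the user jsmith and every line of SAMPLE_LOG are made up for the example; `parse()` is the part to adapt to your own gateway.

```python
# Added example (not from the slides): flagging work documents sent to private
# webmail addresses from a mail-gateway log. The log format, the domain
# corp.example, the account names and every line of SAMPLE_LOG are constructed
# for this example; adapt parse() to your own gateway's format.
import re
from datetime import datetime, timedelta, timezone

WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "lycos.com"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) subj="(?P<subj>[^"]*)"'
    r'(?: attach=(?P<attach>\S+))?'
)

SAMPLE_LOG = """\
2009-02-01T10:00:00Z from=jsmith@corp.example to=mum@yahoo.com subj="photos" attach=holiday.jpg
2009-03-02T08:12:44Z from=jsmith@corp.example to=buyer@customer.example subj="Quote 2291" attach=quote2291.pdf
2009-03-02T17:41:05Z from=jsmith@corp.example to=jsmith1978@gmail.com subj="FW: Q1 pipeline" attach=pipeline.xlsx
2009-03-03T12:02:19Z from=jsmith@corp.example to=jsmith1978@gmail.com subj="FW: price book" attach=pricebook.doc
2009-03-03T12:05:30Z from=jsmith@corp.example to=jsmith1978@gmail.com subj="lunch thursday?"
2009-03-04T09:30:00Z from=helpdesk@corp.example to=all@corp.example subj="Maintenance window"
"""


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def domain(addr):
    return addr.split("@", 1)[1].lower()


def looks_self_addressed(sender, recipient):
    """'jsmith' -> 'jsmith1978@gmail.com' is the classic pattern."""
    s, r = local_part(sender), local_part(recipient)
    return s == r or r.startswith(s) or s.startswith(r)


def analyse(log_text, subject, resignation, window_days=30):
    """Return one finding per attachment the subject sent to a webmail domain,
    rated high when it also looks self-addressed or falls in the run-up to departure."""
    window_start = resignation - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["sender"].lower() != subject.lower():
            continue
        if domain(rec["to"]) not in WEBMAIL_DOMAINS or not rec["attach"]:
            continue    # plain chatter, or an attachment to a customer, is not what we are after
        reasons = ["attachment sent to a webmail address"]
        if looks_self_addressed(rec["sender"], rec["to"]):
            reasons.append("recipient looks like the sender's own private account")
        if window_start <= rec["ts"] <= resignation:
            reasons.append(f"sent within {window_days} days of departure")
        findings.append({
            "ts": rec["ts"].isoformat(),
            "to": rec["to"],
            "attach": rec["attach"],
            "severity": "high" if len(reasons) > 1 else "low",
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["ts"])


def run_sample():
    """The constructed log above, for a resignation on 5 March 2009."""
    return analyse(SAMPLE_LOG, "jsmith@corp.example",
                   datetime(2009, 3, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["ts"], f["to"], f["attach"], "; ".join(f["reasons"]))
```

The gateway log only sees mail that went through the corporate server; documents uploaded straight to a webmail site in the browser never appear here, which is the "bypassing email infrastructure" point above and why the proxy/Internet history has to be reviewed alongside it.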
Case Example – Attempt to Erase Evidence
Email received by Principal from a "young lady"
Alleged improper communication between herself and a teacher
Revealed a planned liaison
Student threatened media if school did not take appropriate action
Next email went to school board
Teacher was interviewed by Principal
Teacher's computer reformatted due to 'problems'
Analysis identified evidence of:
Communication with student via webmail
Other related correspondence
Sexual liaison with other couples
Letter mentioning previous similar incident
Met with Principal and lawyer after which he resigned
Mobile Phones & PDAs
Onboard memory
Stored numbers
Calls made
Calls received
SIM Card
SMS in and out
MMS in and out
Memory Cards
Any type of document
Mobile Phones
Activity of Interest on a Computer
Use of USB flash drives
CD/DVD burning activity
Use of web based email accounts
Recovery of deleted Files
Identifying deletion of files
Other web activity
Chat sessions (MSN/My HeadBook etc)
Recently accessed files
Threats to Data/Evidence
Culture
Access via network
Remote access
Colleagues
Re-issue of computer
Automated tasks, e.g. virus scan/defrag
Proof of identity
Level of user authentication
Who has physical access to computer
Password strength/age etc
Metadata
Blair Document
Case Example - Metadata
Submission of lease extension
The date the document was physically delivered critical due to deadlines
Physical document delivered on Friday 21 December 2007 bore the written date of 21
December 2007
Next copy delivered on following Monday was dated 20 December 2007 (Complied with
the cut-off date for lease submission)
Insolvent – Administrator was sued over failure of lease renewal
Litigation & Discovery process
No computers available for discovery (upgraded/trashed)
3 diskettes handed over – last-minute discovery (found at the secretary's home)
Recovered a deleted document – cover letter for the lease submission – date shown 21 December
Metadata showed the document bore a face date of 21 December, had been created 20 Dec, but was last modified March 08 – just before litigation!
You’re The Victim
What Are The Reporting Options?
It's a criminal offence – report it to the police
Pursue it civilly – get legal advice
We don't want the bad press (do nothing)
Good money after bad (do nothing)
What's been taken won't make a big difference (do nothing)
Criminal Law and Theft of IP
Theft – Points of Proof
Identity (of the offender)
Dishonestly
Appropriates
Property
Belonging to another
Intent to permanently deprive
Definition of Property
"Property includes money and all other property, real or personal, including things in action and other intangible property."
Over time the courts have held that this definition does not extend to confidential information or ideas as such: the information is not "property" for the purposes of theft, even though the paper, tape or disk that carries it is (see the cases that follow).
Theft – Case Law
Oxford v Moss (1978)
Defendant took an examination paper for the purpose of copying the questions.
Charged with theft
Dismissed by the magistrate as information is not property
Appeal by the prosecution dismissed – confidential information held not to be property
R v Ian Douglas George 1991
Relates to the theft of a customer list on magnetic tape from his employer.
“Mere information or knowledge may never be property as held in Oxford v Moss. But
the tape is more than mere information, it is a tangible tape processed in such a way that it
contains magnetic impulses……It is therefore property within the meaning of the act the
same way as a written book containing names and addresses of customers to whom the
owner mails material.”
Computer Trespass – Case Law
DPP v Murdoch [1993] 1 VR 406
Revolves around the issue of not having lawful authority
"In the case of a hacker it will be clear that he has no authority to enter the system. In the case of an employee the question will be whether that employee has authority to effect the entry with which he stands charged.
If however there are limits upon the permission given to him to enter that system it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not then he has entered the system without lawful authority to do so."
Whether an employee is authorised to access particular areas of the computer system will be largely determined by reference to the organisation's internal technology use policy
Recommendations
Identify 'key' employees
Departure process for suspected (or anticipated?) sudden departures:
Monitor activity on the network
Home dir
Private email accounts
Implement robust, workable policy
Educate staff
Identify your IP
Employment agreements
Get on the front foot! Be pro-active and investigate.
Make an effort to prevent theft of IP occurring – far more effective and economical
(Would you examine an employee's iPod?)