Forensics. Learning Objectives Definition of Forensics Be able to understand process in building...
date post 18-Dec-2015
![Page 1: Forensics. Learning Objectives Definition of Forensics Be able to understand process in building legally sound case Identify forensic capabilities you.](https://reader035.fdocuments.in/reader035/viewer/2022062407/56649d265503460f949fcb35/html5/thumbnails/1.jpg)
Forensics
Learning Objectives
• Definition of Forensics
• Be able to understand the process of building a legally sound case
• Identify forensic capabilities you will need in a typical corporate environment
Definition
• Forensic:
– “…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).”
• The aim of forensic science is:
– “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.”
Ref: Casey, “Digital Evidence and Computer Crime”, 2nd ed., section 1.6, p. 20.
The Goal of Forensics
• Forensics seeks to provide an accurate representation of the extracted data: find out the truth
– How was it lost?
– What was lost?
– What are my obligations concerning the loss?
Forensics vs. Incident Handling
• Closely tied together, but different
• Data collection starts immediately as a part of incident handling
• Data analysis is not a part of incident handling
• The incident can sometimes be closed before forensic analysis is complete
Legally Sound Data Collection
• Security in Computing, chapter 9.5
• Goals
– Build a solid case
– Find out what was lost
– Find out the truth
Privacy Issues
• Generally apply principles from the physical world
– Can you:
  • Read my mail?
  • Listen to my phone call?
  • Obtain a copy of my phone bill?
Applicable Statutes
• Computer Fraud and Abuse Act, 18 U.S.C. § 1030
– Protects against unauthorized access (privacy intrusion)
Applicable Statutes (2)
• Federal Wiretap Act (18 U.S.C. §§ 2510-22)
– Protects data in transit (real-time interception of content)
– Three key exceptions:
  • Provider
  • Consent
  • Trespasser (the computer trespasser exception, added by the Patriot Act in 2001)
Applicable Statutes (3)
• Pen Registers and Trap and Trace Devices, 18 U.S.C. §§ 3121-27
– Pen register (outgoing) or trap and trace (incoming)
– Real-time collection of header information, not content
• What is header information?
Applicable Statutes (4)
• The Electronic Communications Privacy Act (ECPA)
– Its Stored Communications Act title (18 U.S.C. §§ 2701-12) protects stored data (both headers and content)
– What is the difference between read voice mail and unread voice mail?
Applicable Statutes (5)
• Patriot Act
– Patches up ECPA and others by clearly defining how law enforcement can gather data
– Renewed in early 2006 with only minor changes
Applicable Statutes (6)
• Other traditional statutes may apply
– Trade secrets
– Harassment
– Copyright infringement
Applicable Statutes (7)
• Summary
– Headers vs. content
– Real-time vs. stored
– Complex and changing
• Acting under the cover of law
– What information can you share with law enforcement?
Employee Rights
• Bannering
– What should be in an acceptable use policy?
– Is bannering sufficient?
• Pseudo-employees
– Contractors
– Consultants
– Temps
– Interns
– Auditors
– …
Case Study(1)
• Acceptable Use Violation
– Indications
– Initial course of action
– What are you certain you can do?
– What are you certain you can not do?
– Where do you go for guidance?
Regulatory Issues
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Protects consumer personal financial data
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Federal privacy protection for individually identifiable health information
• Public firms
– SEC and NASD (now FINRA) requirements for document retention
Data Collection
• Make copies of everything
• Only work on copies
• Create checksums of every original and every copy, and re-check them before each analysis session (the slide says MD5; since MD5 collisions are practical, record a SHA-256 alongside it)
Data Collection Toolkit
• Software
– Static binaries (so nothing on the possibly compromised host, not even libc, is trusted)
– Linux-based
• Hardware
– Cables, adapters
– Very large drives
• Chain of custody forms
• Calibration procedure
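A worked example of the collection steps above (copy everything, work only on copies, checksum every original and every copy, keep a chain-of-custody record). This is added example code, not from the slides; the paths, case id, examiner name and the sample "device" are invented for the demo, and the image is made with a plain file copy where a real acquisition would go through a write blocker with dd or dc3dd. The hashing and verification steps are the same either way.

```python
"""Forensic acquisition with dual hashes and a chain-of-custody log.

Added example (not the slide deck's own code). Paths, the examiner name,
the case id and the sample "device" are all made up for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images do not load into RAM


def hash_file(path):
    """Return (md5, sha256) hex digests of a file in a single streaming pass.

    MD5 is kept because existing procedures and old records reference it;
    SHA-256 is what actually resists a deliberate collision.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(source, image, custody_log, examiner, case_id, note=""):
    """Copy `source` to `image`, hash both, verify, and append a custody record.

    Returns the record. Raises RuntimeError if the image does not match the
    source, so a bad copy is never analysed by mistake.
    """
    src_md5, src_sha = hash_file(source)
    with open(source, "rb") as fin, open(image, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the bytes are on disk before re-hashing
    img_md5, img_sha = hash_file(image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "image": str(image),
        "size_bytes": os.path.getsize(image),
        "source_md5": src_md5, "source_sha256": src_sha,
        "image_md5": img_md5, "image_sha256": img_sha,
        "verified": (src_md5, src_sha) == (img_md5, img_sha),
        "note": note,
    }
    with open(custody_log, "a") as log:  # append-only: earlier entries are never rewritten
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError(f"hash mismatch imaging {source}; do not analyse {image}")
    return record


def verify(image, custody_log):
    """Re-hash `image` and compare against its most recent custody record.

    Run this before every analysis session on a working copy. Returns False
    both when the hashes differ and when no record exists for the image.
    """
    md5, sha256 = hash_file(image)
    with open(custody_log) as log:
        records = [json.loads(line) for line in log if line.strip()]
    for rec in reversed(records):
        if rec["image"] == str(image):
            return rec["image_md5"] == md5 and rec["image_sha256"] == sha256
    return False


def demo():
    """End-to-end run on a constructed sample device (random bytes, not real evidence)."""
    work = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(work, "usb-stick.dev")        # stands in for /dev/sdX
    master = os.path.join(work, "usb-stick.master.dd")  # never analysed directly
    working = os.path.join(work, "usb-stick.work.dd")   # the copy analysts touch
    log = os.path.join(work, "chain_of_custody.jsonl")
    with open(device, "wb") as f:
        f.write(os.urandom(8192) + b"CONFIDENTIAL customer list\n" + os.urandom(4096))
    master_rec = acquire(device, master, log, "J. Doe", "IR-2015-042", "seized from desk 4B")
    work_rec = acquire(master, working, log, "J. Doe", "IR-2015-042", "working copy")
    before = verify(working, log)
    with open(working, "ab") as f:  # an analyst's tool "helpfully" writes to the copy
        f.write(b"\x00")
    after = verify(working, log)
    return {
        "workdir": work,
        "master": master_rec,
        "working": work_rec,
        "working_ok_before_change": before,
        "working_ok_after_change": after,
        "master_still_ok": verify(master, log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines, one entry per copy, so the device-to-master and master-to-working hops are each recorded with who made them and when; a later question in court ("how do you know the copy you analysed is the drive you seized?") is answered by the chain of matching digests. The demo deliberately dirties the working copy to show that `verify` catches it while the master still checks out.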
Case Study(2)
• Bringing the evidence to court
– Do you really have to explain an MD5 checksum of a hard drive to the jurors?
Data on the Computer
• On disk (survives a reboot, but still lost if you wait too long: logs rotate, prefetch entries and slack space get overwritten)
– In files
– In log files
– Browser history
– Windows prefetch area
– Slack space
• Lost when the machine is powered off
– Open network connections
– Virtual memory
– Physical memory
• Real-time only
– Network traces
Data on Other Computers
• Infrastructure logs
– Web servers, mail servers
• Archival systems
• Network / Firewall logs
• Intrusion detection systems
• Everything that logs
Data in Unexpected Places
• Anti-virus alerts, real-time anti-virus scans
• License enforcement / application metering
• [anything] management software
– Patch management
– Software management
– Configuration management
– Asset management
Case Study(3)
• You receive a workstation anti-virus alert
– Where do you expect to find log data?
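Added example (not from the slides) for the two slides above: answering "where do you expect to find log data?" by pulling the alerting host's activity out of logs kept on other systems and lining them up on one clock. All log lines, hostnames, addresses and the alert itself are constructed for the demo; the proxy, firewall and DHCP formats are simplified stand-ins for whatever your products actually emit. Two details the example makes explicit because they bite in practice: each source keeps time differently (local time with offset, epoch seconds, UTC), and an IP address only identifies a host for the duration of its DHCP lease.

```python
"""Build a host timeline around an antivirus alert from logs that live on
other systems (proxy, firewall, DHCP). Added example; not the slide deck's
code. All log lines, hosts and addresses below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed workstation AV alert (what the console shows; time in UTC).
AV_ALERT = {
    "host": "WS-1137",
    "time": "2015-12-14T15:42:17Z",
    "detail": "Trojan.Downloader quarantined C:\\Users\\bob\\AppData\\Local\\Temp\\inv0ice.exe",
}

# Constructed DHCP lease history. Leases are time-bounded: the same IP belonged
# to another host the day before, so an IP must be resolved at event time.
DHCP_LEASES = [
    ("10.20.5.77", "WS-0990", "2015-12-13T08:00:00+00:00", "2015-12-14T07:59:59+00:00"),
    ("10.20.5.77", "WS-1137", "2015-12-14T08:00:00+00:00", "2015-12-15T08:00:00+00:00"),
    ("10.20.5.80", "WS-2201", "2015-12-14T07:00:00+00:00", "2015-12-15T07:00:00+00:00"),
]

# Constructed web proxy log: local time with UTC offset, client identified by IP.
PROXY_LOG = """\
2015-12-14T10:40:02-05:00 10.20.5.77 GET http://intranet.example.local/news 200 text/html
2015-12-14T10:41:55-05:00 10.20.5.77 GET http://files.example-cdn.invalid/inv0ice.exe 200 application/x-msdownload
2015-12-14T10:41:57-05:00 10.20.5.80 GET http://www.example.com/ 200 text/html
2015-12-14T10:43:10-05:00 10.20.5.77 POST http://203.0.113.9/gate.php 200 text/plain
2015-12-14T11:30:00-05:00 10.20.5.77 GET http://intranet.example.local/ 200 text/html
"""

# Constructed firewall log: epoch seconds (UTC), action, source and destination sockets.
FIREWALL_LOG = """\
1450107790 DENY TCP 10.20.5.77:49213 -> 203.0.113.9:4444
1450107795 ALLOW TCP 10.20.5.77:49214 -> 203.0.113.9:80
1450107800 ALLOW TCP 10.20.5.80:51000 -> 93.184.216.34:443
"""


@dataclass(order=True)
class Event:
    time: datetime  # always UTC-aware, so events from different clocks sort correctly
    source: str
    host: str
    summary: str


def parse_iso(s):
    """ISO-8601 with an offset or a trailing Z -> aware datetime in UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def host_for(ip, at):
    """Resolve an IP to the hostname that held the lease at time `at`."""
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and parse_iso(start) <= at <= parse_iso(end):
            return host
    return ip  # no lease known: keep the IP so the event is not silently dropped


def parse_proxy(text):
    for line in text.splitlines():
        ts, ip, method, url, status, ctype = line.split()
        t = parse_iso(ts)
        yield Event(t, "proxy", host_for(ip, t), f"{method} {url} {status} {ctype}")


FW_LINE = re.compile(r"^(\d+) (ALLOW|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_firewall(text):
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue  # a production parser would count and report unparsed lines
        epoch, action, proto, src, sport, dst, dport = m.groups()
        t = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        yield Event(t, "firewall", host_for(src, t), f"{action} {proto} {src}:{sport} -> {dst}:{dport}")


def build_timeline(alert, window_minutes=5):
    """Every event for the alerting host within +/- window_minutes, sorted by time."""
    t0 = parse_iso(alert["time"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    events = [Event(t0, "antivirus", alert["host"], alert["detail"])]
    for ev in [*parse_proxy(PROXY_LOG), *parse_firewall(FIREWALL_LOG)]:
        if ev.host == alert["host"] and lo <= ev.time <= hi:
            events.append(ev)
    return sorted(events)


if __name__ == "__main__":
    for ev in build_timeline(AV_ALERT):
        print(f"{ev.time:%Y-%m-%d %H:%M:%S}Z {ev.source:<9} {ev.host:<8} {ev.summary}")
```

On the constructed data the timeline shows the download of `inv0ice.exe` through the proxy some twenty seconds before the AV console fired, followed by a blocked outbound connection on port 4444 and a successful POST to the same external address over port 80: the quarantine notice alone says "cleaned", the other systems' logs say "it ran and phoned home". That is the point of the "everything that logs" slide.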
Case Study(4)
• Data on someone else’s computer
Gathering Data from People
• Interviews
– With others
– With the suspect
• Interview techniques
– Never reveal what you do or do not know
Did you ever ask a first grader what happened in school today?
Data Sources – Summary
• Defense in depth == forensics in depth
• Only you know all the potential data sources
– It is always your responsibility to help identify and present the data
Corporate Forensics
The Big Question
• Can you ever imagine this event/incident leading to a court case?
– Yes: legally sound collection
– No: more flexibility but fewer resources; often a good training exercise
– Always consider the costs:
  • Prosecution
  • Damage to reputation
  • Loss of corporate secrets
Case Study(5)
• A routine anti-virus alert (revisited)
Preparations
• Pre-planning
• Training
• Consider outsourcing
– Managed cost
– Impartial results
– Add an addendum to your MSSP contract
Decisions, Decisions
• CSO, CIO, CEO, CLO
• What decisions need to be made?
• When and how do you receive elevated authority?
– Admin rights
– Right to monitor
• How do you proceed when there is no decision?
Case Study(6)
• What can we learn from:
– Email logs
– Web server logs
– Interviews
– Human resources
• Who would be involved in making decisions?
• What are some possible outcomes?
Law Enforcement
• FBI
• FTC
• US Postal Inspectors
• US Secret Service
• Local law enforcement
• Task forces and other institutions
Law Enforcement
• Build relationships beforehand
• Cooperation leads to resource sharing
• Law Enforcement does not know your network topology
Conclusion
• Definition of forensics
– Tell the story: what was lost, how it was lost
• Be able to understand the process of building a legally sound case
– Complex issues
• Identify forensic capabilities you will need in a typical corporate environment
– Only you know your topology