FORZA – Digital Forensics Investigation Framework that incorporate legal issues (DFRWS 2006)

Ricci IEONG, Founder and Principal Consultant, eWalker Consulting Ltd. (HK)

Transcript of FORZA – Digital Forensics Investigation Framework that incorporate legal issues

Page 1: FORZA – Digital Forensics Investigation Framework that … (old.dfrws.org/2006/proceedings/4-Ieong-pres.pdf · 2007. 3. 19.)

eWalker Consulting Ltd.

FORZA – Digital Forensics Investigation Framework that incorporate legal issues (DFRWS 2006)

Ricci IEONG, Founder and Principal Consultant, eWalker Consulting Ltd. (HK)

Page 2: Agenda

DFRWS 2006 · eWalker Consulting Ltd. · 2006-08-14

- Revisit of two digital forensics cases
- Missing link between these cases and existing forensics models and frameworks
- What are the features of the FORZA framework?
- Application of the FORZA framework
- Benefits of using FORZA
- Next steps

Page 3: Cases revisited

Page 4: Case 1: US vs Gorshkov

- Oct 1999:
  - Seattle FBI received a complaint from a local Internet Services Provider, Speakeasy
  - Online commerce system intrusion, including server hosting and credit card transactions
  - Solicitation for computer security consulting via email from "subbsta"
  - Threat escalation
- Dec 1999:
  - Speakeasy knocked offline

Page 5: Case 1: US vs Gorshkov (cont.)

- Similar timeframe in 1999:
  - FBI received a complaint from Online Information Bureau, Vernon, CT
  - The online commerce servers were compromised and credit card information was stolen
  - Solicitation for computer security consulting via email from "subbsta"
  - The origin of the attack was found to be CTS in San Diego

Page 6: Case 1: US vs Gorshkov (cont.)

- What did the FBI do?
  - Identify the commonalities and differences between the cases
  - Collect evidence and information from CTS
  - Confirm that the incident originated from tech.net.ru, which is in Chelyabinsk, Russia
  - Identify Alexey Ivanov (aka subbsta)

Page 7: Case 1: US vs Gorshkov (cont.)

- Then what did the FBI do next?
  - Call Ivanov for a security job opportunity
  - Set up an undercover operation
  - Set up a honeypot
- Using the collected user names and passwords, the FBI logged in to the suspects' machine (tech.net.ru) and dumped out 4 CD-ROMs of data.
- Afterwards, hired experts to perform analysis:
  - Identification of OS
  - Reconstruct system directory overview
  - Determine system control
  - Analyze hacking utilities
  - Analyze the functions of the Perl scripts
  - Reconstruct the story of the tech.net.ru hacking
- Presentation of the case in court

Page 8: Case 2: HKSAR vs CHAN NAI MING

Page 9: Case 2: HKSAR vs CHAN NAI MING (cont.)

Page 10: Case 2: HKSAR vs CHAN NAI MING (cont.)

- The Officer-in-Charge (OC) received information from the intelligence team. The complaint was initiated by a copyright owner, who reported that torrents of new movies had been found in a HK newsgroup.
- 10 Jan 2005:
  - A customs officer browsed a HK movie newsgroup and saw a reference to Big Crook having uploaded a file to the BitTorrent newsgroup, which related to a film called "Daredevil".
  - There were images of inlay cards from the film, which had a picture of a statuette superimposed onto them, and a .torrent file.
  - The .torrent file was downloaded and activated by the officer and showed the seeder's IP address, where the source seed was located.
  - The officer downloaded the film, as did two of the other downloaders, before the connection was broken.
- 11 Jan 2005:
  - The same procedure was followed with two other films called "Red Planet" and "Miss Congeniality".
- 10 – 11 Jan 2005:
  - Communicated with the ISP and the forum for the IP address and the account owner of the IP address.
- 12 Jan 2005, 7:00am:
  - Laid ambush outside the defendant's home

Page 11: Case 2: HKSAR vs CHAN NAI MING (cont.)

Page 12: Case 2: HKSAR vs CHAN NAI MING (cont.)

- Defendant is before this court facing three charges:
  - Section 118(1)(f) of the Copyright Ordinance, Cap 528, of attempting to distribute an infringing copy of a copyright work, other than for the purpose of or in the course of any trade or business, to such an extent as to affect prejudicially the rights of the copyright owner;
  - Three alternative charges of obtaining access to a computer with dishonest intent, contrary to section 161(1)(c) of the Crimes Ordinance, Cap 200.

Page 13: Questions from the two cases

- Did the investigators follow any digital forensics framework?
- Is information collected over the network from the suspect's location considered sufficient evidence?
- What evidence should be collected in order to put forward the case?
- When should legal aspects be incorporated?
- If you encountered a similar case, what should you do?
- What procedures should we advise a beginner investigator to follow?

Page 14: Digital Forensics Models

Page 15: Comparison of various Forensics Models

Models compared: Casey's Model, DOJ Model, DFRWS Model, Lee's Model, Reith, Carr, Gunsch's Model (2002), Séamus Ó Ciardhuáin's Model (2004), Beebe & Clark's Model (Aug 2004)

Comparison criteria: Legal aspects, Different OS platform, New IT technology

[Comparison matrix: rows = criteria, columns = models; the individual cell marks are not recoverable from the slide]

Page 16: Forensics Models

- There are a number of established forensics investigation procedures
  - Each organization developed its own procedures
  - Due to changes in technology, different procedures have been derived
- Most of them concentrate on the forensics investigation procedures

Page 17: Pollitt's Zachman Forensics Model

- As Pollitt mentioned, forensics models concentrate on forensics procedures
- Mark Pollitt explained the Zachman model for forensics.
- But Pollitt also mentioned that Zachman is not good as a forensics model.

Page 18: Revisit Zachman Forensics Model

- But for different roles, a different framework title could be selected
- In fact, there are other ways to select entities in the Zachman Framework

Page 19: From Zachman, SABSA to FORZA

Page 20: Issues of current forensics models

- But those procedures are a bit different from each other because each focuses on a different part of the procedure.
- Business owner, system owner, technical staff and legal staff involvement has not been included.
- Also, there is no unified forensics investigation framework
- According to security documentation such as ISO 13569 and the ITIL standard, security documentation should be better organized into:
  - Framework
  - Standard
  - Policy
  - Technical Procedures

Page 21: Zachman Model

- The Zachman model outlines the requirements in developing an Enterprise Architecture model.
- Requirements are listed as:
  - What
  - Why
  - How
  - When
  - Where
  - Who
- Roles can be selected based on the user

Page 22: Zachman Model (Cont.)

- Explanation of Zachman model roles and requirements:
  - The Planner View (Scope/Contextual Model)
  - The Owner View (Business/Conceptual Model)
  - The Designer View (System/Logical Model)
  - The Builder View (Technology/Physical Model)
  - The Subcontractor View (Detailed Representations/out-of-context)

Page 23: Zachman Framework

Page 24: SABSA Model

- Systems and Business Security Architecture (SABSA)
- The framework has evolved since 1995 as a holistic business-driven approach for delivering cohesive security solutions to business and government.
- SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives.
- SABSA is a Zachman-based security model
- The SABSA Matrix also uses the same six questions that are used in the Zachman Framework and which were so eloquently articulated by Rudyard Kipling in his poem 'I Keep Six Honest Serving Men': What, Why and When, How, Where and Who?

Page 25: SABSA Model (Cont.)

- Explanation of SABSA model roles and requirements:
  - The Business View (Contextual Security Architecture)
  - The Architect's View (Conceptual Security Architecture)
  - The Designer's View (Logical Security Architecture)
  - The Builder's View (Physical Security Architecture)
  - The Tradesman's View (Component Security Architecture)
  - The Facilities Manager's View (Operational Security Architecture)

Page 26: SABSA Matrix

Page 27: FORZA Framework

Page 28: Attributes in Digital Forensics

IT Security: Confidentiality, Integrity, Availability

Digital Forensics: Relevancy, Reconnaissance, Reliability

Page 29: FORensics-ZAchman Model

- The FORZA framework is derived from Zachman
- It is an extended model that covers various forensics models using the Zachman model.
- It focuses more on the static attributes of the forensics aspects

Page 30: FORZA Framework

- Roles in Digital Forensics:
  - Investigator in Chief/Officer in Charge (Contextual Investigation Layer)
  - System Owner (Contextual Layer)
  - Legal Advisor (Compliance Advisory Layer)
  - Security/System Architect/Auditor (Conceptual Security Layer)
  - IT Forensics Specialists (Technical Preparation Layer)
  - Forensics Investigators/System Administrator/Operator (Collection Layer)
  - Forensics Investigators/Forensics Analysts (Analysis Layer)
  - Legal Prosecutor (Presentation Layer)

Page 31: FORZA Framework (matrix)

| Role (Layer) | When (Time) | Who (People) | Where (Network) | How (Function) | What (Data) | Why (Motivation) |
|---|---|---|---|---|---|---|
| Chief Investigator/Officer in Charge (Contextual Investigation Layer) | Investigation Timeline | Initial Participants | Investigation Geography | Requested Initial Investigation | Event Nature | Investigation Objectives |
| System Owner (if any) (Contextual Layer) | Business & Incident Timeline | Organization & Participants relationship | Business Geography | Business & System Process Model | Business & Event Nature | Business Objectives |
| Legal Advisor (Compliance Advisory Layer) | Legal Timeframe | Legal Entities & Participants | Legal Geography | Legal Procedures for further investigation | Legal Background and preliminary issues | Legal Objectives |
| Security/System Architect/Auditor (Conceptual Security Layer) | Security Timing and Sequencing | Users and Security Entity Model | Security Domain and Network Infrastructure | Security Mechanisms | System Information and Security Control Model | System/Security Control Objectives |
| IT Forensics Specialists (Technical Preparation Layer) | Hypothetical Forensics Event Timeline | Forensics Entity Model | Forensics Data Geography | Forensics Strategy Design | Forensics Data Model | Forensics Investigation Strategy Objectives |
| Forensics Investigators/System Administrator/Operator (Collection Layer) | Forensics Acquisition Timeline | Participants Interviewing and Hearing | Site Network Forensics Data Acquisition | Forensics Acquisition/Seizure Procedures | On-site Forensics Data Observation | Forensics Acquisition Objectives |
| Forensics Investigators/Forensics Analysts (Analysis Layer) | Event Timeline Reconstruction | Entity and Evidence Relationship Analysis | Network Address Extraction and Analysis | Forensics Analysis Procedures | Event Data Reconstruction | Forensics Examination Objectives |
| Legal Prosecutor (Presentation Layer) | Timeline of the entire event for Presentation | Entities in Litigation Procedures | Legal Jurisdiction Location | Legal Presentation Procedures | Legal Presentation Attributes | Legal Presentation Objectives |

Page 32: How to integrate current models

- Incorporate various forensics investigation procedures
- Focus on forensics investigation aspects, more towards the forensics investigation process
- Basic concept derived from the core aspects of forensics investigation:
  - Collection of digital evidence related to the case and suitable for legal consideration
  - Preservation of digital evidence
  - Reconstruct the timeline and preserve the chain of custody

Page 33: Investigator in Chief/Officer in Charge (Contextual Investigation Layer)

When (Time): Investigation Timeline
- When was the event reported?
- Any other similar event reported?
- When to call for action?

Who (People): Initial Participants
- Who reported the case?
- Who is/are the suspects and victims?
- Who is the owner of the system?
- Who should be in the operation team for this case?
- What other resources are required?

Where (Network): Investigation Geography
- The geographical location of the reported event?

How (Function): Requested Initial Investigation
- What needs to be performed in this investigation?
- What preliminary investigation should be performed and what information should be collected?

What (Data): Event Nature
- What is the nature of the reported event?
- IT system as (Donn Parker's proposed categories):
  - Object of crime
  - Subject of crime
  - Tool for conducting or planning a crime
  - Symbol of computer used to intimidate or deceive
- IT system as major source/minor source of evidence?
- What functions have been disrupted?

Why (Motivation): Investigation Objectives
- What is the purpose of this investigation?
- What is the potential incident?
- What are the needs of the requester?

Page 34: System Owner (if any) (Contextual Layer)

When (Time): Business & Incident Timeline
- When did the system start operating?
- When was the event first reported?

Who (People): Organization & Participants relationship
- Who should be the responsible people (system admin, support, owner)?
- Any IT Security Architect/Solution Architect or Internal IT Auditor in the organization?
- Any organization chart?
- What is the relationship between the organization and the reporting person and the suspected participants?

Where (Network): Business Geography
- The location/office of the source of the identified issues
- Any other location of office, server room?

How (Function): Business & System Process Model
- What is the business process that required the affected system?
- What is the role of the affected information system in the business process?
- What function has been affected?
- What is the relationship between the information system and the reported event?

What (Data): Business & Event Nature
- What is the business of the company?
- What is the purpose of the data/asset?
- What are the affected data and systems?
- What data and systems should be protected?
- How did the events (security incidents) happen?

Why (Motivation): Business Objectives
- What is the nature of the business?
- What is the purpose of the system?

Page 35: Legal Advisor/Compliance Manager/Disciplinary Board (Compliance Advisory Layer)

When (Time): Legal Timeframe
- When was the offence first discovered / when did the matter of the information arise?
- When did the cause of action accrue?
- What is the time limit of the case?
- Is that within the time bar limit?
- What is the time span of the case?
- What are the crucial dates for interlocutory proceedings?

Who (People): Legal Entities & Participants
- Who are the claimant/respondent?
- Who are the legal counsel, prosecutor, legal staff?
- Who are likely to be the witnesses for the claimant and respondent?
- Who are likely to be experts and what are their credentials?

Where (Network): Legal Geography
- Is that within the jurisdiction of the country?
- What are the laws governing the case?
- Does the local court have jurisdiction?

How (Function): Legal Procedures for further investigation
- What sections of the ordinance should be referred to?
- What are the key elements in the ordinance?
- Is there any injunction required?
- Is any warrant, search warrant required?
- Request preservation of evidence by client or by third party
- Formulate the required facts into search criteria.
- How can the evidence be admissible at trial?

What (Data): Legal Background and preliminary issues
- What are the relevant law/ordinance?
- What is the required and related information?
- What data is required to be collected?
- What are the issues of law and issues of fact?
- Identify the facts and determine any gaps in the facts
- Identify which facts are probably agreed
- Identify which facts are probably in dispute
- Identify which facts you need evidence for
- Identify which facts you have evidence of
- Identify what is the case against the claimant/respondent

Why (Motivation): Legal Objectives
- What is the purpose of the dispute?
- What is the law of the dispute?
- Is the case a criminal or civil case?
- Determine whether the client/third party should be asked to preserve digital evidence
- Suggest whether the client should report to law enforcement agencies or institute a private prosecution

Page 36: Security/System Architect/Auditor (Conceptual Security Layer)

When (Time): Security Timing and Sequencing
- When was the security protection implemented?
- Any time dependency of the security protection mechanism?
- Is time synchronization implemented in the infrastructure?
- Any time pattern of the identified incident?

Who (People): Users and Security Entity Model
- What are the entities and their inter-relationship models?
- What are the roles and privileges of the entities?
- User identity, privileges and ACL of users
- Any people violating the rules or introducing the events to the system?

Where (Network): Security Domain and Network Infrastructure
- Is there any security domain and protection zone?
- Is the network infrastructure defined? (Network diagram, firewall, IDS, and other security solutions)
- Where is the location within the infrastructure?

How (Function): Security Mechanisms
- How and what kind of security functions/policy are being implemented?
- Which security functions detected the events? (e.g. profile detection, anomaly detection, complaints, system monitoring or audit analysis?)

What (Data): System Information and Security Control Model
- What is the security control and system information model?
- What data/system has been involved?
- What data classification scheme and risk assessment scheme are implemented?
- What protection scheme has been implemented?
- What operating systems are used?
- Is data encryption implemented?
- What kind of data was lost?
- What event logging mechanism has been enabled?

Why (Motivation): System/Security Control Objectives
- What kind of security controls have been implemented to protect the information system/data?
- What is the security design model, risk management model?
- What is the missing security control that would lead to the issues?

Page 37: IT Forensics Specialists (Technical Preparation Layer)

When (Time): Hypothetical Forensics Event Timeline
- When did the event happen?
- When did the event start?
- When was the event completed?
- Define the sequence of the collection activities

Who (People): Forensics Entity Model
- Who should be the involved people?
- Who should be interviewed?
- Is a 3rd-party expert or vendor required to help in conducting the data collection or analysis?

Where (Network): Forensics Data Geography
- Where can the data be collected? (from ISP, media, volatile memory?)
- Where are the suspected source and target IP addresses of the event?
- Is the network service provider, DNS located in the same location?
- Any suspected proxy server?

How (Function): Forensics Strategy Design
- What extraction procedures should be used for extracting the information?
- How to capture live/production information before turning off the machine?
- How to capture data from the machine?
- Do any specific investigation procedures need to be performed on the device?
- Reconstruct the hypothesis
- What tools could be used for extracting data from the media?
- Should ISP administrators be contacted to preserve logs for collection?
- Would a warrant be required to ask the ISP to disclose the IP address?

What (Data): Forensics Data Model
- What is the hypothesis of the issue?
- What is the data that needs to be collected?
- What is the possible hidden data? Does any hidden information need to be collected?
- What files (such as data files, log files) need to be collected?
- Do any other events need to be collected?
- What media needs to be captured?
- Is the data or media a commonly used and previously captured type?
- What is the approved hardware/software that can be supported?

Why (Motivation): Forensics Investigation Strategy Objectives
- With the specific requirement, what information should be collected?
- What mechanism, procedures should be adopted in this investigation process?

Page 38: Forensics Investigators/System Administrator/Operator (Collection Layer)

When (Time): Forensics Acquisition Timeline
- What is the chain of custody?
- What is the timeline created?

Who (People): Participants Interviewing and Hearing
- Who should be interviewed?
- Rebuild the storyboard and events based on interviews

Where (Network): Site Network Forensics Data Acquisition
- Are any other systems within the network being affected?
- Any other network devices affected?
- What is the actual network infrastructure?
- Any network device forensics data to be collected?
- Is sniffing permitted to be implemented?
- Where is the backdoor connected (if any)?

How (Function): Forensics Acquisition/Seizure Procedures
- Preparation
  - Sterilize the storage media
  - Copy the image using a forensically sound system (i.e. using commercial or open-source imaging technologies). Determine whether cloning of deleted information is required
  - Perform on-site live data forensics investigation (live data if necessary)
  - Perform network monitoring (if necessary)
  - Are forensics best practices followed?
- Documentation
  - Document the scene
  - Photograph the scene
  - Document the time/date stamp
  - Document the investigation procedures
  - Create the inventory list
- Preservation and Duplication
  - Generate the digital image
  - Store the captured information
  - Perform the cryptographic checksum for integrity preservation
- Transportation
  - Protect the evidence during transportation

What (Data): On-site Forensics Data Observation
- What data reduction techniques are being implemented?
- Any specific volatile information that needs to be collected?
- Is the data to be captured live data?
- Is the event still ongoing?
- Is data being deleted?
- Any trojan or backdoor identified?

Why (Motivation): Forensics Acquisition Objectives
- How should the forensics investigation be performed?
- With what procedures and mechanism should the investigation be processed?
- What tools should be used in the investigation?

Page 39:

Forensics Investigators/Forensics Analysts (Analysis Layer)

Columns: When (Time), Who (People), Where (Network), How (Function), What (Data), Why (Motivation)

When (Time): Event Timeline Reconstruction
- Compare the hypothesis with the collected digital evidence timeline
- Reconstruct the timeline
- Determine the time the suspect first appeared and the start time of the event

Who (People): Entity and Evidence Relationship Analysis
- Any user accounts identified?
- Any user-specific information identified?
- Any phone number identified?
- Any email address?
- Who is the person related?
- User accounts and user entity relationship

Where (Network): Network Address Extraction and Analysis
- Any identified IP address collected?
- Reconstruct the network path of the events

How (Function): Forensics Analysis Procedures
- Extract and examine the cloned image
- Analyze the case based on the hypothesis
- Review the Internet activity history and log files
- Review data and compile an analysis report
- Prepare expert testimony
- Outline the search space
- Search for keywords or search for specific files (image/video/audio files)
- Correlate the identified activities between device logs
- Perform reverse-engineering of the identified code
- Perform any pattern matching

What (Data): Event Data Reconstruction
- What data/information is to be extracted for analysis?
- Any damaged digital evidence?
- Any encrypted data relevant to the investigation?
- What data needs to be searched?
- Extract user account information
- What is the statistical information?
- What is the protocol information?

Why (Motivation): Forensics Examination Objectives
- Based on the collected information, what is the critical information that should be identified to prove the case?
- What needs to be searched and extracted from the collected information?
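Several cells of the Analysis Layer above are mechanical once the logs are in hand: extracting user accounts, email addresses and IP addresses (Who/Where), correlating activity between device logs (How), and reconstructing the timeline and the time the suspect first appeared (When). The following added example, not code from the slides or from eWalker Consulting, runs those steps over three constructed log excerpts (a firewall log and a mail log with ISO timestamps, a web server log in Common Log Format); every host, address and account in them is invented, and the "suspect" address is just the one passed to `analyze()`.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs (hosts, addresses and people are invented for the example).
FIREWALL_LOG = """\
2006-08-14T01:12:05Z fw01 ACCEPT src=198.51.100.23 dst=192.0.2.10 dport=22
2006-08-14T01:12:40Z fw01 ACCEPT src=198.51.100.23 dst=192.0.2.10 dport=80
2006-08-14T02:30:11Z fw01 DROP src=203.0.113.7 dst=192.0.2.10 dport=445
"""
WEB_LOG = """\
198.51.100.23 - jdoe [14/Aug/2006:01:13:02 +0000] "GET /admin HTTP/1.1" 200 512
203.0.113.7 - - [14/Aug/2006:02:31:00 +0000] "GET /login HTTP/1.1" 401 0
"""
MAIL_LOG = """\
2006-08-14T01:40:00Z mail01 from=<jdoe@example.net> to=<ops@example.org> relay=198.51.100.23 user=jdoe
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
USER_CLF_RE = re.compile(r"^\S+ - (\w+) \[")   # third field of a Common Log Format line
USER_KV_RE = re.compile(r"\buser=(\w+)")
ISO_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
CLF_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


@dataclass(order=True)
class Event:
    time: datetime   # first field, so sorted(events) is the timeline
    source: str
    line: str


def parse_time(line):
    """Normalise the two timestamp styles in the sample logs to aware UTC datetimes."""
    m = ISO_TS_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    m = CLF_TS_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    raise ValueError("no recognised timestamp: " + line)


def load(source, text):
    return [Event(parse_time(l), source, l) for l in text.splitlines() if l.strip()]


def extract_entities(events):
    """Who/Where cells: user accounts, e-mail addresses and IP addresses seen anywhere."""
    ips, emails, users = set(), set(), set()
    for e in events:
        ips.update(IP_RE.findall(e.line))
        emails.update(EMAIL_RE.findall(e.line))
        users.update(USER_CLF_RE.findall(e.line))
        users.update(USER_KV_RE.findall(e.line))
    return {"ips": sorted(ips), "emails": sorted(emails), "users": sorted(users)}


def first_appearance(events, ip):
    """When cell: earliest time `ip` shows up on any device, or None."""
    hits = [e for e in sorted(events) if ip in IP_RE.findall(e.line)]
    return hits[0].time if hits else None


def correlate(events, ip, window=timedelta(minutes=5)):
    """How cell: events mentioning `ip` across all device logs, grouped into
    sessions whenever consecutive hits are no more than `window` apart."""
    hits = [e for e in sorted(events) if ip in IP_RE.findall(e.line)]
    groups, current = [], []
    for e in hits:
        if current and e.time - current[-1].time > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return groups


def analyze(suspect_ip="198.51.100.23"):
    events = load("firewall", FIREWALL_LOG) + load("web", WEB_LOG) + load("mail", MAIL_LOG)
    timeline = sorted(events)
    first = first_appearance(events, suspect_ip)
    return {
        "entities": extract_entities(events),
        "first_seen": first.isoformat() if first else None,
        "group_sizes": [len(g) for g in correlate(events, suspect_ip)],
        "timeline_len": len(timeline),
        "timeline_sources": [e.source for e in timeline],
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

Timestamps from different devices are converted to one aware UTC clock before anything is sorted or compared; skipping that step is the usual way a cross-device timeline ends up out of order.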

Page 40:

Legal Prosecutor/Compliance Manager/Disciplinary Board (Presentation Layer)

Columns: When (Time), Who (People), Where (Network), How (Function), What (Data), Why (Motivation)

When (Time): Timeline of the entire event for Presentation
- Is the entire storyboard re-created?
- When should the case be presented?
- Any timeline missing in the evidence?

Who (People): Entities in Litigation Procedures
- Which witnesses should be called?
- Should any expert witnesses be called?
- Which Judge, Counsel or Arbitrator is involved?

Where (Network): Legal Jurisdiction Location
- Where should the place of litigation be?
- Where should the place of enforcement be?
- Where should the place of hearing be?

How (Function): Legal Presentation Procedures
- What litigation scheme should be used? (International arbitration, local litigation?)
- What tactic should be used in the litigation procedure?
- Determine the civil and criminal interlocutory remedies needed

What (Data): Legal Presentation Attributes
- What charge should be issued?
- What information should be included/excluded?
- What evidence should be presented?
- How strong is the evidence?

Why (Motivation): Legal Presentation Objectives
- Should the case proceed or be closed?
- Is sufficient evidence collected?
- Which litigation mechanism should be used?
- Determine the chances of success
- Determine if it is worth proceeding in this matter

Page 41:

Feature of FORZA model

! Divide the digital forensics investigation aspects into different roles

! Incorporate various digital forensics investigation procedures together

! Formulate the information that needs to be collected under 6 easy-to-remember categories

Page 42:

Flow in FORZA

Case Leader (Contextual Investigation Layer)
System Owner (if any) (Contextual Layer)
Legal Advisor (Legal Advisory Layer)
Security/System Architect/Auditor (Conceptual Security Layer)
Digital Forensics Specialists (Technical Preparation Layer)
Forensics Investigators/System Administrator/Operator (Data Acquisition Layer)
Forensics Investigators/Forensics Analysts (Data Analysis Layer)
Legal Prosecutor (Legal Presentation Layer)

Page 43:

Benefit of the framework

! Cover various aspects of digital forensics

! Include IT, investigator and legal aspects in the digital forensics investigation

! Provide a framework with a scope of investigation

! Unify various procedures and produce a framework that enables a systematic approach to digital forensics investigation.

! Enable less experienced users to carry out an investigation

! Assist digital forensics procedures to be developed for new cases

Page 44:

Weakness of the framework

! Spectrum in the model is wide

! Difficult to be adopted if a digital forensics cookbook has already been developed

! Too new to be adopted. More comments and feedback from different law enforcement teams are required to enhance this dynamic framework

! No specific technology-dependent methodology or solution is included

! No ready-to-use digital forensics cookbook could be used

Page 45:

Revisit of BT case

Page 46:

The Flow of BT case in FORZA

Officer in Charge (Contextual Investigation Layer)
Copyright Owner (if any) (Contextual Layer)
DOJ (Legal Advisory Layer)
Internet Service Provider (Conceptual Security Layer)
DFL (Technical Preparation Layer)
CART member (Data Acquisition Layer)
DFL (Data Analysis Layer)
DOJ Prosecutor (Legal Presentation Layer)

Page 47:

Case 2: BT case

! Officer-in-Charge (OC) received information from the intelligence team. That complaint was initiated by the Copyright Owner: some new torrents of new movies were found in a HK newsgroup

! OC discussed with the Copyright Owner: what is the nature of their complaint, and what did the Copyright Owner wish to perform?

! Then OC discussed with IT folks and searched for some background about BitTorrent

! OC then discussed with Prosecutors which law would be applicable for this new case and what necessary information should be collected as evidence (in HK, only the uploader/illegal publisher would be charged with a criminal offense)

! OC then discussed with forensics specialists the methods to collect that evidence and the constraints in the methods used for collecting information.

! OC then planned and coordinated resources for conducting the actions.

Page 48:

Case 2: BT case

! OC set up a monitoring team for monitoring new torrent uploads in the newsgroup

! OC found that a frequent uploader of movies had posted a new torrent of a film he prepared into one of the newsgroups OC monitored

! OC then initiated the action by:
" Immediately collecting the IP address owner information from the newsgroup forum and ISP
" Immediately starting to download the movie
" Immediately sending the troop to the location of the uploader's home.

! During the uploading time, the troop entered the uploader's home and found the computer used for uploading the movie, together with the VCD related to this case.

Page 49:

Next Step in the model

! Develop a dynamic FORZA flow model for forensics investigation tools

! Apply the FORZA framework in forensics investigation tools

Page 50:

Questions?

Page 51:

Backup Slides

Page 52:

DFRWS' Framework

Page 53:

From Incident Response

! In the book Incident Response, an "incident response methodology" is given with the following phases:

" Pre-incident Preparation: Prepare for an incident with proper training and infrastructure.
" Detection of the Incident: Identify a suspected incident.
" Initial Response: Verify that the incident has occurred and collect volatile evidence.
" Response Strategy Formulation: Determine a response based on the known facts.
" Duplication: Create a backup of the system.
" Investigation: Investigate the system to identify who, what, and how.
" Secure Measure Implementation: Isolate and contain the suspect system before it is rebuilt.
" Network Monitoring: Observe the network to monitor attacks and identify additional attacks.
" Recovery: Restore the system to its original state with additional security measures added.
" Reporting: Document the response steps and remedies taken.
" Follow-up: Review the response and adjust accordingly.

Page 54:

DOJ's Electronic Crime Scene Investigation Guide

! The U.S. Department of Justice (DOJ) published a process model in the Electronic Crime Scene Investigation Guide
" Preparation: Prepare equipment and tools to perform needed tasks during an investigation.
" Collection: Search for and collect electronic evidence.
• Secure and Evaluate the Scene: Secure the scene to ensure the safety of people and the integrity of evidence. Potential evidence should be identified in this phase.
• Document the Scene: Document the physical attributes of the scene, including photos of the computer.
• Evidence Collection: Collect the physical system or make a copy of the data on the system.
" Examination: A technical review of the system for evidence.
" Analysis: The investigation team reviews the examination results for their value in the case.
" Reporting: Examination notes are created after each case.

Page 55:

Séamus' "An Extended Model of Cybercrime Investigations"

! Based on Séamus Ó Ciardhuáin, "An Extended Model of Cybercrime Investigations", International Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1
" Lee's Model
" Casey's Model
" DFRWS Model
" Reith, Carr and Gunsch Model

! Séamus also proposed an extended model

Page 56:

Séamus' "An Extended Model of Cybercrime Investigations"

Page 57:

Nicole Lang Beebe and Jan Guynes Clark's Model

! Nicole Lang Beebe and Jan Guynes Clark, "A Hierarchical, Objectives-Based Framework for the Digital Investigations Process", Digital Forensics Research Workshop (DFRWS), Baltimore, Maryland, August 2004

Page 58: