FORZA – Digital Forensics Investigation Framework that incorporates legal issues (DFRWS 2006)
Ricci IEONG,
Founder and Principal Consultant,
eWalker Consulting Ltd. (HK)
DFRWS 2006, 2006-08-14
Agenda
- Revisit of two digital forensics cases
- Missing link between these cases and existing forensics models and frameworks
- What are the features of the FORZA framework?
- Application of the FORZA framework
- Benefits of using FORZA
- Next steps
Cases revisited
Case 1: US vs Gorshkov
- Oct 1999:
  - Seattle FBI received a complaint from a local Internet Services Provider, Speakeasy
  - Online commerce system intrusion, including server hosting and credit card transactions
  - Solicitation for computer security consulting via email from "subbsta"
  - Threat escalation
- Dec 1999:
  - Speakeasy knocked offline
Case 1: US vs Gorshkov (Cont.)
- Similar timeframe in 1999:
  - FBI received a complaint from Online Information Bureau, Vernon, CT
  - The online commerce servers were compromised and credit card information was stolen
  - Solicitation for computer security consulting via email from "subbsta"
  - The origin of the attack was found to be CTS in San Diego
Case 1: US vs Gorshkov (Cont.)
- What did the FBI do?
  - Identify the commonalities and differences between the cases
  - Collect evidence and information from CTS
  - Confirm that the incident originated from tech.net.ru, which is in Chelyabinsk, Russia
  - Identify Alexey Ivanov (aka subbsta)
Case 1: US vs Gorshkov (Cont.)
- Then what did the FBI do next?
  - Call Ivanov about a security job opportunity
  - Set up an undercover operation
  - Set up a honeypot
- Using the collected user names and passwords, the FBI logged in to the suspects' machine (tech.net.ru) and dumped out 4 CD-ROMs of data.
- Afterwards, experts were hired to perform analysis:
  - Identification of the OS
  - Reconstruction of the system directory overview
  - Determination of system control
  - Analysis of hacking utilities
  - Analysis of Perl script functions
  - Reconstruction of the story of the tech.net.ru hacking
- Presentation of the case in court
Case 2: HKSAR vs CHAN NAI MING
- The Officer-in-Charge (OC) received information from the intelligence team. The complaint was initiated by a copyright owner: new torrents of new movies had been found in a HK newsgroup.
- 10 Jan 2005:
  - A customs officer browsed a HK movie newsgroup and saw a reference to "Big Crook" having uploaded a file to the BitTorrent newsgroup, which related to a film called "Daredevil".
  - There were images of inlay cards from the film, which had a picture of a statuette superimposed onto them, and a .torrent file.
  - The .torrent file was downloaded and activated by the officer and showed the seeder's IP address, where the source seed was located.
  - The officer downloaded the film, as did two of the other downloaders, before the connection was broken.
- 11 Jan 2005:
  - The same procedure was followed with two other films, "Red Planet" and "Miss Congeniality".
- 10 – 11 Jan 2005:
  - Communicated with the ISP and the forum for the IP address and the account owner of the IP address.
- 12 Jan 2005, 7:00am:
  - Laid an ambush outside the defendant's home.
Case 2: HKSAR vs CHAN NAI MING (Cont.)
- The defendant is before this court facing three charges:
  - Section 118(1)(f) of the Copyright Ordinance, Cap 528: attempting to distribute an infringing copy of a copyright work, other than for the purpose of or in the course of any trade or business, to such an extent as to affect prejudicially the rights of the copyright owner;
  - Three alternative charges of obtaining access to a computer with dishonest intent, contrary to section 161(1)(c) of the Crimes Ordinance, Cap 200.
Questions from the two cases
- Did the investigators follow any digital forensics framework?
- Is information collected over the network from the suspect's location considered to be sufficient evidence?
- What evidence should be collected in order to put forward the case?
- When should legal aspects be incorporated?
- If you encountered a similar case, what should you do?
- What procedures should we advise a beginner investigator to follow?
Digital Forensics Models

Comparison of various forensics models
- Models compared: Casey's Model, DOJ Model, DFRWS Model, Lee's Model, Reith, Carr and Gunsch's Model (2002), Séamus Ó Ciardhuáin's Model (2004), Beebe & Clark's Model (Aug 2004)
- Criteria compared: Legal aspects, Different OS platforms, New IT technology
- (The comparison marks of the slide's table are not reproduced in this transcript.)
Forensics Models
- A number of forensics investigation procedures have been established
  - Each organization developed its own procedures
  - Due to changes in technology, different procedures have been derived
- Most of them concentrate on forensics investigation procedures
Pollitt's Zachman Forensics Model
- As Pollitt mentioned, forensics models concentrate on forensics procedures
- Mark Pollitt explained the Zachman model for forensics.
- But Pollitt also mentioned that Zachman is not good as a forensics model.
Revisit Zachman Forensics Model
- But for different roles, different framework titles could be selected
- In fact, there are other ways to select entities in the Zachman Framework
From Zachman, SABSA to FORZA

Issues of current forensics models
- Those procedures are a bit different from each other because each focuses on a different part of the procedure.
- Business owner, system owner, technical staff and legal staff involvement has not been included.
- Also there is no unified forensics investigation framework
- According to security documentation standards such as ISO 13569 and ITIL, security documentation should be better organized into:
  - Framework
  - Standard
  - Policy
  - Technical Procedures
Zachman Model
- The Zachman model outlines the requirements for developing an Enterprise Architecture model.
- Requirements are listed as:
  - What
  - Why
  - How
  - When
  - Where
  - Who
- Roles can be selected based on the user
Zachman Model (Cont.)
- Explanation of Zachman model roles and requirements:
  - The Planner View (Scope/Contextual Model)
  - The Owner View (Business/Conceptual Model)
  - The Designer View (System/Logical Model)
  - The Builder View (Technology/Physical Model)
  - The Subcontractor View (Detailed Representations/out-of-context)
Zachman Framework

SABSA Model
- Systems and Business Security Architecture (SABSA)
- The framework has evolved since 1995 as a holistic, business-driven approach for delivering cohesive security solutions to business and government.
- SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives.
- SABSA is a Zachman-based security model
- The SABSA Matrix also uses the same six questions that are used in the Zachman Framework and which were so eloquently articulated by Rudyard Kipling in his poem 'I Keep Six Honest Serving Men': What, Why and When, How, Where and Who?
SABSA Model (Cont.)
- Explanation of SABSA model roles and requirements:
  - The Business View (Contextual Security Architecture)
  - The Architect's View (Conceptual Security Architecture)
  - The Designer's View (Logical Security Architecture)
  - The Builder's View (Physical Security Architecture)
  - The Tradesman's View (Component Security Architecture)
  - The Facilities Manager's View (Operational Security Architecture)
SABSA Matrix

FORZA Framework

Attributes in Digital Forensics
- IT Security: Confidentiality, Integrity, Availability
- Digital Forensics: Reconnaissance, Reliability, Relevancy
FORensics-ZAchman Model
- The FORZA framework is derived from Zachman
- It is an extended model that covers various forensics models using the Zachman model.
- It focuses more on the static attributes of the forensics aspects
FORZA Framework
- Roles in Digital Forensics:
  - Investigator in Chief/Officer in Charge (Contextual Investigation Layer)
  - System Owner (Contextual Layer)
  - Legal Advisor (Compliance Advisory Layer)
  - Security/System Architect/Auditor (Conceptual Security Layer)
  - IT Forensics Specialists (Technical Preparation Layer)
  - Forensics Investigators/System Administrator/Operator (Collection Layer)
  - Forensics Investigators/Forensics Analysts (Analysis Layer)
  - Legal Prosecutor (Presentation Layer)
FORZA Framework (matrix)
Columns: When (Time), Who (People), Where (Network), How (Function), What (Data), Why (Motivation). One row per role:

Chief Investigator/Officer in Charge (Contextual Investigation Layer)
- When: Investigation Timeline
- Who: Initial Participants
- Where: Investigation Geography
- How: Requested Initial Investigation
- What: Event Nature
- Why: Investigation Objectives

System Owner (if any) (Contextual Layer)
- When: Business & Incident Timeline
- Who: Organization & Participants Relationship
- Where: Business Geography
- How: Business & System Process Model
- What: Business & Event Nature
- Why: Business Objectives

Legal Advisor (Compliance Advisory Layer)
- When: Legal Timeframe
- Who: Legal Entities & Participants
- Where: Legal Geography
- How: Legal Procedures for Further Investigation
- What: Legal Background and Preliminary Issues
- Why: Legal Objectives

Security/System Architect/Auditor (Conceptual Security Layer)
- When: Security Timing and Sequencing
- Who: Users and Security Entity Model
- Where: Security Domain and Network Infrastructure
- How: Security Mechanisms
- What: System Information and Security Control Model
- Why: System/Security Control Objectives

IT Forensics Specialists (Technical Preparation Layer)
- When: Hypothetical Forensics Event Timeline
- Who: Forensics Entity Model
- Where: Forensics Data Geography
- How: Forensics Strategy Design
- What: Forensics Data Model
- Why: Forensics Investigation Strategy Objectives

Forensics Investigators/System Administrator/Operator (Collection Layer)
- When: Forensics Acquisition Timeline
- Who: Participants Interviewing and Hearing
- Where: Site Network Forensics Data Acquisition
- How: Forensics Acquisition/Seizure Procedures
- What: On-site Forensics Data Observation
- Why: Forensics Acquisition Objectives

Forensics Investigators/Forensics Analysts (Analysis Layer)
- When: Event Timeline Reconstruction
- Who: Entity and Evidence Relationship Analysis
- Where: Network Address Extraction and Analysis
- How: Forensics Analysis Procedures
- What: Event Data Reconstruction
- Why: Forensics Examination Objectives

Legal Prosecutor (Presentation Layer)
- When: Timeline of the Entire Event for Presentation
- Who: Entities in Litigation Procedures
- Where: Legal Jurisdiction Location
- How: Legal Presentation Procedures
- What: Legal Presentation Attributes
- Why: Legal Presentation Objectives
How to integrate the current models
- Incorporate various forensics investigation procedures
- Focus on forensics investigation aspects, more towards the forensics investigation process
- Basic concept derived from the core aspects of forensics investigation:
  - Collection of digital evidence related to the case and suitable for legal consideration
  - Preservation of digital evidence
  - Reconstruction of the timeline and preservation of the chain of custody
Investigator in Chief/Officer in Charge (Contextual Investigation Layer)
- When (Time): Investigation Timeline
  - When was the event reported?
  - Any other similar event reported?
  - When to call for action?
- Who (People): Initial Participants
  - Who reported the case?
  - Who is/are the suspects and victims?
  - Who is the owner of the system?
  - Who should be in the operation team for this case?
  - What other resources are required?
- Where (Network): Investigation Geography
  - The geographical location of the reported event?
- How (Function): Requested Initial Investigation
  - What needs to be performed in this investigation?
  - What preliminary investigation should be performed and what information should be collected?
- What (Data): Event Nature
  - What is the nature of the reported event?
  - IT system as (Donn Parker's proposed categories):
    - Object of crime
    - Subject of crime
    - Tool for conducting or planning a crime
    - Symbol of computer used to intimidate or deceive
  - IT system as major source/minor source of evidence?
  - What functions have been disrupted?
- Why (Motivation): Investigation Objectives
  - What is the purpose of this investigation?
  - What is the potential incident?
  - What are the needs of the requester?
System Owner (if any) (Contextual Layer)
- When (Time): Business & Incident Timeline
  - When did the system start operating?
  - When was the event first reported?
- Who (People): Organization & Participants Relationship
  - Who are the responsible people (system admin, support, owner)?
  - Any IT Security Architect/Solution Architect or Internal IT Auditor in the organization?
  - Any organization chart?
  - What is the relationship between the organization and the reporting person and suspected participants?
- Where (Network): Business Geography
  - The location/office of the source of the identified issues
  - Any other location of office, server room?
- How (Function): Business & System Process Model
  - What is the business process that requires the affected system?
  - What is the role of the affected information system in the business process?
  - What function has been affected?
  - What is the relationship between the information system and the reported event?
- What (Data): Business & Event Nature
  - What is the business of the company?
  - What is the purpose of the data/asset?
  - What are the affected data and systems?
  - What data and systems should be protected?
  - How did the events (security incidents) happen?
- Why (Motivation): Business Objectives
  - What is the nature of the business?
  - What is the purpose of the system?
Legal Advisor/Compliance Manager/Disciplinary Board (Compliance Advisory Layer)
- When (Time): Legal Timeframe
  - When was the offence first discovered / when did the matter of the information arise?
  - When did the cause of action accrue?
  - What is the time limit of the case?
  - Is that within the time bar limit?
  - What is the time span of the case?
  - What are the crucial dates for interlocutory proceedings?
- Who (People): Legal Entities & Participants
  - Who are the claimant/respondent?
  - Who are the Legal Counsel, Prosecutor, Legal Staff?
  - Who are likely to be the witnesses for the claimant and respondent?
  - Who are likely to be experts and what are their credentials?
- Where (Network): Legal Geography
  - Is that within the jurisdiction of the country?
  - What are the laws governing the case?
  - Does the local court have jurisdiction?
- How (Function): Legal Procedures for Further Investigation
  - What sections of the ordinance should be referred to?
  - What are the key elements in the ordinance?
  - Is there any injunction required?
  - Is any warrant or search warrant required?
  - Request preservation of evidence by the client or by a third party
  - Formulate the required facts into search criteria.
  - How can the evidence be admissible at trial?
- What (Data): Legal Background and Preliminary Issues
  - What are the relevant laws/ordinances?
  - What is the required and related information?
  - What data is required to be collected?
  - What are the issues of law and issues of fact?
  - Identify the facts and determine any gaps in the facts
  - Identify which facts are probably agreed
  - Identify which facts are probably in dispute
  - Identify which facts you need evidence for
  - Identify which facts you have evidence of
  - Identify what is the case against the claimant/respondent
- Why (Motivation): Legal Objectives
  - What is the purpose of the dispute?
  - What is the law of the dispute?
  - Is the case a criminal or civil case?
  - Determine whether the client/third party should be asked to preserve digital evidence
  - Suggest whether the client should report to law enforcement agencies or institute a private prosecution
Security/System Architect/Auditor (Conceptual Security Layer)
- When (Time): Security Timing and Sequencing
  - When was the security protection implemented?
  - Any time dependency of the security protection mechanism?
  - Is time synchronization implemented in the infrastructure?
  - Any time pattern of the identified incident?
- Who (People): Users and Security Entity Model
  - What are the entities and their inter-relationship models?
  - What are the roles and privileges of the entities?
  - User identity, privileges and ACLs of users
  - Any people violating the rules or introducing the events to the system?
- Where (Network): Security Domain and Network Infrastructure
  - Is there any security domain and protection zone?
  - Is the network infrastructure defined? (Network diagram, firewall, IDS, and other security solutions)
  - Where is the location within the infrastructure?
- How (Function): Security Mechanisms
  - How and what kind of security functions/policy are being implemented?
  - Which security functions detected the events? (e.g. profile detection, anomaly detection, complaints, system monitoring or audit analysis?)
- What (Data): System Information and Security Control Model
  - What is the security control and system information model?
  - What data/system has been involved?
  - What data classification scheme and risk assessment scheme are implemented?
  - What protection scheme has been implemented?
  - What operating systems are used?
  - Is data encryption implemented?
  - What kind of data was lost?
  - What event logging mechanism has been enabled?
- Why (Motivation): System/Security Control Objectives
  - What kind of security controls have been implemented to protect the information system/data?
  - What is the security design model, risk management model?
  - What is the missing security control that would lead to the issues?
IT Forensics Specialists (Technical Preparation Layer)
- When (Time): Hypothetical Forensics Event Timeline
  - When did the event happen?
  - When did the event start?
  - When was the event completed?
  - Define the sequence of the collection activities
- Who (People): Forensics Entity Model
  - Who are the involved people?
  - Who should be interviewed?
  - Is a 3rd-party expert or vendor required to help in conducting the data collection or analysis?
- Where (Network): Forensics Data Geography
  - Where can the data be collected? (from ISP, media, volatile memory?)
  - Where are the suspected source and target IP addresses of the event?
  - Are the network service provider and DNS located in the same location?
  - Any suspected proxy server?
- How (Function): Forensics Strategy Design
  - What extraction procedures should be used for extracting the information?
  - How to capture live/production information before turning off the machine?
  - How to capture data from the machine?
  - Any specific investigation procedures that need to be performed on the device?
  - Reconstruct the hypothesis
  - What tools could be used for extracting data from the media?
  - Should ISP administrators be contacted to preserve logs for collection?
  - Would a warrant be required to ask the ISP to expose the IP address?
- What (Data): Forensics Data Model
  - What is the hypothesis of the issue?
  - What is the data that needs to be collected?
  - What is the possible hidden data? Any hidden information that needs to be collected?
  - What files (such as data files, log files) need to be collected?
  - Any other events that need to be collected?
  - What media needs to be captured?
  - Is the data or media a commonly used and previously captured type?
  - What is the approved hardware/software that can be supported?
- Why (Motivation): Forensics Investigation Strategy Objectives
  - With the specific requirement, what information should be collected?
  - What mechanisms and procedures should be adopted in this investigation process?
Forensics Investigators/System Administrator/Operator (Collection Layer)
- When (Time): Forensics Acquisition Timeline
  - What is the chain of custody?
  - What is the timeline created?
- Who (People): Participants Interviewing and Hearing
  - Who should be interviewed?
  - Rebuild the storyboard and events based on interviews
- Where (Network): Site Network Forensics Data Acquisition
  - Are any other systems within the network affected?
  - Any other network devices affected?
  - What is the actual network infrastructure?
  - Any network device forensics data to be collected?
  - Is sniffing permitted to be implemented?
  - Where is the backdoor connected (if any)?
- How (Function): Forensics Acquisition/Seizure Procedures
  - Preparation
    - Sterilize the storage media
    - Copy the image using a forensically sound system (i.e. using commercial or open-source imaging technologies). Determine whether cloning of deleted information is required.
    - Perform on-site live data forensics investigation (live data if necessary)
    - Perform network monitoring (if necessary)
    - Are forensics best practices followed?
  - Documentation
    - Document the scene
    - Photograph the scene
    - Document the time/date stamp
    - Document the investigation procedures
    - Create the inventory list
  - Preservation and Duplication
    - Generate the digital image
    - Store the captured information
    - Perform the cryptographic checksum for integrity preservation
  - Transportation
    - Protect the evidence during transportation
- What (Data): On-site Forensics Data Observation
  - What data reduction techniques are being implemented?
  - Any specific volatile information that needs to be collected?
  - Is the data to be captured live data?
  - Is the event still ongoing?
  - Is data being deleted?
  - Any trojan or backdoor identified?
- Why (Motivation): Forensics Acquisition Objectives
  - How should the forensics investigation be performed?
  - With what procedures and mechanisms should the investigation be processed?
  - What tools should be used in the investigation?
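The Preservation and Transportation steps above (image, cryptographic checksum, chain of custody) as an added worked example; this is editor-written code, not from the slides or from eWalker, and the case id, actor names and sample "drive" bytes are constructed for the demo.

```python
"""Added example, not from the slides: image an evidence source, compute the
cryptographic checksum and keep a timestamped chain-of-custody log, covering
the Preparation, Documentation, Preservation and Transportation steps above."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads, so a multi-GB image never sits in memory


def sha256_file(path):
    """Hash a file chunk by chunk: the 'cryptographic checksum' of the slide."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy the source byte for byte, hashing it as it is read, then re-hash the
    written image independently; both digests must agree or the copy is rejected."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    image_digest = sha256_file(image_path)
    if h.hexdigest() != image_digest:
        raise RuntimeError("image does not match source; acquisition failed")
    return image_digest


class ChainOfCustody:
    """Append-only log of who did what to which item, when (UTC), and its digest
    at that moment. Each entry hashes the previous entry, so edits break verify()."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, actor, action, item, digest):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "item": item,
            "sha256": digest,
            "prev_entry_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-derive each entry hash and link; False if any link is broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_entry_hash"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_image(image_path, expected_digest):
    """Run after transport and before analysis: does the image still match?"""
    return sha256_file(image_path) == expected_digest


def demo():
    """Acquire a constructed drive, log custody, then flip one byte of the image
    (damage or tampering in transit) and show the checksum catches it."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_drive.bin")  # constructed evidence
    image = os.path.join(work, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 1024)  # 256 KiB of known bytes
    log = ChainOfCustody("CASE-PLACEHOLDER-001")  # placeholder case id
    digest = acquire_image(source, image)
    log.record("investigator A", "acquired image on site", image, digest)
    log.record("analyst B", "received; checksum re-verified", image, sha256_file(image))
    ok_before = verify_image(image, digest)
    with open(image, "r+b") as f:
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0xFF]))  # simulate one corrupted byte
    ok_after = verify_image(image, digest)
    return ok_before, ok_after, log.verify()
```

`demo()` returns `(True, False, True)`: the image verified on receipt, fails after the byte flip, and the custody log itself is still intact.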
Forensics Investigators/Forensics Analysts (Analysis Layer)
- When (Time): Event Timeline Reconstruction
  - Compare the hypothesis with the collected digital evidence timeline
  - Reconstruct the timeline
  - Determine the time the suspect first appeared and the start time of the event
- Who (People): Entity and Evidence Relationship Analysis
  - Any user accounts identified?
  - Any user-specific information identified?
  - Any phone number identified?
  - Any email address?
  - Who is the person related?
  - User accounts and user entity relationship
- Where (Network): Network Address Extraction and Analysis
  - Any identified IP address collected?
  - Reconstruct the network path of the events
- How (Function): Forensics Analysis Procedures
  - Extract and examine the cloned image
  - Analyze the case based on the hypothesis
  - Review the Internet activity history and log files
  - Review data and compile an analysis report
  - Prepare expert testimony
  - Outline the search space
  - Search for keywords or search for specific files/image/video/audio files
  - Correlate the identified activities between device logs
  - Perform reverse engineering of the identified code
  - Perform any pattern matching
- What (Data): Event Data Reconstruction
  - What data and information are to be extracted for analysis?
  - Any damaged digital evidence?
  - Any encrypted data relevant to the investigation?
  - What data needs to be searched?
  - Extract user account information
  - What is the statistical information?
  - What is the protocol information?
- Why (Motivation): Forensics Examination Objectives
  - Based on the collected information, what is the critical information that should be identified to prove the case?
  - What needs to be searched and extracted from the collected information?
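The timeline reconstruction, entity relationship and network address cells above, as an added worked example over constructed log lines (editor-written, not from the slides or from eWalker; the host names, log formats, accounts and addresses are all invented, and the two devices deliberately log in different time zones).

```python
"""Added example, not from the slides: reconstruct a cross-device timeline from
constructed log lines, covering the Event Timeline Reconstruction, Entity and
Evidence Relationship and Network Address Extraction cells above. Hosts, log
formats, accounts and addresses are all invented for the demo."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a firewall logging in local time (UTC+8) and a web server
# logging in UTC. Unnormalised clocks like these are why the Security Timing cell
# asks whether time synchronisation is implemented in the infrastructure.
FIREWALL_LOG = """\
2005-01-10 09:58:12 +0800 fw01 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=22
2005-01-10 10:01:03 +0800 fw01 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2005-01-10 10:03:40 +0800 fw01 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=80
"""
WEB_LOG = """\
203.0.113.45 - admin [10/Jan/2005:02:04:01 +0000] "GET /orders/export HTTP/1.1" 200 8812
198.51.100.7 - - [10/Jan/2005:02:01:10 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.45 - - [10/Jan/2005:01:59:30 +0000] "POST /login HTTP/1.1" 401 212
"""
FW_RE = re.compile(r"^(\S+ \S+) ([+-]\d{4}) (\S+) (\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')


def parse_offset(text):
    """'+0800' -> timezone(timedelta(hours=8))."""
    sign = 1 if text[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(text[1:3]), minutes=int(text[3:5])))


def parse_firewall(text):
    """Firewall lines -> events with timestamps normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # lines that do not parse are left out, never guessed at
        stamp, off, host, action, src, dst, dport = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=parse_offset(off))
        events.append({"time": ts.astimezone(timezone.utc), "source": host, "ip": src,
                       "user": None, "detail": f"{action} {src}->{dst}:{dport}"})
    return events


def parse_web(text):
    """Apache combined-style lines -> events; '-' means no authenticated user."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, user, stamp, request, status, _size = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        events.append({"time": ts.astimezone(timezone.utc), "source": "web01", "ip": ip,
                       "user": None if user == "-" else user, "detail": f"{request} {status}"})
    return events


def build_timeline(*event_lists):
    """Merge every device's events into one UTC-ordered timeline."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


def first_seen(timeline, ip):
    """When did this address first appear, and on which device? None if never."""
    for e in timeline:
        if e["ip"] == ip:
            return e["time"], e["source"]
    return None


def network_addresses(timeline):
    """Each address seen, with the devices that saw it, for path reconstruction."""
    seen = {}
    for e in timeline:
        seen.setdefault(e["ip"], set()).add(e["source"])
    return seen


def entity_relationships(timeline):
    """Map each user account to the addresses it was used from."""
    rel = {}
    for e in timeline:
        if e["user"]:
            rel.setdefault(e["user"], set()).add(e["ip"])
    return rel


def consistent_with_hypothesis(timeline, ip, hypothesised_start_iso):
    """Compare the hypothesis with the evidence: the suspect address must not
    show up before the start time the investigation assumed. A False result
    means the hypothesis, not the evidence, has to be revised."""
    seen = first_seen(timeline, ip)
    return seen is not None and seen[0] >= datetime.fromisoformat(hypothesised_start_iso)


if __name__ == "__main__":
    tl = build_timeline(parse_firewall(FIREWALL_LOG), parse_web(WEB_LOG))
    print(first_seen(tl, "203.0.113.45"), network_addresses(tl), entity_relationships(tl))
```

Sorting on the raw local timestamps would have placed every web-server entry before the firewall's, which is why each parser converts to UTC before the merge.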
Legal Prosecutor/Compliance Manager/Disciplinary Board (Presentation Layer)
- When (Time): Timeline of the Entire Event for Presentation
  - Is the entire storyboard re-created?
  - When should the case be presented?
  - Any timeline missing in the evidence?
- Who (People): Entities in Litigation Procedures
  - Which witnesses should be called?
  - Any expert witnesses that should be called?
  - Which judge, counsel, arbitrator are involved?
- Where (Network): Legal Jurisdiction Location
  - Where should be the place of litigation?
  - Where should be the place of enforcement?
  - Where should be the place of hearing?
- How (Function): Legal Presentation Procedures
  - What litigation scheme should be used? (International arbitration, local litigation?)
  - What tactic should be used in the litigation procedure?
  - Determine the civil and criminal interlocutory remedies needed
- What (Data): Legal Presentation Attributes
  - What charge should be issued?
  - What information should be included/excluded?
  - What evidence should be presented?
  - How strong is the evidence?
- Why (Motivation): Legal Presentation Objectives
  - Should the case proceed or close?
  - Is sufficient evidence collected?
  - Which litigation mechanism should be used?
  - Determine the chances of success
  - Determine if it is worth proceeding in this matter
Features of the FORZA model
- Divides the digital forensics investigation aspects into different roles
- Incorporates various digital forensics investigation procedures together
- Formulates the information needed to be collected under 6 easy-to-remember categories
Flow in FORZA
- Case Leader (Contextual Investigation Layer)
- System Owner (if any) (Contextual Layer)
- Legal Advisor (Legal Advisory Layer)
- Security/System Architect/Auditor (Conceptual Security Layer)
- Digital Forensics Specialists (Technical Preparation Layer)
- Forensics Investigators/System Administrator/Operator (Data Acquisition Layer)
- Forensics Investigators/Forensics Analysts (Data Analysis Layer)
- Legal Prosecutor (Legal Presentation Layer)
Benefits of the framework
- Covers various aspects of digital forensics
- Includes IT, investigator and legal aspects in the digital forensics investigation
- Provides a framework with a scope of investigation
- Unifies various procedures and produces a framework that enables a systematic approach to digital forensics investigation.
- Enables less experienced users to carry out investigations
- Assists digital forensics procedures to be developed for new cases
Weaknesses of the framework
- The spectrum of the model is wide
- Difficult to adopt if a digital forensics cookbook has already been developed
- Too new to be adopted. More comments and feedback from different law enforcement teams are required to enhance this dynamic framework
- No specific technology-dependent methodology and solution is included
- No ready-to-use digital forensics cookbook is available
Revisit of the BT case

The flow of the BT case in FORZA
- Officer in Charge (Contextual Investigation Layer)
- Copyright Owner (if any) (Contextual Layer)
- DOJ (Legal Advisory Layer)
- Internet Service Provider (Conceptual Security Layer)
- DFL (Technical Preparation Layer)
- CART member (Data Acquisition Layer)
- DFL (Data Analysis Layer)
- DOJ Prosecutor (Legal Presentation Layer)
Case 2: BT case
- The Officer-in-Charge (OC) received information from the intelligence team. The complaint was initiated by a copyright owner: new torrents of new movies had been found in a HK newsgroup.
- The OC discussed with the copyright owner the nature of their complaint and what the copyright owner wished to be done.
- Then the OC discussed with IT staff and searched for some background about BitTorrent.
- The OC then discussed with prosecutors which law would be applicable for this new case and what necessary information should be collected as evidence. (In HK, only the uploader/illegal publisher would be charged with a criminal offense.)
- The OC then discussed with forensics specialists the methods to collect that evidence and the constraints of the methods used for collecting information.
- The OC then planned and coordinated resources for conducting the actions.
Case 2: BT case (Cont.)
- The OC set up a monitoring team for monitoring new torrent uploads in newsgroups
- The OC found that a frequent uploader of movies had posted a new torrent of a film he prepared into one of the newsgroups the OC monitored
- The OC then initiated the action by:
  - Immediately collecting the IP address owner information from the newsgroup forum and ISP
  - Immediately starting to download the movie
  - Immediately sending the troop to the location of the uploader's home
- During the uploading time, the troop entered the uploader's home and found the computer used for uploading the movie together with the VCD related to this case.
Next steps in the model
- Develop a dynamic FORZA flow model for forensics investigation tools
- Apply the FORZA framework in forensics investigation tools

Questions?

Backup Slides
DFRWS' Framework

From Incident Response
- In the book Incident Response, an "incident response methodology" is given with the following phases:
  - Pre-incident Preparation: Prepare for an incident with proper training and infrastructure.
  - Detection of the Incident: Identify a suspected incident.
  - Initial Response: Verify that the incident has occurred and collect volatile evidence.
  - Response Strategy Formulation: Determine a response based on the known facts.
  - Duplication: Create a backup of the system.
  - Investigation: Investigate the system to identify who, what, and how.
  - Secure Measure Implementation: Isolate and contain the suspect system before it is rebuilt.
  - Network Monitoring: Observe the network to monitor attacks and identify additional attacks.
  - Recovery: Restore the system to its original state with additional security measures added.
  - Reporting: Document the response steps and remedies taken.
  - Follow-up: Review the response and adjust accordingly.
DOJ's Electronic Crime Scene Investigation Guide
- The U.S. Department of Justice (DOJ) published a process model in the Electronic Crime Scene Investigation Guide:
  - Preparation: Prepare equipment and tools to perform needed tasks during an investigation.
  - Collection: Search for and collect electronic evidence.
    - Secure and Evaluate the Scene: Secure the scene to ensure the safety of people and the integrity of evidence. Potential evidence should be identified in this phase.
    - Document the Scene: Document the physical attributes of the scene including photos of the computer.
    - Evidence Collection: Collect the physical system or make a copy of the data on the system.
  - Examination: A technical review of the system for evidence.
  - Analysis: The investigation team reviews the examination results for their value in the case.
  - Reporting: Examination notes are created after each case.
Séamus' "An Extended Model of Cybercrime Investigations"
- Based on Séamus Ó Ciardhuáin, "An Extended Model of Cybercrime Investigations", International Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1:
  - Lee's Model
  - Casey's Model
  - DFRWS Model
  - Reith, Carr and Gunsch Model
- Séamus also proposed an extended model
Séamus' "An Extended Model of Cybercrime Investigations" (Cont.)

Nicole Lang Beebe and Jan Guynes Clark's Model
- Nicole Lang Beebe and Jan Guynes Clark, "A Hierarchical, Objectives-Based Framework for the Digital Investigations Process", Digital Forensics Research Workshop (DFRWS), Baltimore, Maryland, August 2004