
Digital Evidence Incident Response and Computer Forensics


tasanee


Presentation Transcript


  1. Digital Evidence: Incident Response and Computer Forensics The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one of us adds a little to our knowledge of nature, and from all the facts assembled arises a certain grandeur. Aristotle

  2. What do you see?

  3. Forensic • Adj. - “of, relating to, or used in courts of law or public debate or argument” • From the Latin term forensis (forum) • Computer Forensics - Exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun • “Forensic Analysis of Digital Evidence”

  4. Digital Evidence • “Information of probative value stored or transmitted in digital form” • Federal Crime Laboratory Directors - Scientific Working Group on Digital Evidence (SWGDE)

  5. Sources of Digital Evidence • Open Computer Systems • PCs, servers, etc. • Communication Systems • Telecommunications systems • Transient network (content) data • Non-transient (log) data • Embedded Computer Systems • PDAs, cell phones, iPods, etc.

  6. Problems with Digital Evidence • Digital data are trivial to falsify • Digital data are fundamentally arbitrary • Digital data are fundamentally abstract • Multiple Layers of Abstraction • Most analysis is performed on a digital copy • The form of digital data subjected to analysis is nearly always transformed in some way

  7. Problems with Digital Evidence • Storage capacity is growing rapidly - 500 byte email = needle in a 750 GB “haystack” • Low technical literacy of the public & judiciary means that explanations of analytic methods can be misunderstood and cause confusion • Reasonable doubt is easy to establish

  8. Reasonable Doubt - Examples • The Trojan Defense - Karl Schofield of Reading UK - Charged with possessing 14 depraved images • Defense Expert Witness – Pictures could possibly be downloaded by a self-deleting trojan • Prosecutor - "The Crown would not be able to say he is the only person who knew of these images on his computer."

  9. Reasonable Doubt - Examples • Aaron Caffrey - when his PC took part in a DDoS attack on the Port of Houston said a Trojan did it • Julian Green – Similar to Schofield case - 172 indecent pictures – 11 Trojan applications found on PC - "I had never been in trouble before. In cases like this it is not innocent until proved guilty, but the other way around."

  10. CSI/FBI Survey 2005 • 80% of Incidents are never reported • “The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity” • Trends show this percentage increasing

  11. Incident Response • The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference • 80% of organizations may not report incidents but they all must respond • Organizations need internal investigators to triage events using established practices

  12. Incident Types • Theft of Trade Secrets • Rights Infringement • Harassment • Intrusion Events • Tortious Interference • Malicious Code • Embezzlement • Child Pornography • Denial of Service • Extortion • Inappropriate Use • Evidence of other crimes

  13. Incident Response Lifecycle • Preparation • Detection and Analysis • Containment, Eradication and Recovery • Post Incident Activity

  14. Forensic Science • Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes • Relating to or dealing with the application of scientific knowledge to legal problems

  15. Digital Forensic Science • “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” - Digital Forensic Research Workshop (2001)

  16. Digital Forensic Science • Analysis of Computer Generated Evidence • Identification of Sources of Evidence • Preservation of Evidence • Analysis of Evidence • Presentation of Findings • Methodology must be secure, controlled, repeatable and auditable • More on methodology later

  17. Is it time for a break yet?

  18. Origins of Forensic Science • 700 AD Chinese Use Fingerprints for ID • 1248 AD First recorded application of medical knowledge to the solution of crime - Chinese Text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation

  19. Eugène François Vidocq • Outlaw son of a baker • In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811) • Introduced record keeping, ballistics, plaster casts for footprint analysis, etc. • Founded the first modern detective agency and credit bureau

  20. Bertillon • French Law Officer • Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims • Introduced use of crime scene photography and mug shots

  21. Edmond Locard • Student of Bertillon • Professor of forensic medicine at the University of Lyons • Established the first crime laboratory • Developed edgeoscopy and poroscopy • Standard 12 points to ID a fingerprint • Developed forensic microscopy • Locard's Exchange Principle

  22. Locard’s Exchange Principle • Whenever two objects come into contact, a transfer of material will occur

  23. Locard’s Exchange Principle • Provide examples of how this might apply to digital evidence in a computer intrusion event.

  24. Attributes affecting data fidelity • Lack of standards & methodology • Correctness of translation and transformation mechanisms • Dependence on subjective reasoning • Excessive reliance on Tools* • Sound methodology is critical

  25. Basic Methodology - APIEP • Acquisition • Preservation • Identification • Evaluation • Presentation

  26. Methodology - Saferstein • NJ Crime Lab Director (1971-1990) • Secure and Isolate the Scene • Record the Scene • Systematic Search for Evidence • Collect and Document Evidence • Maintain Chain of Custody

  27. Investigative Process Model - Casey • Incident Alert • Assessment of worth • Incident Protocol • Preservation • Recovery Harvesting • Reduction • Organization and Search • Analysis • Reporting • Persuasion and Testimony

  28. IR Methodology - Mandia & Prosise • Pre-Incident Preparation • Detection • Initial Response / Investigation • Formulate Response Strategy • Investigate the Incident • Data Collection • Data Analysis • Reporting • Resolution, Recovery, Security Measures

  29. Pre-Incident Preparation • Establish Incident Response Goals • Designate Incident Response Team • Create Incident Response Policy • Acquire Hardware / Software • Establish Reporting Guidelines • Implement User Awareness Training

  30. Incident Detection • Document Observation Clearly • Suspicious System Behavior • Netflow Statistics • IDS / Firewall Logs • System Logs • Routine Audits / Assessments • Information Leaks

  31. Initial Response • Document Everything Clearly • Interview Administrators / Witnesses • Review Logs / IDS Reports • Review Established Security Systems • Classify the Event • Denial of Service / Vandalism / Malicious Code • Unauthorized / Inappropriate Use • System Compromise / Multiple Component
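Slides 30 and 31 ask the responder to review system logs and to "document observation clearly". The following script is an added example, not material from the deck: it parses a handful of constructed sshd-style syslog lines (not real data; the year is assumed to be 2024 because syslog timestamps carry none), flags a source that fails authentication repeatedly inside a short window, notes whether a successful login from the same source followed, and formats the finding as a written observation record for the incident file. The function names and the thresholds are this example's own choices.

```python
"""Triage of constructed auth-log lines and a written observation record.
Added example for the detection / initial-response slides; the log text
below is constructed, the year (2024) is an assumption, and the function
names are this example's own."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 12 02:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 12 02:14:05 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 12 02:14:08 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 12 02:14:11 web01 sshd[2209]: Accepted password for root from 203.0.113.9 port 51026 ssh2
Mar 12 02:30:44 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 12 02:31:02 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for one sshd auth line, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps have no year or zone; both are assumptions recorded here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}


def triage(events, threshold=3, window_seconds=60):
    """Flag (host, source) pairs with >= threshold failures inside window_seconds.

    A success from the same source after the burst is recorded separately,
    because 'many failures then a success' is the observation worth escalating."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["host"], e["src"])].append(e)
    for (host, src), evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(failures)):
            j = i
            while j + 1 < len(failures) and \
                    (failures[j + 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = failures[j]["ts"]
                success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] >= last_fail), None)
                findings.append({
                    "host": host, "src": src, "failed": j - i + 1,
                    "first": failures[i]["ts"], "last": last_fail,
                    "users": sorted({e["user"] for e in failures[i:j + 1]}),
                    "success_after": success["user"] if success else None,
                })
                break  # one finding per source is enough for the initial report
    return findings


def triage_log(text, **kw):
    """Parse raw log text and return the findings list."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return triage(events, **kw)


def observation_record(finding, evidence_source, observer):
    """Plain-language record of what was seen, where, and by whom (slide 31)."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    lines = [
        f"Observation by {observer}",
        f"Evidence source: {evidence_source}",
        f"Host: {finding['host']}; remote address: {finding['src']}",
        f"Observed: {finding['failed']} failed logins between "
        f"{finding['first'].strftime(fmt)} and {finding['last'].strftime(fmt)}",
        f"Accounts attempted: {', '.join(finding['users'])}",
        "Subsequent successful login from same address: "
        + (f"yes, as '{finding['success_after']}'" if finding["success_after"] else "none seen"),
        "Assumptions: log year 2024; timestamps treated as UTC.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(observation_record(f, "web01 /var/log/auth.log (constructed sample)", "responder"))
```

The record deliberately states its own assumptions (year, time zone) because, as slide 7 notes, a reviewer without the analyst's context will otherwise misread the timeline.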

  32. Formulate Response Strategy • Has there been an event? (Is it a pipe?) • Does the law require a report? • What is the potential loss? • What is the cost of responding? • Critical systems, issues or data? • What is known of the perpetrator?

  33. Taking Action • Has the cause been established? • Does it merit criminal prosecution? • Is legal action likely to be successful? • Is documentation / evidence sufficient for an effective investigation? • Will going public hurt the organization? • What other business impacts might exist?

  34. Handling Internal Employees • Dismissal – Policy is critical • Remediation – Security Controls • Letter of Reprimand • Reassignment / Revoke Access • Lessons Learned Document

  35. Data Collection • Capture Network-Based Evidence • Live Versus Dead Response • Capture Transient Evidence - RAM • Acquire Image or Seize System • Amount of stored data can be huge • Maintain Chain of Custody
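Slide 6 notes that most analysis is performed on a digital copy, slide 16 requires a methodology that is repeatable and auditable, and slide 35 asks for an acquired image and a maintained chain of custody. The script below is an added example, not the deck's or any tool's code: it hashes a source file before and after copying so the working copy can be shown to match, and keeps a chain-of-custody log in which each entry carries the SHA-256 of the previous entry, so a later edit or deletion of an entry is detectable. The evidence file, its contents and the log path are constructed in a temporary directory; `CustodyLog`, `acquire_image` and `demo` are this example's own names.

```python
"""Evidence-copy verification and a tamper-evident chain-of-custody log.
Added example; the 'image' is a constructed file in a temp directory and
all names here are this example's own."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so images far larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines log. Each entry stores the SHA-256 of the
    previous entry, so editing or removing an earlier entry breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self, path):
        self.path = path

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def _digest(entry):
        # Canonical encoding so the digest does not depend on key order.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, action, item, custodian, **details):
        prior = self.entries()
        entry = {"seq": len(prior) + 1, "time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "item": item, "custodian": custodian,
                 "prev": self._digest(prior[-1]) if prior else self.GENESIS, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self):
        prev = self.GENESIS
        for i, e in enumerate(self.entries(), 1):
            if e.get("seq") != i or e.get("prev") != prev:
                return False
            prev = self._digest(e)
        return True


def acquire_image(source, dest, custodian, log):
    """Copy the evidence, hash both sides, and log the acquisition."""
    src_hash = sha256_file(source)
    shutil.copyfile(source, dest)
    copy_hash = sha256_file(dest)
    verified = src_hash == copy_hash
    log.append("acquire", os.path.basename(dest), custodian, source=source,
               sha256_source=src_hash, sha256_copy=copy_hash, verified=verified)
    return {"sha256": src_hash, "verified": verified}


def verify_copy(path, expected_sha256):
    return sha256_file(path) == expected_sha256


def demo():
    """Run the acquisition on a constructed file, then show that both a
    changed working copy and an edited log entry are detected."""
    work = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(work, "disk0.raw")          # constructed stand-in for an image
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 16 + b"constructed sample content\n")
    log = CustodyLog(os.path.join(work, "custody.jsonl"))
    copy = os.path.join(work, "disk0-working-copy.raw")
    rec = acquire_image(src, copy, "analyst-1", log)
    log.append("transfer", "disk0-working-copy.raw", "analyst-2", from_custodian="analyst-1")
    intact = verify_copy(copy, rec["sha256"]) and log.verify()

    with open(copy, "r+b") as f:                   # flip one byte of the working copy
        b = f.read(1)
        f.seek(0)
        f.write(bytes([b[0] ^ 0xFF]))
    copy_after_change = verify_copy(copy, rec["sha256"])

    entries = log.entries()                        # rewrite the first entry's custodian
    entries[0]["custodian"] = "someone-else"
    with open(log.path, "w") as f:
        for e in entries:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    return {"acquired_ok": rec["verified"], "intact": intact,
            "copy_after_change": copy_after_change, "log_after_edit": log.verify()}


if __name__ == "__main__":
    print(demo())
```

A real acquisition would also record the tool and its version, the write-blocker used and the drive serial, and the log itself should live on media the analyst cannot silently rewrite; the hash chain only makes tampering visible, it does not prevent it.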

  36. Analysis and Reporting • Forensic Analysis of Evidence • Reporting • Write Clearly and Plainly • Avoid acronyms and jargon • Resolution • Remediating Controls • Changes in process

  37. Incident Timeline

  38. Summary – Incident Response • Pre-Incident Preparation • Detection / Initial Report • Initial Response / Investigation • Formulate Response Strategy • Investigate the Incident • Data Collection • Data Analysis • Reporting • Resolution, Recovery, Security Measures
