
Computer Misuse in the Workplace You only get one chance..... David Horn



Presentation Transcript


  1. You only get one chance... Computer Misuse in the Workplace You only get one chance..... David Horn

  2. Or do you.......? chance n. The unknown and unpredictable element in happenings that seems to have no assignable cause. opportunity n., pl. -ties. A favourable or advantageous circumstance or combination of circumstances. Test

  3. You only get one opportunity! Opportunity A brief guide to: What, when, why and how.

  4. Digital forensics – first steps Digital Forensics
     • The process of deriving evidence from digital media
     • Requires that the data is shown to be reliably obtained
     • Is not changed in any way
     • Is complete
     • Can be repeated
     • And very importantly, that it can be understood.

  5. Evidence Types SOURCES OF COMPUTER EVIDENCE
     • Personal Computers
     • Server Computers
     • Removable media
     • Automatically-produced log files

  6. Never forget............. BASIC PRINCIPLES OF COMPUTER FORENSICS
     The forensic examination of the contents of a computer is a skilled job and special procedures, techniques and tools are required to ensure that any information that is retrieved can be presented as evidence in a Court of Law.
     Evidential Integrity: Requires that the material being examined is not changed in any way. What is examined must be an exact copy of the original.
     Continuity of Evidence: Refers to the means used to vouch for the actions that have taken place regarding the item under examination. This covers the seizure, handling and storage of equipment and copies of the data.

  7. First steps Incident Response Teams

  8. Management
     • Key roles and responsibilities
     • What technical skills are required
     • What training is required

  9. Roles & Responsibilities Key roles and responsibilities
     • Officer In Charge
     • Forensic Investigators and Auditors
     • Independence
     • Working within the law and your policies

  10. Training What training will be needed?
     • Product Training
     • Incident Response Techniques
     • Health and Safety
     • Computer Misuse Act and relevant law
     • Internal Policies
     • ...more…more…more…

  11. ACPO Guidelines Current Practice

  12. ACPO Guidelines THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)
     Principle 1: No action taken should change data held on a computer or other media which may subsequently be relied upon in Court.
     Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.

  13. ACPO Guidelines THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)
     Principle 3: An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and obtain the same result.
     Principle 4: The Officer in Charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

  14. Secure the evidence Search and Seizure

  15. Incident response
     • Pre-seizure planning
     • What you will need
     • Who should be on your response team
     • Step by step computer incident response procedure

  16. Pre-search preparation PRE-SEARCH PREPARATION
     • The forensic unit – i.e. the imaging / investigation hardware and software
     • An adequate toolkit – screwdrivers, pliers
     • Plenty of stationery
     • Digital camera
     • Disk boxes
     • Mobile telephone
     • Blank floppy disks / CDs
     • A torch
     • Data cables of every variety
     • Network card
     • Power extensions

  17. Evidence process EVIDENCE PROCESS
     • Identify – What sources are available?
     • Seize – ‘Bag and Tag’ Best Evidence
     • Transport – Safely and responsibly take the best evidence to a secure location
     • Receive – Accept responsibility for the evidence
     • Store – Ensure securely held, free from risk of contamination

  18. Evidence process EVIDENCE PROCESS
     • Preserve – Take a reliable copy of the evidence
     • Reserve – Put the original Best Evidence source in a secure place
     • Analyse – Investigate the evidence on the preserved copy
     • Produce – Identify the exhibits that establish facts
     • Testify – Create a statement and go to court
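As an added illustration that is not part of the slides, the Preserve step above, together with the Evidential Integrity and audit-trail requirements from slides 6 and 13, in Python: read the original once, image it, hash both, refuse a copy that does not match, record the action in an append-only log, and let an independent examiner re-run the hash against that log. File names, the JSON-lines log format and the examiner name are assumptions; the "evidence" bytes are a constructed sample.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

# Constructed sample "evidence": a small file standing in for a seized disk.
SAMPLE_EVIDENCE = b"constructed drive contents: user@example.test logged in 09:14\n"

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve(original, image, log_path, examiner):
    """Copy original -> image, hash both, append an audit-trail record (assumed format)."""
    src_hash = sha256_of(original)          # the original is only ever read
    shutil.copyfile(original, image)
    os.chmod(image, 0o444)                  # analysis happens on the read-only copy
    img_hash = sha256_of(image)
    record = {"timestamp": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "action": "image",
              "original": original, "image": image,
              "sha256_original": src_hash, "sha256_image": img_hash,
              "verified": src_hash == img_hash}
    with open(log_path, "a") as log:        # append-only, one JSON line per action
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:              # a copy that differs is not best evidence
        raise RuntimeError("image hash differs from original; stop and re-image")
    return record

def reverify(path, log_path):
    """What an independent third party does: rehash the file, compare to the log."""
    with open(log_path) as log:
        last = json.loads(log.readlines()[-1])
    return sha256_of(path) == last["sha256_image"]

def demo(work=None):
    """One preserve/re-verify cycle on the constructed sample in a scratch directory."""
    work = work or tempfile.mkdtemp()
    original, image = os.path.join(work, "seized.bin"), os.path.join(work, "seized.img")
    log_path = os.path.join(work, "audit.jsonl")
    with open(original, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    rec = preserve(original, image, log_path, "J. Examiner (constructed)")
    return rec["verified"], reverify(image, log_path), rec["sha256_image"], original, log_path
```

Because the hash is recomputed from the file rather than trusted from memory, the same check works for an image produced by any tool, and any later change to either file shows up as a mismatch against the logged value.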

  19. Server room challenges On Site

  20. On-site Seizure ON SITE Machines switched on and operating
     • Clearly transferring data
     • Receiving incriminating data
     • Receiving exonerating data
     • Receiving routine data
     • May be overwriting evidence on the disk
     • May be overwriting evidence in memory

  21. On-site Seizure MACHINES WHICH ARE SWITCHED ON
     • Secure the area and log your actions

  22. On-site Seizure MACHINES WHICH ARE SWITCHED OFF Be satisfied that the computer is actually switched off - not in hibernate mode - not running a blank screensaver.

  23. Forensic Tools ESSENTIAL KIT
     Integrated (imaging) Solution:
     • EnCase – now up to version 6.8
     • FTK – Access Data
     Third Party Plug-ins:
     • QuickView
     • ACDSee
     • WinRar
     • IrfanView
     • KaZAlyser
     • NetAnalysis
     • PDA Seizure
     • Email Examiner

  24. Points to consider Legal Issues

  25. Your policies & the law THE LAW AND COMPUTERS
     • Computer Misuse Act 1990
     • Data Protection Act 1998
     • Laws of Pornography
       • Obscene Publications Act 1959
       • Protection of Children Act 1978
       • Criminal Justice Act 1988
       • Sexual Offences Act 2003
     • Laws of ‘Harm’
       • Theft Act 1968 / 1978
       • Offences Against the Person Act 1861

  26. Summary Advice to Beginners There are some very powerful tools available. But with great power comes great responsibility, and as a potential forensics investigator, it is your responsibility to learn how to use the tools properly. Simple mistakes and good intentions can completely destroy digital evidence. It is strongly recommended that aspiring investigators learn about digital forensics, and practice on controlled systems before attempting to collect evidence from a real system.

  27. Questions Questions?

  28. Contact Details David Horn david.horn@sapphire.net 0845 58 27001 Offices in the North, Scotland & London.