
DEPARTMENT OF HOMELAND SECURITY OFFICE OF INSPECTOR GENERAL

DEPARTMENT OF HOMELAND SECURITY OFFICE OF INSPECTOR GENERAL. Digital Forensics: The Ever Evolving Science ASAC Mark Tasky, DHS OIG WFO. Goals and Objectives. Define Digital Forensics. Explore the forensic process and methodology. Talk about technical limitations/difficulties.

Presentation Transcript


  1. DEPARTMENT OF HOMELAND SECURITY OFFICE OF INSPECTOR GENERAL Digital Forensics: The Ever Evolving Science ASAC Mark Tasky, DHS OIG WFO
  2. Goals and Objectives
     - Define Digital Forensics.
     - Explore the forensic process and methodology.
     - Talk about technical limitations/difficulties.
     - Review legal issues and pitfalls.
     - Discuss the impact of our “digital life”.
  3. What is the definition of Computer or Digital Forensics?
     - Digital forensics is the application of proven scientific methods and techniques in order to recover data from electronic / digital media. Digital Forensic specialists work in the field as well as in the lab (Wikipedia).
     - Digital forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.
     - “The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (R. McKemmish, What is Forensic Computing?, 1999)
  4. Defining Digital Forensics: A supervisor… long, long ago told me: “That computer stuff is all a fad and won’t be around long.” Another said… “It’s a magic box!!”
  5. The Technical Reality? We’re chasing a bunch of 1s and 0s! 00011001110000 0001100111100110001011001011
  6. Process and Methodology How we do, what we do… It’s simple… REALLY!
  7. Process and Methodology First, memorize this:
  8. (image slide)
  9. Process and Methodology Then, this…
  10. Process and Methodology (image slide)
  11. Process and Methodology
      - The field of Digital Forensics is a science.
      - Evidence is preserved, identified, documented and presented similar to the “other” forensic sciences: DNA, Entomology (bugs), Serology (body fluids), etc.
      - Best conducted in a controlled environment.
      - The expansion of network/cloud storage is forcing the evolution of digital evidence collection (dead-box vs. live acquisition).
      - Mobile computing is everywhere now!
  12. Technical Difficulties The growth of technology… Moore’s Law: the observation that over the history of computing hardware, the number of transistors (computing power and storage) on integrated circuits doubles approximately every two years. The rapid expansion of mobile technology: iPhones, iPads, Android phones, tablets, high speed data connections (4G/LTE) and connected “everything”.
  13. Technical Difficulties The good ‘ole days… (from an old presentation circa 2003)
      1994: a 540 MB hard drive = 385 floppy disks
      1996: a 2 GB hard drive = 1,463 floppy disks
      1998: a 4 GB hard drive = 2,926 floppy disks
      2001: a 40 GB hard drive = 29,269 floppy disks
      2002: an 80 GB hard drive = 58,538 floppy disks
      2003: a 160 GB hard drive = 117,077 floppy disks
      A terabyte (TB) of hard drive space = 731,734 floppy disks.
  14. Technical Difficulties The NIST definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The growth of “cloud” computing/storage: iCloud, Box (50GB free), Carbonite, etc.
  15. Technical Difficulties The bad guys fight back… The RASKAT—Russian for “thunderclap”—consists of a black box housing the suspect’s hard drive. The device is activated using either a button on the computer case or the remote control. The remote control resembles a key fob for the automatic door locking mechanism of an automobile, with two buttons on it. According to the instruction manual, the RASKAT’s battery back-up will last for 24 hours following the loss of main power. The range of the remote control device is listed as 50 meters.
  16. Technical Difficulties (image slide)
  17. Technical Difficulties
      - USB thumb drive wired into a phone jack.
      - Hidden in plain sight.
      - How-to manual (with USB pinout) circulated on the Internet.
  18. Technical Difficulties
  19. Legal Issues In the law enforcement world, forensic examiners will be called to testify in court. At a minimum, you must know:
      - The law (case law and statute)
      - “Best Practices”
      - Your policies and procedure
      - Evolving technology
      The days of unchallenged experts are over.
  20. Legal Issues
  21. Legal Issues 18 USC § 2703 - Required disclosure of customer communications or records [established by the Stored Communications Act (SCA)– October 21, 1986… enacted as Title II of the Electronic Communications Privacy Act (ECPA)]
      (a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
      (b) Contents of Wire or Electronic Communications in a Remote Computing Service.—
          (A) without required notice to the subscriber… WARRANT
          (B) with prior notice from the governmental entity to the subscriber or customer…
              (i) uses an administrative subpoena authorized by a Federal or State statute…
              (ii) obtains a court order
  22. Legal Issues Requirement for a Second Search Warrant Suppose you have a search warrant to look for tax documents in a residence. You find a bag of marijuana in the file cabinet. Can you seize the marijuana? Can you continue to search for more marijuana?
  23. Legal Issues Requirement for a Second Search Warrant Suppose you have a search warrant to look for tax documents in a computer. You find a child porn picture embedded in a Word document. Can you “seize” the child porn? Can you continue to search for more child porn?
  24. Know your resources…
  25. Because the bad guys have them too
  26. A brave new World…
  27. References
      - DOJ Computer Crime and Intellectual Property Section: http://www.justice.gov/criminal/cybercrime
      - Digital Evidence in the Courtroom: https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
      - Best Practices for Seizing Electronic Evidence v.3: http://www.forwardedge2.com/pdf/bestpractices.pdf
      - US-CERT Cyber Security Awareness: http://www.us-cert.gov/home-and-business
  28. Department of Homeland Security, Office of Inspector General, Office of Investigations, Washington Field Office
      Mark Tasky, Assistant Special Agent in Charge
      TEL: (703) 235-0847  FAX: (703) 235-0854
      Mark.Tasky@dhs.gov