Notes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management.

Transcription

1 EF-1. All protocols used between the different components in the distributed architecture (management server, agents, database, forensic analyst system, etc) shall be encrypted and signed. EF-2. The Enterprise Forensics (EF) architecture shall be modular, distributed in functional layers/components. Ideally there should be at least four distinctive components. One component to manage the Enterprise EF framework and responsible for the AAA (Authentication, Authorization, Accounting), an agent installed on the remote systems, an on-site analysis component that allows the forensic analyst to perform some analysis remotely in the same domain as the agent, reducing the bandwidth requirements of some scans and finally a central forensic analysis system. Notes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management. EF-3. The agent shall have a small footprint with a limited consumption of the system s resources in order to limit the impact on operational systems. The Agent should be able to investigate both non-volatile data (hard disk,...) and volatile data. Notes: Clarify where (within the distributed architecture) processing of different tasks is happening (i.e. when looking into compound files, registry files )

2 EF-4. The EF framework shall support resilient central management of the forensic agents. Meaning that the central management component shall support on demand requests (heart beat/keep alive/call home) of the agents status, version, last update, up time, etc. EF-5. The agent shall be supported on multiple 32 bits and 64 bits Microsoft Operating Systems (Windows XP, Windows Vista, Windows 7, Windows 2000 family, Windows 2003 family and Windows 2008). Notes: What other Operating Systems does the agent support? EF-6. The solution shall be scalable, supporting large scale infrastructures. In this context it is important the vendor explains following: 1. Are remote processing and/or central processing possible? 2. Is it possible to assign certain amount of system resources and/or a certain amount of bandwidth to certain forensic jobs? 3. Is there a limitation of the amount of agents that can be managed by the central enterprise components? 4. Is there a limitation in the size of memory or disk that can be remotely investigated? Notes: How scalable is the solution? What is the biggest architecture example that the solution supports?

3 EF-7. The solution shall support performing scans on Storage Area Networks (SAN) (i.e. Netapp, iscsi, Fiber Channel, etc) EF-8. The EF framework shall support virtualization. The management server, remote processing and forensic analysis systems shall be installed on a virtual server and the agents shall support Virtual Machines (VMs). EF-9. The EF framework shall support integration with ArcSight. The EF framework can act as source for asset info for ArcSight. Both technologies should be integrated into the most automatic manner. Notes. Forensic snapshots include (among others) the following information: OS version, patch level, running processes, remote connections, logged on users, routing/mac table, loaded DLLs, network interfaces and corresponding MAC addresses, McAfee DAT/engine version, etc.

4 EF-10. The EF framework shall support integration with ArcSight. It shall provide an API that will support requesting forensic queries on demand, based on certain conditions (events triggered in ArcSight). EF-11. The EF framework shall provide comprehensive accounting and auditing. Notes: History of keyword searches should be included in the history. EF-12. The forensic management component shall be role based. EF-13. The EF Framework shall provide detailed activity logs including the activity history of the different forensic analysts. The EF framework shall generate automatic comprehensive evidence reports (including keyword searches, list of evidence analysed, steps followed by the forensic analyst, etc) EF-14. The EF framework shall support limited bandwidth (<512Kbps). Ideally, it should support configurable bandwidth profiles (low, medium, no limit). EF-15. The EF framework shall support in depth memory analysis with visual indicators of presence of potentially malicious malware in RAM.

5 EF-16. The EF framework shall support transfer of areas of RAM (by process and/or by address range), in addition to transfer full RAM dumps. EF-17. The EF framework shall support forensic deletion of files. Notes: What are the algorithms supported? EF-18. The O&M of the EF framework shall be cost effective. Please provide example for 8 central forensic analysis machines, 2 management servers, 6 remote forensic analysis systems and agents. Notes: What are the specific costs? EF-19. The EF framework shall support chain of custody. Notes: How does your solution support the chain of custody?

6 EF-20. The EF framework shall support a flexible licensing model for all the components in the framework. EF-21. The EF framework shall easily integrate with standalone third party and open source tools (i.e. file viewers, ticketing systems, etc). The EF framework should provide a script language or API to interact with third party and open source software. Notes: List the tools that the solution supports and explain the integration/interaction possibilities. EF-22. The EF framework shall provide a hash analysis tool which shall support bulk analysis and a proper update mechanism. EF-23. The EF framework shall support the addition of new hashes, both known bad and known good.

7 EF-24. The EF framework shall provide automatic mechanisms and processes that allow white listing of the NATO NCSA s baseline, using the hash database. Preferably the same database is used for the customized NCSA baseline and the external hash sources. From a workflow perspective this should be handled by one action. Notes: NATO NCSA s baseline consists of a set of images of the standard operating systems of the corporate applications. EF-25. The EF framework should be able to see compound files (PST, zip, registry, mdf, etc). Notes: Please, list file types supported. EF-26. The EF framework should support the use of internal or external fileviewers Notes: Please, list fileviewers supported

8 EF-27. The EF framework should support code viewing using different codepages. (different Date types, ROT13, ) Notes: Please, list codepages supported. EF-28. The EF framework should provide a flexible and granular filtering and sorting mechanism. EF-29. The EF framework should provide a keyword search mechanism. EF-30. The EF framework should provide file signature analysis mechanism. EF-31. The EF framework should support gathering of general OS information. EF-32. The EF framework should include prebuilt tools that automate certain workflows in the forensic job (analyze browser cache, analyze recycle bin, etc).

9 EF-33. The EF framework shall support persistent storage for evidence and cases. An enterprise backup solution should support redundant evidence and cases data. EF-34. The solution should have a common criteria certification. Notes: Please describe the common criteria certification (ToE, EAL, etc.) of the different components of your EF solution.