Understanding Computer Forensics

Similar documents
PROVIDING INVESTIGATIVE SOLUTIONS

Federal Rules of Civil Procedure IT Obligations For

Subject: Kier Group plc Data Protection Policy

Acceptable Use Policy

Certified Digital Forensics Examiner

University Policies and Procedures ELECTRONIC MAIL POLICY

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs

Communication and Usage of Internet and Policy

When Recognition Matters WHITEPAPER CLFE CERTIFIED LEAD FORENSIC EXAMINER.

Matt Danner Flashback Data

THINGS YOU NEED TO KNOW BEFORE DELVING INTO THE WORLD OF DIGITAL EVIDENCE. Roland Bastin Partner Risk Advisory Deloitte

Checklist for Rule 16(c) Pretrial Conference for Computer-Based Discovery

Information Security Incident Response Plan

COMPUTER FORENSICS (CFRS)

Management: A Guide For Harvard Administrators

This Policy applies to all staff and other authorised users in St Therese School.

Vendor: ECCouncil. Exam Code: EC Exam Name: Computer Hacking Forensic Investigator Exam. Version: Demo

Certified Digital Forensics Examiner

Archive Legislation: archiving in the United Kingdom. The key laws that affect your business

Information Security Incident Response Plan

Access to personal accounts and lawful business monitoring

Common approaches to management. Presented at the annual conference of the Archives Association of British Columbia, Victoria, B.C.

PRIVACY POLICY OF.LT DOMAIN

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

Privacy Notice. General Information Protection Regulation ( GDPR )

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

Credit Card Data Compromise: Incident Response Plan

DuncanPowell RESTRUCTURING TURNAROUND FORENSIC

Privacy Notice - General Data Protection Regulation ( GDPR )

Exam Questions EC1-349

UCL Policy on Electronic Mail ( )

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

DIGITAL EVIDENCE TOOL BOX

This policy should be read in conjunction with LEAP s Conflict of Interest Policy.

NIST Standards. October 14, 2016 Steve Konecny

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Workplace Privacy: New Technology, New Challenges

TIA. Privacy Policy and Cookie Policy 5/25/18

RMU-IT-SEC-01 Acceptable Use Policy

Computer forensics Aiman Al-Refaei

Information Security Data Classification Procedure

Forensics on the Windows Platform, Part Two by Jamie Morris last updated February 11, 2003

SECURITY & PRIVACY DOCUMENTATION

19 Dec The forwarding and returning obligation does not concern messages containing malware or spam.

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Motorola Mobility Binding Corporate Rules (BCRs)

A practical guide to IT security

ADVISORY. Forensic services. Protecting your business from fraud, misconduct and non-compliance. kpmg.com/in

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)

Hacking and Cyber Espionage

Reducing ediscovery Cost and Risk with Intelligent Information Governance Dean Gonsowski, Esq.

Product Questions: 486 Version: 12.0

COMPUTER USE POLICY Staff

Seven West Media Privacy Policy (Updated)

This policy also applies to personal information about you that the Federation collects from any other third party.

Professional Training Course - Cybercrime Investigation Body of Knowledge -

Computer Forensics US-CERT

KIN GROUP PTY LTD PRIVACY POLICY

Data Processor Agreement

Data Privacy Breach Policy and Procedure

PCA Staff guide: Information Security Code of Practice (ISCoP)

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Scientific Working Group on Digital Evidence

Development of your Company s Record Information System and Disaster Preparedness. The National Emergency Management Summit

University of Liverpool

Justice or a Game of Gotcha? Emerging Standards Concerning Preservation (and Spoliation) of Electronically Stored Information

The University of British Columbia Board of Governors

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

Identity Theft Prevention Policy

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Data Breach Preparation and Response. April 21, 2017

PRIVACY POLICY BACKGROUND:

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Data Security and Privacy Principles IBM Cloud Services

Report For Algonquin Township Highway Department

Preservation, Retrieval & Production. Electronic Evidence: Tips, Tactics & Technology. Issues

VISTRA NETHERLANDS PRIVACY NOTICE

Privacy Policy Effective May 25 th 2018

Access Rights and Responsibilities. A guide for Individuals and Organisations

Trends in Electronic Evidence.

Regulation P & GLBA Training

Last updated 31 March 2016 This document is publically available at

AUDITING FOR PERSONALLY-OWNED DEVICES

Computer Forensic Capabilities. Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice

COMPLAINT FORM. Complaints relating to Members of Engineers Ireland made under the Engineers Ireland Code of Ethics

Retention & Archiving Policy

UWTSD Group Data Protection Policy

University of Pittsburgh Security Assessment Questionnaire (v1.7)

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

This version has been archived. Find the current version at on the Current Documents page. Archived Version. Capture of Live Systems

Data Subject Access Request Form

Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.

Record Keeping Best Practice. Distinguish between University and Non-University Records

Cleveland State University General Policy for University Information and Technology Resources

When facing legal disputes, can you quickly retrieve s as evidence?

KillTest 䊾 䞣 催 ࢭ ད ᅌ㖦䊛 ᅌ㖦䊛 NZZV ]]] QORRZKYZ TKZ ϔᑈܡ䊏 ᮄ ࢭ

Data Subject Access Request Form (GDPR)

DATA PROTECTION & PRIVACY POLICY

Transcription:

Understanding Computer Forensics also known as: How to do a computer forensic investigation... and not get burned Nick Klein SANS Canberra Community Night 11 February 2013

The scenario... Your boss tells you a senior executive has just resigned and is going to work for an aggressive competitor He has a strong suspicion that the (former) employee has taken confidential information; a very serious allegation The boss asks you to investigate what the former employee was doing before he left What a great opportunity for you to do some really interesting work, help your company and impress your boss So... what do you do?

What is forensics? Forensic: 1. Relating to, connected with, or used in courts of law or public discussion and debate 2. Adapted or suited to argumentation; argumentative 3. Applied to the process of collecting evidence for a legal case: forensic accounting; forensic archaeology; forensic linguistics [Latin forens(is) of the forum] - Macquarie Dictionary Online (2010)

What is computer forensics? A digital forensic investigation is a process that uses science and technology to analyze digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. - Brian Carrier File System Forensic Analysis (2005)... there is no Forensicator Pro

How can computer forensics be used? Financial and other fraud Employee misconduct and corporate policy breach Incident response, computer hacking and system intrusion Theft of confidential information and intellectual property Issues surrounding termination of employment Internal organisational investigations Litigation and commercial disputes Electronic discovery Independent collection and analysis of electronic evidence Search and retrieval of responsive documents from computer systems and backup media Criminal investigations, both prosecution and defense Independent review of work performed by other experts Regulatory investigations Expert testimony for civil and criminal proceedings Search warrants and seizure orders

Phases of an investigation 1. Understand the case 2. Identify and collect evidence 3. Analyse the evidence 4. Present findings

Phase 1: Understand the case Initial instructions are often incomplete Ask specific questions - who, what, why, where, when, how? Assist with technical knowledge and practical experience Need to be specific in defining forensic objectives Start to identify relevant sources of evidence

Forensic or IT? Most companies naturally turn to their IT staff for help; this can be damaging to an investigation and risky for the staff involved Digital evidence is volatile in nature and can be altered or destroyed, accidentally or deliberately, by a user or automated process Simply copying or backing up a computer will not capture all potentially relevant data Most IT experts aren t conscious of the difference between fact and opinion The effectiveness of a computer forensic analysis is underpinned by the quality of the data acquired

Phase 2: Identify and collect evidence Evidence usually exists in multiple places Opt to collect more rather than less Preservation is key; should avoid analysing live data * Think outside immediate and obvious data sources Collection methods should use forensic processes Forensic collection doesn t necessitate forensic tools Aim to minimise changes to evidence during collection We can then do as much, or as little analysis as needed

Case study: Email evidence sources Remote User Sync of mailbox (plus text messages) Mobile Device Month 2 Backup 15 day retention of deleted emails Month 1 Backup 15 day retention of deleted emails 30 day month Message Log Email Server Current Mailboxes OST copy of mailbox PST archived email User Computers

Potential sources of evidence Local computers: live memory, active state information, file system, Internet cache, email archives, system logs, recycle bin, info2 records, link files, MRU lists, Internet cache, index.dat, browser artefacts, document metadata, unallocated disk space, system restore points, volume shadow copies, shellbags, jump lists, registry, registry, registry... Servers: network drives, application systems, databases, email servers, document management systems, email archiving, proxy logs, extended logging... Backups: of servers, executive computers, clean configurations... Removable devices: serial number, file system, unallocated space... Mobile devices: phones, PDAs, Blackberrys, iphones, ipads, sat nav... Facilities: electronic doors, CCTV, photocopiers, carpark systems, telephones, voicemail...

Phase 3: Analyse the evidence Follow an analysis plan Identify every potential source of artifacts Observe the facts of the evidence; know the tools! Identify typical provenance of factual findings; ask why is it so? Consider variables which influence the factual finding See what other findings corroborate observations Analyse any discrepancies - test scenarios if required Be specific in describing what the findings prove Understand what the finding does not prove If all you have is a hammer, everything looks like a nail

Case study: Email timestamps mail.kleinco.com.au 16 Aug 2012 00:05 UTC mail.company.com.au 16 Aug 2012 00:08 UTC To: Jason From: Nick (nick@kleinco.com.au) Date: 24 Feb 2012 10:09 AM AEDT Subject: Important Document!! Jason, here s that important document. Nick. Attachment: Important.doc Email headers contain timestamps added by mail servers and relays Emails contain multiple timestamps: Creation in sender s email program Submission to outgoing server Delivery by outgoing server Receipt by incoming server Delivery to recipient s mailbox Filing into an email folder Deletion Plus attachment timestamps

Case study: Super timeline analysis Date Time Time Source Timeline Entry 13 Nov 2011 09:47.19 Document Metadata Document Secret File.docx first created by user John 16 Nov 2011 15:39.44 Recycle Bin Document Secret File.docx last modified 17 Nov 2011 11:14.50 Internet History 17 Nov 2011 11:24.45 Recycle Bin Secret File.docx accessed by user Bob from network drive P://Projects/Secret Project/ Document Secret File.docx first created on this computer 17 Nov 2011 11:25.14 Registry Microsoft Word executed by user Bob 17 Nov 2011 11:25.14 Link Files 17 Nov 2011 11:47.00 Recycle Bin Secret File.docx accessed by user Bob from local path C:\...\Bob\Desktop Secret File.docx deleted in Recycle Bin of user Bob

Phase 4: Present findings Evidence can be provided in a variety of forms: informal findings formal reports statements / affidavits expert reports Always be conscious that your work may be used as evidence in court

Case study: Explaining network data traffic Internet! The recipient computer receives the data, sending replies The recipient as required! computer receives the data, sending replies as required! Computers on the Internet route the data Computers as required, on so the it Internet reaches route the intended the data as recipient! required, so it reaches the intended recipient! One computer sends data to another One computer across sends the data Internet! to another computer across the Internet!

Case study: The CSI effect Time C-IP URL Status Data 16:35 10.0.1.5 www.illegalsite.com.au 502 0 KB 16:35 10.0.1.5 www.illegalsite.com.au 502 0 KB 16:36 10.0.1.5 www.illegalsite.org 502 0 KB 16:36 10.0.1.5 www.illegalsite.com.au 502 0 KB 16:38 10.0.1.5 www.anotherillegalsite.com.au 502 0 KB 16:38 10.0.1.5 www.yetanotherillegalsite.com.au 502 0 KB 16:40 10.0.1.5 www.kinkysite.com.au 200 5 KB 16:40 10.0.1.5 www.kinkysite.com.au 200 6 KB 16:40 10.0.1.5 www.kinkysite.com.au 200 8 KB

Contracts and engagement Consider engagement through legal counsel for legal privilege Clearly define the scope, objectives and analysis phases Be clear on critical decisions during the investigation and ensure they re made by the appropriate person and documented Set realistic expectations and keep the client updated, manage the investigation professionally Involve the client s staff (especially IT) in the investigation process as required by your investigation plan Remain impartial, maintain independence between your process and your findings (and any fees) Define important assumptions and limitations

Other legal considerations Expert Witness Code of Conduct defines how experts should present their findings NSW Workplace Surveillance Act 2005 requires notification to employees before surveilling input or output to a computer system Telecommunications (Interception and Access Act) 1979 limits access to stored communications on a carrier network Criminal Code Act 1995 defines unauthorised access to computer system Some other countries have much stricter privacy laws

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback