• In the light of experience of:
  – post-incident investigations
  – work for insurers and loss adjusters
  – instructions as an expert in court
• Surprise at the poor level of preparedness to produce evidence, or understand what is involved
• To lift “digital forensics” from its “the techies will solve everything” myth
Evidence in the Corporate Agenda
• Role in Information Assurance / Information Security
  – Low Frequency / High Impact Events
• Role in semi-routine operations
  – Higher Frequency / Lower Impact Events
• Records to demonstrate Compliance
• Forensic Readiness Programs
  – HMG Infosec Standard No 2
Corporate interest:
• organisation continuance
• rapid recovery to full operation
• recovery of assets
• successful insurance claims
• successful 3rd party legal claims
• largest possible number of options for
• Post Disaster Recovery
  – To mitigate and control losses
  – To make insurance claims – direct and consequential loss
  – To sue third parties
  – To resist claims from third parties
  – To assist law enforcement
In a disaster:
• How would you make the choice between stopping a system in order to preserve “reliable” evidence – and keeping your business going?
• What managerial and technical structures do you need to have in place?
• How does this fit in with existing DR/BC Plans?
There are many internal conflicts, e.g.:
• rapid return to normal working = keep the computers going
• evidence collection = stop the computers to
  – threats to employee trust, privacy
  – use of network resources / slow-down of system response
  – possible compromise of integrity of transactions &
• Frauds by employees and 3rd parties
• Contractual disputes
• Allegations of failure of duty of care
• E-mail and Internet abuse
• Breach of confidentiality
• Online defamation
• Employee / HR disputes
• Sexual harassment
• Acquisition and storage of child abuse images
• Data theft / Industrial Espionage
• Software piracy
• Theft of source code
• Unauthorised access by employees
• Unauthorised access by 3rd parties – “hacking”
• Unauthorised data modification – incl. viruses and trojans
• Abuse of corporate IT resources for private gain
• Use of corporate IT resources as one stage in a complex criminal act and where a 3rd party is victimised
• Use of corporate IT resources for illegal file-sharing
• DoS and DDoS attacks
• “Phishing” and “Pharming” attempts
• Etc etc
• Requirements of disclosure in civil litigation
• Prosecutions are impossible without evidence
• There will never be enough cybercops
• If you let in the cybercops to locate evidence after the crime, they will inevitably be more disruptive and less successful than if you had planned ahead and are able to produce evidence yourself
Reliable record keeping / regulatory compliance
• Sarbanes-Oxley
• Basel II
• International Standard on Records Management – ISO 15489
• UK Combined Code of Corporate Governance
• Freedom of Information legislation
• Forensic Compliance Services
• “proving” documents, copies
• US: 4th amendment rights / Federal Rules of Evidence
• UK: PACE, 1984; “business records” (s 24 CJA, 1988) etc etc; Human Rights, Data Protection, problems of “interception”
• can we explicitly link files, data to specific individuals and events?
  – access control
  – logging, audit logs
  – collateral evidence
  – crypto-based authentication
accurate
• reliability of computer process not data content
• can we explain how an exhibit came into being?
  – what does the computer system do?
  – what are its inputs?
  – what are the internal processes?
  – what are the controls?
...is different from other evidence – computer data:
• can change from moment to moment within a computer and along a transmission line
• can be easily altered without trace
• can be changed during evidence
...creates as many opportunities as it provides threats:
• many more commercial transactions are recorded
• data, once recorded, is very persistent and many copies may exist
• it is much easier to trace a person’s history and
How to plan for evidence collection
• Identification of risk scenarios
• Analysis and identification of likely evidence requirements
• Procedures and resources for collecting and preserving evidence
• Integration with existing BCP, HR and
• Forensic imaging for single hard-disks
  – Now well-established
• Digital fingerprinting for log files
• How do you make a proper “selection” from larger, more complex systems?
• How do you “prove” the reliability of data captured in transmission?
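The two slides above raise the same practical question from both sides: computer data “can be easily altered without trace”, and the planned answer is “digital fingerprinting for log files”. The following is an added example, not part of the original slides, showing what such fingerprinting looks like in practice: a SHA-256 manifest over whole log files, authenticated with an HMAC key assumed to be held by the evidence custodian rather than the log servers, plus a hash chain over individual records so that editing or removing one entry is detectable even when the file as a whole is regenerated. The file names, log lines and key are constructed for the example.

```python
"""Added example (not from the original slides): tamper-evident
fingerprints for log files, as a building block of forensic readiness.

Two complementary checks:
  1. A SHA-256 manifest of whole files, so a preserved copy can later be
     shown to match what was captured.
  2. A hash chain over individual records, so editing or deleting any
     single record (not just the whole file) is detectable.
All file names, log lines and the key are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed sample audit records; a real system appends these as events occur.
SAMPLE_RECORDS = [
    "2024-05-01T08:00:01Z user=alice action=login src=10.0.0.5",
    "2024-05-01T08:03:14Z user=alice action=open file=/finance/q1.xlsx",
    "2024-05-01T08:10:42Z user=bob action=login src=10.0.0.9",
]

GENESIS = b"forensic-readiness-demo"  # constructed chain seed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(records, genesis: bytes = GENESIS):
    """Return a list of (record, chained_hash). Each hash covers the previous
    hash plus the record, so altering record i invalidates hash i and onward."""
    prev = sha256_hex(genesis)
    chain = []
    for rec in records:
        h = sha256_hex((prev + "\n" + rec).encode())
        chain.append((rec, h))
        prev = h
    return chain


def verify_chain(chain, genesis: bytes = GENESIS) -> int:
    """Recompute the chain; return the index of the first broken link,
    or -1 if every record still matches its stored hash."""
    prev = sha256_hex(genesis)
    for i, (rec, h) in enumerate(chain):
        if sha256_hex((prev + "\n" + rec).encode()) != h:
            return i
        prev = h
    return -1


def make_manifest(files: dict, signing_key: bytes) -> dict:
    """files: {name: bytes}. Fingerprint each file, then HMAC the manifest
    with a custodian-held key, so that an administrator who can rewrite the
    log store cannot also silently regenerate a matching manifest."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest: dict, files: dict, signing_key: bytes) -> list:
    """Return a list of problems found; an empty list means everything matches."""
    problems = []
    body = json.dumps(manifest["entries"], sort_keys=True)
    tag = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, manifest["hmac"]):
        problems.append("manifest signature mismatch")
    for name, digest in manifest["entries"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"modified file: {name}")
    for name in files:
        if name not in manifest["entries"]:
            problems.append(f"unlisted file: {name}")
    return problems


def demo():
    """Fingerprint the sample log, then show that a later edit of one record
    is caught by the chain. Returns (original_intact, first_broken_index)."""
    key = b"custodian-key-placeholder"  # assumption: kept apart from log servers
    chain = build_chain(SAMPLE_RECORDS)
    files = {"auth.log": "\n".join(SAMPLE_RECORDS).encode()}
    manifest = make_manifest(files, key)
    intact = verify_chain(chain) == -1 and verify_manifest(manifest, files, key) == []
    # Simulate an after-the-fact edit: attribute alice's file access to bob.
    tampered = list(chain)
    tampered[1] = (tampered[1][0].replace("alice", "bob"), tampered[1][1])
    return intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())
```

The manifest answers “is this the file we captured?”; the chain answers “which record changed?”. Neither proves who made a change, which is why the slides pair fingerprinting with access control and collateral evidence.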
In a large complex system – how much is enough?
No simple one-size-fits-all answer… but if you have thought things through, you have a better chance of justifying your decision in court
Anticipatory
• Risk Analysis / Scenario Identification
• Desirable Evidence Analysis
• Available Evidence Review
• Assembly of Key System Documentation
• Review of Back-up and Archiving Facilities
• Produce Evidence Collection & Preservation Policy & Specific Guide
• Incident Management Team
• Review Employment Contracts
• Identify 3rd party specialists
Incident Management
• Reporting Point / First Responder
• Incident Management Team
• Role of Top Management
• Resourcing – internal
• Resourcing – external
• Asset recovery, loss mitigation
• Legal and law enforcement liaison
Longer Term Measures
• Program to address gaps in available evidence
• Improvements in overall system specification to ensure more useful evidence is captured – or available for capture
• Forensic Readiness Plan:
• HMG Infosec Standard No 2
• Needs to be
  – prepared as a consensual corporate exercise
  – documented
  – audited
  – subject to revision
    • as the organisation changes
    • as IT infrastructure changes
    • in the light of experience
• A great deal of this activity sits naturally with existing Information Assurance / Emergency Response / Disaster Recovery activity.
• Much of what can be achieved requires pre-planning, not just an emergency response.