INFORMATION SECURITY AND FORENSICS SOCIETY
Digital Forensics on Future HK Infrastructure
Ricci IEONG, CISSP, CISA, CEH, F.ISFS, ISSAP, ISSMP
Secretary of Information Security and Forensics Society
Principal Consultant of eWalker Consulting Limited
ICT Expo 07, 16 April 2007

HK IT infrastructure
Internet Service Provider
Telecom network service
Content provider
Email services
Web content services (e.g. Government services, public utilities, eBanking services)
Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceeding.
What does a Computer Forensics Investigator do?
To dig out the evidence related to computer crime
Preserve the chain of custody of the entire case
To build the case from the fragmented information
General procedures in Forensics Investigation
Determine level of volatility
Preserve volatile information
Duplicate the original hard disk to at least 2 copies of hard disk
Search for the obvious evidence
Change the parameters on the system
Restore the deleted files
Recover information from the swap drive
Remove the back door or trojan horse files
Change of some system parameters
Document all the steps and response of the system during the Investigation procedure
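The duplication, verification and documentation steps above, as an added example that is not part of the original slides: the source is hashed before it is touched, at least two images are written and hashed, the source is re-hashed afterwards, and every action lands in a chain-of-custody log that a third party can re-check. The `bytes` object stands in for an evidence disk and the examiner name is a constructed placeholder.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def duplicate_and_verify(source: bytes, copies: int = 2, examiner: str = "examiner-1") -> dict:
    """Hash the source before it is touched, make `copies` images, hash each
    image and re-hash the source afterwards, and record every action in a
    chain-of-custody log. `source` stands in for the evidence disk; in practice
    it is read through a hardware write blocker. Examiner name is hypothetical."""
    log = []

    def record(action: str, **details) -> None:
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "examiner": examiner, "action": action, **details})

    reference = sha256_hex(source)
    record("hash source", sha256=reference)
    images = []
    for i in range(copies):
        image = bytes(source)  # constructed stand-in for a bit-for-bit image
        digest = sha256_hex(image)
        images.append(image)
        record("write image copy", copy=i + 1, sha256=digest, matches=digest == reference)
    after = sha256_hex(source)
    record("re-hash source", sha256=after, matches=after == reference)
    # Evidence is only usable if every copy and the post-acquisition source hash agree.
    verified = all(entry.get("matches", True) for entry in log)
    return {"reference": reference, "images": images, "verified": verified, "log": log}

def verify_copy(reference: str, image: bytes) -> bool:
    """Check that any party can repeat later against the documented reference hash."""
    return sha256_hex(image) == reference
```

Analysis is then done on one of the verified copies, never on the source, and the log is kept with the case file.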
Goals of Forensics Investigation
Identify the attackers
Identify the method/motivation of the attacks
Modus Operandi
Identify the gain of the attacks
Damage assessment
Preserve the evidence
Present the evidence in a law case
Who Wants Digital Evidence?
Criminal Prosecutor
Civil Litigation
Insurance Companies
Corporations
Law Enforcement Officials
Individuals
Traditional Network Forensics investigation
Types of attack
Scanning/Probing
Denial of Service
Unauthorized Access
Leakage of information
Virus/Worm Attack
Web attack – defacement, login attempt
Intrusion
Potential source of evidence
System logs
Network devices logs
IDS logs
Web Server logs
Browser history, cookie, index
Network information
Process information
Log Analysis
Significant Events Recognition
Intrusion detection systems
Log correlation
Target Specific
Web Defacement Through Known Exploits
Web Defacement Through Application Bugs
Viruses
Establish Series of Events
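Log correlation across the evidence sources listed earlier (web server, IDS and system logs) into one series of events, as an added example that is not from the original slides. The log lines and formats are constructed and simplified, the three sources are assumed to share one clock, and the "significant event" rule (IDS alert, then a successful request from the same client and a system change within a short window) is one illustrative correlation, not a general detection signature.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in simplified web-server, IDS and system-log formats
# (not real product output). All three are assumed to share one clock (HKT).
WEB_LOG = """\
10.0.0.5 - - [16/Apr/2007:10:02:11 +0800] "GET /admin.php?id=1' HTTP/1.1" 500 312
10.0.0.5 - - [16/Apr/2007:10:02:40 +0800] "POST /upload.php HTTP/1.1" 200 88
10.0.0.9 - - [16/Apr/2007:10:03:00 +0800] "GET /index.html HTTP/1.1" 200 5120
"""
IDS_LOG = "2007-04-16 10:02:11 ALERT web application attack signature src=10.0.0.5 dst=192.0.2.10\n"
SYS_LOG = "2007-04-16 10:02:41 webserver httpd: new file /var/www/html/shell.php owned by www-data\n"

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+')

def parse_web(text):
    """Yield (time, source, client_ip, detail) from combined-style access log lines."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield (ts, "web", m.group(1), f"{m.group(3)} -> {m.group(4)}")

def parse_dated(text, source):
    """Yield events from 'YYYY-mm-dd HH:MM:SS message' lines; src= gives the IP if present."""
    for line in text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        ip = re.search(r"src=(\S+)", line)
        yield (ts, source, ip.group(1) if ip else None, line[20:])

def build_timeline(*parsed):
    """Merge every source into one time-ordered series of events."""
    return sorted((e for gen in parsed for e in gen), key=lambda e: e[0])

def correlate(timeline, window=timedelta(minutes=2)):
    """Recognise a significant sequence: an IDS alert, then within `window` a
    successful (200) web request from the same client and a system event."""
    chains = []
    for i, (t0, src, ip, msg) in enumerate(timeline):
        if src != "ids":
            continue
        later = [e for e in timeline[i + 1:] if e[0] - t0 <= window]
        web = [e for e in later if e[1] == "web" and e[2] == ip and e[3].endswith("-> 200")]
        system = [e for e in later if e[1] == "system"]
        if web and system:
            chains.append({"source_ip": ip, "alert": msg,
                           "events": [t0] + [e[0] for e in web + system]})
    return chains
```

Clock skew between devices is the usual failure mode for this kind of correlation, so the offset of each log source should be measured and documented before the timeline is built.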
Damage Analysis
Identify the attacks
Identify the motivations
Identify the gains
Identify the attack paths
HK Future Infrastructure Change
Infrastructure change
Go mobile
Go for free network
Content change
More content driven
New Challenges & Solutions
Mapping Requirements to 3R principle
Completeness
Accuracy
Verifiability
Repeatability
Integrity
Case dependencies
Reasonableness
Order of volatility
Importance
Time required
Digital Forensics
Relevancy
Reconnaissance
Reliability
Forensics Tools
Expensive
To purchase
To maintain research and development labs
To catch up with technology advances
Not Yet a Formal Certification
Hard to verify
Still Room For Improvement
Intelligent Analysis and Event Correlation
Legislation
Conflicting law
Ambiguous law
Lack of precedent
Not enough technical knowledge and tools
Awareness
Insufficient Preparation
Ignorance
Insufficient Security Knowledge/Skills
Future Direction in Computer Forensics
Fast Network based Log correlation and analysis solution
Combination of Forensics Investigation tools with Intrusion Monitoring systems
Live Forensics Investigations Toolkits
More Technical and Legal Training
Questions?
Ricci IEONG
Ricci_ieong (at) isfs (dot) org (dot) hk
Ricci (at) ewalker (dot) com (dot) hk
About ISFS
The Information Security and Forensics Society (ISFS) was founded in May 2000 by a group of digital forensics specialists and practitioners.
Goals
To regulate and standardize the practice of information security and forensics professionals;
To conduct examinations and act in such other manner as may be necessary to ascertain whether persons are qualified to be admitted to register as an information security and forensics professional;
To encourage the study of information security and forensics by holding regular training courses and seminars;
To promote public awareness of information security and forensics.
Council Members (2006 and 2007)