Rothke computer forensics show 2010

The Computer Forensics

��

��

��

��

��

��

This information is provided for your review only and is not for any distribution. Any reproduction, modification, distribution, transmission, display or republication of the content is strictly prohibited

��

��

�!"��# ��

��$%�&'$'

��

��

��

�� !""��#��$��%�� !!&

'��(��)��#��*��

�� + ��

,��)+-��.

2

/��)

0��*��%*��1�%�� %��#�

��%��

2��$��*��*��3��%��(��

��#4�� 5��

0$$��*��(��#��3��#�#��3��

��%��#�)�� 3��#�*��6��%��3�%��#�#��%��

2��*��3��%��$��

� � ��%��3�� (�� %%��%�7

3

��8��9: :�� ; ��8�� 0��*��<

��+�� 3�%�� *+3�*��

�� $��*��#��%��3�%��

#��%��*��7��

��3��=��(��#��1*��

� ��#�%��%��*��$��%��3�

��(��

�##��*��3��$��#�$��*��#�*��%��

��3��

4

0��*��3��>��*�

7 5�$��(��%��

97 ?��)�) ��#��#��

>7 ��#��#��%*��%��*��

; ��%*��%��3��*��3��%�%��

��$��%��

5

��*��*��3 �%��

��#��!�� #��*��#��0/

� @�%��$��3��%��$��3��*��

��#�� 0/��%��/

��#��@�� /��%��/

��#��9�� /��%��$$

��#�� ;�� /��$��%��3��#��*��(��*%��

� ��#��+ ��%��*��#��)��#��#��3 ��34��$�3��3��*�� #)��#��$�)��

��1�%�� %*��#��)�� 3��#��*��%��3�%��7��0/��%��/��) ��$�� /7

@�1��#�� %��/��%��3��*��)��3�� )��#

6

0��*��

��

5��**��3

��#��3

��*�

�%*��%��

��3�%��

��#��

��

5�$��5��

5��$��

��5�$��

��

�� • ��• �� • ��3��

��

��

7

0��*�� 3��

/*��3��%��#��**��#�� 8��%�#��

��#��%��%*��%��*��

� A��$��3��**��

A�)�43��#��$��$��$��*��#��$$��

3��#��

'��$�)��%*�� *��*��#4��

$��%��*��3�

��4��$��%��

� B*+$��#��+3��3�%��

� ��$��%��

� �##�#�� $$

8

(��

��(��

)"��

� ��

�� *�� *

(��

�� *��

��

� �� *

�� * ��

0��*�� #��+�#3�#��)��#

9

��%%��*��#�*��%��%��

7 � ��3��*��

� -��#)��

� ��3��*��)��

97 ��3��#��

� C��#�� #)��4��$�)��

� 2��#��(��%��

>7 @��3��*��#��

� �$��8��*�� )��3��43��#��7

&7 @��3��3��3 ��%��#��3�4��

� 0$$��*��+��%�

� ��(��3��$��#��

� +� � �,� ��-

10

5��3�)�� #��

; ��#�� *��6��

� 2��#�$�� (��%��

� ��

� C��#��*��#��*��4��

� C��#��*��

� ��6��#�

� ��3 �� 1*��

� � ��1*��#��*��$��

� �� *��*��#��

� 2��#��8�� 1*��)��3�)�� %

� ��6��$��

11

0��*��#�� #��#��*��*��#�1

�� %�� $��)�� *��*��

��3�$�� *�� #��$�� *��

)�� $��

'��$��#�� )�� *��*��3�$�� *��) ��$��

� �%�� #��#��*��#��8��#��$��

��*�� 3�� #��+*��*��#�*��%�3 ��

��(��**�#�� #��

0��*��1��

+� �� #�� * �*�� *.

12

0��*��3�

�� %��$��*��3��* ��

� ��%��*��$��$��%��%*��#��#��D

��#��%*��%*��#��#�3��#�

#��3��%��#�)�� $$��*��6��%��3�%��

0��*��3��%��$��

5�$��) ��#��##��#�� *��*��

��3�

� @��)��#��*�� #

� ��#��#��%��#�$��) ��(��*��

� ��$��%��3��3�� #�

13

A�*��*��*��

5��*��

@��)��*��

�%��#�

��*��

;��*��

�%��* ��

��#4��#4��

� �**��*��

� ��3��*��

� �5��

� B�

� '��**��4�5+�/�45C5

� 0%��3��3�� 3��

; �� #�� 3��#�<

14

��3��*��=��

��=��#��*��$��(��%��#��%*��3�

��

� ��)�� %*�� #�$��#��#��*��#��

� ��*��$��(��%��*�� #��

� �#��$�� 3 +��) ��*��3�#��)��#��

B��*��*��=�#��*��#�*��%��%��

#��%�� %�� 3��#

� $��$��

� ��#3��)��$��%�%��*��3��*��(��%��

� ��#%��#��

� ��#��$��)��#��

15

��

0��*��3��#�*��

� ��)�� #��*��<

0��*��$��%�)��*��<

��*��<

5�$��) ��3��%��%*��#�)��

5��%��*�� #)��4�

��$�)��%��

Define Drivers

Data Classification

Policy Definition

Policy

16

��=��*��#�

��#��$��%��#��1*��

�� %��$<

5��$�)��#�� $��$��*��<

5��*��#��<��) ��%��<

-�)�%�� #��*��<

-�)��3�#�� *��#��<

5��#��%�� #)��<

��3��3��=��*��

�� / �� -

17

; ��*��$��%<

C�@��

��A4�A�

�?�4�#�

B��+3��#��

'��%��*��

� ��#�*��

��#��$��%��#��,��.

� ��)��#��*��#��*��*�

18

��

� ��%��

� ��*��*��

��

� �0��A��7

� ��%��#��

��3��

� ��4��E�4�0B��#��4��/+ FF!!

� ��#�� )�

@��G�?��*��)�#��*��%��#�) ��%*��3�

)�� *��$��%��#��

Define Drivers

Data Classification

Policy Definition

Policy

5��

19

5��%��#�*��

0��*�� **��#��*��

#��%��#��$��%��%��#��

%��3�%��*��3��%�

� � �)��)��#�(��*��#��#��*��#

� 5�%��#��#��#��#

��%��G

� 0�#��#��%��3�%��

� ��%%��#��#+��#��*��4�>�#+*��

� �� #��#��7��$��8��%��%*��8��*��

#��8��3��#��

0��*��*�� #��$�1�#�)��

��(��$��%*��

Define Drivers

Data Classification

Policy Definition

Policy

20

0��*��*��

0��*��*��

��)��+#�$��#��#�#��%��#

�$��%*��%��#��#��$�3��#�*��*��

��%�*��$��%��#�3��#��

�*�� #��

�%*��*��$�3��#��*��*��

3��$��$��

� ��*�� $�#��$��$��%��

*��#�) ��8��

Define Drivers

Data Classification

Policy Definition

Policy

21

5��$��

��#��)�� $��%��3��#��+

��#��$��%�� #��3

��%��3��)�� *��

��$��#��%��

� � ��3��#��6��%��$��%��

� � ��3��3��#��1��$�� 3�

� B�#��#�*��$�� 3�

� 0%��#��**��*��*��%��3��

��G�!��"��##��

��#�� #��

��$��7

Define Drivers

Data Classification

Policy Definition

Policy

22

5��$��#��

Define Drivers

Data Classification

Policy Definition

Policy

0� ��

��

��$�#��

��

B��$��#

0��

� ��*��

� -�3 ��$�#��

� ��*��

� ��B��/��

� ��

� ��%*��#�� 3�� *��*��$��%��7

23

0��*��3�

�#��$��%�� #��$�#��*��4��*��

��3��%�#��

��*��#�� #�*��

�**��3��#��)�

-�3 +��

� A�*��*�

� ;��

� 5��*�

� /� ��

Strategy

Data Mapping

Risk Modeling

Control Gaps

24

5��#��

�#��$��*��) ��#��#��#��#��$��)�

��%�)�#��#��$��#��*��

� ��3��$��#��3�$��3��*��

� ��%��

��(��#��%*��)�� <�

� ��$��%��3��+*�� #�#��

� ��)�#��$��)��)�� /��**��$��#�$��) ��

��$��#��)�*��)��

� ��%*��$$�� #��)��#��$��#��$��

��3�$��#��

� ��$�� $��,��+*��#.��)��) ��

��#�#��8��3%��#�$��%��$��)��

25

5��+$��)�#�$��

26

��(��%��

5�$�� #��*��

��(��%��#��6��$��*��

5�$��*�� #��*��$��*��

��(��%��

��#��)��)�*��#��%��=��

��#�*��*��#��*��3��#��$��

*��3�*�

5��%��

��(��%��#�$��#��

��$��*��*��3��%

Strategy

Data Mapping

Risk Modeling

Control Gaps

27

A�3��%�

��3��%��#��3��#�$��*��

A�3��*��*��

� ��$��3��**�� *��+��**��$��

� B��3��*��**�� )��**��#�#��

� /$$+��#��3��*��3��%�� %��#��

-��#��*��$��%�� 4&::

28

5��*��#��

� '��*��$�#��

A�� $��*��#�#��3��*��#��

��#��%��

� �$��*��#��*��#��#��

��3��$��*��3�� #

��(��##��*��3�*�)��4�1*��

-�3 ��#�)��+��#��#��$��

A��3�+��#��*��)��#��#��%*��

*��$��%��

C��#��G��$�� *�

Implementation

Management

Audit

Deploym

ent

'��+#��4� ��+��#��*��,��.

29

5�� *��#�� 3��#�#��#�

�**��$��*��

�$��*��#��)��3��

#��

��%*��%��

��*��

��

@��

��#�(��$�1

� $��1��#��3��*��#�%��3�%��

��%*��1��$��*��3��+��#��3��$��

C��#��G�@��**�� 4��* ��

Implementation

Management

Audit

Deploym

ent

�**��+��#��*��

30

��3��#��*��

5��%��#��*��#��3��#��

0��3��1��3��*��%��

��**��+#��%��3�%��

0��1*��*��#�#��*�

0��%*��%��#��+�$$��

��#��#�� #�#��*��3�

��3��(��$�#��$��*��

A��3��%��$�#��%��3�#�$��%��3��

��%��3�%��*��$��%

C��#��G�0��-��

Implementation

Management

Audit

Deploym

ent

31

��*�+��#��*��

5��*��#��*��#��

��

@��*��$��%��*��

0��%*��%��

��%��3��#��$��(��#�

��$��%�� =�#�*��

��#��*��$��%�� $$��#��+*��%��

��$��%��

0�� *%��$�#��

��)��$��*��

C��#��G�� -��#��@��**

Implementation

Management

Audit

Deploym

ent

32

5��*��

5��+��#��*��) ��*��

��#��*��#��#��5��#��

5��*��#��5��

B��) �� 3 ��*��#�#��$��

��3 ��*��

� ��*��#��1��*��#�$��%�%��#��*��

��#��8��*��#��#�(��3��%��3�

�$��*��

Implementation

Management

Audit

Deploym

ent

33

5��*��

��*��

A��%*��**

��+

��*��#��

#��

��$��%��#�3��#��

��*��##��

��#)��(��#��737��-��

1 ��*��

��%��%*��

�� #�$��%�5��#�

�**��

��*��*��#�#��$��%�

��*��#��

��%%�� #

��#%��%��

34

?��3�%��,?�.

��#��3��#�#��$�

��*��

0��*��!:H�%��3�%��I�*�� :H�� 3�

��*��$��#��$$��?��*��

":H��$�99��3�*��#��#��*��

��?�

0$$��?��*��#�#��3��(��3��$��%��#�

�$$��

35

;�� %%��*��3��* ��%��$��%��$��(��#��*�#��

'��3��*��$�� #�� 49�,�9 + �.��$��%%��

��%��$�*��,�.��%��$��%%��%��3��$��*��

� � � ��

� � ��

� � ��

��

��

��

��

��

� ��9��%

36

?��%��3�%��(��

-�)�%��#��#<

; ��#<

; �� <

-�)�)��%��3��<

-�)�)��*��*��<

-�)��$�� #�� 3�<

; ��$��#�%�3�#<

-�)�%�� %��3�%��3�)��)��#<

-�)��#��<

37

��(��%��>7J

� ��$��3��

� ��#��

� ��#�� 3��

� 5��$��#��

� 5��$��

� ��*��%��$��%*��%��#��

� ?��

0��3�� (��%��%��$��%��*��

�**��) ��%��37

��5��%��3�%��(��%��

38

?��3�%��

?��%��$�� #��

� �$�� 3 ��$��%*��%��

��

� /��3�� %�)��*��$��%�$��3

��=�#��%��3�%��

� �� *��%*��$��%��3�%��$��%��*��**��

39

?��3��#�#��

��

� '�� &:+9��#��#�

��*��3��* ��%�#��

� 5��

��

0��

� ��*4��

� �*��)��#3�

� 5��

� 5��

� ��3��#��$��6��#��#��

��3�� %

� ��%��#��)�� #��G

� -��#�#��

� B�

� 0��/�

� � ��#�*��

� '��%��1��#�� #+

��*��$�� *�*��#��

��#)��

40

'��#��#��#�=��3�%��3�%��$��%%��

��*��*��3��* �� *��)��

��%%��?��%

;��3��$G

� ��%%��?��*�A��3��3��,�?��A.�*��

� �%*��%��#��*��3��#��$��?��

� ��#��3��#��$��#��3��?��

� ��*��+��$��?��A��%*��%��

� )))7��+�*��7��34��%%��4��%�4

/��0��*��?��3�%��$��,0?��.

41

'��%��$��%��

��#��$��%*��%��3��*��3��* �� '�#��

��%�� *G44��7��73��4*��4��*��4"::+9 + 4�*"::+9 + K5��9::L7*#$

��*��3��* �� *G44��7��73��43��*�4��4��4��#�17 �%�

��%%��#��$��?��3�%�� *G44��7��73��4*��4��*��4"::+LF4��"::+LF+�� 7*#$

� ��*G44��7��73��4*��4��*��4"::+LF4��"::+LF+��97*#$

0��*��3��G�� ?��3�5�� )))7��7��%4��*��4)*4��*��K��3��K)*7*#$

42

��

43

��

/�3��=�� #� �� $$�� #��

��$��*��3��% �� #��*��

*��6��

��3 �� *��

#�$$�� )��3��*��#��#�� $��

0��*�� *� �� **�� #

��2��

44

The Computer Forensics

!�� 0��3��

'��#�� )��AA��!&�'��#��)�� :J">:�M��7G�,9:>.�JJ +&> 9�M�'�1G�,9:>.�"J!+:9">�

��$�N��%*��$�� )7��%

@�)�2��$��#��9&!+ 9�O�� *�� 9L9��'��@2� :: �M��7G�,L J.�9 J+ "J!�M�'�1G�

,L J.�9 J+ "F:�M��$�N)))7��%+��$��3��#7��

��

��

�!"��# ��

#��.��4#.��

)))7��#��7��%4��4��

)))7�)��7��%4��

Rothke computer forensics show 2010

Technology

distribution