All the gear! ! and no idea Scalable, fast & forensically sound incident response using “NOOBS” Andrew Sheldon MSc.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
All the gear! ! and no idea
Scalable, fast & forensically sound
incident response using “NOOBS”
Andrew Sheldon MSc.
There are 3 BIG issues
Annual computer sales since 1986 Source: www.guardian.co.uk
1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
75
150
225
300
Mill
ions
of u
nits
per
yea
r
The number of “POTENTIAL CRIME
SCENES” increase every year
Growth in hard disk capacity Source: www.guardian.co.uk
1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
500
1000
1500
2000
Cap
acity
in G
IGA
BYT
ES
Crime scenes keep getting BIGGER
Size of disks
There’re not enough FORENSIC ANALYSTS
The number of examinations will grow even faster
What does the future hold?
TIME
The number of analysts will continue
to grow over time
results in a high proportion of UNNECESSARY EXAMINATIONS
Ratio of front-line
“responders”
to back-room “experts”
THE SECONDARY CAUSE?
It also results in
MORE TRAVEL
HIGHER COSTS
WASTED TIME
WHAT DOES ALL THIS
MEAN
We’ll KEEP getting what we’ve always had
If we KEEP doing what we’ve always done!
Too much work & too little time
Say HELLO to the ”NOOBS”
Perhaps we should EMPOWER THE FRONT LINE To make informed decisions
THE BREATHALYSER ANALOGY
Effective at the FRONT LINE
Limited SKILLS required
Easy to DEPLOY
Supports SUSPICIONS
There are some very good precedents
THE A&E ANALOGY
Not all BRAIN SURGEONS
Few SIMPLE tools
Limited TRAINING
Prioritises CASELOAD
So, how do we do it?!
A formal & controlled process for...
• Assessing risk • Identifying targets • Collecting data • Filtering information • Classifying results • Prioritising actions • Allocating resources
High Call in the experts
Medium Seek advice from experts
Low Perform triage or imaging
WE KNOW HOW TO APPLY THE
RULES
Which help filter the RELEVENT
Prioritise RESOURCES
BUT !
We must control the NOOBS
with more than just a BOOT CD or thumb drive
we have to
PACKAGE THE
SCIENCE
Play time ;-)
Live demos
• Remote Forensics – Respond to an incident in the USA, using Encase, via a mobile
phone
• Digital Triage – Demonstrate how a NOOB can find the evidence forensically
(and avoid giving you unnecessary work)
Forensic Incident Management Server
(FIMS)
Case Manager In USA
Forensic Analyst In LONDON
Request forensic Assistance for job in New York
Reviews CASE request Authorises
Analyst Downloads Credentials
Accesses evidence Using credentials
Accepts CASE
Remote Forensics Process
NOOB Does the
“hands on” task
Forensic analyst Sends instructions
from FIMS to NOOB
Evidence In USA
POD
QUESTIONS?
Thank You
Andrew Sheldon MSc. Evidence Talks Ltd
[email protected] Tel: 0845 125 4400
54 68 61 6E 6B 20 59 6F 75
Related Documents
