CIS 3500 1
Digital Forensics
Chapter #24:
Risk Management
Chapter Objectives
• Understand concepts of business impact analysis
• Understand concepts of risk management
• Explore risk management processes
• Compare and contrast various types of controls
• Learn the categories of security controls
Digital Forensics2
Digital Forensics
• Computer forensics involves the preservation, identification, documentation, and interpretation of computer data
• It is the technical side of developing proof as to what happened or did not happen
• Digital forensics specifically uses scientific principles to provide assurance in explaining what digital evidence shows, so that the conclusions can be reproduced and defended
Order of Volatility
• The order of volatility of digital information in a system (the ordering given in RFC 3227): collect the most volatile first, because it is lost or overwritten soonest
  • CPU, cache, and register contents (collect first)
  • Routing tables, ARP cache, process tables, kernel statistics
  • Live network connections and data flows
  • Memory (RAM)
  • Temporary file system/swap space
  • Data on hard disk
  • Remotely logged data
  • Data stored on archival media/backups (collect last)
Chain of Custody
• The chain of custody accounts for all persons who handled or had access to the evidence, from collection until the case is closed
  • Record each item collected as evidence
  • Record who collected the evidence along with the date and time
  • Write a description of the evidence
  • Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected
  • Record all message digest (hash) values in the documentation; compute them at collection, before the first transfer, so every later handoff can be checked against them
  • Securely transport the evidence to a protected storage facility
  • Obtain a signature from the person who accepts the evidence
  • Provide controls to prevent access to and compromise of the evidence in storage
  • Securely transport the evidence to court for proceedings
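The steps above, as an added example of a minimal chain-of-custody ledger (this is illustrative code written for this page, not a tool from the slides or from any forensic product). Each item is hashed once at collection; every later handoff re-hashes the file and refuses the transfer, logging an integrity failure, if the digest has changed. The case number, names, file path and evidence contents are all constructed for the example.

```python
"""Added example, not from the slides: a minimal chain-of-custody ledger.

Each evidence item is hashed once at collection; every later handoff
re-hashes the file and refuses the transfer if the digest has changed.
Case number, names, paths and the evidence contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file so a multi-GB image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLedger:
    """Append-only log of who had each item, when, and with what digest."""

    def __init__(self, case_number):
        self.case_number = case_number
        self.items = {}   # item_id -> record made at collection
        self.log = []     # custody events in order

    def _record(self, item_id, event, **fields):
        self.log.append({
            "case": self.case_number,
            "item": item_id,
            "event": event,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            **fields,
        })

    def collect(self, item_id, path, collector, description, location):
        """Tag the item, describe it, and fix its digest at collection time."""
        digest = sha256_file(path)
        self.items[item_id] = {"path": str(path), "sha256": digest,
                               "description": description}
        self._record(item_id, "collected", by=collector, where=location,
                     description=description, sha256=digest)
        return digest

    def transfer(self, item_id, from_person, to_person, purpose):
        """Hand the item over; the receiver 'signs' by re-hashing it."""
        item = self.items[item_id]
        now = sha256_file(item["path"])
        if now != item["sha256"]:
            self._record(item_id, "integrity_failure", by=from_person,
                         expected=item["sha256"], observed=now)
            raise ValueError(f"{item_id}: digest changed since collection")
        self._record(item_id, "transferred", by=from_person, to=to_person,
                     purpose=purpose, sha256=now)

    def dump(self):
        return json.dumps(self.log, indent=2)


def demo():
    """One item: collected, handed over cleanly, then altered and caught."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "laptop01.dd"          # constructed stand-in
        evidence.write_bytes(b"constructed stand-in for a disk image\n")
        ledger = CustodyLedger("CASE-2024-0042")
        ledger.collect("item-1", evidence, collector="A. Examiner",
                       description="Image of laptop, S/N 12345",
                       location="Room 204 workstation")
        ledger.transfer("item-1", "A. Examiner", "B. Custodian",
                        purpose="storage")
        # Simulate alteration in storage: one byte appended to the image.
        with open(evidence, "ab") as f:
            f.write(b"\x00")
        try:
            ledger.transfer("item-1", "B. Custodian", "C. Analyst",
                            purpose="analysis")
            caught = False
        except ValueError:
            caught = True
        return {"events": [e["event"] for e in ledger.log],
                "tampering_caught": caught}


if __name__ == "__main__":
    print(demo())
```

The ledger is only as good as its own protection: in practice the log lives on write-once or access-controlled storage separate from the evidence, and the "signature" on a real handoff is a physical or digital signature by the receiver, not just a name in a record.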
Legal Hold
• In the U.S. legal system, legal precedent requires that potentially relevant information must be preserved once litigation is reasonably anticipated
• Legal hold, or litigation hold: the process by which you properly preserve any and all relevant digital evidence
• This means that ordinary data retention policies are no longer sufficient: scheduled deletion and rotation must be suspended for the data under hold
• E-mail, office documents (electronic and paper), network shares, mobile phones, tablets, databases, everything
Data Acquisition
• Questions the acquisition record must be able to answer:
  • Who collected the evidence?
  • How was it collected?
  • Where was it collected?
  • Who has had possession of the evidence?
  • How was it protected and stored?
  • When was it removed from storage? Why? Who took possession?
• Computer evidence presents yet more challenges, because the data itself cannot be sensed with the physical senses
• Data must always be evaluated through some kind of "filter" (a tool, a parser, a display) rather than sensed directly by human senses
Standards for Evidence
• For evidence to be credible, it must meet three standards:
  • Sufficient evidence: evidence must be convincing or measure up without question
  • Competent evidence: evidence must be legally qualified and reliable
  • Relevant evidence: evidence must be material to the case or have a bearing on the matter at hand
Types of Evidence
• Direct evidence: oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
• Real evidence: also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
• Documentary evidence: evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.
• Demonstrative evidence: used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Three Rules Regarding Evidence (1)
• Best evidence rule: courts prefer original evidence rather than a copy
  • Ensure that no alteration of the evidence (whether intentional or unintentional) has occurred
  • In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by a natural disaster or in the normal course of business
  • A duplicate is also acceptable when a third party beyond the court's subpoena power possesses the original
  • Copies of digital records, where proof of integrity is provided, can in many cases be used in court
Three Rules Regarding Evidence (2)
• Exclusionary rule: the Fourth Amendment to the U.S. Constitution precludes unreasonable search and seizure
  • Any evidence collected in violation of the Fourth Amendment is not admissible as evidence
  • If evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the U.S. Code, or other statutes, it may not be admissible to a court
  • If no policy exists regarding the company's intent to monitor network traffic or systems electronically, or if such a policy exists but employees have not been asked to acknowledge it by signing an agreement, sniffing employees' network traffic could be a violation of the ECPA
Three Rules Regarding Evidence (3)
• Hearsay rule: second-hand evidence, that is, evidence offered by a witness that is not based on the witness's personal knowledge
  • Hearsay is inadmissible unless it falls under one of the many recognized exceptions (such as those delineated in FRE 803)
  • Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated
  • Exceptions are being made where items such as logs and headers (computer-generated materials) are being accepted in court
  • Computer evidence is typically brought into a case by an expert witness who can speak for the data and what it means
Capture System Image
• Imaging or dumping the physical memory of a computer can help identify evidence not available on a hard drive
• Especially appropriate for rootkits, where evidence on the hard drive is hard to find
• Memory-dumping tools and hex editors are available on the Internet
• Any acquisition tool run on the live system itself occupies memory and changes system state; record the tool, its version and its hash, and the order in which commands were run, so the footprint can be accounted for
• More applicable for investigative work where court proceedings will not be pursued, since a live capture can be disputed
Storage Device
• Making forensic duplicates of all partitions is a key step in preserving evidence
• A forensic copy is a bit-by-bit copy and has supporting integrity checks in the form of hashes
• The proper practice is to use a write blocker when making a forensic copy of a drive, so that nothing (including the operating system mounting the volume) can write to the original
• The use of hash values provides a means of demonstrating that all of the copies are true to each other and the original: hash the source and the image, and record both
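The imaging step, as an added example written for this page (it is not code from the slides or from any imaging tool): a block-by-block copy that hashes the bytes as they are written, then re-hashes the stored image to verify it. The "drive" is a constructed in-memory object that exposes only a read method, standing in for a device behind a write blocker, and it can be told to fail on one block. Zero-filling an unreadable block so that offsets still line up, and reporting the block number, mirrors what common imagers do, but the implementation here is an assumption for the example. The sector size and sample data are also constructed.

```python
"""Added example, not from the slides: block-level imaging with streaming
hashes and a bad-block log. FlakySource is a constructed, read-only
stand-in for a drive behind a write blocker; zero-filling unreadable
blocks and logging them mirrors common imager behaviour, but this is not
any real tool's code.
"""
import hashlib
import io

BLOCK = 512  # sector size assumed for the example


class FlakySource:
    """Read-only device stand-in; block `bad_block` raises an I/O error."""

    def __init__(self, data, bad_block=-1):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad_block = bad_block

    def read_block(self, n):
        if n == self.bad_block:
            raise OSError(f"I/O error at block {n}")
        self._buf.seek(n * BLOCK)
        return self._buf.read(BLOCK)


def image(source, dest):
    """Copy every block to dest, hashing the bytes actually written.

    Unreadable blocks are zero-filled so offsets in the image still line
    up with the source, and their numbers are returned for the report.
    """
    h = hashlib.sha256()
    bad_blocks = []
    n_blocks = (source.size + BLOCK - 1) // BLOCK
    for n in range(n_blocks):
        want = min(BLOCK, source.size - n * BLOCK)
        try:
            chunk = source.read_block(n)
        except OSError:
            bad_blocks.append(n)
            chunk = b"\x00" * want
        h.update(chunk)
        dest.write(chunk)
    return h.hexdigest(), bad_blocks


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify(image_bytes, acquisition_hash):
    """Re-hash the stored image and compare with the acquisition digest."""
    return sha256_bytes(image_bytes) == acquisition_hash


def demo():
    data = bytes(range(256)) * 20      # 5120 bytes = 10 blocks, constructed
    source_hash = sha256_bytes(data)   # what hashing the drive itself gives

    clean = io.BytesIO()
    clean_hash, clean_bad = image(FlakySource(data), clean)

    damaged = io.BytesIO()
    dmg_hash, dmg_bad = image(FlakySource(data, bad_block=3), damaged)

    return {
        "clean_matches_source": clean_hash == source_hash,
        "clean_bad_blocks": clean_bad,
        "damaged_matches_source": dmg_hash == source_hash,
        "damaged_bad_blocks": dmg_bad,
        "damaged_image_verifies": verify(damaged.getvalue(), dmg_hash),
        "block3_zeroed": damaged.getvalue()[3 * BLOCK:4 * BLOCK] == b"\x00" * BLOCK,
    }


if __name__ == "__main__":
    print(demo())
```

The failing case is the one worth noticing: when a sector cannot be read, the image's hash can no longer match a hash of the drive, so the acquisition report must carry the bad-block list alongside the digest, and later verification is of the image against its own acquisition hash, not against the source.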
Network Traffic and Logs
• An important source of information can be the network activity associated with a device
• The level and breadth of this information is determined by the scope of the investigation
• There are many other sources of network forensic data, including firewall and IDS logs, network flow data, and event logs on key servers and services
Capture Video
• Video allows high-bandwidth data collection that can show what was connected to what, how things were laid out, what was on desktops, etc.
• Pictures of serial numbers and network and USB connections can prove invaluable in the forensics process
• Complete documentation is a must, and photographs can assist greatly in capturing details
• Another source of video data is the CCTV used for physical security; it needs to be preserved before it is overwritten
Record Time Offset
• Record time offset is the difference in time between the system clock and the actual time
• To minimize record time offset, most computers sync their time over the Internet with an official time source
• Files and events logged on a computer will have timestamp markings that are based on the clock time on the machine
• To allow the correlation of timestamp data from records inside the computer with any external event, it is necessary to know any time offset between the machine clock and the actual time
• For forensic data it is important to collect the record time offset (the machine clock and a trusted reference read at the same moment, with the time zone the machine keeps) so that local variations in time can be corrected
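Measuring and applying the offset, as an added example written for this page (not from the slides). The convention used is offset = reference time minus machine time, so the offset is added to a machine timestamp to obtain true time. The clock readings, the auth-log lines and the external firewall event are all constructed, and the machine is assumed to keep its clock in UTC; the point shown is that the same log lines either line up with the external event or miss it by minutes depending on whether the offset is applied.

```python
"""Added example, not from the slides: measure a record time offset and
apply it before correlating local log entries with an external event.

Convention: offset = reference_time - machine_time, so the offset is
ADDED to a machine timestamp to obtain true time. Clock readings, log
lines and the firewall event are constructed; the machine is assumed to
keep its clock in UTC.
"""
from datetime import datetime, timedelta, timezone

# Examiner reads the suspect machine's clock and a trusted reference
# (NTP-synced phone or GPS) at the same instant. Constructed values.
MACHINE_READ = datetime(2024, 3, 10, 14, 2, 10)        # as shown by the OS, no tz
REFERENCE_READ = datetime(2024, 3, 10, 14, 5, 40, tzinfo=timezone.utc)

# Constructed auth-log lines from the machine, stamped by its own clock.
LOG_LINES = [
    "2024-03-10 14:03:25 sshd[1123]: Accepted password for admin from 10.0.0.7 port 51022",
    "2024-03-10 14:03:31 sudo: admin : COMMAND=/bin/cp /srv/finance/q1.xlsx /tmp/.x",
    "2024-03-10 14:11:02 CRON[4410]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed external event: an NTP-synced firewall logged an outbound
# transfer from this host at this true time.
FIREWALL_EVENT = datetime(2024, 3, 10, 14, 7, 0, tzinfo=timezone.utc)
ZERO_OFFSET = timedelta(0)


def measure_offset(machine_time, reference_time, machine_tz=timezone.utc):
    """Return the timedelta to add to machine timestamps to get true time."""
    return reference_time - machine_time.replace(tzinfo=machine_tz)


def parse_line(line, machine_tz=timezone.utc):
    """Split a 'YYYY-MM-DD HH:MM:SS message' line into (aware ts, message)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=machine_tz)
    return ts, line[20:]


def correct_log(lines, offset, machine_tz=timezone.utc):
    """Return [(true_time, message)] with the offset applied to every entry."""
    return [(ts + offset, msg)
            for ts, msg in (parse_line(l, machine_tz) for l in lines)]


def events_near(entries, when, window=timedelta(seconds=30)):
    """Entries whose (corrected) time lies within `window` of an external event."""
    return [(ts, msg) for ts, msg in entries if abs(ts - when) <= window]


def demo():
    offset = measure_offset(MACHINE_READ, REFERENCE_READ)   # +3m30s: clock is slow
    corrected = correct_log(LOG_LINES, offset)
    return {
        "offset_seconds": offset.total_seconds(),
        "matches_corrected": len(events_near(corrected, FIREWALL_EVENT)),
        "matches_uncorrected": len(events_near(correct_log(LOG_LINES, ZERO_OFFSET),
                                               FIREWALL_EVENT)),
    }


if __name__ == "__main__":
    for ts, msg in correct_log(LOG_LINES, measure_offset(MACHINE_READ, REFERENCE_READ)):
        print(ts.isoformat(), msg)
    print(demo())
```

Two practical caveats: note which time zone the machine's clock is kept in (Windows typically keeps the hardware clock in local time, Linux in UTC), since that changes the arithmetic, and record when the offset was measured, because an unsynced clock drifts and an offset measured days later is not the offset that applied at the time of the events.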
Take Hashes
• With files, logs, and other digital information you need to ensure that the data isn't modified
• A hashing algorithm performs mathematical operations on a data stream (or file) to calculate a fixed-length number (the digest) that depends on every bit of the input
• If a subsequent hash computed on the same data stream gives a different value, the data stream has changed; if it gives the same value, the data is unchanged for any practical purpose, because finding a second input with the same digest is computationally infeasible for a sound algorithm
• Use SHA-256 or stronger; MD5 and SHA-1 have known collision attacks, so a matching digest from either is weaker evidence of integrity
• This is an area of cryptography
Screenshots
• Screenshots provide documentation as to what was on the screen at the time of collection
• Because you cannot trust the system internals themselves to be free of tampering, do not use the system's own screenshot capture methods; photograph the screen with an external camera instead
Witness Interviews
• Witness credibility is extremely important
• Witness preparation can be critical in a case, even for technical experts
• As human memory is not as long lasting as computer files, it is important to get witness testimony and collect that data as early as possible
• Having them write down what they remember immediately is very helpful in preserving memory
Preservation
• One of the key elements in preservation is to ensure nothing changes as a result of data collection
• If a machine is off, do not turn it on; the disk drives can be imaged with the machine off
• Turning on the machine causes a lot of processes to run and data elements to be changed
• When making a forensic copy of a disk, always use a write blocker
• Normal copying leaves traces and changes behind
Preservation
• There is no recovery from data that has been changed
• When data is collected, a solid chain of custody must be maintained until the case is completed
• When a forensic copy of the data is obtained, a hash is collected as well, to allow for the verification of integrity
• All analysis is done on forensic copies of the original data collection, not the master copy itself
• Each copy is verified before and after testing by comparing hash values to the original set to demonstrate integrity
Recovery
• Recovery is associated with determining the relevant information for the issue at hand
• Question: how can you find it? What is significant or relevant?
• Establishing timelines within which the suspected activity occurred
• Identifying keywords to find strings of information
• Pinpointing specific activities that have associated logs of their occurrence
Strategic Intelligence Gathering
• Strategic intelligence gathering is the use of all available sources of information to determine, ahead of an incident, what the organization has, where it is, and what activity is allowed
• This can make a large difference in whether a firm is prepared for threats or not
• Strategic intelligence can provide information that limits the scope of an investigation to a manageable level
• Where is it, what is it, and what is allowed/not allowed are all pieces of information that, when arranged and analyzed, can lead to a data-logging plan
Counterintelligence Gathering
• Counterintelligence gathering is the gathering of information specifically targeting the strategic intelligence effort of another entity
• Knowing what people are looking at and what information they are obtaining can provide insight into their motives and potential future actions
• Making and using a tool so that it does not leave specific traces of where, when, or on what it was used is a form of counterintelligence gathering in action
Active Logging
• Minimize the scope of logging so the event you are interested in stands out
• In the preparation phase the organization limits logging to specific events, such as copying sensitive files
• You can make an active logging plan that assures the information is logged when it occurs, in a location that prevents alteration
• Active logging is determined during preparation
• Strategic intelligence gathering provides the information necessary to build an effective active logging plan
Track Man-Hours
• Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings
• Having the ability to demonstrate who did what, when they did it, and how long it took can provide information to establish that the steps were taken per the processes employed
• Having solid accounting data on man-hours and other expenses can provide corroborating evidence as to the actions performed
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!