
Digital Evidence Dean R. Beal CISA, CFE, ACE.


Presentation on theme: "Digital Evidence Dean R. Beal CISA, CFE, ACE."— Presentation transcript:

1 Digital Evidence Dean R. Beal CISA, CFE, ACE

2 Allegation
Anonymous Tip
Ethics Line
Risk Assessment
Audit
Continuous Auditing/Monitoring

3 Allegation
Fraud and/or Abuse:
  Breaches of Confidentiality
  Running a Personal Business
  Pornography
  Sharing Copyrighted Material
  Travel and Business Expenses
  Unlicensed Software Use
  Time and Attendance
  Harassment
  Bribery
  Theft
  Discrimination

4 Assessing the Allegation
Management:
  Receives
  Reviews
  Assigns
Guidelines:
  Should exist, outlining the steps taken to obtain digital evidence in support of an investigation

5 Assessing the Allegation
Support a Non-IT Investigation
Complete an IT Investigation

6 Obtaining Digital Evidence
Identification of:
  Person(s)
  Desktops/laptops
  Mobile devices
  External drives
  Network shares
  Location(s)
  Network Segment
  Ping
  Doors accessed
  Connectivity
  Bandwidth

7 Obtaining Digital Evidence
Keep it Confidential
  Only those with a “Need to Know”
Physical Confiscation
Unplug, remove batteries
External storage devices
Digital camera
Chain of custody forms
Check in and under everything
Evidence bags
Document everything

8 Unstructured Data
No Schemas
No Organization
Unpredictable
Make Note of:
  Obvious
  Not so obvious
Piece the puzzle from the outside-in
Start in the Forest
Don’t get lost in the trees… yet

9 Searching Unstructured Data
Internet
Instant Messenger
Digital Forensics
Servers
Desktops
Laptops
Mobile Devices

10 Searching the Internet
Open Connection
No affiliation
Use Alias:
  address
  Profiles
  User IDs

11 Searching the Internet
Web Reporting
Google Hacking
  “intext:”
  “filetype:”
Blogs
Deep Web
Public Records
Social Media

12 Searching eMail & IM
Right to Privacy?
Warning banners
Real-time
Journaling
Back-ups
  .pst
  .nsf
“Fly Over”
Items of potential importance
Key words

13 Searching eMail & IM
Can See It All
Everything is Fair Game
Interesting differences between professional and personal personas
What’s Happening?
Substantiated?
More information needed?
Take notes

14 Digital Forensics
Network “Snapshot”
Physical “Static”

15 ProDiscover
Can connect to any computer on the network
  By IP address
  By computer name
Installs remote agent executable
  Runs in the background as a Service
Captures image of hard drive over the network
  Deleted files
  Everything

16 ProDiscover
User does not know they are being imaged
Connected external drives can be accessed
Timing
All or nothing
Unix dd image format
Slower processing time
Network location

17 FTK Imager
Physical drive
dd Image
E01 Image Format
Segments
Faster Processing
Physical device

18 Physical Write Blockers

19 Physical Write Blockers
Diagram: Suspect Hard Drive → Hardware Write Blocker → Forensics PC → Forensics Hard Drive (arrows labelled Reads and Writes)

20 Hash Values
MD5 Hashes
Original MD5 Hash Value: 6f8e3290e1d4c2043b26552a40e5e038
Imaged MD5 Hash Value:
Verified MD5 Hashes
  Image Level
  File Level
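The image-level and file-level verification on this slide, worked through in code. This is an added example, not part of the presentation and not tied to any of the tools it names: the "drive" is a handful of constructed files concatenated in a fixed order to stand in for a raw dd image, and the digests are computed in chunks the way you would over a multi-gigabyte acquisition. Verifying both MD5 and SHA-256 is the one addition beyond the slide: MD5 still catches accidental corruption, but it is no longer collision resistant, so a second algorithm is cheap insurance when the hash will be quoted in a report.

```python
import hashlib
import io

# Constructed sample "suspect drive": a few small files standing in for the
# contents of a real acquisition. Names and bytes are made up for this example.
SOURCE_FILES = {
    "Documents/invoice.txt": b"Invoice 1001 paid 2005-04-15\n",
    "Documents/notes.txt": b"Meeting with vendor at 3pm\n",
    "Pictures/photo.bin": bytes(range(256)),
}

CHUNK_SIZE = 1024 * 1024  # hash large images 1 MiB at a time, never all in memory


def build_image(files):
    """Concatenate the files in a fixed order to stand in for a raw (dd) image."""
    return b"".join(files[name] for name in sorted(files))


def hash_stream(stream, algorithm="md5", chunk_size=CHUNK_SIZE):
    """Digest a file-like object chunk by chunk; works the same for a 2 TB image file."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data, algorithm="md5"):
    return hash_stream(io.BytesIO(data), algorithm)


def verify_image(original, imaged, algorithms=("md5", "sha256")):
    """Image-level check: the acquired image must reproduce every digest of the source.
    MD5 alone detects accidental corruption; pairing it with SHA-256 also rules out
    a deliberately crafted MD5 collision."""
    return all(hash_bytes(original, a) == hash_bytes(imaged, a) for a in algorithms)


def verify_files(source_files, imaged_files, algorithm="md5"):
    """File-level check: paths whose digest differs from the source, or which are missing."""
    return sorted(
        name for name, data in source_files.items()
        if name not in imaged_files
        or hash_bytes(imaged_files[name], algorithm) != hash_bytes(data, algorithm)
    )


if __name__ == "__main__":
    image = build_image(SOURCE_FILES)
    print("image MD5:", hash_bytes(image))
    print("image SHA-256:", hash_bytes(image, "sha256"))
    print("image verified:", verify_image(image, bytes(image)))
    tampered = {**SOURCE_FILES, "Documents/notes.txt": b"Meeting cancelled\n"}
    print("file mismatches:", verify_files(SOURCE_FILES, tampered))
```

Record both the image-level digests and the per-file digests at acquisition time; a later file-level mismatch with a matching image-level digest points at the file listing or export step rather than the image itself.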

21 FTK Image Basics
Data Carving
File Types of Interest
KFF
Graphics
Deleted Files
Recycle Bin
Personal Videos
Key Word Searches

22 dtSearch
Indexed
Faster searching
And – both required
Or – either required
Not
w/# – within number of words
? – any character
* – any number of characters
~ – stems (good for tenses)
% – fuzzy (good for misspellings)
& – synonyms

23 Regular Expressions
Not Indexed
Slower Searching
Social Security numbers
Credit card numbers
Phone numbers
IP addresses
Literal vs. operational
  x vs. \x
  d vs. \d
\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>
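The slide's card-number pattern, plus patterns for the other three data types it lists, run over a constructed block of text. This is an added example in Python rather than dtSearch syntax and is not from the presentation: dtSearch marks word boundaries with \< and \>, while Python's re module uses \b for both, which is the only translation the slide's pattern needs. The sample text, the Visa test number in it and the Luhn filter are all my additions; the Luhn check is there because a bare sixteen-digit pattern also matches order numbers and timestamps, and the mod-10 check removes most of those false positives before anyone reads the hits.

```python
import re

# dtSearch writes word boundaries as \< and \>; Python's re uses \b for both.
# "card" is the slide's \<\d\d\d\d(\-| )...\> pattern, translated.
PATTERNS = {
    "card": re.compile(r"\b\d{4}(?:-| )\d{4}(?:-| )\d{4}(?:-| )\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample text; 4111-1111-1111-1111 is the widely published Visa test number.
SAMPLE_TEXT = """From: vendor-desk
Call 555-123-4567 about invoice 1001.
Card on file 4111-1111-1111-1111 was charged; the other one, 1234 5678 9012 3456, was declined.
Employee SSN 123-45-6789 appears in the attachment. Uploaded from 10.0.0.25 last night.
"""


def find_pii(text, patterns=PATTERNS):
    """Run every operational pattern over the text and return the hits per category."""
    return {name: [m.group(0) for m in rx.finditer(text)] for name, rx in patterns.items()}


def literal_pattern(s):
    # Literal search: re.escape makes the text match exactly as typed,
    # so the two characters backslash-d match only a backslash followed by a d.
    return re.compile(re.escape(s))


def operational_pattern(s):
    # Operational search: the same two characters are the digit class \d.
    return re.compile(s)


def luhn_valid(number):
    """Mod-10 check that real payment card numbers satisfy; non-digits are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_hits(text):
    """Card-pattern matches that also pass Luhn; the rest are almost always false positives."""
    return [hit for hit in find_pii(text)["card"] if luhn_valid(hit)]


if __name__ == "__main__":
    for kind, hits in find_pii(SAMPLE_TEXT).items():
        print(f"{kind}: {hits}")
    print("Luhn-valid cards:", card_hits(SAMPLE_TEXT))
    print("literal \\d in text:", bool(literal_pattern(r"\d").search(r"pattern \d here")))
    print("operational \\d in text:", bool(operational_pattern(r"\d").search("42")))
```

Keep the raw pattern hits as well as the filtered list: the Luhn filter reduces reviewer workload, but a number that fails the check can still be relevant context (a typo in a stored card number is itself a finding).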

24 FTK Image Advanced
Password Protected Files
Encrypted Drives
Data Wiping
Missing File Headers
index.dat
Metadata
Prefetch
Link Files (LNK)
Other Registry Artifacts

25 Registry Viewer
NTUSER.dat
Passwords
MRU
Recent docs
Drives connected
USB devices
Counts
Typed URLs

26 Passwords/Encryption
Password Recovery Toolkit (PRTK)
  Dictionary
  Decryption
  Brute force
Export NTUSER.dat
Distributed Network Attack (DNA)
Full Disk Encryption
  Decryption key needed

27 Accountability
Filter on:
  Username
  Relative Identifier (RID)
  Security Identifier (SID)
  Security Accounts Manager (SAM)

28 Oxygen Forensic Suite
Tool Capabilities are Device Specific
Device Drivers Needed
Chargers/Connectors
Media Cards
Passwords/PIN#s
Remote Wiping

29 Oxygen Forensic Suite
eMail
Text Messages
Phonebook/Contact List
Calendar
Call History
Pictures/Videos
Social Network Messages
Internet Sites

30 Oxygen Forensic Suite
Logical Analysis
Physical Analysis
Logical/Physical Analysis
SQLite, Plist, IPD file viewers
Backup File Creation

31 Mobile Device Storage

32 Write Blockers

33 Unstructured Data as Digital Evidence
Actions
Accountability
Dates and Times
Tie to Source Information
  eMail & IM to image
  Internet to image
  Mobile device to image

34 Structured Data
Schemas
Organized
Predictable
Silos
Complexity
But rarely clean
Data Dictionary
Knowledge Base
Training Resources

35 Obtaining Structured Data
Is it:
  Complete?
  Verifiable?
  Source data?
  Transactional?
  Aggregated?
  Report?
Does it have integrity?
Has anyone else touched it?
Will it need to be cleansed or reformatted?

36 Obtaining Structured Data
Is it:
  Hierarchical?
  Relational?
  Fixed length?
  Variable length?
  Delimited?
  Mainframe?
  HL7?
  EDI?

37 Obtaining Structured Data
Learn Application and System Process and Data Flows
Obtain Access to the Application
Obtain Direct Access to the Source Data
Learn the Query Language
Admit You’re in Over Your Head
Make Friends with IT
  Ask for help
  Without loss of confidentiality
Involve IT
  Legacy
  Require confidentiality

38 Obtaining Structured Data
Source Systems:
  DB2
  Oracle
  SQL Server
  Mainframe
Querying Tools:
  TOAD
  QMF
  Proprietary reporting tools
No direct access available

39 Obtaining Structured Data
Structured Query Language (SQL)
  Fairly standard across most platforms
  Some variations
    PL/SQL
    T-SQL
Databases
Schemas
Tables
Normalization
Fields/columns
Primary keys
Foreign keys

40 Obtaining Structured Data
Individual tables won’t always give you meaningful information
Relating those tables by primary and foreign keys provides meaningful information

41 Obtaining Structured Data
Tweak and Utilize Existing SQL
Write Your Own
  Can be time consuming
  Trial and Error
Reconcile Back to Application
Have Others Validate the Results
Back to source documentation if available

42 Obtaining Structured Data
Some Enterprise Databases contain 30,000+ Tables
Data dictionaries should exist
Determine the individual tables containing needed data
Determine the primary and foreign key(s) to create the join(s)
Write the SQL statement(s)

43 Obtaining Structured Data
Joins are the Drivers
Inner Join
  All records in Table B that have a match in Table A
Outer Join (Left or Right)
  All records in Table A, with or without a match in Table B, and only those records in Table B that have a match in Table A
Cartesian Join
  Something is wrong

44 Obtaining Structured Data
When Querying Enterprise Databases:
  Only what is necessary
  Not all columns/records
  No aggregating
  Apply date parameters
  Watch the processing time
  Something may be wrong with the SQL
  Edit and repeat
  Tie to source information
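The three join types from slide 43 and the query hygiene from slide 44, worked on a small constructed database. This is an added example and not from the presentation: the employees and expenses tables, their rows and the orphan claim (an expense whose emp_id matches no employee) are all made up, and SQLite stands in for the DB2, Oracle or SQL Server source the slides describe. Beyond the slides it shows how to recognise an accidental Cartesian product by row count, how to surface the orphan rows a left join reveals, and how to apply a date range with bound parameters so the query takes only the columns and rows it needs and never concatenates user-supplied text into SQL.

```python
import sqlite3

# Constructed sample tables: employees (Table A) and expense claims (Table B).
# Claim 13 deliberately references an employee id that does not exist.
SCHEMA = """
CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE expenses (
    exp_id   INTEGER PRIMARY KEY,
    emp_id   INTEGER NOT NULL,
    exp_date TEXT    NOT NULL,   -- ISO yyyy-mm-dd so text comparison orders correctly
    amount   REAL    NOT NULL,
    FOREIGN KEY (emp_id) REFERENCES employees(emp_id)
);
INSERT INTO employees VALUES (1, 'Ann'), (2, 'Bob'), (3, 'Cy');
INSERT INTO expenses VALUES
    (10, 1, '2011-01-15', 120.00),
    (11, 1, '2011-02-03',  80.00),
    (12, 2, '2011-02-20', 300.00),
    (13, 9, '2011-03-01',  45.00);
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def inner_join(conn):
    """Only expenses whose emp_id matches an employee; the orphan claim 13 disappears."""
    return conn.execute("""
        SELECT e.name, x.exp_id, x.amount
        FROM employees e INNER JOIN expenses x ON x.emp_id = e.emp_id
        ORDER BY x.exp_id""").fetchall()


def left_join(conn):
    """Every employee, with or without expenses: Cy appears with NULLs."""
    return conn.execute("""
        SELECT e.name, x.exp_id, x.amount
        FROM employees e LEFT JOIN expenses x ON x.emp_id = e.emp_id
        ORDER BY e.emp_id, x.exp_id""").fetchall()


def orphan_expenses(conn):
    """Expenses with no matching employee: a referential-integrity finding in its own right."""
    return conn.execute("""
        SELECT x.exp_id, x.emp_id
        FROM expenses x LEFT JOIN employees e ON e.emp_id = x.emp_id
        WHERE e.emp_id IS NULL""").fetchall()


def expenses_between(conn, start, end):
    """Date parameters through placeholders: needed columns only, no string-built SQL."""
    return conn.execute("""
        SELECT exp_id, emp_id, amount FROM expenses
        WHERE exp_date BETWEEN ? AND ?
        ORDER BY exp_id""", (start, end)).fetchall()


def count_rows(conn, table):
    """COUNT(*) for a table name, accepted only if the catalogue actually lists it."""
    known = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError(f"unknown table {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def looks_cartesian(conn, sql, table_a, table_b):
    """A result with |A| x |B| rows almost always means the join condition is missing."""
    rows = conn.execute(sql).fetchall()
    return len(rows) == count_rows(conn, table_a) * count_rows(conn, table_b)


if __name__ == "__main__":
    db = open_sample_db()
    print("inner:", inner_join(db))
    print("left:", left_join(db))
    print("orphans:", orphan_expenses(db))
    print("Feb 2011:", expenses_between(db, "2011-02-01", "2011-02-28"))
    print("cartesian?", looks_cartesian(db, "SELECT * FROM employees, expenses", "employees", "expenses"))
```

The row-count check is the practical form of "watch the processing time, something may be wrong with the SQL": on a 30,000-table enterprise schema a missing join condition shows up first as a query that never finishes, so compare the expected and actual counts on a small date window before widening the range.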

45 Information to Evidence
Microsoft Access & Excel
ACL
Reformatting
Appending
Computed fields
Aggregating
Querying
Reporting

46 Structured Data as Digital Evidence
Append the Output
  Like data from differing sources rarely matches
  Cleansing
  Re-formatting
Reconcile to Source Data
  Control totals
  Record counts
Create New Functionality
  Computed fields
Get to the answer

47 Standardize the Output
Social Security Numbers
Birthdates
Addresses
Names
Phone Numbers
Zip Codes

48 Standardize the Output
ACL creates its own “view” of the source data file with the .fil extension
.fil is “read only”
Source Data Remains Untouched

49 Standardize the Output
STRING(): STRING(Invoice_Nbr)
VALUE(): VALUE(Invoice_Pmt)
DATE(): DATE(Birthdate)

50 Standardize the Output
Birthdate = ‘ ’
SUBSTRING(Birthdate, 5, 2) = ‘04’
SUBSTRING(Birthdate, 7, 2) = ‘15’
SUBSTRING(Birthdate, 1, 4) = ‘2005’

51 Standardize the Output
If you aren’t going to add, subtract, multiply, divide, or otherwise calculate with the field, format it as Text
If you are going to add, subtract, multiply, divide, or otherwise calculate with the field, format it as Numeric or Date
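Slides 46 through 51 together describe one procedure: cleanse and standardize extracts from different sources, append them, leave the source untouched, and reconcile record counts and control totals before treating the output as evidence. The example below walks that procedure in Python rather than ACL and is my addition, not the presentation's. The two extracts (an HR row set with yyyymmdd birthdates and a payroll row set with mm/dd/yyyy dates and formatted amounts), the control figures and every field name are constructed; substring() mirrors ACL's 1-based SUBSTRING so the slide's positions 5, 7 and 1 apply unchanged, identifiers stay text so leading zeros survive, and amounts become Decimal rather than float so the control total is exact.

```python
from decimal import Decimal
import re

# Constructed extracts from two source systems, as a report or query would return them.
# HR stores birthdates as yyyymmdd text; payroll uses mm/dd/yyyy and amounts with separators.
HR_ROWS = [
    {"emp_id": "00017", "ssn": "123-45-6789", "birthdate": "20050415", "name": "Ann  Lee"},
    {"emp_id": "00042", "ssn": "987-65-4321", "birthdate": "19800101", "name": "bob smith"},
]
PAYROLL_ROWS = [
    {"emp_id": "17", "ssn": "123456789", "birthdate": "04/15/2005", "net_pay": "1,250.00"},
    {"emp_id": "42", "ssn": "987654321", "birthdate": "01/01/1980", "net_pay": "980.50"},
]
# Control figures taken from the source systems' own reports (constructed here).
SOURCE_CONTROLS = {"hr_count": 2, "payroll_count": 2, "payroll_net_pay": Decimal("2230.50")}


def substring(s, start, length):
    """ACL-style SUBSTRING with a 1-based start, e.g. SUBSTRING(Birthdate, 5, 2)."""
    return s[start - 1:start - 1 + length]


def standardize_date(value):
    """Return yyyymmdd text. Accepts yyyymmdd or mm/dd/yyyy; anything else is an exception."""
    if re.fullmatch(r"\d{8}", value):
        return value
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", value)
    if m:
        month, day, year = m.groups()
        return year + month + day
    raise ValueError(f"unrecognised date {value!r}")


def standardize_ssn(value):
    """Identifiers are text, never numbers: strip formatting only, keep every digit."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        raise ValueError(f"bad SSN {value!r}")
    return digits


def standardize_id(value, width=5):
    """Text field: pad so '17' and '00017' compare equal and the leading zeros are kept."""
    return value.strip().zfill(width)


def standardize_name(value):
    return " ".join(value.split()).upper()


def to_amount(value):
    """Fields that will be added or totalled become Decimal so control totals are exact."""
    return Decimal(value.replace(",", ""))


def append_sources(hr_rows, payroll_rows):
    """Cleanse both extracts into one layout and append them; the inputs are not modified."""
    out = []
    for r in hr_rows:
        out.append({"source": "HR", "emp_id": standardize_id(r["emp_id"]),
                    "ssn": standardize_ssn(r["ssn"]), "birthdate": standardize_date(r["birthdate"]),
                    "name": standardize_name(r["name"]), "net_pay": None})
    for r in payroll_rows:
        out.append({"source": "PAYROLL", "emp_id": standardize_id(r["emp_id"]),
                    "ssn": standardize_ssn(r["ssn"]), "birthdate": standardize_date(r["birthdate"]),
                    "name": None, "net_pay": to_amount(r["net_pay"])})
    return out


def reconcile(rows, controls):
    """Record counts and control totals must tie to the source before the output is evidence."""
    hr = [r for r in rows if r["source"] == "HR"]
    pay = [r for r in rows if r["source"] == "PAYROLL"]
    return {
        "hr_count": len(hr) == controls["hr_count"],
        "payroll_count": len(pay) == controls["payroll_count"],
        "payroll_net_pay": sum(r["net_pay"] for r in pay) == controls["payroll_net_pay"],
        # computed field: do HR and payroll agree on the birthdate of the same person?
        "birthdates_agree": all(h["birthdate"] == p["birthdate"]
                                for h in hr for p in pay if h["ssn"] == p["ssn"]),
    }


if __name__ == "__main__":
    combined = append_sources(HR_ROWS, PAYROLL_ROWS)
    for row in combined:
        print(row)
    print(reconcile(combined, SOURCE_CONTROLS))
```

A reconcile result with any False entry means the combined output is not yet evidence: either a row was dropped or duplicated during cleansing, or the source extract itself does not match the system's reported totals, and both possibilities need to be run down before the report is written.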

52 Structured Data as Digital Evidence
Actions
Accountability
Dates and Times
Tie to Source Information
Control Weaknesses
  Segregation of duties
  Approval limits
  Lack of oversight

53 Presenting the Digital Evidence
Report Preparation
  Unstructured information
  Structured information
Support the Allegation(s)
Refute the Allegation(s)
Consult with Law
Consult with Management
Consult with Senior Executives

54 CAATs
Direct Access and the Right Tools
Reactive
  Ad-hoc
Proactive
  Automate
  Take what’s been learned and apply to the entire population
  100% Testing
  Exception based
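An exception-based CAAT of the kind slide 54 describes, applied to the three control weaknesses named on slide 52 (segregation of duties, approval limits, lack of oversight). This is an added example in Python and is not from the presentation or from ACL: the claim population, the approver and the approval limit are constructed, and in a production script the limits would be read from policy data rather than hard-coded. Every record in the population goes through every check, and only the exceptions come out, which is what makes the same script reusable as a proactive, scheduled test.

```python
from decimal import Decimal

# Constructed population of expense claims; in practice this is the full extract, not a sample.
CLAIMS = [
    {"claim": 101, "submitter": "ann", "approver": "dana", "dept": "sales", "amount": Decimal("450.00")},
    {"claim": 102, "submitter": "bob", "approver": "bob",  "dept": "sales", "amount": Decimal("90.00")},
    {"claim": 103, "submitter": "cy",  "approver": "dana", "dept": "ops",   "amount": Decimal("5200.00")},
    {"claim": 104, "submitter": "ann", "approver": "",     "dept": "sales", "amount": Decimal("120.00")},
    {"claim": 105, "submitter": "eve", "approver": "dana", "dept": "ops",   "amount": Decimal("999.99")},
]
# Assumed control parameter: per-approver limit (would come from policy data, not code).
APPROVAL_LIMITS = {"dana": Decimal("1000.00")}


def check_segregation_of_duties(claim):
    """Nobody approves their own claim."""
    if claim["submitter"] == claim["approver"]:
        return "submitter approved own claim"


def check_oversight(claim):
    """Every claim carries an approver; a blank one means the control was bypassed."""
    if not claim["approver"]:
        return "no approver recorded"


def check_approval_limit(claim, limits=APPROVAL_LIMITS):
    """The approver was authorised for the amount."""
    limit = limits.get(claim["approver"])
    if limit is not None and claim["amount"] > limit:
        return f"amount exceeds approver limit {limit}"


CHECKS = (check_segregation_of_duties, check_oversight, check_approval_limit)


def run_exception_tests(population, checks=CHECKS):
    """100% testing: every record through every check; only the exceptions are returned."""
    exceptions = []
    for record in population:
        for check in checks:
            reason = check(record)
            if reason:
                exceptions.append((record["claim"], check.__name__, reason))
    return exceptions


def summarize(exceptions):
    """Exceptions per check, the headline figure for a recurring monitoring report."""
    counts = {}
    for _, check_name, _ in exceptions:
        counts[check_name] = counts.get(check_name, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_exception_tests(CLAIMS)
    for claim_id, check_name, reason in found:
        print(f"claim {claim_id}: {check_name}: {reason}")
    print(summarize(found))
```

Keeping each control as its own small function is what lets the script grow from the "low hanging fruit" tests to a broader suite: a new control is one more function in CHECKS, and the population loop and the reporting stay the same.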

55 ACL Scripting
Series of commands stored as a unit in an ACL project
Executed repeatedly and automatically
Any ACL command can be stored as a script
Source: 302 | Advanced ACL Concepts & Techniques, SCRIPTS (CANADA: ACL Services Ltd, 2006), 2.

56 ACL Scripting
Standardizing Data:
OPEN HR_Active

57 ACL’s Audit Analytic Capability Model
LEVEL 1 – BASIC
  Audit specific
  Classifications
  Summarizations
  Duplicates
  Ad hoc
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 3.

58 ACL’s Audit Analytic Capability Model
LEVEL 2 – APPLIED
  Specific and repeatable tests
  Start with “low hanging fruit”
  Add additional and broader tests
  Focus on data access
  Efficient script design for repeatability
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 5.

59 ACL’s Audit Analytic Capability Model
LEVEL 3 – MANAGED
  Centralized, secure, controlled, efficient data analysis
  Many people involved
  Processes and technology in place
  Server environment
  Multiple locations
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 7.

60 ACL’s Audit Analytic Capability Model
LEVEL 4 – AUTOMATED
  Comprehensive suites of tests developed
  Tests scheduled regularly
  Concurrent, ongoing auditing of multiple areas
  More efficient and effective audit process
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 10.

61 ACL’s Audit Analytic Capability Model
LEVEL 5 – MONITORING
  Progress from continuous auditing to continuous monitoring
  Expanded to other business areas
  Process owners notified immediately of exceptions
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 12.

62 Forensics Lab
Physical Security
Logical Security
  SSNs
  Credit card numbers
Software Licensing
  Updates, upgrades
Hardware and Other Peripherals
Storage
  Short term, long term
  Enough?

63 Forensics Lab
Forensic Workstation
  Processing workhorse
  SSD
  Memory
  JBOD
Forensic Desktop
  Secondary processing
  Image reviewing
Forensics Laptops
Open Internet Laptop
  Don’t do this on the company network

64 Forensics Lab
Retention
Inventory
Back-ups and Recovery
  On-site, off-site
Chain of Custody
  Physical
  Image
Data Wiping and Verification
CIA
COBIT

65 Challenges
Time Consuming
Satellite Locations
Emerging Technologies
System Processing/Data Flows
  Lack of documentation
Cloud Computing
Hard Drive Capacities
Anti-Forensics

66 Challenges
External Storage Devices
  Personal vs. Corporate
  BYOD
False Positives
Data Silos
Data Integrity
Passwords
Encryption

67 Summary
Mixture of Art and Science
  Intuition
  Common sense
Knowledge and use of tools
Persistence
Testing Theories
Research
Learning

68 Conclusion
No One Solution
Expect the Unexpected
Remain Fair and Objective
Report Just the Facts

69 Questions?
