Presentation transcript: Digital Evidence, Dean R. Beal CISA, CFE, ACE

1 Digital Evidence
- Dean R. Beal CISA, CFE, ACE

2 Allegation
- Anonymous Tip
- Ethics Line
- Risk Assessment
- Audit
- Continuous Auditing/Monitoring

3 Allegation
Fraud and/or Abuse:
- Breaches of Confidentiality
- Running a Personal Business
- Pornography
- Sharing Copyrighted Material
- Travel and Business Expenses
- Unlicensed Software Use
- Time and Attendance
- Harassment
- Bribery
- Theft
- Discrimination

4 Assessing the Allegation
Management:
- Receives
- Reviews
- Assigns
Guidelines:
- Should exist, outlining the steps taken to obtain digital evidence in support of an investigation

5 Assessing the Allegation
- Support a Non-IT Investigation
- Complete an IT Investigation

6 Obtaining Digital Evidence
Identification of:
- Person(s)
  - Desktops/laptops
  - Mobile devices
  - External drives
  - Network shares
- Location(s)
  - Network segment
  - Ping
  - Doors accessed
  - Connectivity
  - Bandwidth

7 Obtaining Digital Evidence
- Keep it Confidential
  - Only those with a need to know
- Physical Confiscation
  - Unplug, remove batteries
  - External storage devices
  - Digital camera
  - Chain of custody forms
  - Check in and under everything
  - Evidence bags
  - Document everything

8 Unstructured Data
- No Schemas
- No Organization
- Unpredictable
- Make Note of:
  - Obvious
  - Not so obvious
- Piece the puzzle together from the outside in
- Start in the forest
  - Don't get lost in the trees... yet

9 Searching Unstructured Data
- Internet
- Instant Messenger
- Digital Forensics
  - Servers
  - Desktops
  - Laptops
  - Mobile Devices

10 Searching the Internet
- Open Connection
  - No affiliation
- Use Alias:
  - E-mail address
  - Profiles
  - User IDs

11 Searching the Internet
- Web Reporting
- Google Hacking
  - intext:
  - filetype:
- Blogs
- Deep Web
- Public Records
- Social Media

12 Searching E-mail & IM
- Right to Privacy?
  - Warning banners
- Real-time Journaling
- Back-ups
  - .pst
  - .nsf
- Fly Over
  - Items of potential importance
  - Key words

13 Searching E-mail & IM
- Can See It All
  - Interesting differences between professional and personal personas
- Everything is Fair Game
- What's Happening?
  - Substantiated?
  - More information needed?
  - Take notes

14 Digital Forensics
- Network
- Snapshot
- Physical
- Static

15 ProDiscover
- Can connect to any computer on the network
  - By IP address
  - By computer name
- Installs remote agent executable
- Runs in the background as a service
- Captures image of hard drive over the network
  - Deleted files
  - Everything

16 ProDiscover
- User does not know they are being imaged
- Connected external drives can be accessed
- Timing
- All or nothing
- Unix dd image format
- Slower processing time
- Network location

17 FTK Imager
- Physical drive
- dd image
- E01 image format
- Segments
- Faster processing
- Physical device

18 Physical Write Blockers

19 Physical Write Blockers
- Suspect hard drive -> reads -> Hardware write blocker -> Forensics PC
- Forensics PC -> writes -> Forensics hard drive

20 Hash Values
- Original MD5 hash value: 6f8e3290e1d4c2043b26552a40e5e038
- Imaged MD5 hash value: 6f8e3290e1d4c2043b26552a40e5e038 : Verified
- MD5 hashes
  - Image level
  - File level
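
The image-level and file-level checks on the Hash Values slide, as an added example that is not part of the presentation. The "image" and the evidence file are constructed byte strings written to a temporary directory; in a real case the same functions would be pointed at the acquired dd/E01 image and the files recovered from it.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image need not fit in memory


def hash_file(path, algorithm="md5"):
    """Hex digest of a file, streamed in chunks (MD5 as on the slide; SHA-256 also works)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(original_path, imaged_path, algorithm="md5"):
    """Image-level check: the acquired copy must hash to the same value as the original."""
    original = hash_file(original_path, algorithm)
    imaged = hash_file(imaged_path, algorithm)
    return {"original": original, "imaged": imaged, "verified": original == imaged}


def verify_files(directory, expected, algorithm="md5"):
    """File-level check: every file listed in expected ({name: digest}) must still match."""
    results = {}
    for name, digest in expected.items():
        actual = hash_file(os.path.join(directory, name), algorithm)
        results[name] = "Verified" if actual == digest else "MISMATCH"
    return results


def demo():
    """Constructed evidence: a 3 MiB 'image', a faithful copy, and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as work:
        data = bytes(range(256)) * (3 * 4096)  # 3 MiB of patterned bytes, not a real image
        paths = {n: os.path.join(work, n) for n in ("original.dd", "good.dd", "bad.dd")}
        for name in ("original.dd", "good.dd"):
            with open(paths[name], "wb") as fh:
                fh.write(data)
        with open(paths["bad.dd"], "wb") as fh:
            fh.write(data[:-1] + b"\x00")  # simulates a write that reached the copy
        good = verify_image(paths["original.dd"], paths["good.dd"])
        bad = verify_image(paths["original.dd"], paths["bad.dd"])
        # File-level: record digests at acquisition time, re-verify before reporting.
        memo = os.path.join(work, "memo.txt")
        with open(memo, "wb") as fh:
            fh.write(b"constructed evidence file\n")
        expected = {"memo.txt": hash_file(memo)}
        files = verify_files(work, expected)
        return good["verified"], bad["verified"], files["memo.txt"]


if __name__ == "__main__":
    print(demo())
```

A single changed byte in the copy is enough to turn the image-level result from Verified to a mismatch, which is why the hash is recorded at acquisition and checked again before the report is written.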

21 FTK Image Basics
- Data Carving
- File Types of Interest
- KFF
- Graphics
- Deleted Files
- Recycle Bin
- Personal
- Videos
- Key Word Searches

22 DTSearch
- Indexed
  - Faster searching
- And: both required
- Or: either required
- Not
- w/#: within number of words
- ?: any character
- *: any number of characters
- ~: stems (good for tenses)
- %: fuzzy (good for misspellings)
- &: synonyms

23 Regular Expressions
- Not indexed
  - Slower searching
- Social Security numbers
- Credit card numbers
- Phone numbers
- IP addresses
- Literal vs. operational
  - x vs. \x
  - d vs. \d
  - \ (the escape character)
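
The four searches on the Regular Expressions slide and the literal-vs-operational point, as an added example that is not part of the presentation. The patterns are assumptions written for this example (a forensic suite's own expressions will differ), and the sample text is constructed; the post-filters show how a Luhn check and octet validation trim false positives, a challenge the later slides name.

```python
import re

# Metacharacters are escaped (\. \( \)) where the literal character is meant.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),   # 13-16 digits; Luhn-checked below
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),        # \d{1,3} allows 999; checked below
}

SAMPLE = """Constructed sample text, not real data.
Employee SSN 123-45-6789 was sent to 203.0.113.7 and to 999.1.1.1.
Card 4111 1111 1111 1111 approved; card 4111 1111 1111 1112 declined.
Call (555) 123-4567 or 555-987-6543."""


def luhn_ok(number):
    """Mod-10 check used on card numbers; removes most random digit runs (false positives)."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ipv4(candidate):
    """Each dotted octet must be 0-255; the regex alone cannot express that."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_identifiers(text):
    """Return {kind: [matches]} with the post-filters applied to the raw regex hits."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if kind == "credit_card":
            hits = [h for h in hits if luhn_ok(h)]
        elif kind == "ipv4":
            hits = [h for h in hits if valid_ipv4(h)]
        found[kind] = hits
    return found


def literal_vs_operational():
    """d vs. \\d and . vs. \\. over the same text: the match counts differ."""
    text = "id 7, ip 10.0.0.1 or 10x0x0x1, note d"
    return {
        "d": len(re.findall(r"d", text)),               # the letter d: 2
        r"\d": len(re.findall(r"\d", text)),            # any digit: 11
        ".": len(re.findall(r"10.0.0.1", text)),        # dot is operational, also hits 10x0x0x1: 2
        r"\.": len(re.findall(r"10\.0\.0\.1", text)),   # escaped dot is literal: 1
    }
```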

24 FTK Image Advanced
- Password Protected Files
- Encrypted Drives
- Data Wiping
- Missing File Headers
- index.dat
- Metadata
- Prefetch
- Link Files (LNK)
- Other Registry Artifacts

25 Registry Viewer
- NTUSER.dat
  - Passwords
  - MRU
  - Recent docs
  - Drives connected
  - USB devices
  - Counts
  - Typed URLs

26 Passwords/Encryption
- Password Recovery Toolkit (PRTK)
  - Dictionary
  - Decryption
  - Brute force
  - Export NTUSER.dat
- Distributed Network Attack (DNA)
- Full Disk Encryption
  - Decryption key needed

27 Accountability
Filter on:
- Username
- Relative Identifier (RID)
- Security Identifier (SID)
- Security Accounts Manager (SAM)

28 Oxygen Forensic Suite
- Tool capabilities are device specific
- Device drivers needed
- Chargers/connectors
- Media cards
- Passwords/PINs
- Remote wiping

29 Oxygen Forensic Suite
- Text Messages
- Phonebook/Contact List
- Calendar
- Call History
- Pictures/Videos
- Social Network Messages
- Internet Sites

30 Oxygen Forensic Suite
- Logical Analysis
- Physical Analysis
- Logical/Physical Analysis
  - SQLite, Plist, IPD file viewers
- Backup File Creation

31 Mobile Device Storage

32 Write Blockers

33 Unstructured Data as Digital Evidence
- Actions
- Accountability
- Dates and Times
- Tie to Source Information
  - E-mail & IM to image
  - Internet to image
  - Mobile device to image

34 Structured Data
- Schemas
- Organized
  - But rarely clean
- Predictable
- Silos
- Complexity
- Data Dictionary
- Knowledge Base
- Training Resources

35 Obtaining Structured Data
Is it:
- Complete?
- Verifiable?
- Source data?
  - Transactional?
  - Aggregated?
  - Report?
- Does it have integrity?
  - Has anyone else touched it?
- Will it need to be cleansed or reformatted?

36 Obtaining Structured Data
Is it:
- Hierarchical?
- Relational?
- Fixed length?
- Variable length?
- Delimited?
- Mainframe?
- HL7?
- EDI?

37 Obtaining Structured Data
- Learn the application and system process and data flows
- Obtain access to the application
- Obtain direct access to the source data
- Learn the query language
- Admit you're in over your head
- Make friends with IT
  - Ask for help
  - Without loss of confidentiality
- Involve IT
  - Legacy
  - Require confidentiality

38 Obtaining Structured Data
Source Systems:
- DB2
- Oracle
- SQL Server
- Mainframe
Querying Tools:
- TOAD
- QMF
- Proprietary reporting tools
- No direct access available

39 Obtaining Structured Data
- Structured Query Language (SQL)
  - Fairly standard across most platforms
  - Some variations
    - PL/SQL
    - T-SQL
- Databases
  - Schemas
- Tables
  - Normalization
  - Fields/columns
  - Primary keys
  - Foreign keys

40 Obtaining Structured Data
- Individual tables won't always give you meaningful information
- Relating those tables by primary and foreign keys provides meaningful information

41 Obtaining Structured Data
- Tweak and utilize existing SQL
- Write your own
  - Can be time consuming
- Trial and error
- Reconcile back to the application
- Have others validate the results
  - Back to source documentation if available

42 Obtaining Structured Data
- Some enterprise databases contain 30,000+ tables
  - Data dictionaries should exist
  - Determine the individual tables containing the needed data
  - Determine the primary and foreign key(s) to create the join(s)
- Write the SQL statement(s)

43 Obtaining Structured Data
- Joins are the drivers
  - Inner join: all records in Table B that have a match in Table A
  - Outer join (left or right): all records in Table A, with or without a match in Table B, and only those records in Table B that have a match in Table A
  - Cartesian join: something is wrong

44 Obtaining Structured Data
When querying enterprise databases:
- Only what is necessary
  - Not all columns/records
  - No aggregating
  - Apply date parameters
- Watch the processing time
  - Something may be wrong with the SQL
  - Edit and repeat
- Tie to source information
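
The three join behaviours from slide 43 and the querying rules from slide 44, as an added example that is not part of the presentation. Table A (vendors) and Table B (payments) are constructed in an in-memory SQLite database; the Cartesian case is the same query with its ON clause left out, and the row-count check is the "something is wrong" test the slide implies.

```python
import sqlite3

VENDORS = [(1, "Acme Supply"), (2, "Beta Services"), (3, "Gamma Ltd")]  # constructed Table A
PAYMENTS = [  # constructed Table B: (pmt_id, vendor_id, amount, pmt_date); vendor 9 has no Table A row
    (101, 1, 500.00, "2012-03-01"),
    (102, 1, 250.00, "2012-03-15"),
    (103, 2, 900.00, "2012-04-02"),
    (104, 9, 120.00, "2012-04-09"),
]

# Only the columns needed, as slide 44 advises; the Cartesian version simply lacks an ON clause.
COLUMNS = "SELECT v.vendor_id, v.name, p.pmt_id, p.amount FROM vendors v "
JOINS = {
    "inner": COLUMNS + "JOIN payments p ON p.vendor_id = v.vendor_id",
    "left": COLUMNS + "LEFT JOIN payments p ON p.vendor_id = v.vendor_id",
    "cartesian": COLUMNS + ", payments p",
}


def load():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendors (vendor_id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE payments (pmt_id INTEGER PRIMARY KEY, vendor_id INTEGER, "
                "amount REAL, pmt_date TEXT)")
    con.executemany("INSERT INTO vendors VALUES (?, ?)", VENDORS)
    con.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", PAYMENTS)
    return con


def run_join(con, kind, date_from=None, date_to=None):
    """Run one of the JOINS; date parameters narrow the payment rows and are bound, not pasted in."""
    sql, params = JOINS[kind], []
    if date_from and date_to:
        sql += " WHERE p.pmt_date BETWEEN ? AND ?"
        params = [date_from, date_to]
    return con.execute(sql, params).fetchall()


def looks_cartesian(con, rows):
    """A result as large as |A| x |B| means the join condition is missing: something is wrong."""
    a = con.execute("SELECT COUNT(*) FROM vendors").fetchone()[0]
    b = con.execute("SELECT COUNT(*) FROM payments").fetchone()[0]
    return len(rows) == a * b


def demo():
    con = load()
    inner = run_join(con, "inner")      # 3 rows: payments 101, 102, 103 (104 has no vendor)
    left = run_join(con, "left")        # 4 rows: Gamma Ltd appears once with NULL payment columns
    cart = run_join(con, "cartesian")   # 12 rows: 3 vendors x 4 payments
    march = run_join(con, "inner", "2012-03-01", "2012-03-31")  # 2 rows
    # Caveat: a WHERE on the right-hand table turns a LEFT JOIN back into an inner join,
    # so vendors with no March payment drop out of the result.
    left_march = run_join(con, "left", "2012-03-01", "2012-03-31")  # 2 rows, not 3
    return len(inner), len(left), len(cart), looks_cartesian(con, cart), len(march), len(left_march)
```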

45 Information to Evidence
- Microsoft Access & Excel
- ACL
  - Reformatting
  - Appending
  - Computed fields
  - Aggregating
  - Querying
  - Reporting

46 Structured Data as Digital Evidence
- Append the output
  - Like data from differing sources rarely matches
- Cleansing
- Re-formatting
- Reconcile to source data
  - Control totals
  - Record counts
- Create new functionality
  - Computed fields
  - Get to the answer

47 Standardize the Output
- Social Security Numbers
- Birthdates
- Addresses
- Names
- Phone Numbers
- Zip Codes

48 Standardize the Output
- ACL creates its own view of the source data file, with the .fil extension
  - .fil is read only
- Source data remains untouched

49 Standardize the Output
- STRING(): STRING(Invoice_Nbr)
- VALUE(): VALUE(Invoice_Pmt)
- DATE(): DATE(Birthdate)

50 Standardize the Output
- Birthdate =
- SUBSTRING(Birthdate, 5, 2) = 04
- SUBSTRING(Birthdate, 7, 2) = 15
- SUBSTRING(Birthdate, 1, 4) = 2005

51 Standardize the Output
- If you aren't going to add, subtract, multiply, divide, or otherwise calculate with the field, format it as Text
- If you are going to add, subtract, multiply, divide, or otherwise calculate with the field, format it as Numeric or Date

52 Structured Data as Digital Evidence
- Actions
- Accountability
- Dates and Times
- Tie to Source Information
- Control Weaknesses
  - Segregation of duties
  - Approval limits
  - Lack of oversight

53 Presenting the Digital Evidence
- Report Preparation
  - Unstructured information
  - Structured information
- Support the Allegation(s)
- Refute the Allegation(s)
- Consult with Law
- Consult with Management
- Consult with Senior Executives

54 CAATs
- Direct access and the right tools
- Reactive
  - Ad hoc
- Proactive
  - Automate
  - Take what's been learned and apply it to the entire population
  - 100% testing
  - Exception based

55 ACL Scripting
- Series of commands stored as a unit in an ACL project
- Executed repeatedly and automatically
- Any ACL command can be stored as a script
Source: 302 | Advanced ACL Concepts & Techniques, SCRIPTS (Canada: ACL Services Ltd, 2006), 2.

56 ACL Scripting
Standardizing Data:
    COMMENT Open the HR table, strip the dashes from SSN, then trim to nine characters
    OPEN HR_Active
    DEFINE FIELD SSN_A COMPUTED REPLACE(SSN, "-", "")
    DEFINE FIELD SSN_B COMPUTED ALLTRIM(SUBSTR(SSN_A, 1, 9))
    DEFINE COLUMN DEFAULT VIEW SSN_B
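
A Python rendering of the standardisation steps on slides 46 to 51 and the ACL script on slide 56, added here as an example; it is neither ACL's code nor the presenter's. Two constructed extracts (an HR table with dashed SSNs and ISO birthdates, and a payroll table with spaced SSNs and YYYYMMDD numbers) are normalised, appended, and reconciled by record count and control total before the two sources are matched.

```python
from datetime import date

HR_ACTIVE = [  # constructed HR extract: dashed SSNs (one with stray spaces), ISO birthdates
    {"emp": "E1", "ssn": "123-45-6789", "dob": "2005-04-15", "salary": 50000.00},
    {"emp": "E2", "ssn": " 987-65-4321 ", "dob": "1980-12-01", "salary": 62000.00},
]
PAYROLL = [  # constructed payroll extract: spaced or bare SSNs, birthdate as a YYYYMMDD number
    {"emp": "E1", "ssn": "123 45 6789", "dob": 20050415, "gross": 4166.67},
    {"emp": "E3", "ssn": "555443333", "dob": 19751130, "gross": 3900.00},
]


def clean_ssn(raw):
    """Python for REPLACE(SSN, "-", "") then ALLTRIM(SUBSTR(..., 1, 9)): nine digits, kept as text."""
    digits = "".join(ch for ch in str(raw) if ch.isdigit())
    if len(digits) != 9:
        raise ValueError(f"SSN {raw!r} does not reduce to nine digits")
    return digits


def parse_yyyymmdd(raw):
    """The slide's SUBSTRING(Birthdate, 1, 4) / (5, 2) / (7, 2) split, turned into a real date."""
    text = str(raw)
    return date(int(text[0:4]), int(text[4:6]), int(text[6:8]))


def standardise(rows, amount_field, source):
    """One row layout for both sources: text SSN, date birthdate, numeric amount (slide 51)."""
    out = []
    for r in rows:
        dob = parse_yyyymmdd(r["dob"]) if isinstance(r["dob"], int) else date.fromisoformat(r["dob"])
        out.append({"source": source, "emp": r["emp"], "ssn": clean_ssn(r["ssn"]),
                    "dob": dob, "amount": round(float(r[amount_field]), 2)})
    return out


def append_and_reconcile(*extracts):
    """Append like data, then prove nothing was lost: record count and control total."""
    combined = [row for ex in extracts for row in ex]
    expected_count = sum(len(ex) for ex in extracts)
    expected_total = round(sum(r["amount"] for ex in extracts for r in ex), 2)
    actual_total = round(sum(r["amount"] for r in combined), 2)
    ok = len(combined) == expected_count and actual_total == expected_total
    return combined, {"records": len(combined), "control_total": actual_total, "reconciled": ok}


def demo():
    hr = standardise(HR_ACTIVE, "salary", "HR_Active")
    pay = standardise(PAYROLL, "gross", "Payroll")
    combined, recon = append_and_reconcile(hr, pay)
    # The same person matches across sources only after the SSNs were standardised.
    common = sorted({r["ssn"] for r in hr} & {r["ssn"] for r in pay})
    return recon, common, combined[0]["dob"].isoformat(), combined[2]["dob"].isoformat()
```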

57 ACL's Audit Analytic Capability Model
LEVEL 1 – BASIC
- Audit specific
- Classifications
- Summarizations
- Duplicates
- Ad hoc
Source: The ACL Audit Analytic Capability Model: Navigating the Journey from Basic Data Analysis to Continuous Monitoring, white paper (ACL Services Ltd, 2011), 3.

58 ACL's Audit Analytic Capability Model
LEVEL 2 – APPLIED
- Specific and repeatable tests
- Start with low-hanging fruit
- Add additional and broader tests
- Focus on data access
- Efficient script design for repeatability
Source: The ACL Audit Analytic Capability Model: Navigating the Journey from Basic Data Analysis to Continuous Monitoring, white paper (ACL Services Ltd, 2011), 5.

59 ACL's Audit Analytic Capability Model
LEVEL 3 – MANAGED
- Centralized, secure, controlled, efficient data analysis
- Many people involved
- Processes and technology in place
- Server environment
- Multiple locations
Source: The ACL Audit Analytic Capability Model: Navigating the Journey from Basic Data Analysis to Continuous Monitoring, white paper (ACL Services Ltd, 2011), 7.

60 ACL's Audit Analytic Capability Model
LEVEL 4 – AUTOMATED
- Comprehensive suites of tests developed
- Tests scheduled regularly
- Concurrent, ongoing auditing of multiple areas
- More efficient and effective audit process
Source: The ACL Audit Analytic Capability Model: Navigating the Journey from Basic Data Analysis to Continuous Monitoring, white paper (ACL Services Ltd, 2011), 10.

61 ACL's Audit Analytic Capability Model
LEVEL 5 – MONITORING
- Progress from continuous auditing to continuous monitoring
- Expanded to other business areas
- Process owners notified immediately of exceptions
Source: The ACL Audit Analytic Capability Model: Navigating the Journey from Basic Data Analysis to Continuous Monitoring, white paper (ACL Services Ltd, 2011), 12.

62 Forensics Lab
- Physical Security
- Logical Security
  - SSNs
  - Credit card numbers
- Software Licensing
  - Updates, upgrades
- Hardware and Other Peripherals
- Storage
  - Short term, long term
  - Enough?

63 Forensics Lab
- Forensic Workstation
  - Processing workhorse
  - SSD
  - Memory
  - JBOD
- Forensic Desktop
  - Secondary processing
  - Image reviewing
- Forensics Laptops
- Open Internet Laptop
  - Don't do this on the company network

64 Forensics Lab
- Retention
- Inventory
- Back-ups and Recovery
  - On-site, off-site
- Chain of Custody
  - Physical
  - Image
- Data Wiping and Verification
- CIA
- COBIT

65 Challenges
- Time Consuming
- Satellite Locations
- Emerging Technologies
- System Processing/Data Flows
  - Lack of documentation
- Cloud Computing
- Hard Drive Capacities
- Anti-Forensics

66 Challenges
- External Storage Devices
- Personal vs. Corporate
  - BYOD
- False Positives
- Data Silos
- Data Integrity
- Passwords
- Encryption

67 Summary
- Mixture of Art and Science
  - Intuition
  - Common sense
  - Knowledge and use of tools
  - Persistence
- Testing Theories
  - Research
  - Learning

68 Conclusion
- No One Solution
- Expect the Unexpected
- Remain Fair and Objective
- Report Just the Facts

69 Questions?

