Computer Forensics. Host: Sharon Roth-DeFulvio. Speaker: Dr. Rebecca T. Mercuri
What is Computer Forensics? Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is magnetically or electronically stored or encoded, usually to provide digital evidence of a specific or general activity.
When is a computer forensic investigation initiated? A forensic investigation is usually initiated in connection with a criminal investigation or civil litigation, but forensic techniques are valuable in a wide variety of situations, including simply retracing the steps taken when data has been lost.
What are the common scenarios? Employee Internet abuse; unauthorized disclosure of corporate information and data; industrial espionage; damage assessment; criminal fraud and deception cases; general criminal cases; and others.
Compliance and Computer Forensics Information security compliance requires the precise enforcement of policies and controls. Digital investigations utilizing computer forensics are an essential part of this enforcement.
Laws and Regulations There are four laws and regulations that clearly indicate the need for computer forensic investigations: Sarbanes-Oxley; California SB 1386; Gramm-Leach-Bliley; and HIPAA.
Sarbanes-Oxley The Sarbanes-Oxley Act was enacted to fight corporate fraud. The SEC is responsible for enforcing Sarbanes-Oxley, and all publicly traded companies must report yearly on the effectiveness of their financial controls. Non-compliance has serious consequences: civil and criminal penalties.
Sarbanes-Oxley Section 301 provides for the handling of fraud complaints and investigations. Section 302 makes CEOs and CFOs directly responsible for the accuracy of their company's financial reports. Section 404 requires management to state its responsibility for financial controls and to report on the adequacy and shortcomings of those controls. Sections 806 and 1107 mandate that companies support and protect whistleblowers.
Sarbanes-Oxley Section 802 is another important element of Sarbanes-Oxley: it forbids the intentional destruction, alteration or falsification of financial or related operational records. Compliance with Sections 301 and 802 will require the use of computer forensics, as established by case law and by best practice. Organizations need computer forensics capability available anywhere and at any time in the organization to ensure compliance with Sarbanes-Oxley.
California SB 1386 Effective July 1, 2003, California SB 1386 requires organizations doing business in California to report security breaches that result in the unauthorized disclosure of a resident's personal or financial information. Disclosure is required if an individual's name is accessed together with a driver's license number, a Social Security number, or the combination of a financial account number and its password.
NIST and ISACA The National Institute of Standards and Technology (NIST) has provided clear guidance for government and commercial organizations on investigating security incidents. NIST published the Computer Security Incident Handling Guide (Special Publication 800-61), which specifically outlines incident investigation and the role of computer forensics in properly acquiring and analyzing evidence of the incident. The Information Systems Audit and Control Association (ISACA) is an association of information technology auditors who apply audit and control standards to improve their organizations' information security, compliance and governance. ISACA has developed a checklist for incident response planning and implementation.
NIST and ISACA The NIST guidelines give practitioners processes for using computer forensics to investigate cybercrime. The ISACA checklist provides the planning and implementation criteria for creating an enterprise computer forensics infrastructure. Given the potential liability for CA SB 1386 non-compliance, organizations must have immediate access to computer forensics capability.
Gramm-Leach-Bliley (GLB) Gramm-Leach-Bliley, or the Financial Modernization Act of 1999, applies to financial organizations and to any organization that collects or transfers private financial information in the course of doing business or providing a service to its customers.
Gramm-Leach-Bliley (GLB) Financial Privacy Rule: addresses the collection and dissemination of customers' information. Safeguards Rule: governs the processes and controls an organization uses to protect customers' financial data. The Safeguards Rule requires financial institutions to: 1. ensure the security and confidentiality of customer information; 2. protect against any anticipated threats or hazards to the security or integrity of such information; and 3. protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
HIPAA (Health Insurance Portability and Accountability Act of 1996)
The goal of HIPAA is for healthcare providers to improve the privacy and security of their patients' medical information. HIPAA defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
HIPAA requires thorough analysis and reporting of security incidents, so organizations must consider their incident response policies carefully. NIST and ISACA specify computer forensic software as part of any reasonable incident response policy, so that the scope of an incident can be established clearly. Determining with forensic precision what information was compromised, when it happened, which systems were affected, and whether malware or backdoors that are invisible to non-forensic tools are still present are examples of the investigations essential to an effective incident response program.
Beyond security incidents, computer forensics supports overall information security by enabling the investigation of any anomaly that could indicate a policy or usage violation that would jeopardize HIPAA privacy rules.
Landmark Cases
Linnen v. A.H. Robins et al., 1999 WL (Mass. Super. Ct. 1999): electronic media is discoverable; Wyeth must bear the costs of retrieving e-mails; failure to preserve and spoliation of evidence.
Adams v. Dan River Mills, Inc., 54 F.R.D. 220, 222 (W.D. Va. 1972): discovery of computer tapes is proper.
Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993): government e-mail is covered as a record under the Federal Records Act; the electronic version of e-mail must be maintained and produced.
Ball v. State of New York, 101 Misc. 2d 554, 421 N.Y.S. 2d 328 (Ct. Cl. 1979): the State had to produce information contained on computer tape.
Easley, McCaleb & Associates, Inc. v. Perry, No. E-2663 (Ga. Super. Ct. July 13, 1994): plaintiff's expert allowed to recover deleted files on defendant's hard drive.
National Association of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987): sanctions imposed for allowing alteration and destruction of electronic evidence.
National Union Electric Corp. v. Matsushita Electric Industrial Co., 494 F. Supp. 125: copying a computer disk is equivalent to photocopying a paper document.
Parsons v. Jefferson Pilot Corp., 141 F.R.D. 408 (M.D.N.C. 1992): privilege lost when shared via the Internet with a third party.
Bourke v. Nissan Motor Corp., No. B (Cal. Ct. App. July 26, 1993): employees had no reasonable expectation of privacy in their company e-mail.
How is a computer forensic investigation approached? 1. Secure the subject system; 2. take a forensic copy of the hard drive and work from the copy; 3. identify and recover all files; 4. access/copy hidden, protected and temporary files; 5. study special areas on the drive; 6. investigate data/settings from installed applications/programs; 7. assess the system as a whole, including its structure; 8. consider general factors relating to the user's activity; 9. create a detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
Is there anything that should NOT be done during an investigation? Study, don't change: avoid changing date/time stamps (of files, for example) or changing the data itself. This applies equally to overwriting unallocated space, which may still hold deleted files.
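The acquisition and audit-log steps above, as an added example that is not part of the original presentation: a small Python routine that takes a read-only copy of a source, hashes the source and the image while copying, checks that the source's modification time is untouched, and records every step in a timestamped log. The evidence file, paths and examiner identifier are constructed for the demo; a real acquisition would read the raw device through a hardware write blocker and keep the log with the case file.

```python
"""Added example (not from the presentation): an auditable acquisition of a
source into an image, with hash verification and an activity log.
The source here is an ordinary file standing in for a raw device; the
evidence data, examiner id and paths are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads: a multi-TB device never has to fit in memory


def sha256_of(path):
    """Hash a file in chunks; used on the image at acquisition and later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AuditLog:
    """Append-only, timestamped record of every action the examiner takes."""

    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, action, **details):
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        self.entries.append({"ts": stamp, "examiner": self.examiner,
                             "action": action, **details})

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire(source, image, log):
    """Copy `source` to `image` without modifying the source, hashing as we go.

    The source is opened read-only (plus O_NOATIME where the OS offers it, so
    even access times stay put); on a real drive a hardware write blocker does
    this job. Returns a record showing the image hash matches the source."""
    before = os.stat(source)
    try:
        fd = os.open(source, os.O_RDONLY | getattr(os, "O_NOATIME", 0))
    except PermissionError:  # O_NOATIME requires owning the file; fall back
        fd = os.open(source, os.O_RDONLY)
    src_hash = hashlib.sha256()
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)  # one pass over the source: hash while copying
            dst.write(block)
    after = os.stat(source)
    record = {
        "source": source, "image": image, "source_bytes": before.st_size,
        "source_sha256": src_hash.hexdigest(), "image_sha256": sha256_of(image),
        # mtime must be untouched; atime may still move on filesystems mounted
        # without noatime, which is exactly why write blockers exist
        "source_mtime_unchanged": before.st_mtime_ns == after.st_mtime_ns,
    }
    record["verified"] = (record["source_sha256"] == record["image_sha256"]
                          and before.st_size == after.st_size)
    log.record("acquire", **record)
    return record


def verify_image(image, expected_sha256, log):
    """Re-hash the image before analysis and again before testimony; any change
    since acquisition shows up as a mismatch."""
    ok = sha256_of(image) == expected_sha256
    log.record("verify", image=image, verified=ok)
    return ok


def demo():
    """Acquire a constructed evidence file, verify the image, then show that a
    single stray write to the image is caught by re-verification."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "evidence.bin"), os.path.join(work, "evidence.dd")
    with open(source, "wb") as f:  # constructed sample data, ~3 MiB plus an odd tail
        f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"trailing-sector-data")
    log = AuditLog("examiner-01")
    rec = acquire(source, image, log)
    ok_before = verify_image(image, rec["source_sha256"], log)
    with open(image, "r+b") as f:  # simulate an accidental write to the working copy
        f.seek(100)
        byte = f.read(1)[0]
        f.seek(100)
        f.write(bytes([byte ^ 0xFF]))
    ok_after = verify_image(image, rec["source_sha256"], log)
    shutil.rmtree(work)
    return rec, ok_before, ok_after, log


if __name__ == "__main__":
    rec, ok_before, ok_after, log = demo()
    print(log.dump())
```

The point of hashing during the copy, rather than afterwards, is that the source is read exactly once; every later read is of the image. The log entries carry the hashes, so the examiner can show at any point that the image being analyzed is the one that was acquired, and a failed verification (as in the last step of the demo) is itself recorded rather than silently discarded.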
Forensic Examiner's Tools of the Trade Operating system utilities; data recovery software; file viewers and hex editors; commercial firewalls; packages that provide turnkey assistance for forensic examinations, complete with case-management tracking for procedures, reports and billing; and scripts and tools that experts build themselves to perform specialized investigations or to gain an edge over firms providing similar services.
Regional Computer Forensic Laboratories (RCFLs) In response to the need to analyze, preserve, protect and defend forensic evidence, the FBI together with local and state law enforcement agencies has constructed and staffed RCFLs. An RCFL is a full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations.
RCFL Structure & Duties An RCFL consists of 15 people: 12 examiners and 3 support staff. Duties include: seizing and collecting digital evidence at a crime scene; conducting an impartial examination of submitted computer evidence; and testifying as required.
RCFLs Examine Digital Evidence in: terrorism; child pornography; crimes of violence; trade secret theft; theft or destruction of intellectual property; financial crime; property crime; Internet crimes; and fraud.
Location of RCFLs
RCFL Priority of Requests (source: notablesoftware.com/Papers/ForensicComp.html): 1. immediate threats to property or people; 2. potential threats to property or people; 3. general criminal investigations, such as fraud and child endangerment/pornography; 4. administrative inquiries; and 5. digital forensic research and development.
Computer Forensic Requirements The discipline requires a detailed technical knowledge of the relationship between a computer's operating system and the supporting hardware (e.g. hard disks), and between the operating system and system/application programs and the network. Knowledge of cryptographic and steganographic techniques is needed where data has been encrypted and/or obfuscated to make it inaccessible and/or hidden. Finally and critically, all evidence gathering must proceed in a manner that ensures that the evidence is admissible in a court of law, and can be documented and presented in an intelligible manner.
Challenges in Forensic Computing (source: notablesoftware.com/Papers/ForensicComp.html) If access to digital evidence is not forthcoming from an impounding agency, court orders may be necessary both to obtain the data and to permit the use of extraction tools, so that it can be determined whether proper protocols were applied. Computer forensic examiners who are not law enforcement investigators or analysts are not aided by RCFL facilities; they must arrange and provide for their own training on an ongoing basis. Rapid changes in digital technology pose complex challenges for computer forensic examiners.
The Many Colors of Multimedia Security Benefits and risks of various aspects of digital rights management. Media provider: protection of materials from unauthorized distribution or modification is the primary concern. Delivery end: recipients want to ensure downloads are virus-free and legitimately obtained. Encryption and digital branding tools can be employed both for securing multimedia and for circumventing laws pertaining to content and use.
The Many Colors of Multimedia Security Steganography (the art and science of embedding secret messages within text, sound or imagery) and watermarking (the addition of an identifier, intended to be unremovable, that tags the content and indicates ownership). Related uses of data embedding: feature location (identification of subcomponents within a data set); captioning; time-stamping; and tamper-proofing (demonstration that the original contents have not been altered).
The Many Colors of Multimedia Security Characteristics involved with data embedding include:
Visibility: embedded data may be intentionally detectable or imperceptible, but either way it should not detract from or degrade the primary media content.
Robustness (or fragility): the ability of the data to withstand signal-processing attacks (such as compression, rescaling, and format conversions like digital-to-analog conversion).
Error correction and detection: recovery is possible from small losses, or an indication is provided that the coded information has been damaged.
Header independence: data is encoded directly into the content of the file, so that it survives file format transfers.
Self-clocking (or blind) coding: extraction does not require reference to the masking information or signal. (Adaptive coding algorithms use content from the masking data to perform the hiding, usually through a transform-based method.)
Asymmetrical coding: the process used to extract the information is less time- or resource-consuming than the process used to insert it, to allow quick access to the data.
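As an added example that is not part of the original presentation, the following Python code embeds a message in the least-significant bits of a constructed grayscale sample array and exercises several of the characteristics listed above: imperceptible visibility (each sample moves by at most one level), blind or self-clocking extraction (a length and CRC-32 header is carried inside the samples, so no cover image is needed), error detection (the CRC flags a retouched region), and fragility (requantizing the samples, standing in for compression or a digital-to-analog round trip, wipes the payload). The cover, the secret and the attack parameters are assumptions for the demo.

```python
"""Added example (not from the presentation): least-significant-bit (LSB)
embedding in a grayscale sample array, to make the data-embedding
characteristics above concrete. The cover image and secret are constructed."""
import struct
import zlib

HEADER = struct.Struct(">II")  # payload length and CRC-32, embedded before the payload


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover, payload):
    """Return a copy of `cover` (a list of 0..255 samples) carrying `payload`.

    Header independence and self-clocking: the length and CRC travel inside the
    sample values, so extraction needs neither the original cover nor any file
    metadata. Visibility: every sample moves by at most one grey level."""
    frame = HEADER.pack(len(payload), zlib.crc32(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples" % (len(frame) * 8))
    stego = list(cover)
    for idx, bit in enumerate(_bits(frame)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def _read_bytes(samples, start, count):
    """Reassemble `count` bytes from the LSBs of samples starting at `start`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(samples):
    """Blind extraction: returns (payload, intact).

    `intact` is False when the CRC no longer matches (error detection: the
    data was damaged); the result is (None, False) when the header itself is
    implausible, e.g. after the whole LSB plane has been wiped."""
    if len(samples) < HEADER.size * 8:
        return None, False
    length, crc = HEADER.unpack(_read_bytes(samples, 0, HEADER.size))
    if length == 0 or (HEADER.size + length) * 8 > len(samples):
        return None, False
    payload = _read_bytes(samples, HEADER.size * 8, length)
    return payload, zlib.crc32(payload) == crc


def max_deviation(cover, stego):
    """Largest per-sample change; a crude measure of perceptibility."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def requantize(samples, keep_bits=6):
    """Stand-in for a lossy signal-processing attack (compression, rescaling,
    a digital-to-analog round trip): keep only the top `keep_bits` of each sample."""
    mask = (0xFF << (8 - keep_bits)) & 0xFF
    return [s & mask for s in samples]


def retouch(samples, lo, hi):
    """Local edit of the region [lo, hi): models a tampered patch of the image."""
    return [s & 0xFE if lo <= i < hi else s for i, s in enumerate(samples)]


def demo():
    cover = [(x * 7 + 31) % 256 for x in range(2048)]  # constructed 2048-sample cover
    secret = b"examiner note: case 17"
    stego = embed(cover, secret)
    recovered, intact = extract(stego)
    retouched_payload, retouched_intact = extract(retouch(stego, 100, 140))
    return {
        "recovered": recovered,                     # b"examiner note: case 17"
        "intact": intact,                           # True
        "max_dev": max_deviation(cover, stego),     # 1
        "retouched_intact": retouched_intact,       # False: CRC flags the damage
        "retouched_payload": retouched_payload,     # bytes, but not the secret
        "requantized": extract(requantize(stego)),  # (None, False): LSB plane gone
    }
```

LSB embedding is the textbook fragile scheme: it illustrates visibility, blind extraction and error detection well, and it fails the robustness test by design, which is why ownership watermarks that must survive compression are placed in transform coefficients (the adaptive, transform-based methods mentioned above) rather than in the raw sample bits.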
1998 Digital Millennium Copyright Act (DMCA)
Makes it a crime to circumvent anti-piracy measures built into most commercial software.
Outlaws the manufacture, sale or distribution of code-cracking devices used to illegally copy software.
Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability and test computer security systems.
Provides exemptions from the anti-circumvention provisions for nonprofit libraries, archives and educational institutions under certain circumstances.
In general, limits Internet service providers' liability for copyright infringement when they simply transmit information over the Internet. Service providers are, however, expected to remove material from users' web sites that appears to constitute copyright infringement.
Limits the liability of nonprofit institutions of higher education, when they serve as online service providers and under certain circumstances, for copyright infringement by faculty members or graduate students.
Requires that "webcasters" pay licensing fees to record companies.
Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations on how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
States explicitly that "nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."
Study by Oberholzer and Strumpf Even though there were over a billion downloads of music files alone worldwide each week, and despite a 15% dip in recorded music CDs shipped in the U.S. between 2000 and 2002, causality could not be established. Some 5,000 downloads of a particular item were necessary to displace a single sale, and high-selling albums actually benefited from file sharing. Therefore other factors, such as changes in recording format and listening equipment, are probably contributing at a higher rate to the decline in sales.