Presentation transcript: "Computer Forensics" (Host: Sharon Roth-DeFulvio; Speaker: Dr. Rebecca T. Mercuri)

Slide 1: Computer Forensics
Host: Sharon Roth-DeFulvio
Speaker: Dr. Rebecca T. Mercuri
Slide 2: What is Computer Forensics?
Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information that is magnetically stored or encoded, usually to provide digital evidence of a specific or general activity.
Slide 3: When is a computer forensic investigation initiated?
A forensic investigation is usually initiated in connection with a criminal investigation or civil litigation, but forensic techniques can be of value in a wide variety of situations, including simply retracing the steps taken when data has been lost.
Slide 4: What are the common scenarios?
- Employee internet abuse
- Unauthorized disclosure of corporate information and data
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
- General criminal cases
- and others
Slide 5: Compliance and Computer Forensics
Information security compliance requires the precise enforcement of policies and controls. Digital investigations utilizing computer forensics are an essential part of this enforcement.
Slide 6: Laws and Regulations
There are four laws and regulations that clearly indicate the need for computer forensic investigations:
- Sarbanes-Oxley
- California SB 1386
- Gramm-Leach-Bliley
- HIPAA
Slide 7: Sarbanes-Oxley
The Sarbanes-Oxley Act was enacted to fight corporate fraud. The SEC is responsible for enforcement of Sarbanes-Oxley, and all publicly traded companies must report yearly on the effectiveness of their financial controls. The legislation has serious consequences for non-compliance: civil and criminal penalties.
Slide 8: Sarbanes-Oxley
- Section 301 provides for the handling of fraud complaints and investigations.
- Section 302 specifies that CEOs and CFOs are directly responsible for the accuracy of their company's financial reports.
- Section 404 requires management to specify their responsibility for financial controls and report on the adequacy and shortcomings of the controls.
- Sections 806 and 1107 mandate that companies must support and protect whistleblowers.
Slide 9: Sarbanes-Oxley
Section 802 is another important element of Sarbanes-Oxley: it forbids the intentional destruction, altering or falsification of financial or related operational records. Compliance with Sections 301 and 802 will require the use of computer forensics, as established by case law and by best practices. Organizations need to have computer forensics capability anywhere and anytime in their organizations to ensure compliance with Sarbanes-Oxley.
Slide 10: California SB 1386
Enacted on July 1, 2003, California SB 1386 requires organizations doing business in California to report security breaches that result in the unauthorized disclosure of a resident's private or financial information. Disclosure is required if an individual's name and either a driver license number, Social Security number or the combination of a financial account number and password is accessed.
Slide 11: NIST and ISACA
The National Institute of Standards and Technology (NIST) has provided clear guidance for government and commercial organizations to investigate security incidents. NIST published the "Computer Security Incident Handling Guide", which specifically outlines incident investigation and the role of computer forensics in properly acquiring and analyzing the incident.
The Information Systems Audit and Control Association (ISACA) is an association of information technology auditors who utilize audit and control standards to improve their organizations' information security, compliance and governance. ISACA has developed a checklist for incident response planning and implementation.
Slide 12: NIST and ISACA
The NIST guidelines provide practitioners with processes that use computer forensics to investigate cyber crime. The ISACA checklist provides the planning and implementation criteria for creating an enterprise computer forensics infrastructure. With the potential liability of CA SB 1386 non-compliance, organizations must have immediate access to computer forensics capability.
Slide 13: Gramm-Leach-Bliley (GLB)
Gramm-Leach-Bliley, or the Financial Modernization Act of 1999, applies to financial organizations or any organization that collects or transfers private financial information for the purpose of doing business or providing a service to its customers.
Slide 14: Gramm-Leach-Bliley (GLB)
Financial Privacy Rule: addresses the collection and dissemination of customers' information, while the Safeguards Rule governs the processes and controls in an organization to protect customers' financial data.
Safeguards Rule: the Safeguards Rule of GLB requires financial institutions to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Slide 15: HIPAA (Health Insurance Portability and Accountability Act of 1996)
The goal of HIPAA is for healthcare providers to improve the privacy and security of their clients' medical information. HIPAA defines a security incident as "... the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." HIPAA specifies thorough analysis and reporting of security incidents, so organizations must consider their incident response policies carefully.
NIST and ISACA specify computer forensic software as part of any reasonable incident response policy, so that the scope of an incident can be clearly understood. Determining, with forensic precision, what information has been compromised, when it took place, what systems were affected, and whether malware or backdoors that are invisible to non-forensic tools are still present, are examples of the types of investigations that are essential to an effective incident response program.
In addition to security incidents, computer forensics supports overall information security by providing the investigation of any anomalies that could indicate policy or use violations that could jeopardize HIPAA privacy rules.
Slide 16: Landmark Cases
- Linnen v. A.H. Robins et al., 1999 WL, Mass. Sup. Court: electronic media is discoverable; Wyeth MUST bear the costs of retrieving e-mails; failure to preserve and spoliation of evidence.
- Adams v. Dan River Mills, Inc., 54 F.R.D. 220, 222 (W.D. Va. 1972): discovery of computer tapes is proper.
- Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993): government e-mail is covered as a record under the Federal Records Act; the electronic version of e-mail must be maintained and produced.
- Ball v. State of New York, 101 Misc. 2d 554, 421 N.Y.S. 2d 328 (Ct. Cl. 1979): the State had to produce information contained on computer tape.
- Easley, McCaleb & Associates, Inc. v. Perry, No. E-2663 (Ga. Super. Ct. July 13, 1994): plaintiff's expert allowed to recover deleted files on defendant's hard drive.
- National Association of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987): sanctions imposed for allowing alteration and destruction of electronic evidence.
- National Union Electric Corp. v. Matsushita Electric Industrial Co., 494 F. Supp. 125: copying a computer disk is equivalent to photocopying a paper document.
- Parsons v. Jefferson Pilot Corp., 141 F.R.D. 408 (M.D.N.C. 1992): privilege lost when shared via the Internet with a third party.
- Bourke v. Nissan Motor Corp., No. B (Cal. Ct. App. July 26, 1993): employees had no reasonable expectation of privacy in their company e-mail.
Slide 17: How is a computer forensic investigation approached?
1. Secure the subject system.
2. Take a copy of the hard drive.
3. Identify and recover all files.
4. Access/copy hidden, protected and temporary files.
5. Study "special" areas on the drive.
6. Investigate data/settings from installed applications/programs.
7. Assess the system as a whole, including its structure.
8. Consider general factors relating to the user's activity.
9. Create a detailed report.
Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
Slide 18: Is there anything that should NOT be done during an investigation?
Study, don't change:
- avoid changing date/time stamps (of files, for example) or changing the data itself;
- this also applies to the overwriting of unallocated space.
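Steps 2 and 3 of the approach above, together with the "study, don't change" rule and the audit-log requirement, can be reduced to a small, repeatable routine. The following Python script is an added example written for this transcript; it is not code from the presentation. It stands in for the "take a copy of the hard drive" step using a constructed file in a temporary directory rather than a real block device, hashes the source before and after copying so the working image can be shown to be faithful, records every action in an append-only audit log, and checks that the source's modification time survived the acquisition untouched.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large image never has to fit in memory


def sha256_of(path):
    """Hash a file opened read-only, in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


class AuditLog:
    """Append-only record of every examiner action, timestamped in UTC (JSON lines)."""

    def __init__(self, path):
        self.path = path
        self.entries = []

    def record(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry


def acquire(source, dest, log):
    """Copy the subject (file standing in for a drive) to a working image and prove the copy.

    The source is only ever opened for reading; all writes go to `dest` and the log.
    Returns both hashes, whether they match, and whether the source metadata was left alone.
    """
    before = os.stat(source)
    log.record("stat_source", path=source, mtime=before.st_mtime, size=before.st_size)

    source_hash = sha256_of(source)
    log.record("hash_source", sha256=source_hash)

    shutil.copyfile(source, dest)
    log.record("copy", source=source, dest=dest)

    image_hash = sha256_of(dest)
    log.record("hash_image", sha256=image_hash)

    after = os.stat(source)
    result = {
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
        "source_mtime_unchanged": before.st_mtime == after.st_mtime
        and before.st_size == after.st_size,
    }
    log.record("verify", **result)
    return result


def demo():
    """Constructed run: a fake 'subject drive' file in a temp directory, not a real device."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "subject_drive.bin")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096)
    log = AuditLog(os.path.join(workdir, "audit.jsonl"))
    result = acquire(source, os.path.join(workdir, "subject_drive.dd"), log)
    return result, log


if __name__ == "__main__":
    outcome, audit = demo()
    print(json.dumps(outcome, indent=2))
    print(f"{len(audit.entries)} audit entries written to {audit.path}")
```

Against a real drive the source path would be the raw device and the copy would be made through a hardware write blocker; the hash-before, hash-after and log-everything discipline is the same, and the matching digests are what later let the image stand in for the original in court.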
Slide 19: Forensic Examiner's Tools of the Trade
- Operating system utilities;
- Data recovery software;
- File viewers and hex editors;
- Commercial firewalls;
- There are also packages that provide turnkey assistance for forensic examinations, complete with case management tracking for procedures, reports, and billing; and
- Experts may build their own scripts and tools in order to provide specialized investigations, or to gain an edge over firms providing similar services.
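The last bullet (examiners building their own scripts) and the "identify and recover all files" step are illustrated by the classic examiner's script: signature-based carving, which finds files in raw bytes by their header and trailer rather than by trusting a file system or a file extension. The Python below is an added example for this transcript, not a tool from the presentation; the three signatures and the sample "unallocated space" blob are constructed for the demonstration, and a header whose trailer is missing (the file was partly overwritten) is reported as a fragment instead of being dropped.

```python
# Constructed file signatures: (header bytes, trailer bytes) for three common types.
# Real carving tools know hundreds; three are enough to show the technique.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # PNG magic .. IEND chunk + its CRC
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI marker .. EOI marker
    "pdf": (b"%PDF-", b"%%EOF"),                       # version line .. end-of-file marker
}
MAX_CARVE = 16 * 1024 * 1024  # never pair a header with a trailer more than 16 MiB away


def carve(blob, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Find embedded files in raw bytes by header/trailer signature, ignoring any file system.

    Returns records sorted by offset. A header with no trailer within max_len is kept
    as an incomplete fragment (length None): a partly overwritten file is still evidence.
    """
    found = []
    for kind, (header, trailer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(trailer, start + len(header), start + max_len)
            if end == -1:
                found.append({"type": kind, "offset": start, "length": None,
                              "complete": False, "data": None})
                pos = start + len(header)
                continue
            end += len(trailer)
            found.append({"type": kind, "offset": start, "length": end - start,
                          "complete": True, "data": blob[start:end]})
            pos = end
    found.sort(key=lambda rec: rec["offset"])
    return found


# --- constructed sample "unallocated space" (not real case data) ---
FILLER = b"\x00" * 512
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
       + b"IEND\xaeB`\x82")
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF constructed payload" + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj\nconstructed\n%%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"header only, rest overwritten"
BLOB = FILLER + PNG + FILLER + JPEG + b"A" * 100 + PDF + FILLER + TRUNCATED_JPEG + FILLER


def summarize(blob=BLOB):
    """One line per hit, the way an examiner would note carving results in the log."""
    return [f"{r['type']} @ {r['offset']} len={r['length']} complete={r['complete']}"
            for r in carve(blob)]


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

The carver works on a byte string, so it runs equally over a slack-space dump, a pagefile, or a whole disk image read in from the working copy produced during acquisition; because it never looks at directory entries, files that were deleted, renamed to a misleading extension, or left behind in unallocated space are all found the same way.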
Slide 20: Regional Computer Forensic Laboratories (RCFLs)
In response to the need to analyze, preserve, protect and defend forensic evidence, the FBI and local and state law enforcement agencies have constructed and staffed RCFLs. An RCFL is a full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations.
Slide 21: RCFL Structure & Duties
RCFLs consist of 15 people: 12 of the staff members are Examiners and 3 staff members support the RCFL.
Duties include:
- Seizing and collecting digital evidence at a crime scene;
- Conducting an impartial examination of submitted computer evidence; and
- Testifying as required.
Slide 22: RCFLs Examine Digital Evidence in
- Terrorism
- Child pornography
- Crimes of violence
- Trade secret theft
- Theft or destruction of intellectual property
- Financial crime
- Property crime
- Internet crimes
- Fraud
Slide 24: RCFL Priority of Requests
1. immediate threats to property or people;
2. potential threats to property or people;
3. general criminal investigations, such as fraud and child endangerment/pornography;
4. administrative inquiries; and
5. digital forensic research and development.
Source: notablesoftware.com/Papers/ForensicComp.html
Slide 25: Computer Forensic Requirements
The discipline requires a detailed technical knowledge of the relationship between a computer's operating system and the supporting hardware (e.g. hard disks), and between the operating system and system/application programs and the network.
Knowledge of cryptographic and steganographic techniques is needed where data has been encrypted and/or obfuscated to make it inaccessible and/or hidden.
Finally and critically, all evidence gathering must proceed in a manner that ensures that the evidence is admissible in a court of law, and can be documented and presented in an intelligible manner.
Slide 27: Challenges in Forensic Computing
- If access to digital evidence is not forthcoming from an impounding agency, court orders may be necessary to obtain the data and to permit the use of extraction tools to determine whether proper protocols have been applied.
- Computer forensic examiners who are not law enforcement investigators and analysts are not aided by RCFL facilities.
- Examiners must ascertain and provide for their own training on an ongoing basis.
- Rapid changes in digital technology pose complex challenges for computer forensic examiners.
Source: notablesoftware.com/Papers/ForensicComp.html
Slide 28: The Many Colors of Multimedia Security
Benefits and risks of various aspects of digital rights management:
- Media provider: protection of materials from unauthorized distribution or modification is the primary concern;
- Delivery end: recipients want to ensure downloads are virus-free and legitimately obtained.
Encryption and digital branding tools can be employed both for securing multimedia and for circumventing laws pertaining to content and use.
Slide 29: The Many Colors of Multimedia Security
- Steganography (the art and science of embedding secret messages within text, sound, or imagery); and
- Watermarking (the addition of an unremovable identifier to tag the content, indicating ownership).

- feature location (identification of subcomponents within a data set);
- captioning;
- time-stamping; and
- tamper-proofing (demonstration that original contents have not been altered).
Slide 30: The Many Colors of Multimedia Security
Characteristics involved with data embedding include:
- Visibility: embedded data may be intentionally detectable or imperceptible, but either way it should not detract from or degrade the primary media content.
- Robustness (or fragility): the ability of the data to withstand signal-processing attacks (such as compression, rescaling, and format conversions like digital-to-analog conversion).
- Error correction and detection: recovery is possible from small losses, or an indication is provided that coded information damage has occurred.
- Header independence: data is encoded directly into the content of the file to allow survival between file format transfers.
- Self-clocking (or blind) coding: extraction does not require reference to the masking information or signal. (Adaptive coding algorithms use content from the masking data to perform hiding, usually through a transform-based method.)
- Asymmetrical coding: the process used to extract the information is not as time- or resource-consuming as the process used to insert it, to allow for quick access to the data.
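Several of these characteristics, and the tamper-proofing application from the previous slide, can be seen concretely in the simplest embedding scheme, a fragile least-significant-bit mark. The Python below is an added example for this transcript, not code from the presentation; the grayscale "cover image" is a constructed gradient held as a flat list of pixel values and the payload text is made up. A 16-bit length prefix makes extraction self-clocking (blind: only the marked image is needed, never the cover), a CRC32 gives error detection but not correction, each pixel moves by at most one level (visibility), the mark lives in the pixel data rather than a header (header independence), and a coarse quantization standing in for a lossy re-encode or rescale destroys it, which is exactly the fragility a tamper-evidence mark relies on.

```python
import zlib

# Constructed 8-bit grayscale "cover image", flattened to a list of pixel values
# (a deterministic gradient, not a real photograph).
COVER = [(i * 7 + 13) % 256 for i in range(1024)]
PAYLOAD = b"owner:example-lab (constructed mark)"  # made-up identifier


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _frame(payload):
    """16-bit length + payload + CRC32: the length makes extraction self-clocking,
    the CRC provides error detection (not correction)."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length header")
    body = len(payload).to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")


def embed(pixels, payload):
    """Write the framed payload into the least significant bit of successive pixels.
    Every pixel changes by at most 1, so the mark is imperceptible."""
    frame = _frame(payload)
    if len(frame) * 8 > len(pixels):
        raise ValueError("cover image too small for this payload")
    stego = list(pixels)
    for idx, bit in enumerate(_bits(frame)):
        stego[idx] = (stego[idx] & ~1) | bit
    return stego


def _read_bytes(pixels, first_pixel, count):
    """Reassemble `count` bytes from the LSBs starting at pixel index `first_pixel`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[first_pixel + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Blind extraction: only the (possibly modified) image is needed, never the cover.
    Returns (payload, intact); intact is False when the CRC no longer matches."""
    if len(pixels) < 6 * 8:
        return None, False
    length = int.from_bytes(_read_bytes(pixels, 0, 2), "big")
    if (2 + length + 4) * 8 > len(pixels):
        return None, False  # the length header itself is corrupt
    body = _read_bytes(pixels, 0, 2 + length)
    stored_crc = int.from_bytes(_read_bytes(pixels, (2 + length) * 8, 4), "big")
    return body[2:], zlib.crc32(body) == stored_crc


def max_pixel_change(cover, stego):
    """Largest per-pixel difference the embedding introduced (the visibility cost)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def quantize(pixels, step=4):
    """Stand-in for a lossy re-encode or rescale: round each pixel to a multiple of `step`.
    This is the kind of signal-processing step a fragile mark is meant NOT to survive."""
    return [(p // step) * step for p in pixels]


def demo():
    stego = embed(COVER, PAYLOAD)
    before = extract(stego)            # mark present, CRC matches
    after = extract(quantize(stego))   # CRC fails: alteration is detected
    return {"max_change": max_pixel_change(COVER, stego),
            "payload_before": before[0], "intact_before": before[1],
            "intact_after": after[1]}


if __name__ == "__main__":
    print(demo())
```

Run over the unmarked cover, `extract` also reports "not intact", because the gradient's alternating low bits decode to an impossible length; a real detector would treat that as "no mark", not as tampering. A robust ownership watermark would need the opposite design choice (spread-spectrum or transform-domain embedding with error correction), which is why the slide lists robustness and fragility as two ends of one axis.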
Slide 31: 1998 Digital Millennium Copyright Act (DMCA)
- Makes it a crime to circumvent anti-piracy measures built into most commercial software.
- Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
- Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
- Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
- In general, limits Internet service providers' liability for copyright infringement when they simply transmit information over the Internet.
- Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
- Limits liability of nonprofit institutions of higher education, when they serve as online service providers and under certain circumstances, for copyright infringement by faculty members or graduate students.
- Requires that "webcasters" pay licensing fees to record companies.
- Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
- States explicitly that "nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."
Slide 32: Study by Oberholzer and Strumpf
- Even though there were over a billion downloads worldwide each week of music files alone, and despite the 15% dip in recorded music CDs shipped in the U.S. between 2000 and 2002, causality could not be established.
- 5,000 downloads of a particular item were necessary in order to displace a single sale.
- High-selling albums actually benefit from file sharing.
- Therefore, other factors, such as changes in recording format and listening equipment, are probably contributing at a higher rate to the decline in sales.