Cyber Forensics: Find Out What You Are Missing Calvin Weeks, CISSP, CISM, EnCE University of Oklahoma Director, Cyber Forensics Lab Sean Ensz, CISSP, GSEC.

Slide 1: Cyber Forensics: Find Out What You Are Missing
Calvin Weeks, CISSP, CISM, EnCE, University of Oklahoma, Director, Cyber Forensics Lab
Sean Ensz, CISSP, GSEC, University of Oklahoma, IT Security Analyst

Slide 2: © COPYRIGHT 2005 by The University of Oklahoma Board of Regents

This document is an official publication of The University of Oklahoma. Unless otherwise indicated, all text and photographs appearing on the homepage or subsequent official pages linked to it are copyrighted and should not be reproduced without written permission from the OU Public Affairs Office, (405)

Trademarks® The University of Oklahoma has an established independent licensing program to control the use of the name, abbreviations, symbols, emblems, logos, mascots, slogans, and other terminology associated with the University. Unauthorized use of any of the foregoing representations may be trademark infringement. Any unauthorized production or sale of registered marks or names is a violation of the federal Lanham Trademark Act of 1946 and the federal Trademark Act of Such violations subject one to liability for damages, injunctive relief, attorneys' fees and other penalties. Infringing merchandise is subject to seizure. For more information regarding the use of the University's trademarks for commercial purposes, or to report unlicensed uses, call the OU Public Affairs Office, (405)

Use of Materials The document to which this notice is attached is protected by copyright owned in whole or in principal part by The University of Oklahoma Board of Regents in the state of Oklahoma. You may download the document for reference and research purposes only. Distribution and/or alteration by not-for-profit research or educational institutions for their local use is permitted as long as this notice is kept intact and attached to the document. Any other distribution of copies of the document or any altered version thereof is expressly prohibited without prior written consent of the University. For permission requests, licensing proposals, questions, or further information, please contact the OU Public Affairs Office, (405)

Slide 3: Overview
– What is Cyber Forensics?
– Why must you, or why would you want to, perform Cyber Forensics?
– Who should perform Cyber Forensics?
– How do you manage Cyber Forensics?

Slide 4: What is Cyber Forensics?
– Computer Forensics
– Network Forensics
– Internet Forensics

Slide 5: Why you must perform Cyber Forensics
– Regulatory requirements
– Compliance requirements
– Grant compliance
– Properly respond to security incidents

Slide 6: Must have legal oversight
– Many laws govern forensics, both civil and criminal:
– Gramm-Leach-Bliley Act (GLBA)
– Sarbanes-Oxley (SOX)
– Health Insurance Portability and Accountability Act (HIPAA)
– ate/legal/index.shtm

Slide 7: Is / should be included with Incident Response Procedures
– Policy
– Standards
– Guidelines
– PROTOCOLS

Slide 8: Protocols
– Computer Assessment Response Team (CART)
– Field Security Officers (FSO)
– Services

Slide 9: Provides informed decisions
– Administrative policy actions
– Legal actions
– Legal defense actions
– Security management initiatives

Slide 10: Why perform Cyber Forensics?
To gather pertinent evidence of computer misuse or abuse of computer resources that is:
– Needed for legal proceedings
– Used to determine the scope and priority of an incident
– Hidden or deleted
– Overwhelming without the proper forensics software

Slide 11: Why perform Cyber Forensics?
Gather evidence in a manner that meets legal standards by:
– Gaining consent (implicit or explicit)
– Reducing the disturbance to the original evidence by using the CLI during live forensics and write-protecting the original media
– Making a bit-by-bit image
– Using validated forensic software

Slide 12: Why perform Cyber Forensics?
– Tracking chain of custody: what the evidence is, who handled the evidence and when, where it was stored and how
– Documenting what took place: digital photographs of the evidence and surrounding area, what the system admin did prior to your arrival, what the forensic examiner did after he/she arrived
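Slides 11 and 12 describe acquisition and custody as a procedure: write-protect the original, take a bit-by-bit image, verify it with validated tooling, and record who handled the evidence, when and where. The following script is an added illustration of that procedure and is not code from the presentation or from the University of Oklahoma lab. It stands in for a physical drive with a constructed byte buffer, so the evidence ID, drive description, handler names and timestamps are all hypothetical; in practice the bytes would be read from a device behind a hardware write-blocker.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the original media (hypothetical bytes, not a real
# disk). A real acquisition reads the raw device through a write-blocker.
ORIGINAL_MEDIA = b"\x33\xC0\x8E\xD0" + bytes(range(256)) * 4 + b"\x00" * 508 + b"\x55\xAA"
BLOCK_SIZE = 512


def sha256_hex(data: bytes) -> str:
    """Hash used to prove the image is identical to the original media."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> bytes:
    """Bit-by-bit copy read in fixed-size blocks, the way an imager reads a device.
    Every byte is copied; nothing is interpreted, filtered or skipped, and the
    trailing partial block is kept."""
    image = bytearray()
    for offset in range(0, len(media), BLOCK_SIZE):
        image += media[offset:offset + BLOCK_SIZE]
    return bytes(image)


def verify_image(media_hash: str, image: bytes) -> bool:
    """The image is only usable as evidence if its hash matches the hash taken
    of the original before imaging."""
    return sha256_hex(image) == media_hash


class CustodyLog:
    """Answers the slide-12 questions: what the evidence is, who handled it and
    when, and where it was kept and how."""

    def __init__(self, evidence_id: str, description: str, original_hash: str):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = original_hash
        self.entries = []

    def record(self, handler: str, action: str, location: str, when: datetime) -> None:
        self.entries.append({
            "when": when.isoformat(),
            "handler": handler,
            "action": action,
            "location": location,
        })

    def is_chronological(self) -> bool:
        """A custody record with out-of-order entries is a gap an opposing
        expert will ask about; ISO-8601 strings in one zone sort in time order."""
        times = [e["when"] for e in self.entries]
        return times == sorted(times)

    def to_json(self) -> str:
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "sha256": self.original_hash,
            "custody": self.entries,
        }, indent=2)


def acquisition_workflow() -> tuple:
    """Hash the original, image it, verify, and log each hand-off.
    Returns (custody_log, image_verified)."""
    original_hash = sha256_hex(ORIGINAL_MEDIA)
    # Evidence ID, description, handlers and times are constructed examples.
    log = CustodyLog("EV-0001", "hypothetical 80 GB SATA drive from workstation LAB-PC-07", original_hash)
    t0 = datetime(2005, 10, 3, 9, 15, tzinfo=timezone.utc)
    log.record("examiner", "seized drive; photographed desk and cabling", "Room 214", t0)
    log.record("examiner", "attached via write-blocker; hashed original media", "Forensics lab", t0.replace(hour=10))
    image = acquire_image(ORIGINAL_MEDIA)
    verified = verify_image(original_hash, image)
    log.record("examiner", "acquired bit-by-bit image; verification " + ("passed" if verified else "FAILED"),
               "Forensics lab", t0.replace(hour=11))
    log.record("evidence custodian", "received drive for storage in evidence safe", "Evidence room", t0.replace(hour=12))
    return log, verified


if __name__ == "__main__":
    custody, ok = acquisition_workflow()
    print(custody.to_json())
    print("image verified:", ok, "| custody chronological:", custody.is_chronological())
```

Because the hash is taken of the original before imaging and the image is checked against that value, any later alteration of the working copy (even a single flipped byte) is detectable, which is what lets the examiner show the evidence was not damaged in handling.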

Slide 13: Why perform Cyber Forensics?
Initially treat each escalated incident with the same care:
– It is difficult to determine the scope of the incident from the beginning
– You can't redo an incident after you have damaged evidence
– Evidence may be turned over to Law Enforcement
– Evidence may be used in civil litigation

Slide 14: Why perform Cyber Forensics?
Correlate network and IDS logs:
– It is difficult to discern what truly happened from logs alone
– Logs may not show if an attack was successful
– Logs may not show what happened after an attack
– Logs may not show the extent of the attack
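Slide 14's point is that an IDS alert on its own does not tell you whether the attack worked, so the network record has to be read alongside it and the host itself examined. The script below is an added example of that correlation step and is not part of the presentation; the IDS alert and firewall line formats are hypothetical, and the addresses, ports, signature names and timestamps are constructed sample data. It joins each alert to any accepted connection the targeted host opened back toward the alert's source within a short window, which is one of the few things network logs can corroborate, and uses that to rank which hosts should go to host-level forensics first. Hosts with an alert but no corroborating traffic are reported separately, since the logs cannot settle whether the attack failed or simply left no network trace.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the presentation). Formats are
# hypothetical but resemble a typical IDS alert and firewall connection log.
IDS_ALERTS = [
    "2005-10-03 14:02:11 ALERT src=203.0.113.7 dst=10.1.4.22 dpt=445 sig=SMB-exploit-attempt",
    "2005-10-03 14:05:30 ALERT src=198.51.100.9 dst=10.1.4.31 dpt=80 sig=WebDAV-overflow-attempt",
]
FIREWALL_LOG = [
    "2005-10-03 14:02:12 ACCEPT 203.0.113.7:4412 -> 10.1.4.22:445",
    "2005-10-03 14:03:40 ACCEPT 10.1.4.22:1054 -> 203.0.113.7:6667",
    "2005-10-03 14:05:31 ACCEPT 198.51.100.9:3390 -> 10.1.4.31:80",
    "2005-10-03 14:09:02 DENY 10.1.4.31:1060 -> 198.51.100.9:443",
    "2005-10-03 15:30:00 ACCEPT 10.1.4.22:1077 -> 203.0.113.7:80",
]

ALERT_RE = re.compile(r"^(\S+ \S+) ALERT src=(\S+) dst=(\S+) dpt=(\d+) sig=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) (ACCEPT|DENY) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_alerts(lines):
    """Parse IDS alert lines; lines that do not match the format are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({"time": parse_time(m.group(1)), "src": m.group(2),
                           "dst": m.group(3), "dpt": int(m.group(4)), "sig": m.group(5)})
    return alerts


def parse_firewall(lines):
    """Parse firewall connection lines into dicts with action, endpoints and time."""
    conns = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if m:
            conns.append({"time": parse_time(m.group(1)), "action": m.group(2),
                          "src": m.group(3), "sport": int(m.group(4)),
                          "dst": m.group(5), "dport": int(m.group(6))})
    return conns


def correlate(alert_lines, fw_lines, window=timedelta(minutes=10)):
    """For each alert, collect accepted connections that the targeted host
    itself opened back to the alerting source within `window` after the alert.
    Such follow-on traffic is corroboration that deserves host forensics; its
    absence proves nothing either way."""
    conns = parse_firewall(fw_lines)
    findings = []
    for a in parse_alerts(alert_lines):
        follow_on = [c for c in conns
                     if c["action"] == "ACCEPT"
                     and c["src"] == a["dst"] and c["dst"] == a["src"]
                     and a["time"] < c["time"] <= a["time"] + window]
        findings.append({"alert": a, "follow_on": follow_on})
    return findings


def hosts_needing_forensics(findings):
    """Targeted hosts with corroborating follow-on traffic: image these first."""
    return sorted({f["alert"]["dst"] for f in findings if f["follow_on"]})


def hosts_unresolved(findings):
    """Targeted hosts the logs cannot clear: still candidates for examination."""
    return sorted({f["alert"]["dst"] for f in findings if not f["follow_on"]})


if __name__ == "__main__":
    results = correlate(IDS_ALERTS, FIREWALL_LOG)
    for f in results:
        a = f["alert"]
        print(f"{a['time']} {a['sig']} -> {a['dst']}: {len(f['follow_on'])} follow-on connection(s)")
    print("examine first:", hosts_needing_forensics(results))
    print("unresolved:   ", hosts_unresolved(results))
```

In the constructed data the first host opens a connection back to the alerting address within two minutes, so it is prioritised for imaging; the second host's only outbound attempt was denied, so the logs leave its status open, which is exactly the gap the slide says host forensics has to close.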

Slide 15: Why perform Cyber Forensics?
Cyber Forensics gives a more complete picture:
– It will show which files were accessed or written to the host
– It might show why the host was compromised: as a file store, as a launching point for further attacks, or to access sensitive information stored on the host
– It indicates the knowledge level of the attacker

Slide 16: Who should do Forensics?
Experienced and trained personnel who:
– Understand applicable legal requirements and policies
– Are willing to testify in court
– Have received professional training
– Have a firm grasp of security threats and vulnerabilities

Slide 17: What is needed?
– Dedicated "beefy" workstation
– Write-blocking hardware
– Laptop for on-site forensics
– Several spare hard drives
– Write-once media (CD-Rs, DVD-Rs)
– Forensics software

Slide 18: Resources
– Best Practices for Seizing and Searching Electronic Evidence
– Searching and Seizing Computers
– Computer Security Incident Handling Guide: csrc.nist.gov/publications/nistpubs/index.html
– EnCase
– Professional organizations: HTCIA –
