1 © Peter Sommer, 2005
Workshop, 21 September 2005: Digital Investigations and Evidence
Peter Sommer, London School of Economics
peter@pmsommer.com / p.m.sommer@lse.ac.uk

2 Guide has been prepared:
- In the light of experience of:
  - post-incident investigations
  - work for insurers and loss adjusters
  - instructions as an expert in court
- Surprise at the poor level of preparedness to produce evidence, or understand what is involved
- To lift digital forensics from its "the techies will solve everything" myth

3 Evidence in the Corporate Agenda
- Role in Information Assurance / Information Security
  - Low Frequency / High Impact Events
- Role in semi-routine operations
  - Higher Frequency / Lower Impact Events
- Records to demonstrate Compliance
- Forensic Readiness Programs
  - HMG Infosec Standard No 2

4 Traditional Information Assurance Agenda
- Risk Analysis
- Prevention
  - Technology
  - Management
- Incident Management
  - Loss Mitigation
  - Contingency Plans
  - Insurance

5 Incident Management: Aims
Corporate interest:
- organisation continuance
- rapid recovery to full operation
- recovery of assets
- successful insurance claims
- successful 3rd party legal claims
- largest possible number of options for future action

6 Life-cycle of incidents

7 Importance of Evidence Post Disaster Recovery
- To mitigate and control losses
- To make insurance claims – direct and consequential loss
- To sue third parties
- To resist claims from third parties
- To assist law enforcement

8 Evidence Collection
In a disaster:
- How would you make the choice between stopping a system in order to preserve reliable evidence – and keeping your business going?
- What managerial and technical structures do you need to have in place?
- How does this fit in with existing DR/BC Plans?

9 Conflicts
There are many internal conflicts, eg:
- rapid return to normal working = keep the computers going
- evidence collection = stop the computers to avoid contamination
- network surveillance causes:
  - threats to employee trust, privacy
  - use of network resources / slow-down of system response
  - possible compromise of integrity of transactions & records

10 Lesser Incidents
- Frauds by employees and 3rd parties
- Contractual disputes
- Allegations of failure of duty of care
- E-mail and Internet abuse
- Breach of confidentiality
- Online defamation
- Employee / HR disputes
- Sexual harassment
- Acquisition and storage of child abuse images
- Data theft / Industrial Espionage
- Software piracy
- Theft of source code

11 Lesser Incidents
- Unauthorised access by employees
- Unauthorised access by 3rd parties – hacking
- Unauthorised data modification – incl viruses and trojans
- Abuse of corporate IT resources for private gain
- Use of corporate IT resources as one stage in a complex criminal act and where a 3rd party is victimised
- Use of corporate IT resources for illegal file-sharing
- DoS and DDoS attacks
- Phishing and Pharming attempts
- Etc etc
- Requirements of disclosure in civil litigation

12 Cybercrime Policing
- Prosecutions are impossible without evidence
- There will never be enough cybercops
- If you let in the cybercops to locate evidence after the crime, they will inevitably be more disruptive and less successful than if you had planned ahead and are able to produce evidence yourself

13 Reliable record keeping / regulatory compliance
- Sarbanes-Oxley
- Basel II
- International Standard on Records Management - ISO 15489
- UK Combined Code of Corporate Governance
- Freedom of Information legislation
- Forensic Compliance Services

14 Practicalities
- What is evidence?
- Admissibility / Reliability
- Brief History of Computer Evidence
- How to produce a Forensic Readiness Plan?

15 Computer Evidence... is like any other evidence, it must be:
- admissible
- authentic
- accurate
- complete
- convincing to juries

16 Computer Evidence... admissible
- common / civil code traditions
- adversarial / inquisitorial trials
- proving documents, copies
- US: 4th amendment rights / Federal Rules of Evidence
- UK: PACE, 1984; business records (s 24 CJA, 1988) etc etc; Human Rights, Data Protection, problems of interception

17 Computer Evidence... authentic
- can we explicitly link files, data to specific individuals and events?
  - access control
  - logging, audit logs
  - collateral evidence
  - crypto-based authentication

18 Computer Evidence... accurate
- reliability of computer process, not data content
- can we explain how an exhibit came into being?
  - what does the computer system do?
  - what are its inputs?
  - what are the internal processes?
  - what are the controls?

19 Computer Evidence... complete
- tells within its own terms a complete story of particular circumstances

20 Computer Evidence... convincing to juries
- have probative value
- a subjective, practical test of presentation

21 Computer Evidence... is different from other evidence - computer data:
- can change from moment to moment within a computer and along a transmission line
- can be easily altered without trace
- can be changed during evidence collection

22 Computer Evidence... is different from other evidence:
- much immediate computer evidence cannot be read by humans
  - many exhibits are print-out derived from primary electronic material
- computers create evidence as well as record it
- rate of change of technology

23 Computer Evidence... creates as many opportunities as it provides threats:
- many more commercial transactions are recorded
- data, once recorded, is very persistent and many copies may exist
- it is much easier to trace a person's history and activities
- computer-assisted investigation methods become possible...

24 Brief History of Computer Evidence
- Mainframes
- PCs
- LANs
- Internet

25 Brief History of Computer Evidence: Mainframes
- Controlled print-out
- Early problem of admissibility
- How do we test reliability?

26 Brief History of Computer Evidence: PCs
- Can be seized
- Disks can be imaged and then analysed
- Real evidence: can we trust the imaging?
- Quality of inferences

27 Brief History of Computer Evidence: LANs / Complex Systems
- Too complex to seize
- How do we ensure completeness?
- How do we ensure reliability?

28 Brief History of Computer Evidence: Internet
We can seize individual PCs, but we may also rely on:
- evidence from remote computers
- evidence from investigators' computers
- intercepts

29 Forensic procedures..
- Freezing the scene
  - a formal process
  - imaging
- Maintaining continuity of evidence
  - controlled copying
  - controlled print-out
- Contemporaneous notes > witness statements

30 Forensic procedures.. authenticity, accuracy, completeness, admissibility
- repeatability
- independent checking / auditing
- well-defined procedures
- check-lists
- novel scientific methods / juridical quality
- anticipation of criticism

31 Corporate Plan: How to plan for evidence collection
- Identification of risk scenarios
- Analysis and identification of likely evidence requirements
- Procedures and resources for collecting and preserving evidence
- Integration with existing BCP, HR and legal management structures

32 Preservation of Evidence
- Forensic imaging for single hard-disks
  - Now well-established
- Digital fingerprinting for log files
- How do you make a proper selection from larger, more complex systems?
- How do you prove the reliability of data captured in transmission?
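The "digital fingerprinting for log files" of slide 32, and the repeatability and continuity-of-evidence points of slides 29 and 30, come down to recording cryptographic digests at the time of capture so that a later reviewer can re-derive them. The following is an added illustration, not code from the workshop or the Report: it computes a whole-exhibit SHA-256 (as for a disk image) and a per-line hash chain for an append-only log, then shows how a later check locates the first line that no longer matches. The sample log lines and the genesis constant are constructed for the example.

```python
import hashlib

# Constructed sample of an append-only application log (not from the original slides).
SAMPLE_LOG = [
    "2005-09-21T09:00:01Z auth ok user=alice src=192.0.2.10",
    "2005-09-21T09:00:07Z file read user=alice path=/finance/q3.xls",
    "2005-09-21T09:01:15Z auth fail user=bob src=192.0.2.44",
    "2005-09-21T09:01:16Z auth ok user=bob src=192.0.2.44",
]

# Fixed, documented starting value for the chain so the procedure is repeatable (assumption).
GENESIS = "0" * 64


def fingerprint_bytes(data, algorithm="sha256"):
    """Digest of a whole exhibit held in memory (e.g. a closed log file)."""
    return hashlib.new(algorithm, data).hexdigest()


def fingerprint_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Same digest as fingerprint_bytes, read chunk-wise so a disk image need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_log_lines(lines, algorithm="sha256"):
    """Hash-chain an append-only log: each digest covers the previous digest plus the line,
    so editing, inserting or deleting any line changes every digest after it.
    Returns one digest per line; the last one is the chain head to record in the notes."""
    prev = GENESIS
    chain = []
    for line in lines:
        prev = hashlib.new(algorithm, (prev + "\n" + line).encode("utf-8")).hexdigest()
        chain.append(prev)
    return chain


def verify_log(lines, recorded_chain):
    """Re-derive the chain from the log as it is now and compare it with the recorded chain.
    Returns (True, None) if intact, else (False, index of the first line that no longer matches)."""
    recomputed = fingerprint_log_lines(lines)
    for i, (now, then) in enumerate(zip(recomputed, recorded_chain)):
        if now != then:
            return False, i
    if len(recomputed) != len(recorded_chain):
        return False, min(len(recomputed), len(recorded_chain))
    return True, None


if __name__ == "__main__":
    chain = fingerprint_log_lines(SAMPLE_LOG)
    print("chain head:", chain[-1])
    print("intact:", verify_log(SAMPLE_LOG, chain))
```

Recording the chain head (and the hashing procedure) in the contemporaneous notes is what lets an independent checker repeat the fingerprinting later; the digests alone say nothing about who captured the log or when.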

33 Selection of Evidence
In a large complex system – how much is enough? No simple one-size-fits-all answer… but if you have thought things through, you have a better chance of justifying your decision in court

34 Corporate Plan: Anticipatory
- Risk Analysis / Scenario Identification
- Desirable Evidence Analysis
- Available Evidence Review
- Assembly of Key System Documentation
- Review of Back-up and Archiving Facilities
- Produce Evidence Collection & Preservation Policy & Specific Guide
- Incident Management Team
- Review Employment Contracts
- Identify 3rd party specialists

35 Corporate Plan: Incident Management
- Reporting Point / First Responder
- Incident Management Team
- Role of Top Management
- Resourcing – internal
- Resourcing – external
- Asset recovery, loss mitigation
- Legal and law enforcement liaison

36 Corporate Plan: Longer Term Measures
- Program to address gaps in available evidence
- Improvements in overall system specification to ensure more useful evidence is captured – or available for capture
- Improved local training

37 Corporate Plan
- Forensic Readiness Plan:
  - HMG Infosec Standard No 2
- Needs to be
  - prepared as a consensual corporate exercise
  - documented
  - audited
  - subject to revision
    - as the organisation changes
    - as IT infrastructure changes
    - in the light of experience

38 Corporate Plan
- A great deal of this activity sits naturally with existing Information Assurance / Emergency Response / Disaster Recovery activity.
- Much of what can be achieved requires pre-planning, not just an emergency response.

39 The detail is in the Report!

40 Workshop, 21 September 2005: Digital Investigations and Evidence
Peter Sommer, London School of Economics
peter@pmsommer.com / p.m.sommer@lse.ac.uk