Forensics

Learning Objectives Definition of Forensics Be able to understand process in building legally sound case Identify forensic capabilities you will need in a typical corporate environment

Definition Forensic: –“…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).” The aim of forensic science is: –“…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.” Ref: Casey, “Digital Evidence and Computer Crime”, 2nd ed., section 1.6, p20.

The Goal of Forensics Forensics seeks to provide an accurate representation of extracted data: find out the truth –How was it lost? –What was lost? –What are my obligations concerning the loss?

Forensics vs. Incident Handling Closely tied together, but different Data collection starts immediately as a part of incident handling Data analysis is not a part of incident handling The incident can sometimes be closed before forensic analysis is complete

Legally Sound Data Collection Security in Computing, chapter 9.5 Goals –Build a solid case –Find out what was lost –Find out the truth

Privacy Issues Generally apply principles from the physical world –Can you: Read my mail? Listen to my phone call? Obtain a copy of my phone bill?

Applicable Statutes Computer fraud and abuse act, 18USC1030 –Protects against unauthorized access (privacy intrusion)

Applicable Statutes (2) Federal Wiretap Act (18USC ) –Protect data in transit (real-time) –Three key exceptions: Provider Consent Trespasser

Applicable Statutes (3) Pen Registers and Trap and Trace Devices, 18USC –Pen/trap or Trap & Trace –Real-time collection of header information What is header information?

Applicable Statutes (4) The Electronics Communications Privacy Act –ECPA –Protects stored data (both headers and content) –What is the difference between read voice mail and unread voice mail?

Applicable Statutes (5) Patriot Act –Patches up ECPA and others by clearly defining how Law Enforcement can gather data –Renewed in early 2006 with only minor changes

Applicable Statutes (6) Other traditional statutes may apply –Trade secrets –Harassment –Copyright Infringement

Applicable Statutes (7) Summary –Headers vs. content –Real-time vs. stored –Complex and changing Acting under the cover of law –What information can you share with law enforcement?

Employee Rights Bannering –What should be in an acceptable use policy? –Is bannering sufficient? Pseudo-employees –Contractors –Consultants –Temps –Interns –Auditors –…

Case Study(1) Acceptable Use Violation –Indications –Initial course of action –What are you certain you can do? –What are you certain you can not do? –Where do you go for guidance?

Regulatory Issues Gramm-Leach-Bliley Act of 1999 (GLBA) –Protect consumer personal financial data Health Insurance Portability and Accountability Act of 1996 (HIPAA) –Federal privacy protection for individually identifiable health information Public Firms –SEC, NASD requirements for document retention

Data Collection Make copies of everything Only work on copies Create MD5 checksums

Data Collection Toolkit Software –Static binaries –Linux-based Hardware –Cables, adapters –Very large drives Chain of custody forms Calibration procedure

Case Study(2) Bringing the evidence to court –Do you really have to explain an MD5 checksum of a hard drive to the jurors?

Lost when machine is powered off Lost if you wait too long Data on the Computer Real-time only In files In log files Browser history Windows prefetch area Slack space Open network connections Virtual memory Physical memory Network traces

Data on Other Computers Infrastructure logs –Web servers, mail servers Archival systems Network / Firewall logs Intrusion detection systems Everything that logs

Data in Unexpected Places Anti-virus alerts, real-time anti-virus scans License enforcement / application metering [anything]Management Software –Patch management –Software management –Configuration management –Asset management

Case Study(3) You receive a workstation anti-virus alert –Where do you expect to find log data?

Case Study(4) Data on someone else’s computer

Gathering Data from People Interviews –With others –With the suspect Interview Techniques –Never reveal what you do or do not know Did you ever ask a first grader what happened in school today?

Data Sources – Summary Defense in depth == forensics in depth Only you know all the potential data sources –It is always your responsibility to help identify and present the data

Corporate Forensics

The Big Question Can you ever imagine this event/incident leading to a court case? –Yes: legally sound collection –No: more flexibility but fewer resources; often a good training execrcise –Always consider the costs: Prosecution Damage to reputation Loss of corporate secrets

Case Study(5) A routine anti-virus alert (revisited)

Preparations Pre-planning Training Consider outsourcing –Managed cost –Impartial results –Add an addendum to your MSSP contract

Decisions, Decisions CSo, CIO, CEO, CLO What decisions need to be made? When and how do you receive elevated authority? –Admin rights –Right to monitor How do you proceed when there is no decision?

Case Study(6)

What can we learn from: – logs –Web server logs –Interviews –Human resources Who would be involved in making decisions? What are some possible outcomes?

Law Enforcement FBI FTC US Postal Inspectors US Secret Service Local law enforcement Task forces and other institutions

Law Enforcement Build relationships beforehand Cooperation leads to resource sharing Law Enforcement does not know your network topology

Conclusion Definition of Forensics –Tell the story: what was lost, how it was lost Be able to understand process in building legally sound case –Complex issues Identify forensic capabilities you will need in a typical corporate environment –Only you know your topology