Technical Challenges in Cyber Forensics

Posted on 22-Oct-2014

Category:

Technology

DESCRIPTION

A presentation given at the Glasgow Caledonian University, Digital Forensics Student Conference in 2014 discussing some of the technical challenges we face in cyber forensics and possible research areas.

TRANSCRIPT

Technical Challenges in Cyber Forensics

Glasgow Caledonian University, Digital Forensics Student Conference

Agenda

The technical challenges

The research areas

Before we begin… Who is NCC?

• 100 million GBP revenue FTSE company

• Cyber Security Assurance Practice

• 180 UK technical assurance consultants

• applied research (.gov.uk / .co.uk)

• technical security assessments

• cyber forensics incident response

• 50 UK risk / audit consultants

• 90 US technical assurance consultants

• Escrow & Software Assurance = sister BUs

Before we begin…

Hopefully not a lesson in sucking eggs

Things I won’t cover… because Keith did/will

• Accreditation
• Big data
• Cyber security*
• Cloud computing
• Mobile*

Why forensics?

• What happened
• How it happened
• Where it happened
• Who did it / who didn’t do it
• Why it happened*

Forensic chain of custody requirements

• Intention: court (high)

• Intention: not court (low)

Focus for this talk: not court

What we see today

• Offensive material
• Basic data theft
  • remote internet
  • internal employee
• Hacktivism
• Financial related
• Complex nation state threat actors
  • high value IP theft

Tech challenge #1: non-tech usability

• Triage
• Acquisition
• Aggregation
• Processing
• Analysis
• Answers

Tech challenge #2: security

• TPM
• Crypto
  • software
  • hardware
• Device protection
  • passphrase
  • fingerprint
  • anti-tamper

Tech challenge #3: IoT acquisition

• CCTV, watches, TVs, fridges etc.
• Vehicles
• Multi-function devices
• BMS / EMS etc.

… storage removal

… storage processing

… ability to make sense

Tech challenge #4: rapid tech evolution

• Devices
• Operating systems
• Apps
• Methods of communication
• Methods of storage
• Internet services

Tech challenge #5: attribution & intent

• Who
• Why
• Capabilities
• Traits (MO)

Tech challenges: example #1

Tech challenges: example #2

Example research: NCC suggested projects

• Storage Reduction for Network Captures
• High Performance Captured Network Metadata Analysis
• Network Capture Visualisation
• Automated NetFlow Heuristic Signature Production
• Forensic Memory-Resident Password Recovery
• Application Location Services in Data Forensics Investigations
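As an added illustration of the first and fourth project areas above (storage reduction for network captures, and heuristic signatures over NetFlow-style metadata), the following Python is example code written for this page; it is not NCC's project code or tooling. It takes a constructed list of packet records, of the kind a pcap reader would produce, collapses both directions of each conversation into a single bidirectional flow record keyed on the 5-tuple (keeping only counts, byte totals, timing and a SYN flag), estimates the storage reduction against the raw capture, and then runs one simple heuristic (outbound-heavy flows) over the flow records. The field names, sample packets, per-record size estimate and heuristic thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Packet record as a pcap reader might hand it over (assumed field set).
@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    length: int      # bytes on the wire
    syn: bool = False

# Bidirectional flow record: everything we keep after reduction.
@dataclass
class Flow:
    initiator: Tuple[str, int]   # (addr, port) of whoever sent the first packet
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes_fwd: int = 0           # bytes sent by the initiator
    bytes_rev: int = 0           # bytes sent back to the initiator
    syn_seen: bool = False

FlowKey = Tuple[str, str, int, int, str]   # (addr_a, addr_b, port_a, port_b, proto)

def canonical_key(p: Packet) -> FlowKey:
    """Direction-independent key: the lexically smaller (addr, port) endpoint
    goes first, so both halves of a conversation map to the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a <= b:
        return (p.src, p.dst, p.sport, p.dport, p.proto)
    return (p.dst, p.src, p.dport, p.sport, p.proto)

def aggregate(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Reduce a packet list to flow records, processing packets in time order
    so the first packet seen defines the initiator."""
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = canonical_key(p)
        f = flows.get(key)
        if f is None:
            f = Flow(initiator=(p.src, p.sport), first_seen=p.ts, last_seen=p.ts)
            flows[key] = f
        f.last_seen = p.ts
        f.packets += 1
        if (p.src, p.sport) == f.initiator:
            f.bytes_fwd += p.length
        else:
            f.bytes_rev += p.length
        f.syn_seen = f.syn_seen or p.syn
    return flows

def reduction_ratio(packets: List[Packet], flows: Dict[FlowKey, Flow],
                    record_bytes: int = 48) -> float:
    """Raw capture size (payload plus a 16-byte per-packet pcap header) divided
    by the size of the flow records; record_bytes is an assumed fixed size."""
    raw = sum(16 + p.length for p in packets)
    return raw / (record_bytes * len(flows))

def outbound_heavy(flows: Dict[FlowKey, Flow], ratio: int = 10,
                   min_bytes: int = 1000) -> List[FlowKey]:
    """Heuristic signature: flows where the initiator sends far more than it
    receives. Thresholds are illustrative, not tuned values."""
    return [k for k, f in flows.items()
            if f.bytes_fwd >= min_bytes and f.bytes_fwd >= ratio * max(f.bytes_rev, 1)]

# Constructed sample capture: one TLS session with a large upload, one DNS lookup.
SAMPLE: List[Packet] = [
    Packet(1.0, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, 74, syn=True),
    Packet(1.1, "203.0.113.9", "10.0.0.5", "tcp", 443, 51000, 74, syn=True),
    Packet(1.2, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, 66),
    Packet(1.3, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, 1514),
    Packet(1.4, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, 1514),
    Packet(1.5, "203.0.113.9", "10.0.0.5", "tcp", 443, 51000, 66),
    Packet(2.0, "10.0.0.5", "192.168.1.1", "udp", 53001, 53, 78),
    Packet(2.1, "192.168.1.1", "10.0.0.5", "udp", 53, 53001, 162),
]

if __name__ == "__main__":
    flows = aggregate(SAMPLE)
    for key, f in flows.items():
        print(key, f)
    print("reduction ratio: %.1fx" % reduction_ratio(SAMPLE, flows))
    print("outbound-heavy flows:", outbound_heavy(flows))
```

The point of keying on the canonical 5-tuple rather than on (src, dst) as seen is that a flow record stays useful for timeline reconstruction even after the packets are gone: the initiator, the byte asymmetry and the timing survive, while payload does not, which is also the trade-off the heuristic has to live with.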

Future research

• Usability of forensics tools
• Agility / adaptability in forensics tools
• Internet forensics / open source intel
• Stitching multiple distinct sources
• Detecting use of anti-forensics
• Detecting use of offensive-forensics
• High-speed forensics

Future research

• Reactive forensic supporting systems
• Pro-active forensic supporting design patterns
  • systems & apps
• Crowd sourcing / gamification applications in forensics
• Expert systems (AI) use in forensics
  • inference engines / knowledge base
  • http://link.springer.com/chapter/10.1007%2F978-3-540-77368-9_31

Summary

• We need to make it
  • easier to collect & get answers
  • scalable & efficient
  • reliable & adaptable

• We need to be able to
  • consume intelligence
  • produce intelligence
  • share more

UK Offices

Manchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Milton Keynes

North American Offices

San Francisco

Atlanta

New York

Seattle

Austin

Australian Offices

Sydney

European Offices

Amsterdam - Netherlands

Munich - Germany

Zurich - Switzerland

Thanks? Questions?

Ollie Whitehouse

ollie.whitehouse@nccgroup.com