Forensics

Post on 18-Dec-2015


Page 1: Forensics. Learning Objectives Definition of Forensics Be able to understand process in building legally sound case Identify forensic capabilities you

Forensics


Learning Objectives

• Definition of Forensics

• Be able to understand the process of building a legally sound case

• Identify forensic capabilities you will need in a typical corporate environment


Definition

• Forensic:
– “…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).”

• The aim of forensic science is:
– “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.”

Ref: Casey, “Digital Evidence and Computer Crime”, 2nd ed., section 1.6, p. 20.


The Goal of Forensics

• Forensics seeks to provide an accurate representation of extracted data: find out the truth
– How was it lost?
– What was lost?
– What are my obligations concerning the loss?


Forensics vs. Incident Handling

• Closely tied together, but different

• Data collection starts immediately as a part of incident handling

• Data analysis is not a part of incident handling

• The incident can sometimes be closed before forensic analysis is complete


Legally Sound Data Collection

• Security in Computing, chapter 9.5

• Goals
– Build a solid case
– Find out what was lost
– Find out the truth


Privacy Issues

• Generally apply principles from the physical world

– Can you:
• Read my mail?
• Listen to my phone call?
• Obtain a copy of my phone bill?


Applicable Statutes

• Computer Fraud and Abuse Act, 18 USC 1030
– Protects against unauthorized access (privacy intrusion)


Applicable Statutes (2)

• Federal Wiretap Act (18 USC 2510-22)
– Protects data in transit (real-time)
– Three key exceptions:
• Provider
• Consent
• Trespasser


Applicable Statutes (3)

• Pen Registers and Trap and Trace Devices, 18 USC 3121-27
– Pen/trap or Trap & Trace
– Real-time collection of header information

• What is header information?


Applicable Statutes (4)

• The Electronic Communications Privacy Act (ECPA)
– Protects stored data (both headers and content)
– What is the difference between read voice mail and unread voice mail?


Applicable Statutes (5)

• Patriot Act
– Patches up ECPA and others by clearly defining how Law Enforcement can gather data
– Renewed in early 2006 with only minor changes


Applicable Statutes (6)

• Other traditional statutes may apply
– Trade secrets
– Harassment
– Copyright infringement


Applicable Statutes (7)

• Summary
– Headers vs. content
– Real-time vs. stored
– Complex and changing

• Acting under the cover of law
– What information can you share with law enforcement?


Employee Rights

• Bannering
– What should be in an acceptable use policy?
– Is bannering sufficient?

• Pseudo-employees
– Contractors
– Consultants
– Temps
– Interns
– Auditors
– …


Case Study (1)

• Acceptable Use Violation
– Indications
– Initial course of action
– What are you certain you can do?
– What are you certain you cannot do?
– Where do you go for guidance?


Regulatory Issues

• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Protects consumer personal financial data

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Federal privacy protection for individually identifiable health information

• Public Firms
– SEC, NASD requirements for document retention


Data Collection

• Make copies of everything

• Only work on copies

• Create MD5 checksums


Data Collection Toolkit

• Software
– Static binaries
– Linux-based

• Hardware
– Cables, adapters
– Very large drives

• Chain of custody forms

• Calibration procedure


Case Study (2)

• Bringing the evidence to court
– Do you really have to explain an MD5 checksum of a hard drive to the jurors?
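The rules on the Data Collection slide and the MD5 question above, as an added example in Python (not code from the slides): the working copy is verified against the original by hash, a copy altered afterwards fails that check, and the handling step is written to a chain-of-custody record. SHA-256 is recorded next to the MD5 the slides name, since MD5 collisions are practical today; the evidence id, handler name and sample contents are constructed placeholders.

```python
# Added example (not from the slides): hash the original, verify the working copy
# against it, and write one chain-of-custody record for the handling step.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not fill memory

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}; MD5 as on the slides, SHA-256 alongside it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def make_working_copy(original, copy_path):
    """Copy the evidence, then prove the copy is bit-identical by re-hashing it."""
    shutil.copyfile(original, copy_path)
    orig = hash_file(original)
    return orig, hash_file(copy_path) == orig

def custody_record(evidence_id, path, hashes, handler, action):
    """One chain-of-custody entry: which item, who handled it, what was done, when."""
    return {
        "evidence_id": evidence_id,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "hashes": hashes,
        "handler": handler,
        "action": action,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    """Constructed sample: a small file stands in for a disk image (placeholders)."""
    original = os.path.join(tempfile.mkdtemp(), "EV-0001.dd")
    with open(original, "wb") as fh:
        fh.write(b"constructed sample evidence image\n" * 4096)
    copy_path = original + ".work"
    orig, ok = make_working_copy(original, copy_path)
    record = custody_record("EV-0001", original, orig, "ANALYST-PLACEHOLDER", "acquired and hashed")
    with open(copy_path, "ab") as fh:  # simulate a working copy altered after acquisition
        fh.write(b"\x00")
    return ok, hash_file(copy_path) == orig, record  # (True, False, record)
if __name__ == "__main__":
    ok, altered_ok, record = demo()
    print("copy verified:", ok, "| altered copy verified:", altered_ok, "|", record["hashes"])
```

The record is what answers the jurors' question in practice: the hash values, the size, who handled the item and when, all written down at acquisition time.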


Data on the Computer

• In files
• In log files
• Browser history
• Windows prefetch area
• Slack space
• Open network connections
• Virtual memory
• Physical memory
• Network traces

Annotations on the original slide, grouping the items above: “Lost if you wait too long”, “Lost when machine is powered off”, “Real-time only”.


Data on Other Computers

• Infrastructure logs
– Web servers, mail servers

• Archival systems

• Network / Firewall logs

• Intrusion detection systems

• Everything that logs


Data in Unexpected Places

• Anti-virus alerts, real-time anti-virus scans

• License enforcement / application metering

• [anything] Management Software
– Patch management
– Software management
– Configuration management
– Asset management


Case Study (3)

• You receive a workstation anti-virus alert
– Where do you expect to find log data?


Case Study (4)

• Data on someone else’s computer


Gathering Data from People

• Interviews
– With others
– With the suspect

• Interview Techniques
– Never reveal what you do or do not know

Did you ever ask a first grader what happened in school today?


Data Sources – Summary

• Defense in depth == forensics in depth

• Only you know all the potential data sources
– It is always your responsibility to help identify and present the data


Corporate Forensics


The Big Question

• Can you ever imagine this event/incident leading to a court case?
– Yes: legally sound collection
– No: more flexibility but fewer resources; often a good training exercise
– Always consider the costs:
• Prosecution
• Damage to reputation
• Loss of corporate secrets


Case Study (5)

• A routine anti-virus alert (revisited)


Preparations

• Pre-planning

• Training

• Consider outsourcing
– Managed cost
– Impartial results
– Add an addendum to your MSSP contract


Decisions, Decisions

• CSO, CIO, CEO, CLO

• What decisions need to be made?

• When and how do you receive elevated authority?
– Admin rights
– Right to monitor

• How do you proceed when there is no decision?


Case Study (6)

• What can we learn from:
– Email logs
– Web server logs
– Interviews
– Human resources

• Who would be involved in making decisions?

• What are some possible outcomes?


Law Enforcement

• FBI

• FTC

• US Postal Inspectors

• US Secret Service

• Local law enforcement

• Task forces and other institutions


Law Enforcement

• Build relationships beforehand

• Cooperation leads to resource sharing

• Law Enforcement does not know your network topology


Conclusion

• Definition of Forensics
– Tell the story: what was lost, how it was lost

• Be able to understand the process of building a legally sound case
– Complex issues

• Identify forensic capabilities you will need in a typical corporate environment
– Only you know your topology