Gareth Digby: Systems-Based Approach to Cyber Investigations
TRANSCRIPT
Introduction
• This presentation outlines some of the issues associated with cyber investigation evidence collection, analysis and presentation
• Simple, holistic, systems-thinking approaches are outlined to help overcome the issues
Background
• The presentation builds on the experience of the authors, Gareth Digby and Zane Scott, in:
• Providing systems-thinking approaches to understand and tackle complex problems
• Undertaking industrial investigations
An Incident
• “Failure is an unacceptable difference between expected and observed performance”
• Leonards, American Society of Civil Engineers, 1982
• Three phases of process-related incidents:
• Change from a normal to an abnormal operating state
• Breakdown of control of the abnormal operating phase
• Loss of control (of energy accumulations)
• Guidelines for Investigating Chemical Process Incidents, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2003
• Causes may be a combination of interrelated deficiencies
• Hence the complexity and confusion usually associated with an incident
Evidence
• Evidence has to support opinion
• Evidence must be compelling and show, through a preponderance of evidence, that the fact is proven
• Evidence has to be reliable
• The chain of custody must be maintained
[Figure labels: Known, Proven]
Analyze
• We want to analyze the evidence and then develop a hypothesis that we can test
• The Scientific Method:
• Collect data
• Establish potential causes and hypothesis
• Test for validity
Analyze, contd.
• However, the reversed sequence:
• Hypothesize
• Collect data
• Test
• … constrains the exploration of an answer, because data is then gathered to fit the hypothesis rather than the hypothesis being drawn from the data
Present
• Digital systems are inherently complex
• Evidence includes a temporal component
• The evidence, analysis and hypothesis have to be explained to non-specialists
[Figure labels: Simplify, Clarify]
The Conundrum
• Capture
• Look in appropriate places for evidence
• Analysis
• Consider all aspects
• Presentation
• Effective visualization of complex data
Use a systematic, holistic approach to collection, analysis and presentation of evidence
People-System-Environment Matrix

                Before      During      After
Environment
System
People

• Encourages thinking about the environment and people as well as the system of interest
• Reminds us to think about the temporal aspects
People-System-Environment Matrix
• Alternatively known as the 9-Box Matrix
• Developed by A. Chapanis and P. Fitts of the US Army Aero Medical Laboratory
• Bibliography
• “Utilizing The Human, Machine and Environment Matrix In Investigations”, D. Curry, et al., Packer Engineering, Naperville, IL
Examples of Use
• Using the approach to document evidence from an incident at an oil storage depot
• Using the approach to document evidence from an assignment created for teaching computer forensics
Oil Storage Depot Incident Scenario
Based on a review of the Buncefield Major Incident Investigation Board reports http://www.hse.gov.uk/comah/investigation-reports.htm
Example People-System-Environment Matrix (oil storage depot scenario)

Environment
• Before: Cold weather conditions
• During: Vapor cloud; explosion
• After: Contamination
System
• Before: Tank filling overnight
• During: Tank overfill causes vapor cloud
• After: Containment damage
People
• Before: Control room operators start transfer; mist reported before incident
• During: Firefighters respond
• After: Firefighting foam contaminates water

“Why?” questions annotated on the matrix:
• Why overfill? Broken level alarm
• Why ignition? Possibly the start of the fire pumps when the alarm was raised
Fictional Scenario
• In June 2009, King Claudius, following an incident in which a banned play was performed, exiled Hamlet.
• However, it came to light that Hamlet may have been unknowingly set up by others.
• Apologies to Tom Stoppard, “Rosencrantz & Guildenstern Are Dead”
System(s)
• Rosencrantz’s laptop
• Guildenstern's laptop
• Instant messaging
• USB memory stick
• GPS
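The following is an added example, not part of the presentation, showing how the People-System-Environment matrix can be applied to the evidence from a cyber investigation such as the fictional scenario above. Each evidence item carries the timestamp recovered from the artifact, the matrix row it informs and a SHA-256 of the collected bytes (for the chain-of-custody record); the code places items into Before/During/After cells relative to an incident window, lists the cells that still have no evidence (places not yet looked in), and renders the 9-box as plain text. The incident window, the evidence items and their raw bytes are all constructed for illustration and are assumptions, not facts from the scenario.

```python
# Added example: a People-System-Environment (9-box) evidence matrix.
# All sample evidence below is constructed for the fictional Hamlet scenario;
# it is not data from the presentation.
from dataclasses import dataclass
from datetime import datetime
import hashlib

ROWS = ("Environment", "System", "People")
PHASES = ("Before", "During", "After")


@dataclass(frozen=True)
class Evidence:
    when: datetime      # timestamp recovered from the artifact (assumed UTC)
    row: str            # matrix row the item informs: Environment/System/People
    source: str         # system the item was collected from
    description: str
    raw: bytes          # the collected bytes, hashed for the custody record

    def digest(self) -> str:
        """SHA-256 of the collected bytes, recorded at collection time."""
        return hashlib.sha256(self.raw).hexdigest()


def phase_of(when: datetime, start: datetime, end: datetime) -> str:
    """Map a timestamp onto Before / During / After the incident window."""
    if when < start:
        return "Before"
    if when > end:
        return "After"
    return "During"


def build_matrix(items, start, end):
    """Place each item in its (row, phase) cell, oldest first within a cell."""
    matrix = {row: {phase: [] for phase in PHASES} for row in ROWS}
    for item in items:
        if item.row not in ROWS:
            raise ValueError(f"unknown matrix row {item.row!r}")
        matrix[item.row][phase_of(item.when, start, end)].append(item)
    for cells in matrix.values():
        for cell in cells.values():
            cell.sort(key=lambda e: e.when)
    return matrix


def empty_cells(matrix):
    """Cells with no evidence: the places the investigator has not yet looked."""
    return [(row, phase) for row in ROWS for phase in PHASES
            if not matrix[row][phase]]


def render(matrix) -> str:
    """Plain-text 9-box: item count and first description per cell."""
    lines = ["%-12s" % "" + "".join("%-30s" % p for p in PHASES)]
    for row in ROWS:
        cells = []
        for phase in PHASES:
            items = matrix[row][phase]
            text = f"{len(items)}: {items[0].description[:26]}" if items else "-"
            cells.append("%-30s" % text)
        lines.append("%-12s" % row + "".join(cells))
    return "\n".join(lines)


# Constructed incident window (assumed): the banned play is performed
# on the evening of 2009-06-15 between 20:00 and 22:00.
INCIDENT_START = datetime(2009, 6, 15, 20, 0)
INCIDENT_END = datetime(2009, 6, 15, 22, 0)

# Constructed sample evidence from the systems listed in the scenario.
SAMPLE = [
    Evidence(datetime(2009, 6, 14, 21, 5), "People", "Rosencrantz's laptop",
             "IM chat arranging to obtain the script",
             b"[21:05] R: can you get the script?"),
    Evidence(datetime(2009, 6, 15, 19, 40), "System", "Guildenstern's laptop",
             "USB stick mounted, script file copied",
             b"mount: removable device serial STICK01"),
    Evidence(datetime(2009, 6, 15, 20, 30), "Environment", "GPS",
             "Track shows device at the hall during performance",
             b"$GPRMC,203000,A,5130.00,N,00007.00,W"),
    Evidence(datetime(2009, 6, 16, 8, 0), "System", "Guildenstern's laptop",
             "Script file deleted", b"rm script.txt"),
]

if __name__ == "__main__":
    m = build_matrix(SAMPLE, INCIDENT_START, INCIDENT_END)
    print(render(m))
    print("Unexamined cells:", empty_cells(m))
    for e in SAMPLE:
        print(e.source, e.digest()[:16])
```

The empty-cell list is the practical output: with the constructed sample, five of the nine cells are still blank (for example People/During), which is the prompt to go back and look for evidence there before forming a hypothesis rather than after.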
Conclusion
The presentation has shown how issues associated with the
• Collection
• Analysis
• Presentation
… of evidence in cyber investigations can be helped through
• taking a holistic and systematic approach to the identification of evidence, and
• the use of existing systems methods to present the temporal, interrelated nature of the evidence