Digital Forensics Lecture 11: Evidence
0011 0010 1010 1101 0001 0100 1011
This Week’s Presentations
• Certifications
• Risk Analysis
• Normal (non-IT) Parents Keeping Their Children Safe and Happy
• Encase
• Sleuth Kit
Next Week’s Presentations
• Cynthia Veitch: Summary of Past Two Years Cases
• Damen Del Curto: Testifying Tips
• Vince Urias: Laws - International
• Cynthia Veitch: Laws - Federal (EC)
• Lorraine Chavez: Laws - State (New Mexico)
• Michael Kozloski: Laws - State (California)
News Item
• Nine people in China have received prison sentences for activity related to digital piracy. Four of the people received 13-year sentences for producing and selling bootlegged material. Another individual was sentenced to two years in prison for selling pirated software and DVDs. Fines ranged from 40,000 yuan (US$5,000) to 200,000 yuan ($25,000).
• An unnamed Swedish man is the first person in his country to be convicted of making copyrighted songs available for sharing over the Internet.
Source: USATODAY.COM
Lecture Overview
• General Guidelines
• Corporate Investigations
• Federal Investigations
• State and Local Investigations
• Personal Investigations
[Diagram: Legal/Policy → Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action]
General DF Framework
• Purpose (society, economic, individual)
• Risk management
• Law (public, private, and administrative)
– With and without case authority
• Policy
– Implementation of policy
• Preparation
• Process
• Technology
• Resources
General Goals
• Influence law
– Create case authority
• Prosecute offenders
• Make injured parties whole
• Protect assets
• Maximize profits
• By seeking the truth and providing evidence/data
– Who, how, why, where, what, and when
General Incident Response (SANS)
• Preparation – policy, logging, banners, training, etc.
• Identification – were you really compromised?
• Containment – balance operations and investigation
• Eradication – address asset-threat-vulnerability
• Recovery – restore necessary operations
• Follow-up – refine the above steps
General DF Process
• Acquire the evidence
– Don’t alter or damage the original
• Authenticate the recorded evidence
– Ensure it is identical to the original
• Analyze the data
– Don’t modify the acquired data
• Recall that the rigor is based on duty
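The acquire / authenticate / analyze cycle above, and the "full chain of custody" requirement in the Federal profile later in this lecture, as an added Python example (not from the lecture): the "media" is a constructed byte string, the custody log is an in-memory list, and the examiner names are hypothetical. The working copy is hashed at acquisition, every custody entry is chained to the previous one, and both the image and the log can be re-verified later; any change to the acquired data or to a log entry is reported as a failure rather than silently accepted.

```python
"""Evidence acquisition, authentication and custody-log verification.

Added illustration for the lecture's acquire / authenticate / analyze steps.
ORIGINAL_MEDIA is a constructed stand-in for a physical device; examiner
names and the in-memory log are assumptions of this example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "device contents" (not a real image).
ORIGINAL_MEDIA = b"MBR\x00" + bytes(range(256)) * 16 + b"end-of-device"


def acquire(original: bytes) -> bytes:
    """Acquire: take a bit-for-bit copy. Analysts work only on the copy."""
    return bytes(original)


def fingerprint(data: bytes) -> dict:
    """Authenticate: record two digests plus size so the record is harder to dispute."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_custody(log: list, action: str, who: str, digest: dict) -> dict:
    """Append a custody entry chained to the previous entry's hash,
    so an edited or removed entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "who": who,
        "evidence": digest,
        "prev": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_image(image: bytes, recorded: dict) -> bool:
    """Re-hash the working copy and compare with the digest recorded at acquisition."""
    return fingerprint(image) == recorded


def verify_custody_log(log: list) -> bool:
    """Every entry must hash to its stored entry_hash and link to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def run_demo() -> None:
    log = []
    image = acquire(ORIGINAL_MEDIA)
    digest = fingerprint(image)
    record_custody(log, "acquired", "examiner-1", digest)      # hypothetical name
    record_custody(log, "transferred", "examiner-2", digest)   # hypothetical name
    print("copy matches original:", fingerprint(ORIGINAL_MEDIA) == digest)
    print("working copy verifies: ", verify_image(image, digest))
    # Simulate an analyst accidentally modifying the acquired data.
    tampered = image[:-1] + b"X"
    print("tampered copy verifies:", verify_image(tampered, digest))
    print("custody log verifies:  ", verify_custody_log(log))
    log[0]["who"] = "someone-else"   # retroactive edit of a custody entry
    print("edited log verifies:   ", verify_custody_log(log))


if __name__ == "__main__":
    run_demo()
```

In practice the digests would be computed by the imaging tool at acquisition time and written to a signed or printed record, not kept in the same process as the analysis; the chained log here only shows the property a custody record needs, which is that later edits are detectable.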
Corporate Profile
• Goal: maximize profit
• Primary beneficiary: shareholders
• Duty: follow policy
• Scope: corporate wide, all individuals with cyber presence, network boundary at ISP
• Stakeholders: corporate officials, law enforcement, judicial system
• Evidence handling: “standard practices”
• Primary decision mechanism: risk management
Risk Management
• Risk measurement (many measures)
– = f(consequence, p(attack), p(success), p(mitigation))
– OR, a combination of threat, vulnerability, and cost
• Process of characterizing/measuring risks and mitigations
– Invest in mitigation if the cost of the risk outweighs the cost of the mitigation
General Decisions
• General Process
– What process should be adopted?
• Live vs. Dead
– What are the risks?
• Seizing Evidence
– What to seize?
– How to seize it?
• Analysis methods
• Reporting format
Broad Strategies
• Restore operations
• Allow exploit to continue and monitor/record carefully
• Remove affected systems from network
• Unplug affected systems
• Contact law enforcement (could limit future activities)
DF Principles
• Impossible to measure without affecting
• Don’t rely on tools from the affected system
• Use tested tools
• Stay cognizant of the overall goal
• Do not discuss details outside of the investigation
• Establish and respect the ownership of information
• Know the established standards for evidence treatment, recording, and reporting
Best Practices
• Follow documented policy
• Maintain demonstrable objectivity
• Do not seek to prove, but to understand
• Media analysis should be performed as we did in the labs (this is the most mature)
• Exercise reasonable control over data
– no duty to exercise full chain of custody
• Use “proven” tools
• Avoid detailed records of conclusions
Testimony
• Ensure the technical accuracy of your evidence
• Thoroughly prepare your testimony with your attorney
– Make sure your evidence tells a logically consistent story
• Request a peer review from the FBI (or other expert)
– They have much more experience
– Clear this with your attorney
• Do not discuss anything with opposing attorneys without yours present
• Learn as much about the opposing technical witness as possible
• Learn about trial procedures
• Be professional, polite, and ask for clarification if necessary
Federal Profile
• Goal: enforce the law (shape the law?)
• Primary beneficiary: law-abiding public
• Duty: follow and uphold the law
• Scope: private, public, and corporate, based on interstate commerce provisions, U.S. Code, etc.
• Stakeholders: individuals, public, corporations
• Evidence handling: strictly defined (manuals, handbooks, standards, etc.)
• Primary decision mechanism:
Required Practices
• Based on mostly proven legal standards
• Well documented
• Criminal investigations are focused
• More contemporary investigations have broader scope
• Media analysis has the most rigorous practices
• Full chain of custody is required
• Evidence handling procedures are well understood
• Not sure about the detail of records
DOJ Model
• Preparation – Equipment and tools for the investigation
• Collection – Search for electronic evidence
– Secure and Evaluate the Scene. Ensure integrity of evidence, identify evidence
– Document the Scene. Document physical attributes (photos of digital evidence)
– Evidence Collection. Collect system or copy data
• Examination – Technical review searching for evidence
• Analysis – Review examination results
• Reporting – Notes from the case
U.S. Air Force Model
• Identification – Detect the incident/crime
• Preparation – Tools, techniques and obtain approval
• Approach Strategy – Maximize collection of evidence, minimize impact on victim
• Preservation – Isolate and secure physical and digital evidence
• Collection – Record physical crime scene and duplicate digital evidence
• Examination – Search for evidence relating to the crime
• Analysis – Develop theory based on evidence found
• Presentation – Summarize and explain final conclusion and theory
• Return Evidence – Return collected evidence to the owner
State and Local Profile
• Goal: Similar to Federal
• Primary beneficiary: Same as Federal
• Duty: Same as Federal
• Scope: Much narrower than Federal
• Stakeholders: Same as Federal
• Evidence handling: Similar to Federal
• Primary decision mechanism: Resources
Personal Investigations
• Goal: ________
• Primary beneficiary: The individual
• Duty: Follow the law
• Scope: Some personal information resources
• Stakeholders: Users of the personal network
• Evidence handling: None
• Primary decision mechanism: Varies
Difficult Problems
• Rapidly emerging law, lack of case authority
– Creative and adaptive criminals
• Very little design-for-forensics
• Fail-safe evidence handling processes
• Lack of meaningful borders
– International investigations add significant complexity
• Balancing privacy with security
– Current balance favors privacy/anonymity
– Difficult to answer the “who” question