Forensics & E-Discovery
Source: az9194.vo.msecnd.net/pdfs/110902/2306.pdf (36 pages)

Page 1:

Forensics & E-Discovery

Presented by the ASIS Information Technology Security Council

Page 2:

The Information Technology Security Council and its partners deliver a forum to enhance the effectiveness and productivity of security practitioners through the development and delivery of educational material that addresses Information Technology security and risk topics.

Outreach - Research - Education

Page 3:

Monday 11am (Session 2110): Cloud Computing for the Security Practitioner
Monday 1:45pm (Session 2206): Current Trends in Identity & Access Management
Monday 4:30pm (Session 2306): Forensics and e-Discovery
Tuesday 11am (Session 3112): Cyber Security
Tuesday 1:45pm (Session 3208): Utility & Smart Grid Security
Tuesday 4:30pm (Session 3306): Federal Information Security
Wednesday 11am (Session 4111/4184): Legal & Compliance Aspects of IT

Page 4:

Forensics & E-Discovery Research Team

Andrew Neal, CISM, CRISC, CIFI, LPI – Southwest Digital Laboratory
Eric Sifford, CISSP – United States Army
KJ Kuchta, CPP, CFE – Forensic Consulting Solutions
Ben Greer, CISSP – Cyber Security SME
David Melnick, CIPP, CISSP, CISA – Deloitte & Touche, LLP
Jim Emerson – Internet Crimes Group, Inc.

Page 5:

What is an ESD/ESI Incident?
The differences between recovery, forensics and discovery.
Basic steps & best practices for incident response.
How organizations prepare for ESD/ESI incidents.
What security practitioners need to know about ESD/ESI incident response.
Ways incident response efforts can be countered or attacked.
Future trends and problems for incident response.

Page 6:

Three Basic Flavors

Data Recovery
Digital Forensics
E-Discovery
(and composites)

Page 7:

Forensics & e-Discovery Agenda

Digital forensics considerations for the private sector (Jim Emerson, Internet Crimes Group, Inc)
Electronic Discovery Reference Model (eDRM) Primer (KJ Kuchta, CPP, CFE, Forensic Consulting Solutions)
Organizational readiness for e-Discovery activity (David Melnick, CIPP, CISSP, CISA, Deloitte & Touche, LLP)
Evolution from the past: future trends and problems (Andrew Neal, CISM, CRISC, LPI, Southwest Digital Laboratory)

Page 8:

for Private Sector Practitioners …

Jim Emerson
Internet Crimes Group, Inc.

Page 9:

Maintaining Competent Digital Forensic Resources
Maintaining Practical Digital Forensic Capabilities
Digital Forensic Considerations for Emerging Technologies

Page 10:

› Variety of Certification Standards?
› State Licensing Requirements?
› Accreditation of Diverse Tools and Infrastructure?
› Accreditation of Facility and Process?
› Examiner Experience with Diverse and Changing Technology?

Page 11:

› Business, Legal, and Investigative Focused Process?
› Host, Appliance, and Network based Forensic Capabilities?
› Triage, Mass Storage, and Automated Examination Support?
› Remote Enterprise Solutions?
› Integration of Investigation and simple Data Recovery with eDiscovery?

Page 12:

› Cloud Computing and Virtualization
› SaaS, Social Networks and Business Integration of Public 3rd Party Systems
› Increasingly Capable Wireless Devices and Appliances
› Smart Digital Systems and Vehicles

Page 13:

› Is more or less Technical Competence required?
› Is more or less Investigative Competence required?
› Is more or less Ethical Integrity required?

Page 14:

KJ Kuchta, CPP, CFE
Forensic Consulting Solutions

Page 15:

› New and improved eDRM
› FCS' view of the eDRM.
› IntraPrise & Extraprise Considerations for eDiscovery & Information Governance.

“It costs about 20 cents to buy 1GB of storage; however, it costs around $3500 to review 1 GB of storage.” AIIM International Email Management ROI Calculator

Page 16:

[Diagram: data items mapped between custodians (Custodian 1, Custodian 2, Custodian 3) and data sources (Data Source 1, Data Source 2, Data Source 3)]

Page 17:

[Diagram: FCS' view of the eDRM, with the stages Information Governance; Identification; Preservation & Collection; Search & Retrieval; Preprocessing & Analysis; Processing; Review; Post Review Analysis; Production; Presentation]

Page 18:

Identify a specific list of custodians that may have relevant information.
Start with the most important and conduct sampling if there are many custodians.
Preserve broadly; process and review narrowly.
› Just because you preserve does not mean you need to process.
Determine whether you need bit-by-bit or logical acquisitions.
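The bit-by-bit versus logical decision above is easiest to see in code. The following is an added example, not material from the slides or from any of the presenters' firms. It runs against a constructed toy volume (a hypothetical stand-in for a real filesystem, defined only so the example runs offline: a JSON allocation table, a NUL byte, then a raw data area; bytes no table entry points to stand in for unallocated space). The file names, contents and the "deleted draft" remnant are constructed sample data, and the function names are this example's own. It goes a little beyond the slide: besides contrasting what each acquisition captures, it records a per-file SHA-256 manifest for the logical collection and verifies the bit-for-bit image hash, which is how a collection is later shown not to have been altered.

```python
"""Added example: bit-for-bit vs. logical acquisition on a constructed toy volume.

Toy volume format (hypothetical, for this example only):
    <JSON allocation table> NUL <data area>
Data-area bytes with no table entry play the role of unallocated space.
"""
import hashlib
import json

BLOCK = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_toy_volume(files: dict, unallocated: bytes) -> bytes:
    """Lay allocated files out back to back, then append leftover bytes
    that have no table entry (a 'deleted' remnant)."""
    table, data, offset = {}, bytearray(), 0
    for name, content in files.items():
        table[name] = {"offset": offset, "length": len(content)}
        data += content
        offset += len(content)
    data += unallocated
    return json.dumps(table).encode() + b"\x00" + bytes(data)


def bitstream_image(volume: bytes, chunk: int = BLOCK) -> tuple:
    """Bit-for-bit acquisition: copy every byte in blocks, hashing the source
    as it is read, then hash the copy and refuse to report success on mismatch."""
    h = hashlib.sha256()
    image = bytearray()
    for i in range(0, len(volume), chunk):
        buf = volume[i:i + chunk]
        h.update(buf)
        image += buf
    image = bytes(image)
    if sha256_hex(image) != h.hexdigest():
        raise RuntimeError("image hash does not match source hash; acquisition not verified")
    return image, h.hexdigest()


def logical_collect(volume: bytes, in_scope) -> tuple:
    """Logical acquisition: copy only allocated files selected by in_scope
    and record a manifest (name, size, SHA-256) for each collected file."""
    table_raw, _, data = volume.partition(b"\x00")
    table = json.loads(table_raw)
    collected, manifest = {}, []
    for name, meta in table.items():
        if not in_scope(name):
            continue
        content = data[meta["offset"]:meta["offset"] + meta["length"]]
        collected[name] = content
        manifest.append({"name": name, "size": len(content), "sha256": sha256_hex(content)})
    return collected, manifest


def verify_manifest(collected: dict, manifest: list) -> list:
    """Re-hash collected files against the manifest; return the names that fail."""
    return [e["name"] for e in manifest
            if sha256_hex(collected.get(e["name"], b"")) != e["sha256"]]


def keyword_hits(blob: bytes, keyword: bytes) -> int:
    return blob.count(keyword)


# Constructed sample data: two custodian files plus a remnant of a deleted draft.
FILES = {
    "memo.txt": b"Quarterly memo: nothing to see here.",
    "budget.csv": b"line,amount\nproject-alpha,1200\n",
}
UNALLOCATED = b"DELETED DRAFT: project-alpha overrun hidden from audit"
VOLUME = build_toy_volume(FILES, UNALLOCATED)


def compare_acquisitions(keyword: bytes = b"project-alpha") -> dict:
    """Acquire the same volume both ways and count keyword hits in each result."""
    image, image_hash = bitstream_image(VOLUME)
    files, manifest = logical_collect(VOLUME, in_scope=lambda n: n.endswith((".txt", ".csv")))
    return {
        "image_hash": image_hash,
        "image_hits": keyword_hits(image, keyword),           # allocated + unallocated
        "logical_hits": sum(keyword_hits(c, keyword) for c in files.values()),
        "manifest_failures": verify_manifest(files, manifest),
        "manifest": manifest,
    }


if __name__ == "__main__":
    print(json.dumps(compare_acquisitions(), indent=2))
```

The logical collection finds the keyword once (in budget.csv); the bit-for-bit image finds it twice, because it also captures the remnant no directory entry points to. That is the trade-off the slide asks you to decide on: the image is larger and slower to process but preserves deleted and slack data, while the logical collection is cheap and scoped by the in_scope predicate (preserve broadly, process narrowly). Either way, hash at acquisition time and re-verify before review; the manifest check above is what lets you show the collected copy was not altered.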

Page 19:

Must be tailored to the facts of the case. Should include at minimum:
› Name of the matter or individual involved;
› Warning of the importance of the hold and the consequences for not complying with it;
› Direction not to alter or destroy information/documents;
› Reason for the hold – e.g., legal action;
› Reason the recipient is getting the hold notice;
› Types of information included in the hold and the applicable time period;
› Instructions for preserving information/documents;
› Suspension of any routine document retention/destruction policy.

The notice should be issued to any employees likely to have relevant information and copied to the employer's IT department so that it can be implemented on the back end.

Page 20:

Employers have a duty to preserve electronically stored information and paper documents that they know or should know would be relevant to a current or threatened legal action. Events which might trigger this duty could include:
› Any notice that the employer is a party to an administrative or a legal proceeding.
› An email or letter threatening a claim on behalf of an applicant or current or former employee or client.
› A verbal threat or demand from an applicant or current or former employee or client relating to a legal claim.
› Anything that might realistically indicate an employee or client intends to pursue legal action.

Page 21:

Improper application of legal holds, or simply not implementing them, can result in costly financial sanctions (potentially millions of dollars) or the loss of a lawsuit for employers.
› Smaller employers are not exempt because of their size.

Data lost through an improper legal hold may be the very data that would have protected the employer in the lawsuit.

Page 22:

David Melnick, CIPP, CISSP, CISA
Deloitte & Touche, LLP

Page 23:

Legal and Compliance Information Management Challenges
• Information Overload
• Regulatory Trends
• High Operational Costs
• Security and Privacy Concerns
• Risks of Noncompliance


Page 25:

Developing an enterprise Information Management Program can help maximize the amount of value you achieve from different initiatives. Each one of these areas reinforces the other, for example:
› Improved data classification can make eDiscovery collection and processing faster
› Improved data protection can reinforce records management policies and processes
› Appropriate retention policies can reduce the volume of documents that can be presented for eDiscovery
› A programmatic approach is required to ensure policies and processes in each area are mutually reinforcing to provide the greatest integration value to the company.


Page 27:

Data Management addresses how an organization manages its data. It is a comprehensive set of capabilities that properly manages the data lifecycle requirements of an enterprise — via the development and execution of policies, procedures, architectures, and use of technologies.

Page 28:

A "disconnect" between corporate policies, actual operational practices, and technology infrastructure reduces the ability to implement changes into the business environment. Examples of activities related to privacy and data protection that led to enforcement actions, lawsuits, or monetary fines are as follows:
• Misrepresenting the purpose for collecting PII
• Failure to disclose the means used to collect PII (i.e., the use and/or duration of cookies, Web bugs, spyware, tracking technologies)
• Failure to adequately train personnel on privacy representations
• Disclosing, sharing, or selling PII to third parties contrary to the organization's privacy policy
• Exporting PII contrary to the privacy laws of the originating country
• Misrepresenting the security protection of PII

Page 29:

Organizations must leverage a robust Information Management framework to organize their priorities and approaches around the components of the Information Life Cycle.

Approaches may vary (either top-down or bottom-up) based upon the maturity of the component and the strategic value it represents to the organization.

[Diagram: Information Management Program]
Top down: approach for the disposition of historical information (hard copy/electronic)
Bottom up: application of record retention schedules; processes and procedures (offices, headquarters, RIM department)
Components: Information Management Policy Framework; Data Warehousing and Electronic Information Management; Record Retention Schedules; Information Governance Structure; Privacy, Security, Implementation and Training and Communication; Planning and Scoping; Discovery/Litigation Readiness

Page 30:

Andrew Neal, CISM, CRISC, CIFI, LPI
Southwest Digital Laboratory

Page 31:

Watergate
Enron
Katrina
BTK
War on drugs
Osama's MySpace

Page 32:

Increase in areal density.
New storage devices and media.
Tools independent of data structure.
Cloud integration into storage architecture.
Issues created when physically recovering a drive from a large multi-tenant array.
Regulatory and certification issues.

Page 33:

More & different target devices.
Evolving licensing and regulation.
Development of standards and frameworks.
Reduced disruption during acquisition.
Counter-Forensics and Anti-Forensics.
Tool validation.
Risk management for the forensic process.

Page 34:

More 'discoverable' sources:
› Social media
› Portable devices
Exponential growth in data storage.
Evolving rules of evidence.
Education of the judiciary.
Development of 'smart' tools for collection and processing.
Professional training and standards.

Page 35:

Not a settled science or profession.
Rapidly increasing crossover between technical and operational areas.
Best results achieved with
› Established policy
› Prior planning
› Education of incident responders
› Established vendor relationships

Page 36:

Forensics & e-Discovery

Questions?

KJ Kuchta, CPP, CFE – Forensic Consulting Solutions – [email protected]
Jim Emerson – Internet Crimes Group, Inc – [email protected]
David Melnick, CIPP, CISSP, CISA – Deloitte & Touche, LLP – [email protected]
Andrew Neal, CISM, CRISC, LPI – Southwest Digital Laboratory – [email protected]