Source: az9194.vo.msecnd.net/pdfs/110902/2306.pdf
Forensics & E-Discovery
Presented by the ASIS Information Technology
Security Council
The Information Technology Security
Council and its partners deliver a forum to
enhance effectiveness and productivity of
security practitioners through the
development and delivery of educational
material that addresses Information
Technology security and risk topics.
Outreach Research Education
Page 2
Monday 11am (Session 2110): Cloud Computing for the Security Practitioner
Monday 1:45PM (Session 2206): Current Trends in Identity & Access Management
Monday 4:30pm (Session 2306): Forensics and e-Discovery
Tuesday 11am (Session 3112): Cyber Security
Tuesday 1:45 (Session 3208): Utility & Smart Grid Security
Tuesday 4:30pm (Session 3306): Federal Information Security
Wednesday 11am (Session 4111/4184): Legal & Compliance Aspects of IT
Page 3
Forensics & E-Discovery Research Team
Andrew Neal, CISM, CRISC, CIFI, LPI – Southwest Digital Laboratory
Eric Sifford, CISSP – United States Army
KJ Kuchta, CPP, CFE – Forensic Consulting Solutions
Ben Greer, CISSP – Cyber Security SME
David Melnick, CIPP, CISSP, CISA – Deloitte & Touche, LLP
Jim Emerson – Internet Crimes Group, Inc.
Page 4
What is an ESD/ESI Incident?
The differences between recovery, forensics and
discovery.
Basic steps & best practices for incident response.
How organizations prepare for ESD/ESI incidents.
What security practitioners need to know about
ESD/ESI incident response.
Ways incident response efforts can be countered
or attacked.
Future trends and problems for incident response.
Page 5
Three Basic Flavors
Data Recovery
Digital Forensics
E-Discovery
(and composites)
Page 6
Forensics & e-Discovery Agenda
Digital forensics considerations for the private sector – Jim Emerson, Internet Crimes Group, Inc
Electronic Discovery Reference Model (eDRM) primer – KJ Kuchta, CPP, CFE, Forensic Consulting Solutions
Organizational readiness for e-Discovery activity – David Melnick, CIPP, CISSP, CISA, Deloitte & Touche, LLP
Evolution from the past: future trends and problems – Andrew Neal, CISM, CRISC, LPI, Southwest Digital Laboratory
Page 7
for Private Sector Practitioners …
Jim Emerson
Internet Crimes Group, Inc.
Page 8
Page 9
Maintaining Competent Digital Forensic
Resources
Maintaining Practical Digital Forensic
Capabilities
Digital Forensic Considerations for
Emerging Technologies
Page 10
› Variety of Certification Standards?
› State Licensing Requirements?
› Accreditation of Diverse Tools and
Infrastructure?
› Accreditation of Facility and Process?
› Examiner Experience with Diverse and
Changing Technology?
Page 11
› Business, Legal, and Investigative Focused
Process?
› Host, Appliance, and Network based
Forensic Capabilities?
› Triage, Mass Storage, and Automated
Examination Support?
› Remote Enterprise Solutions?
› Integration of Investigation and simple Data
Recovery with eDiscovery?
Page 12
› Cloud Computing and Virtualization
› SaaS, Social Networks and Business
Integration of Public 3rd Party Systems
› Increasingly Capable Wireless Devices and Appliances
› Smart Digital Systems and Vehicles
Page 13
› Is more or less Technical Competence required?
› Is more or less Investigative Competence required?
› Is more or less Ethical Integrity required?
KJ Kuchta, CPP, CFE
Forensic Consulting Solutions
Page 14
Page 15
› New and improved eDRM
› FCS' view of the eDRM.
› Intraprise and extraprise considerations for eDiscovery and information governance.
"It costs about 20 cents to buy 1 GB of storage; however, it costs around $3500 to review 1 GB of storage." (AIIM International Email Management ROI Calculator)
Page 16
[eDRM diagram: data from Custodians 1–3 and Data Sources 1–3 flows through the following stages]
Information Governance
Identification
Preservation & Collection
Search & Retrieval
Preprocessing & Analysis
Processing
Review
Post Review Analysis
Production
Presentation
Page 18
Identify a specific list of custodians that may have relevant information.
Start with the most important and conduct sampling if there are many custodians.
Preserve broadly, process and review narrowly.
› Just because you preserve does not mean you need to process.
Determine whether you need bit-by-bit or logical acquisitions.
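The bit-by-bit versus logical acquisition decision above is easiest to see on a small volume. The following is an added illustration, not code from the ASIS deck or its presenters: it builds a constructed six-block toy volume with an invented allocation table (one short live file with slack, one two-block live file, one deleted file whose blocks have not been reused), images it both ways, and verifies the physical image by SHA-256 against the source. The block size, file names and contents are all assumptions made for the example.

```python
"""Physical (bit-by-bit) versus logical acquisition of a constructed toy
volume, with SHA-256 verification of the image against its source.
Added illustration, not part of the ASIS deck; the volume layout, the
allocation table and the file contents are invented for the example.
"""
from __future__ import annotations

import hashlib
import io
from dataclasses import dataclass

BLOCK = 512  # constructed block size for the toy volume


@dataclass(frozen=True)
class Entry:
    """One row of the toy volume's allocation table (constructed)."""
    name: str
    start: int        # first block of the file
    blocks: int       # blocks reserved for it
    size: int         # bytes in use; the rest of the last block is slack
    allocated: bool   # False: deleted, blocks not yet reused


def build_volume() -> tuple[bytes, list[Entry]]:
    """Lay out a 6-block volume: boot block, a short live file followed by
    slack, a two-block live file, a deleted file whose bytes are still on
    disk, and one never-used block. All contents are constructed."""
    vol = bytearray(6 * BLOCK)
    vol[0:4] = b"BOOT"
    memo = b"memo: retention schedule draft v3"
    vol[BLOCK:BLOCK + len(memo)] = memo
    # slack: residue of an earlier, larger file that occupied this block
    vol[BLOCK + len(memo):2 * BLOCK] = b"[slack:old memo text]".ljust(
        BLOCK - len(memo), b"~")
    ledger = b"ledger," * 130            # 910 bytes, spans two blocks
    vol[2 * BLOCK:2 * BLOCK + len(ledger)] = ledger
    draft = b"DELETED: litigation hold notice draft"
    vol[4 * BLOCK:4 * BLOCK + len(draft)] = draft
    table = [
        Entry("memo.txt", 1, 1, len(memo), True),
        Entry("ledger.csv", 2, 2, len(ledger), True),
        Entry("draft.txt", 4, 1, len(draft), False),
    ]
    return bytes(vol), table


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def physical_acquire(device: io.BufferedIOBase, block: int = BLOCK) -> bytes:
    """Bit-by-bit image: read every block from start to end, including
    unallocated blocks and slack. Reading a raw stream rather than walking
    the allocation table is what makes the copy physical."""
    device.seek(0)
    out = bytearray()
    while chunk := device.read(block):
        out += chunk
    return bytes(out)


def logical_acquire(device: io.BufferedIOBase, table: list[Entry]) -> dict[str, bytes]:
    """Logical collection: only the bytes the file system attributes to
    allocated files. Deleted files and slack are never read."""
    files: dict[str, bytes] = {}
    for e in table:
        if not e.allocated:
            continue
        device.seek(e.start * BLOCK)
        files[e.name] = device.read(e.size)
    return files


def verify_image(source: bytes, image: bytes) -> bool:
    """Acquisition check: same length and same SHA-256 as the source."""
    return len(image) == len(source) and sha256_hex(image) == sha256_hex(source)


def contains(needle: bytes, data: bytes) -> bool:
    """Crude carving check: does the byte string appear anywhere?"""
    return needle in data


def acquisition_report() -> dict:
    """Image the toy volume both ways and report what each captured,
    with the hashes a custody record would carry."""
    volume, table = build_volume()
    dev = io.BytesIO(volume)
    physical = physical_acquire(dev)
    logical = logical_acquire(dev, table)
    logical_blob = b"".join(logical.values())
    return {
        "physical_ok": verify_image(volume, physical),
        "physical_sha256": sha256_hex(physical),
        "logical_files": {n: sha256_hex(d) for n, d in logical.items()},
        "deleted_in_physical": contains(b"DELETED:", physical),
        "deleted_in_logical": contains(b"DELETED:", logical_blob),
        "slack_in_physical": contains(b"[slack:", physical),
        "slack_in_logical": contains(b"[slack:", logical_blob),
    }


if __name__ == "__main__":
    for key, value in acquisition_report().items():
        print(f"{key}: {value}")
```

The report shows the trade-off in one place: the physical image verifies against the source and still holds the deleted draft and the slack, while the logical collection holds only the two live files and none of that residue. Preserving broadly therefore usually means the physical image; the logical set is what gets processed and reviewed.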
Page 19
Must be tailored to the facts of the case. Should include at minimum:
› Name of the matter or individual involved;
› Warning of the importance of the hold and the consequences of not complying with it;
› Direction not to alter or destroy information/documents;
› Reason for the hold, e.g. legal action;
› Reason the recipient is getting the hold notice;
› Types of information included in the hold and the applicable time period;
› Instructions for preserving information/documents;
› Suspension of any routine document retention/destruction policy.
The notice should be issued to any employees likely to have relevant information and copied to the employer's IT department so that it can be implemented on the back end.
Page 20
Employers have a duty to preserve electronically stored information and paper documents that they know or should know would be relevant to a current or threatened legal action. Events which might trigger this duty could include:
› Any notice that the employer is a party to an administrative or a legal proceeding.
› An email or letter threatening a claim on behalf of an applicant or current or former employee or client.
› A verbal threat or demand from an applicant or current or former employee or client relating to a legal claim.
› Anything that might realistically indicate an employee or client intends to pursue legal action.
Page 21
Improper application of legal holds, or simply not implementing legal holds, can result in costly financial sanctions or the loss of a lawsuit for employers (millions of dollars).
› Smaller employers are not exempt because of the size of the company.
Loss of data due to an improper legal hold can destroy the very data that would have protected the employer in the lawsuit.
David Melnick, CIPP, CISSP, CISA
Deloitte & Touche, LLP
Page 22
Page 23
Legal and Compliance Information Management Challenges
› Information overload
› Regulatory trends
› High operational costs
› Security and privacy concerns
› Risks of noncompliance
Page 24
Page 25
Developing an enterprise Information Management Program can help maximize the amount of value you achieve from different initiatives. Each one of these areas reinforces the other, for example:
› Improved data classification can make eDiscovery collection and processing faster
› Improved data protection can reinforce records management policies and processes
› Appropriate retention policies can reduce the volume of documents that can be presented for eDiscovery
› A programmatic approach is required to ensure policies and processes in each area are mutually reinforcing to provide the greatest integration value to the company.
Page 26
Page 27
Data Management addresses how an organization manages its data. It is a comprehensive set of capabilities that properly manages the data lifecycle requirements of an enterprise — via the development and execution of policies, procedures, architectures, and use of technologies.
Page 28
A "disconnect" between corporate policies, actual operational practices, and technology infrastructure reduces the ability to implement changes in the business environment. Examples of activities related to privacy and data protection that have led to enforcement actions, lawsuits, or monetary fines are as follows:
• Misrepresenting the purpose for collecting PII
• Failure to disclose the means used to collect PII (i.e., the use and/or duration of cookies, Web bugs, spyware, tracking technologies)
• Failure to adequately train personnel on privacy representations
• Disclosing, sharing, or selling PII to third parties contrary to the organization's privacy policy
• Exporting PII contrary to the privacy laws of the originating country
• Misrepresenting the security protection of PII
Page 29
Organizations must leverage a robust Information Management framework to organize their priorities and approaches around the components of the Information Life Cycle.
Approaches may vary (either top-down or bottom-up) based upon the maturity of the component and the strategic value it represents to the organization.
[Information Management Program diagram. Top-down: approach for the disposition of historical information (hard copy/electronic). Bottom-up: application of record retention schedules, processes and procedures across offices, headquarters and the RIM department. Program components:]
Information Management Policy Framework
Data Warehousing and Electronic Information Management
Record Retention Schedules
Information Governance Structure
Privacy, Security, Implementation and Training and Communication
Planning and Scoping
Discovery/Litigation Readiness
Andrew Neal CISM, CRISC, CIFI, LPI
Southwest Digital Laboratory
Page 30
Page 31
Watergate
Enron
Katrina
BTK
War on drugs
Osama's MySpace
Page 32
Increase in areal density.
New storage devices and media.
Tools independent of data structure.
Cloud integration into storage architecture.
Issues created when physically recovering a drive from a large multi-tenant array.
Regulatory and certification issues.
Page 33
More & different target devices.
Evolving licensing and regulation.
Development of standards and frameworks.
Reduced disruption during acquisition.
Counter-Forensics and Anti-Forensics.
Tool validation.
Risk management for the forensic process.
Page 34
More 'discoverable' sources:
› Social media
› Portable devices
Exponential growth in data storage.
Evolving rules of evidence.
Education of the judiciary.
Development of 'smart' tools for collection and processing.
Professional training and standards.
Page 35
Not a settled science or profession.
Rapidly increasing crossover between technical and operational areas.
Best results achieved with
› Established policy
› Prior planning
› Education of incident responders
› Established vendor relationships
Forensics & e-Discovery
Questions?
KJ Kuchta, CPP, CFE – Forensic Consulting Solutions – [email protected]
Jim Emerson – Internet Crimes Group, Inc – [email protected]
David Melnick, CIPP, CISSP, CISA – Deloitte & Touche, LLP – [email protected]
Andrew Neal, CISM, CRISC, LPI – Southwest Digital Laboratory – [email protected]
Page 36