Investigating computer system abuse power point final
Investigating Computer System Abuse
Help for Human Resources
Dan Michaluk and Kathryn Bird
HRPA 2011
February 2, 2011
Outline
• Investigation basics
• Sources of digital evidence
• Why digital evidence is different
• Preservation best practices
• Interview tips
• Managing the investigation record
Investigation Basics
• Your objectives
• To gather relevant evidence
• To weigh the reliability of the evidence
• To draw one or more reliable conclusions of fact
• To appear neutral throughout
Investigation Basics
• Process flow
• Receive complaint or identify problem
• Define questions of fact
• Investigate covertly (identify, gather and preserve)
• Interview respondent employee
• Investigate response as necessary
• Draw conclusions
Investigation Basics
• Employer access to employer systems
• Generally okay with a “no expectation of privacy” policy, but personal use is changing expectations
• But a policy that sets out an audit right and an investigation right is good practice
• Identify how investigations are authorized
• Treat information gathered with a view to scrutiny
Sources of Digital Evidence
• Your pre-confrontation sources
• Your servers
• E-mail
• Voice mail
• Mobile messaging
Sources of Digital Evidence
• Your pre-confrontation sources
• Your network “clients”
• Stored information
• Specially captured information*
*Beware: highly intrusive
Sources of Digital Evidence
• Your post-confrontation sources
• Thumb drives, cameras and other peripherals
• Media cards on mobile devices
• Peer to peer mobile communications
• Messaging applications
• Transfers through other applications
• Home computers
Sources of Digital Evidence
• Third-party sources
• Internet service providers
• Telecommunications carriers
Why Digital Evidence is Different
• Proving authenticity can be very difficult
• Can be readily altered
• Alterations may not be testable
Why Digital Evidence is Different
• People think it’s private
• Conversations are now stored
• E-mail is bad, chat is worse
• Chat is becoming more prevalent
• E-mail and chat are producible
Preservation of Digital Evidence
• Preservation through collection
• Decide who will collect
• Is it a forensics case?
• What’s at stake?
• Is your IT staff qualified?
• Will the person collecting be available?
• Will the person collecting be a good witness?
• Preserve a copy before you review!
Preservation of Digital Evidence
• Record the chain of custody
• Identify where the copy came from
• Identify the physical object by description
• Record the time and date
• Sign it
• Secure it
Preservation of Digital Evidence
• Preserving web pages
• Difficult to do a true forensic capture
• There are services and software tools, but they need to be applied with care
• If it is about words on the screen, periodically printing and signing or taking a screen capture may suffice
• But otherwise, get help
Preservation of Digital Evidence
• Exit procedures are important
• Computers should be held for a cooling off period
• Mobile devices can be remotely wiped
• Routine preservation may often be warranted
Interview Tips
• Basic tips
• Build rapport and stress neutrality
• Sit face to face, not behind a desk
• Take notes, don’t tape
• Save the interrogation for interview #2
Interview Tips
• Show the witness the records
Interview Tips
• How to handle, “Someone must have accessed my computer!”
• Who knew your password?
• Who had access to your office?
• Where were you? Were you with someone else?
• Consider circumstantial evidence (e.g. content of communication, timing of e-mails)
• Go through every event
Interview Tips
• Turn logs into usable evidence
• Probe at…
• …time period
• …frequency
• …volume
• …and other contextual facts shown by logs
Interview Tips
• Turn logs into usable evidence
• This shows sixty downloads in the month of May. Does that accurately represent your activity over that period?
• You mostly downloaded from a site called “BT Junkie”, correct?
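The time period, frequency and volume facts that the interview tips above suggest probing can be extracted from a log before the interview. The sketch below is an added example, not part of the original presentation; the log format, the user names and the host names are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log lines (timestamp, user, method, host, path, bytes).
# The format, user names and hosts are assumptions made for this example.
SAMPLE_LOG = """\
2011-05-03T21:14:09 jdoe GET files.example.test /a.iso 734003200
2011-05-03T21:40:51 jdoe GET files.example.test /b.iso 699400192
2011-05-17T12:05:33 jdoe GET mirror.example.test /c.zip 10485760
2011-05-17T12:06:02 asmith GET files.example.test /d.zip 2048
2011-06-01T09:00:00 jdoe GET files.example.test /e.zip 4096
this line is malformed and must not abort the summary
"""

def summarize(log_text, user):
    """Per-month facts for one user: event count, bytes, first/last event, top host."""
    months = defaultdict(lambda: {"events": 0, "bytes": 0, "first": None,
                                  "last": None, "hosts": Counter()})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            who, host, size = parts[1], parts[3], int(parts[5])
        except (IndexError, ValueError):
            skipped += 1  # count unparseable lines so gaps in the record are disclosed
            continue
        if who != user:
            continue
        m = months[ts.strftime("%Y-%m")]
        m["events"] += 1
        m["bytes"] += size
        m["first"] = ts if m["first"] is None else min(m["first"], ts)
        m["last"] = ts if m["last"] is None else max(m["last"], ts)
        m["hosts"][host] += 1
    report = {}
    for month, m in sorted(months.items()):
        report[month] = {"events": m["events"], "bytes": m["bytes"],
                         "first": m["first"].isoformat(), "last": m["last"].isoformat(),
                         "top_host": m["hosts"].most_common(1)[0]}
    return report, skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG, "jdoe")
    for month, facts in report.items():
        print(month, facts)
    print("unparseable lines:", skipped)
```

Run it against a preserved copy of the log, not the live source, and keep the count of unparseable lines with the summary so the witness is only asked about events the log actually records.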
Managing the Investigation Record
• Records produced in the course of an investigation will not be privileged except in the most extraordinary circumstances
• So everything you create may be producible
Managing the Investigation Record
• Tips for keeping a “tight” record
• Don’t conclude before you conclude
• Interview notes have factual observations only
• Don’t think over e-mail
• Don’t send draft reports by e-mail
Managing the Investigation Record
• The logic of the written report
• Conclusions and recommendations
• Facts
• Evidence
• What’s relevant
• What’s reliable
• What’s compelling