Welcome
Information Systems Security Association
May 8, 2007

FBI Update
Handling of Digital Evidence

Agenda

- Case Update
- FBI Activities
- Handling of Digital Evidence

FBI Cyber Investigations

- Computer Intrusion Matters
- Innocent Images National Initiatives
- Intellectual Property Rights Matters
- Internet Fraud

Computer Intrusion Matters

- Financial Institutions
  - Phishing schemes
- Manufacturing
  - Installation of Warez site
  - USB Hacksaw
- Universities
  - Insiders

Innocent Images National Initiative

- Undercover Operations
  - Travelers
  - Distributors
- Peer-to-Peer networks

Intellectual Property Rights

- Theft of Trade Secret Investigations
  - Organizations need to protect information in accordance with legal requirements (Title 18 US Code Section 1832)
- Recording Industry Association of America (RIAA)
- Motion Picture Industry Association of America (MPAA)
- Clothing Industry

Internet Fraud

- Click Fraud Investigation
  - Ralph John Peck

Regional Cyber Action Team

Mission
- Respond to significant computer intrusions which threaten national critical infrastructures or impact the national economy or security.
  - Provide expertise and resources to assist affected Field Offices.
  - Augment Resources
- Harvest data during the investigation and analyze that data to derive useful intelligence.
  - Strategic intelligence
  - Operational intelligence
- Coordinate the Computer Intrusion Program's major cases and initiatives from FBIHQ.
  - Botnet Initiative
  - Top Ten Hackers
  - DOE/FBI Working Group
- Respond to Domestic & International Cyber Incidents

Typical CAT Deployment

- SSA (2)
  - Team Leaders
  - Experienced cybercrime agents
  - Deployability
- Intelligence Analysts (2)
  - Operational intelligence
  - Conduct toll analysis, linkage analysis, public records searches, financial analysis, ACS and other database mining
  - Interface with Information Sharing & Analysis Section (ISAS) to produce assessments and bulletins, develop cases when not deployed in support of Field
- ITS (2)
  - Technically trained specialists
  - Interacts with Technical Personnel
  - Review technical data/evidence
  - Assists in creation of technical solutions to house and analyze data within CATU

Regional CAT

- 46** members from four regions
  - Northeast
  - Southeast
  - Central
  - West
- Augments CAT
  - "Cadre" concept
- Specialized training, equipment, communication with HQ ... within Field Office
- Reduces response time

Handling Digital Evidence

Disclaimer

- Do not attempt this without first seeking appropriate legal advice and documenting a legal opinion.
- Each and every situation is unique and should be handled on a case-by-case basis.
- All cases must be handled in accordance with a legal framework consistent with established laws and corporate policies.

Objectives

- What is Digital Evidence
- Considerations with Digital Evidence
- Guidelines for Seizing Digital Evidence
- Guidelines for Seizing Live Digital Evidence
- Preparing Your Case

Typical Legal Process

- Incident Occurs
  - Determine Nature and Scope
  - Policy Violation or Criminal Conduct
- Investigation Initiated
  - Internal Corporate Investigation
  - Referral to Law Enforcement
- Evidence is Collected
  - Digital Evidence vs. Physical Evidence
  - Follow Legal Protocol for Collection and Preservation
- Interviews are Conducted
  - Direct Witnesses or Victims
  - Third Party Witnesses Such as ISPs
- Legal Action is Initiated
  - Criminal or Civil
  - Administrative Sanctions Such as Employee Dismissal
  - May Result in Civil Action

Computer Security Incident Response Team

- Establish User Policies – Implementable, Enforceable and Function as Expected
- Establish a CSIRT to Respond to Incidents Within Organizations and Support External Requests
- Identify Operational Elements – Team Building

Rules Governing Evidence Collection

- US Constitution
  - 4th Amendment – Reasonable Expectation of Privacy
  - Is Government Action Involved?
- The Wiretap Act
  - Omnibus Crime Control and Safe Streets Act of 1968 (18 USC Section 2501)
- Electronic Communications Privacy Act
  - 18 USC Section 2701
- Privacy Protection Act
- The PATRIOT Act

What is Digital Evidence?

- Any kind of storage device
  - Computers, CD's, DVD's, floppy disks, hard drives, thumb drives
  - Digital cameras, memory sticks and memory cards, PDA's, cell phones
  - Fax machines, answering machines, cordless phones, pagers, caller-ID, scanners, printers and copiers
  - X-box, Playstation, etc.

Considerations with Digital Evidence

- Digital evidence is fragile
- Recognizing potential evidence
- The role of the computer in the crime/violation
- Consent Search vs. Search Warrant
- Forensic Analysis

Guidelines for Seizing Digital Evidence

- Secure the scene
- Check computer for activity
- Determine if any information in the memory is important
- If computer is "OFF" do NOT turn "ON".
- Photograph Monitor & Document active programs
- Disconnect Internet/Ethernet Access
- Disconnect Power Source
- Take all peripherals
- Obtain passwords, if possible
- Photograph scene
- Process scene for other storage devices

Guidelines for Seizing Live Digital Evidence

Four Phases of Incident Response [1]
- Preparation
- Detection/Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity

[1] Computer Security Incident Handling Guide, NIST 2004

Preparation
- Capability to respond
- Preventing incidents
- Response Tools
  - Contact list
  - Communication equipment
  - Software/Hardware
  - Facilities

Detection and Analysis
- Most challenging part to detect and assess
  - Software
  - Problems users report
  - Obvious signs
- Assessment
  - Determine if incident needs attention
  - Develop incident category chart to prioritize

Containment, Eradication, and Recovery
- Develop containment strategy
  - Will vary based on the type of incident
  - Need to consider when to contain
- Document every step
  - Evidence should be accounted for at all times
  - Consider screen captures before copying evidence
  - After acquiring volatile data, make disk image
- Eradication and Recovery
  - After cleared from legal/law enforcement

Post-Incident Activity
- Perform debriefing
  - Lessons learned
- Evidence Retention
  - Prosecution
    - Will need to clear with legal/law enforcement
  - Policy on data retention
    - 90 days, 180 days, etc. for future incidents
  - Cost
    - Can be substantial depending on size and time period

Guidelines for Seizing Live Digital Evidence (cont.)

- Document Everything
- Attach Another Device or use Open Network Connection
- Record System Date/Time
- Determine Logon
- Record Open Sockets
- List Socket Processes
- List Running Processes
- List Systems Connected
- Record Steps Taken
- Save all Pertinent Data to External Device
- Minimal Commands to Acquire Digital Evidence
- Cause the Least Amount of Damage Possible
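The live-acquisition checklist above, worked through as an added Python example that is not from the deck: a collector that runs a short fixed list of commands in volatile-first order (system clock, logged-on users, open sockets with their owning processes, running processes, connected systems), saves each raw output to the examiner's attached device, and writes a steps log recording the exact command, UTC start and finish times, exit status and a SHA-256 of the captured output, so that "Record Steps Taken" is satisfied mechanically and a failed or missing tool is documented rather than silently skipped. The host being POSIX, the command names (`date`, `who`, `ss`, `ps`, `ip neigh`), the output path `/mnt/evidence/host01` and the log layout are this example's assumptions, not the deck's.

```python
"""Added example: scripted live-response collection that records every step.

Assumptions (not from the deck): POSIX host; date/who/ss/ps/ip are available;
OUTDIR is the examiner's mounted external device. The step list and the
JSON-lines log layout are this example's own choices.
"""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Volatile first: system clock, logged-on users, open sockets plus the
# processes owning them, running processes, then the systems this host
# has talked to (neighbour/ARP cache).
LIVE_RESPONSE_STEPS = [
    ("system_datetime", ["date", "-u"]),
    ("logged_on_users", ["who"]),
    ("open_sockets_and_processes", ["ss", "-tupan"]),
    ("running_processes", ["ps", "auxww"]),
    ("connected_systems", ["ip", "neigh"]),
]


def run_step(name, argv, outdir):
    """Run one minimal command, save its raw output to the external device,
    hash that output, and return a record of exactly what happened."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        data = proc.stdout + proc.stderr
        status = proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing tool or a hang is itself a fact worth recording.
        data = f"step failed: {exc}".encode()
        status = None
    path = os.path.join(outdir, f"{name}.txt")
    with open(path, "wb") as fh:
        fh.write(data)
    return {
        "step": name,
        "command": " ".join(argv),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "exit_status": status,
        "output_file": path,
        "output_bytes": len(data),
        "output_sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire(steps, outdir, operator):
    """Run the steps in the given order and write a steps log (one JSON
    object per line) beside the outputs. Returns the list of step records."""
    os.makedirs(outdir, exist_ok=True)
    records = [run_step(name, argv, outdir) for name, argv in steps]
    with open(os.path.join(outdir, "steps.log"), "w") as fh:
        for rec in records:
            fh.write(json.dumps({"operator": operator, **rec}) + "\n")
    return records


if __name__ == "__main__":
    # Hypothetical mount point for the attached evidence device.
    for rec in acquire(LIVE_RESPONSE_STEPS, "/mnt/evidence/host01", "examiner"):
        print(rec["step"], rec["exit_status"], rec["output_sha256"])
```

The per-step digest is what lets a later reviewer confirm that the saved output files are the ones the log describes; the order of the list is what implements "proceed from volatile to persistent" without relying on the examiner's memory under pressure.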

Preparing Your Case

- Documentation
- Preservation
- Authentication

Documentation

- Documentation is a Reflection of Your Case
- Problems Arise When Shortcuts are Taken
- Conditions of All Evidence Need to be Documented
- Every Step Needs to be Documented

Preservation

- If Preservation is Poor, Your Handling/Collecting Techniques Become Questionable.
- Maintain Chain of Custody
  - Eliminate ANY Possibility of Contamination
  - Collection
  - Transportation
  - Storage
- Follow Laws and Policies – NO shortcuts

Authentication

- If Authentication is Poor, Everything Comes into Question.
- MD5 or SHA algorithm
  - Ensure bit-by-bit copy of original
  - Ensure evidence unaltered
- Need to Demonstrate Evidence is...
  - What you say it is.
  - Came from where you say it did.
  - Has not been modified in any way since you last handled it.
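For the Preservation and Authentication points above (chain of custody, MD5 or SHA digests, a bit-by-bit copy, evidence unaltered since last handled), an added Python example that is not from the deck: it hashes original media and its image in streamed chunks with both MD5 and SHA-256, reports a mismatch when a copy differs by even one byte, and appends a chain-of-custody entry carrying the digests so the next handler can re-verify. The sample media, file names and the custody log layout are constructed for the example.

```python
"""Added example (not from the deck): authenticate a bit-for-bit image of
original media with MD5 and SHA-256 and record the result in a chain-of-
custody log. Sample media, file names and the log layout are constructed."""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original, image):
    """A true bit-for-bit copy has the same size and identical digests under
    every algorithm. Returns (ok, report); the report is what gets filed."""
    report = {
        "original_size": os.path.getsize(original),
        "image_size": os.path.getsize(image),
        "original": hash_file(original),
        "image": hash_file(image),
    }
    ok = report["original_size"] == report["image_size"] and all(
        report["original"][a] == report["image"][a] for a in report["original"]
    )
    return ok, report


def custody_record(log_path, handler, action, item, report):
    """Append one chain-of-custody entry: who, when (UTC), what was done to
    which item, and the digests that let the next handler re-verify it."""
    entry = {
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "item": item,
        "md5": report["image"]["md5"],
        "sha256": report["image"]["sha256"],
        "verified": report["original"] == report["image"],
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def make_demo_media(directory):
    """Constructed sample: original media, a faithful image, and an image
    with a single byte altered to stand in for a corrupted or tampered copy."""
    data = bytes(range(256)) * 4096  # 1 MiB of deterministic content
    bad = data[:500] + b"\x00" + data[501:]
    paths = {}
    for name, payload in (("original.raw", data), ("image_good.dd", data),
                          ("image_bad.dd", bad)):
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(payload)
        paths[name] = p
    return paths


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    p = make_demo_media(d)
    for img in ("image_good.dd", "image_bad.dd"):
        ok, rep = verify_image(p["original.raw"], p[img])
        custody_record(os.path.join(d, "custody.log"), "examiner",
                       "verified image against original", img, rep)
        print(img, "MATCH" if ok else "MISMATCH", rep["image"]["sha256"])
```

Computing both digests in one pass costs nothing extra in I/O, and recording both in the custody entry means a later reader can check whichever algorithm their tooling supports; the `verified` flag in the entry ties the handling record to the authentication result rather than leaving the two in separate documents.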

No Silver Bullet

General Do's and Don'ts of Evidence

- Minimize Handling/Corruption of Original Data
- Account for Any Changes and Keep Detailed Logs of Your Actions
  - Maintain a detailed log of who handled the evidence, where it was stored and when it was transferred
- Comply with the Five Rules of Evidence
  - Admissible
  - Authentic
  - Complete
  - Reliable
  - Believable (Criminal – Reasonable Doubt? Civil – Preponderance of the Evidence)
- Do Not Exceed Your Knowledge
- Follow Your Local Security Policy and Obtain Written Permission
- Capture as Accurate an Image of the System as Possible
- Be Prepared to Testify
- Ensure Your Actions are Repeatable
- Proceed From Volatile to Persistent Evidence
- Don't Run Any Programs on the Affected System
- Document Document Document!!!!

Resources

- Digital Evidence in the Courtroom: A Guide for Preparing Digital Evidence for Courtroom Presentation – The National Center for Forensic Science
- Handbook for Computer Security Incident Response Teams – CERT Coordination Center
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations – US Department of Justice, Cybercrime.gov/searchmanual.htm
- Computer Security Incident Handling Guide – NIST Special Publication 800-61

Many Thanks To:

Sgt. Aaron DeLashmutt
Iowa State University Police
168 Armory Building
Ames, IA 50011

Presented at:
InfraGard – Des Moines, IA
February 16, 2005