Forensic readiness: Preparing for the worst, and how to contain it.
Campbell Murray, Technical Director, Encription Limited, 09 July 2014
Who?
• Campbell Murray
• Technical Director @ Encription
• > 16 years IT security experience
• Offensive and defensive
• CESG CHECK Team Leader
• Expert Witness
09/07/2014
Forensic Readiness
• “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”
• Forensics readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you’ve done all you can to prepare for that situation.

• Events vs. Incidents
• An “event” is a noticeable change to a system, environment, process, workflow or person.
• An “incident” is an event that has a root human cause.
• Therefore, all incidents are events, but not all events are incidents.

• All DF investigations start with an incident:
  • Crime, e.g. murder
  • Malware attack
  • Loss of data
  • Misconduct
  • Confidential information breach
  • Loss of money
  • Other digital incident

• Early actions are critical
• DF is dynamic and situation dependent
• As an investigation progresses, further information/evidence often comes to attention which may alter the focus.
  • e.g. If you come across evidence of a more serious nature/breach, it will alter the proportion and focus of the investigation

• Lots to consider when planning each case.
• Hard to define which is most important:
  • Right people?
  • Who can you trust?
  • Confidentiality?
  • Initial assessment?
  • Risk?

• DFS: Digital Forensics Strategy
  • What, how, who, why, where?
• Form a hypothesis
  • Formulate all the possible scenarios
• The hypothesis defines the strategy
  • What/who to investigate
• Must be flexible (escalation)
• Document the strategy!

• Steps of the strategy
  • What is ‘ideal’ evidence?
    • A document, an email, an image
  • What supports your hypothesis?
  • Is it financially viable?
    • Does the investigation cost outweigh the incident?

• Where would ideal evidence be found in each case?
  • Phone?
  • Email trail?
  • Presence/absence from premises?
  • etc.
• Focus the investigation in these areas first.

• Define the ‘Window of Opportunity’
  • Narrow down the investigation to a time frame
• Speed
• Accuracy
• Strategy

• Strategy defines the scope
  • Where/what is the crime scene?
  • Has this incident concluded, or is it ongoing?
• Observe and document
  • Written notes / photographs / statements
• Gather evidence
  • Chain of custody

• Chain of custody case study
  • Employee suspected of exfiltrating data
  • Put on suspension pending investigation
  • Laptop / phone seized
  • IT department all ‘have a look’
  • No record of who did what
  • No legal case could be built, despite evidence
  • Employee compensated!!!!
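The case study above turns on the missing custody record: nobody could say who handled the laptop, or whether it still held what was seized. As an added example (not from the deck or from Encription), here is a minimal custody ledger in Python: every seized item is hashed at seizure, every handover is logged with who/when/why, and an unrecorded ‘look’ that changes the item shows up as a hash mismatch at verification. Item ids, names and the disk-image bytes are all constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone


class CustodyLedger:
    """Append-only custody record: one SHA-256 per seized item plus a log
    of every person who handled it, when, and why (constructed example)."""

    def __init__(self):
        self.items = {}  # item_id -> {"sha256": hex digest, "log": [entries]}

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def seize(self, item_id, data, seized_by, note):
        # Hash the item at seizure; this is the reference every later check uses.
        self.items[item_id] = {"sha256": self.digest(data), "log": []}
        self.log(item_id, seized_by, "seized", note)

    def log(self, item_id, person, action, note):
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "who": person, "action": action, "note": note}
        self.items[item_id]["log"].append(entry)
        return entry

    def verify(self, item_id, data):
        # Constant-time compare of the stored digest against a fresh one.
        return hmac.compare_digest(self.items[item_id]["sha256"], self.digest(data))

    def holders(self, item_id):
        return [e["who"] for e in self.items[item_id]["log"]]


def run_case_study():
    """Replay the deck's case study with constructed data: a seized laptop
    image is handled on the record, then touched off the record."""
    ledger = CustodyLedger()
    laptop_image = b"constructed disk image of the suspended employee's laptop"
    ledger.seize("LAPTOP-01", laptop_image, "first responder", "seized at desk, bagged")
    ledger.log("LAPTOP-01", "examiner", "transfer", "handed over for imaging")
    intact = ledger.verify("LAPTOP-01", laptop_image)  # custody unbroken: True
    # IT 'has a look' with no write blocker and nothing logged; the bytes change.
    tampered_image = laptop_image + b"\nbrowser history cleared by helpdesk"
    still_intact = ledger.verify("LAPTOP-01", tampered_image)  # False
    return {"intact": intact, "after_unlogged_access": still_intact,
            "holders": ledger.holders("LAPTOP-01")}
```

The ledger only proves that the bytes are unchanged since seizure; a handover that leaves no trace in the log is exactly the gap the case study describes, so the log must be written at every transfer, not reconstructed afterwards.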

• But … there is more to it than that!
• FR and the DDPRR model
  • Deter
  • Detect
  • Prevent
  • React
  • Recover

• Raises some questions
  • How do you react without DDP?
  • Does the absence of a deterrent change the scope / strategy / consequences?
  • Should you use a first responder?
  • Is investigation required at all?
• Forensic readiness (eagerness) itself could cause an incident!

• Triage
  • Follows strategy!
• An enduring question is always …
  • Should you turn it off?
  • Case dependent.
  • Output of strategy-led triage is the deciding factor.

• Off / On decision primarily based on ongoing damage and the risk of causing a further incident.
  • Has the incident concluded?
  • Where is the ‘ideal’ evidence?
• All factors that answer the Off/On question

• What do you need for a readiness team?
• Training!
  • Technical / legal / method / custody of evidence
• Equipment
  • Evidence bags / digital camera / screwdrivers / custody forms / witness statement forms / write blockers / lots of cables! etc.

• An FR team should always contain:
  • Top level management
  • Non-IT department technical capability
    • Confidentiality
  • Well defined role descriptions
  • Third party support where necessary
    • Legal / technical / HR

• Key factors
  • Know your limits!
    • Do not attempt an investigation you are not 100% comfortable with
  • Beware of witch hunting!

Any questions?
Thank You
Campbell Murray
Encription Limited
www.encription.co.uk
0330 100 2345