Computer Forensics in the Age of Compliance

Dr. Anton Chuvakin

WRITTEN: 2007

DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally
change every day; moreover, many security professionals consider the rate of
change to be accelerating. On top of that, to be able to stay in touch with such
ever-changing reality, one has to evolve with the space as well. Thus, even
though I hope that this document will be useful to my readers, please keep in
mind that it was possibly written years ago. Also, keep in mind that some of the
URLs might have gone 404; please Google around.



In previous articles, I have discussed log management and incident response in
the age of compliance. Now, it is time to cover a separate topic that has
connections to both log analysis and incident response, but is different enough to
justify its own paper: digital forensics.

Wikipedia defined “digital forensics” as the application of the scientific method to
digital media in order to establish factual information for judicial review. It
involves the systematic inspection of IT systems (especially data storage
devices) for evidence of a civil wrong or criminal act.

Because of its focus on “facts” and “scientific method,” computer forensics
processes must adhere to courtroom standards of admissible evidence, which
severely complicates some of the otherwise simple data analysis tasks, such as
looking at logs to determine who connected to the system. Thus, forensic
investigation of computer evidence is different from a routine review of logs and
system data, which often produces “hunch-quality data” and not facts. For
example, if you see a source IP address that resolves to “jsmith.example.com,”
you might assume that John Smith is responsible here. It might be good enough
for an informal investigation, but will certainly not be sufficient in court.

A well-known example of a computer forensic investigation is a search for child
pornography, during which an investigator removes a hard drive from a
computer, loads the disk into a forensics tool, and reviews the contents to find
illegal image files that a user is hiding or thought he had deleted. However, digital
forensics has a broader reach than this case, and electronic evidence can be
collected from a variety of sources, such as network gear, desktops and servers,
mobile devices, databases, etc. For example, review of data produced by these
IT components can show investigators of a data breach whether company
employees have accessed confidential data, what steps they took to obtain the
data and what they did with it. This is where the link between log data and
computer forensics becomes most obvious – logs become the first place to look
during the investigation. Even though sometimes seen as difficult to analyze, logs
are still easier to obtain and review than full disk contents. If logs are generated,
they can help to figure out the who’s, what’s, where’s, when’s, and how’s of user
and system activities. Of course, using logging for forensic ends assumes that
the log data itself is immutable and its C-I-A (confidentiality, integrity and
availability) are protected; if not, who is to say that the timestamp is truthful or
crucial information about the sequence of events hasn’t been altered, injected or
removed?

Having control over forensics processes from data gathering to “chain of custody”
protection is seen as key by many of the compliance mandates. Thus, we are
brought back to the three regulations we have discussed all along to take a look
at what they say about computer forensics. Much of the regulatory discussion of
computer forensics links back to log management and incident response,
because the two concepts are inexorably linked to digital forensics.

The Federal Information Security Management Act of 2002 (FISMA)

Tying incident response to forensic analysis, NIST 800-53, Recommended Security
Controls for Federal Information Systems, requires that federal organizations generate
and retain immutable audit records that are sufficient to support after-the-fact
investigations of security incidents. This document also describes the need to automate
mechanisms to integrate audit monitoring, analysis, and reporting into an overall
process for investigation of and response to suspicious activities. Further establishing
the link between incident response and computer forensics, 800-53 requires the
organization to provide an incident response support resource to offer assistance,
including access to forensics services in the handling and reporting of security incidents.
Additionally, network forensic analysis tools are described as a way to guarantee
intrusion detection and system monitoring capabilities. Thus, even though it is implied
that forensics will be performed by outside consultants, evidence data collection and
preservation activities, compatible with the forensic use of such data, are mandated.

NIST SP 800-92, Guide to Computer Security Log Management, describes the need for
inalterable log generation, review, protection, and management for performing forensic
analysis. The guide describes the need for organizations to keep digital forensics in
mind when setting log storage requirements and designing a log management
infrastructure, due to the potential impact of log data preservation techniques; for
example, forensic analysis that requires queries of logs across many systems might be
significantly slowed by the chosen log storage media.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

NIST SP 800-66, An Introductory Resource Guide for Implementing the Health
Insurance Portability and Accountability Act (HIPAA) Security Rule, details HIPAA-
related computer forensics requirements and suggestions. Section 164.308 discusses
information system activity review requirements, including the implementation of
procedures to regularly review records of activity such as audit logs, access reports,
and security incident tracking. It provides a variety of questions to consider, including
whether the audit trail can support after-the-fact forensic investigations. Additionally,
like FISMA, HIPAA discusses the importance of secure auditing and logging activity so
that there are records in the event of an investigation. 800-66 also mandates the
development and deployment of specific incident response measures, which are
necessary (even though often not sufficient!) to assure that the evidence data will end
up being useful for extracting “factual information.”

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS, which applies to organizations that handle credit card transactions, does not
directly address forensic requirements for evidence collection and analysis or forensic
processes. Still, in Appendix A, Requirement A.1 (“Hosting providers protect cardholder
data environment”), it mandates that all service providers with access to cardholder data
enable processes to provide for timely forensic investigation in the event of a
compromise to any hosted merchant or service provider. Additionally,
Requirement 10 (“Track and monitor all access to network resources and cardholder
data”) describes a variety of log- and audit-related activities to ensure that trails of
authorized and unauthorized user activity are clear in the case that an event must be
investigated. Also, the PCI requirements for log data protection, such as cryptographic
hashing, clearly have forensic use of log data in mind.
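The integrity requirement that runs through the paper (logs are only forensic-grade if nobody can alter, inject or remove records undetected, and PCI's "cryptographic hashing" of log data exists for exactly that reason) can be made concrete with a keyed hash chain. The following is an added example, not code from the paper and not any particular product's implementation: each record carries an HMAC over the previous record's MAC, its own sequence number and its content, and a verifier walks the chain and reports the first inconsistency. The sample log lines, the key, and the record layout are all constructed for illustration; the key is assumed to be held by the log collector, not the host that writes the logs.

```python
import hashlib
import hmac

# Constructed sample audit records (illustrative input, not from the paper).
SAMPLE_LINES = [
    "2007-03-01T10:00:01Z sshd[4121]: Accepted publickey for jsmith from 10.0.0.23",
    "2007-03-01T10:00:07Z sudo: jsmith : COMMAND=/bin/cat /srv/hr/payroll.csv",
    "2007-03-01T10:00:09Z kernel: usb 1-1: new high speed USB device",
    "2007-03-01T10:01:30Z sshd[4121]: session closed for user jsmith",
    "2007-03-01T10:02:00Z auditd: log rotation complete",
]

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first record


def record_mac(key, prev, seq, line):
    # The MAC covers the predecessor's MAC, the sequence number and the line,
    # so changing any of them invalidates this record and every record after it.
    msg = f"{prev}\n{seq}\n{line}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_log(key, lines):
    """Turn plain log lines into a list of hash-chained records."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        mac = record_mac(key, prev, seq, line)
        records.append({"seq": seq, "line": line, "prev": prev, "mac": mac})
        prev = mac
    return records


def verify_log(key, records, head=None):
    """
    Walk the chain and report the first inconsistency as
    (ok, position_of_problem, code), where code is one of
    'intact', 'sequence', 'chain', 'mac', 'truncated'.
    `head` is the last MAC as recorded off-box by the collector; without it a
    chain that has simply been cut short at the end still verifies cleanly.
    """
    prev = GENESIS
    for pos, rec in enumerate(records):
        if rec["seq"] != pos:
            return False, pos, "sequence"        # record removed or reordered
        if rec["prev"] != prev:
            return False, pos, "chain"           # link to predecessor broken
        expected = record_mac(key, prev, pos, rec["line"])
        if not hmac.compare_digest(rec["mac"], expected):
            return False, pos, "mac"             # line edited or MAC forged
        prev = rec["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(records), "truncated"  # trailing records missing
    return True, None, "intact"


# Tamper simulations used to exercise the verifier (what an editor of the file
# could do without the collector's key).
def alter_line(records, seq, new_line):
    out = [dict(r) for r in records]
    out[seq]["line"] = new_line
    return out


def remove_record(records, seq):
    return [dict(r) for i, r in enumerate(records) if i != seq]


def inject_record(records, seq, line):
    out = [dict(r) for r in records]
    prev = out[seq - 1]["mac"] if seq > 0 else GENESIS
    # The forger can chain to the predecessor but cannot compute a valid keyed
    # MAC, so an unkeyed digest stands in for the forged value.
    forged = hashlib.sha256(line.encode("utf-8")).hexdigest()
    out.insert(seq, {"seq": seq, "line": line, "prev": prev, "mac": forged})
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"           # assumed to live on the collector
    sealed = seal_log(key, SAMPLE_LINES)
    head = sealed[-1]["mac"]
    print("original:  ", verify_log(key, sealed, head))
    print("altered:   ", verify_log(key, alter_line(sealed, 1, "edited"), head))
    print("removed:   ", verify_log(key, remove_record(sealed, 1), head))
    print("injected:  ", verify_log(key, inject_record(sealed, 2, "fake"), head))
    print("truncated: ", verify_log(key, sealed[:-1], head))
    print("no head:   ", verify_log(key, sealed[:-1]))
```

Two design points matter for the forensic argument. An unkeyed hash chain only proves internal consistency: anyone who can rewrite the file can recompute every hash, so the key must be held by the collector or a separate signing service, not by the host producing the logs. And a chain alone cannot reveal that its tail was cut off, which is why the verifier accepts an externally recorded head; in practice that anchor is the last MAC the collector acknowledged, or a periodically published digest.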
The above review of regulations shows that recent compliance mandates do keep
forensics needs in mind. Specifically, they govern taking steps to preserve the forensic
quality of data as well as to establish incident response and forensics programs. The
key distinction to keep in mind is that forensics aims to establish facts and not just
“good enough” conclusions from data. And as has been the case with log analysis,
incident response, and intrusion detection, the goal of the forensics language in these
mandates is to ensure yet another facet of regulatory compliance and IT security.

ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in
2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in
the field of log management and PCI DSS compliance. He is an author of the books
"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy
II", "Information Security Management Handbook" and others. Anton has
published dozens of papers on log management, correlation, data analysis, PCI
DSS, and security management (see the list at www.info-secure.org). His blog
http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences
across the world; he recently addressed audiences in United States, UK,
Singapore, Spain, Russia and other countries. He works on emerging security
standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice, focusing on
logging and PCI DSS compliance for security vendors and Fortune 500
organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance
Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging
Evangelist, tasked with educating the world about the importance of logging for
security, compliance and operations. Before LogLogic, Anton was employed by a
security vendor in a strategic product management role. Anton earned his Ph.D.
degree from Stony Brook University.

More Related Content

What's hot

Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010
madamseane
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
David Cunningham
 
Operational CyberSecurity Final Case Report
Operational CyberSecurity Final Case ReportOperational CyberSecurity Final Case Report
Operational CyberSecurity Final Case Report
James Konderla
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper   Hardware Vs Software EncryptionSans Tech Paper   Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
harshadthakar
 

What's hot (20)

How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 
TrustCom-16 - Paper ID 227
TrustCom-16 - Paper ID 227TrustCom-16 - Paper ID 227
TrustCom-16 - Paper ID 227
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Forensic Investigation of Employee Internet Activity
Forensic Investigation of Employee Internet ActivityForensic Investigation of Employee Internet Activity
Forensic Investigation of Employee Internet Activity
 
Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
Database forensics
Database forensicsDatabase forensics
Database forensics
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston  - Practical data privacy and de-identification techniquesISACA Houston  - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal  - choosing the most appropriate data security solution ...Isaca global journal  - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
 
Operational CyberSecurity Final Case Report
Operational CyberSecurity Final Case ReportOperational CyberSecurity Final Case Report
Operational CyberSecurity Final Case Report
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london   data protection, security and privacy risks - on premis...Jul 16 isaca london   data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper   Hardware Vs Software EncryptionSans Tech Paper   Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
 
Is Encryption the Only Key to GDPR?
Is Encryption the Only Key to GDPR?Is Encryption the Only Key to GDPR?
Is Encryption the Only Key to GDPR?
 

Similar to Computer Forensics in the Age of Compliance

Implementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control PlanImplementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control Plan
Angie Willis
 
HIPAA summit presentation
HIPAA summit presentationHIPAA summit presentation
HIPAA summit presentation
Sue Popkes, MSM
 
Maintaining The Digital Chain of Custody By John Patzakis .docx
Maintaining The Digital Chain of Custody By John Patzakis .docxMaintaining The Digital Chain of Custody By John Patzakis .docx
Maintaining The Digital Chain of Custody By John Patzakis .docx
smile790243
 

Similar to Computer Forensics in the Age of Compliance (20)

Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
 
Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Implementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control PlanImplementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control Plan
 
Logging "BrainBox" Short Article
Logging "BrainBox" Short ArticleLogging "BrainBox" Short Article
Logging "BrainBox" Short Article
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
HIPAA summit presentation
HIPAA summit presentationHIPAA summit presentation
HIPAA summit presentation
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...
 
Events Classification in Log Audit
Events Classification in Log Audit Events Classification in Log Audit
Events Classification in Log Audit
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
CST 610 RANK Redefined Education--cst610rank.com
CST 610 RANK Redefined Education--cst610rank.comCST 610 RANK Redefined Education--cst610rank.com
CST 610 RANK Redefined Education--cst610rank.com
 
Cst 610 Enhance teaching / snaptutorial.com
Cst 610  Enhance teaching / snaptutorial.comCst 610  Enhance teaching / snaptutorial.com
Cst 610 Enhance teaching / snaptutorial.com
 
Maintaining The Digital Chain of Custody By John Patzakis .docx
Maintaining The Digital Chain of Custody By John Patzakis .docxMaintaining The Digital Chain of Custody By John Patzakis .docx
Maintaining The Digital Chain of Custody By John Patzakis .docx
 
CST 610 Effective Communication/tutorialrank.com
CST 610 Effective Communication/tutorialrank.comCST 610 Effective Communication/tutorialrank.com
CST 610 Effective Communication/tutorialrank.com
 
Are NIST standards clouding the implementation of HIPAA security risk assessm...
Are NIST standards clouding the implementation of HIPAA security risk assessm...Are NIST standards clouding the implementation of HIPAA security risk assessm...
Are NIST standards clouding the implementation of HIPAA security risk assessm...
 
Cyb 610 Enhance teaching / snaptutorial.com
Cyb 610   Enhance teaching / snaptutorial.comCyb 610   Enhance teaching / snaptutorial.com
Cyb 610 Enhance teaching / snaptutorial.com
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
 

More from Anton Chuvakin

More from Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

Computer Forensics in the Age of Compliance

  • 1. Computer Forensics in the Age of Compliance Dr. Anton Chuvakin WRITTEN: 2007 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. In previous articles, I have discussed log management and incident response in the age of compliance. Now, it is time to cover a separate topic that has connections to both log analysis and incident response, but is different enough to justify its own paper: digital forensics. Wikipedia defined “digital forensics” as the application of the scientific method to digital media in order to establish factual information for judicial review. It involves the systematic inspection of IT systems (especially data storage devices) for evidence of a civil wrong or criminal act. Because of its focus on “facts” and “scientific method,” computer forensics processes must adhere to courtroom standards of admissible evidence, which severely complicates some of the otherwise simple data analysis tasks, such as looking at logs to determine who connected to the system. Thus, forensic investigation of computer evidence is different from a routine review of logs and system data, which often produces “hunch-quality data” and not facts. For example, if you see a source IP address that resolves to “jsmith.example.com,” you might assume that John Smith is responsible here. It might be good enough for an informal investigation, but will certainly not be sufficient in court. 
A well-known example of a computer forensic investigation is a search for child pornography, during which an investigator removes a hard drive from a computer, loads the disk into a forensics tool, and reviews the contents to find illegal image files that a user is hiding or thought he had deleted. However, digital forensics has a broader reach than this case, and electronic evidence can be collected from a variety of sources, such as network gear, desktops and servers, mobile devices, databases, etc. For example, review of data produced by these IT components can show investigators of a data breach whether company employees have accessed confidential data, what steps they took to obtain the data and what they did with it.

This is where the link between log data and computer forensics becomes most obvious: logs become the first place to look during the investigation. Even though sometimes seen as difficult to analyze, logs are still easier to obtain and review than full disk contents. If logs are generated, they can help to figure out the who, what, where, when, and how of user and system activities. Of course, using logging for forensic ends assumes that the log data itself is immutable and that its C-I-A (confidentiality, integrity and availability) is protected; if not, who is to say that a timestamp is truthful, or that crucial information about the sequence of events has not been altered, injected or removed?

Having control over forensics processes, from data gathering to “chain of custody” protection, is seen as key by many of the compliance mandates. Thus, we are brought back to the three regulations we have discussed all along to take a look at what they say about computer forensics. Much of the regulatory discussion of computer forensics links back to log management and incident response, because these two concepts are inextricably linked to digital forensics.

The Federal Information Security Management Act of 2002 (FISMA)

Tying incident response to forensic analysis, NIST 800-53, Recommended Security Controls for Federal Information Systems, requires that federal organizations generate and retain immutable audit records that are sufficient to support after-the-fact investigations of security incidents. This document also describes the need for automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation of and response to suspicious activities.
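The paper's point that logs serve forensic ends only if their integrity is protected (the “altered, injected or removed” question above, and the cryptographic hashing PCI DSS asks for) can be shown with a hash-chained audit log in which each record carries an HMAC over its own fields and the previous record's MAC. This is an added example, not code from the paper or from any standard it cites; the key, host names, paths and log lines are constructed.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; in practice it is held by the log server,
# never by the hosts whose records it protects.
KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the first record


def _mac(seq, ts, msg, prev_mac):
    """HMAC-SHA256 over the record fields plus the previous record's MAC."""
    data = json.dumps([seq, ts, msg, prev_mac], separators=(",", ":")).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def append(chain, ts, msg):
    """Append one record, linking it to its predecessor."""
    seq = len(chain)
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": seq, "ts": ts, "msg": msg,
                  "mac": _mac(seq, ts, msg, prev_mac)})
    return chain


def verify(chain):
    """Recompute every MAC in order. Returns (True, None) for an intact
    chain, else (False, index of the first record that fails).
    An altered, injected, removed or reordered record breaks the chain
    at that point. Truncating the tail is NOT detected by the chain
    alone, so the latest MAC should be committed periodically to a
    separate system (e.g. forwarded to a dedicated log host)."""
    prev_mac = GENESIS
    for i, rec in enumerate(chain):
        expected = _mac(rec["seq"], rec["ts"], rec["msg"], prev_mac)
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], expected):
            return False, i
        prev_mac = rec["mac"]
    return True, None


def sample_chain():
    """Constructed sample trail of the kind an investigator would review."""
    chain = []
    append(chain, "2007-03-01T10:00:00Z", "sshd: Accepted password for jsmith from 10.0.0.5")
    append(chain, "2007-03-01T10:02:17Z", "sudo: jsmith : COMMAND=/bin/cat /srv/confidential.db")
    append(chain, "2007-03-01T10:05:41Z", "sshd: session closed for user jsmith")
    return chain
```

Deleting the middle record is caught because the following record's sequence number no longer matches its position, and a record injected without the key fails its MAC even if it is numbered correctly.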
Further establishing the link between incident response and computer forensics, 800-53 requires the organization to provide an incident response support resource that offers assistance, including access to forensics services, in the handling and reporting of security incidents. Additionally, network forensic analysis tools are described as a way to guarantee intrusion detection and system monitoring capabilities. Thus, even though it is implied that forensics will be performed by outside consultants, evidence data collection and preservation activities, compatible with the forensic use of such data, are mandated.

NIST SP 800-92, Guide to Computer Security Log Management, describes the need for inalterable log generation, review, protection, and management for performing forensic analysis. The guide describes the need for organizations to keep digital forensics in mind when setting log storage requirements and designing a log management infrastructure, because of the potential impact of log data preservation techniques; for example, forensic analysis that requires queries of logs across many systems might be significantly slowed by the chosen log storage media.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, details HIPAA-related computer forensics requirements and suggestions. Section 164.308 discusses information system activity review requirements, including the implementation of procedures to regularly review records of activity such as audit logs, access reports, and security incident tracking. It provides a variety of questions to consider, including whether the audit trail can support after-the-fact forensic investigations. Additionally, like FISMA, HIPAA discusses the importance of secure auditing and logging activity so that there are records in the event of an investigation. 800-66 also mandates the development and deployment of specific incident response measures, which are necessary (even though often not sufficient!) to assure that the evidence data will end up being useful for extracting “factual information.”

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS, which applies to organizations that handle credit card transactions, does not directly address forensic requirements for evidence collection and analysis or forensic processes. Still, in Appendix A, Requirement A.1 (“Hosting providers protect cardholder data environment”), it mandates that all service providers with access to cardholder data enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. Additionally, Requirement 10 (“Track and monitor all access to network resources and cardholder data”) describes a variety of log- and audit-related activities to ensure that trails of authorized and unauthorized user activity are clear in case an event must be investigated. Also, the PCI requirements for log data protection, such as cryptographic hashing, clearly have the forensic use of log data in mind.

The above review of regulations shows that recent compliance mandates do keep forensics needs in mind. Specifically, they govern taking steps to preserve the forensic quality of data as well as to establish incident response and forensics programs. The key distinction to keep in mind is that forensics aims to establish facts and not just “good enough” conclusions from data.
And as has been the case with log analysis, incident response, and intrusion detection, the goal of the forensics language in these mandates is to ensure yet another facet of regulatory compliance and IT security.

ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in 2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.

Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.