Digital evidence and the information security manager

Digital Evidence and the Information Security Manager
Dr. Bradley Schatz

About me
Dr. Bradley Schatz | Forensic computer scientist
Director, Schatz Forensic
Adjunct Associate Professor, Information Security Institute (QUT)
Ph.D. (Digital forensics), QUT, 2007
B.Sc. (Computer science), UQ, 1995

Agenda
Characteristics of digital evidence
Why prepare for digital evidence?
Forensic readiness – the good, bad, & ugly
Planning for forensic readiness
Current and future challenges

What is digital evidence?

“Deleted” information is often retrievable
Copy to other HDD
Key points
Exact copy – Inculpatory & Exculpatory
Authentication – hash
Timing

Computers are littered with evidence of the user’s behaviour

Ex-computer consultant convicted in “Google Murder” trial
http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=174403074

“Deleted” information is often retrievable
Computer evidence is fragile
Deleted: outlook/recycle bin
Unallocated space
Temporary files
Backups
Snapshots
Synchronization

Why prepare for producing digital evidence?

Digital evidence is required when businesses face a threat that requires substantiation
Controls fail
Controls work
Risks outside sphere of IS
Assuring controls are effective

Common realised risks requiring digital evidence
Information theft
Departing employees
Data breach
White collar crime/Workplace misconduct
Fraud, Illicit content, Sexual harassment,
Cause for termination
General litigation
Production of information
Transaction records

How do I increase my forensic readiness?

IS policy & procedure should seek to maximise historical visibility

Clock skew,
Shared logins,
Evidence handling,
Quantity

Clock skew,
Shared logins,
Evidence handling issues,
Quantity
“Personal” devices, Network traffic capture

Clock skew,
Shared logins,
Quantity
“Personal” devices, Network traffic capture
File access logs,
Network flow records

Clock skew,
Shared logins,
Quantity
“Personal” devices, Network traffic capture,
Transient events
File access logs,
Network flow records
Premature sanitization, inadvertent overwriting

Forensic readinessThe good

Forensic readiness working well
Ex-worker said to steal Goldman code
http://www.nytimes.com/2009/07/07/business/07goldman.html

Detection
“alerted by a surge of data leaving its servers”

Detection
“alerted by a surge of data leaving its servers”
Claimed Actions
“used his desktop computer … to upload a stream of code to website hosted by server in Germany”
“later, downloaded the files again to his home computer, laptop computer and to a memory device”

Forensic readinessThe bad

Example 1: The “it’s my data too” syndrome
SCENARIO: Key employee departs and sets up in competition.
THREAT: Has she taken company secrets and is using them in her new business?
INVESTIGATION: Identify high value information and seek evidence of information flow
*http://pcworld.about.com/od/dataprotection/Nearly-Two-Thirds-of-Ex-Employ.htm

POTENTIAL DATA FLOWS:

POTENTIAL DATA FLOWS:
Laptop/Desktop storage
Laptop/Desktop network
Laptop/Desktop print
Laptop/Desktop Mobile device
Remote Terminal  Application
Fileserver  VPN Remote Laptop

SCENARIO: Copy from workstation to USB Thumb drive
POTENTIAL EVIDENCE TRACES:
USB Device insertion event
Internet explorer history (document open)
File access audit logs
MS Word recently opened documents
Evidence eliminator
ROADBLOCK:
Evidence destruction
Inability to identify operator
Expectation of privacy
Legal Considerations (Privacy)
NSW Workplace Surveillance Act,
ALRC Privacy Act Inquiry Report, VLRC Workplace Privacy Review

SCENARIO: Workstation Email
Sent Items box
Mail server logs
Archives
Web browser cache/history
Network flow trace
File access audit log
ROADBLOCK:
Inability to identify operator
Expectation of privacy
Cost of backup restoration

SCENARIO:
Corporate network  Personal laptop
Presence on the laptop
Deleted files
Prior examples
ROADBLOCKS:
Rightful access to laptop

SCENARIO:
Personal Laptop  Internet
Web browser history/cache
File access logs
Network trace
Network flow logs
ROADBLOCKS:
Rightful interception of telecommunications
Legal Considerations (Wiretap), (Cyber Crime)
Telecommunications (Interception & Access) Act
Cyber crime act

SCENARIO:
File Server  VPN Personal Laptop
File access logs
VPN Session Logs
Network trace
Network flow logs
Legal Considerations (Wiretap)

Example 2: Email authenticity dispute

SCENARIO:
Litigation disputing an agreement. A single email is in dispute.
THREAT
Is the email authentic?
POTENTIAL EVIDENCE SOURCES:
Native email from inbox
Native email from archived backup
Mail server logs
Case Law: Montague v Montague [2002] NSWSC 328

Forensic readinessThe ugly

Data breach
SCENARIO:
External notification of data breach
THREAT:

What was exposed?
How and when did intruders gain access?
Where are they?

EVIDENCE SOURCES:
Workstation, Server, Network trace, Memory dump

Conclusion

Forensic readiness in a nutshell
Produce and collect evidential data
What systems can further produce logs?
Ensure rightful access to evidential data
Policy, procedure, user expectation & practice
Plan ahead for incident response
Routine data destruction
Usability of evidence oriented systems
Ensure provenance and authenticity of preserved evidential data
Forensic training

Current and future challenges
Behavioural logging and tracing
Anomalous behaviour detection
Real time enterprise visibility
Document “DNA”
Cloud computing

Thank you!
Dr. Bradley Schatz
email: bradley@schatzforensic.com.au
mobile: 0422 949 039