• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Investigating computer system abuse power point final

Investigating computer system abuse power point final






Total Views
Views on SlideShare
Embed Views



1 Embed 231

http://allaboutinformation.ca 231



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • KJB
  • KJB -can’t stress knowing limits enough -ideal – legal and IT forensics guidance -call us though – we can judge limits.. we can put you in touch or get quick guidance for you
  • Next two slides are basics – helps to step back though Defined by mandate Who stole the cookies from the cookie jar? Did Hugo steal the cookies from the cookie jar? If yes, does his conduct in the investigation demonstrate understanding of his responsibility? Gather evidence Piece of information that supports a conclusion Mom saw one cookie in the cookie jar at 3:00 pm Mom saw the cookie was gone by 4:00 pm Hugo came home from school at 3:30 pm Different reliability Hugo says he saw Penny with cookie crumbs on her shirt at 3:40 Conclusions The cookie was taken between 3:30 and 4:00 Hugo did take the cookie He has accepted responsibility. (Goes to penalty.)
  • Process flow is here Key ideas -Spend time planning -What’s the scope -What do you need to figure our -Usually a covert phase (preserve evidence, prevent fabrication) -Esp. with computer abuse, best source of evidence -If you are more prepared you are more likely to get admissions -Don’t dawdle… legal prejudice in some cases -If there are risks and the investigation will take time, issue a non-disciplinary suspension -Consider whether there are reasonable grounds to suspect -I usually recommend with pay -Efficiency through preparation -Avoid looping inquiries
  • So you must have access to stored communications Preconditions -Notice that personal use does not come with an expectation of privacy -Be explicit, “If you don’t want personal communications viewed by us, don’t send them on our system.” -Reserve the rights you need in express terms -Routine monitoring (exceptional… is it justified by cost? more risky from ER and legal perspective) -Routine audits (should be standard) -Investigations based on “reasonable suspicion” More and more employers are implementing controls (good thing in my view) -Audits follow this protocol -Investigations only authorized by director of IT security or delegate -And so on
  • KJB
  • KJB
  • Advising is associated with a risk of destruction of evidence So have a plan Key risk – corporate blackberry -SMS will go from the device to the carrier (may or may not be retained) to the device -Understand SMS logging is possible but not ideal -More and more apps will put information on the device -Very important source of information -So secure the device – take it, stick it in an envelope, sign over, store it -I’m wary about taking Micro SD card only without forensic advice -Also understand ways of deleting information post seizure – Faraday bag -Get advice on that type of file
  • Scenario – anonymous postings… suspect it is an employee Most common approach – send a preservation letter and (expeditiously) consider alternative sources Consider local sources of evidence first -Usually will recommend contact with IT forensic person to assess sources Consider you whether you can identify by circumstantial evidence first -Time of post (though be wary of electronic time stamps) -Content of post (he knew something, only he had an interest) Ultimately there are legal remedies to identify wrongdoers Downside of even engaging a 3P -expensive -may only lead to circumstantial evidence of identification -may have a policy to notify client Test -bona fide claim, 3P involved in acts complained of, 3P only practicable source, indemnification of costs, interests of justice
  • KJB
  • KJB
  • Investigations are about collecting evidence Must preserve what you collect Electronic evidence requires very careful handling Esp. e-mails, text message logs, internet log files (changed easily) So think about preservation Who is the first question -person getting called may need to prove the authenticity of the document -very important for lengthy log files, which can’t be identified by inspection -if the process is at all fancy, need a technical expert -alternative… IT working under the written direction and guidance of a forensic expert -I got this guidance… I followed all the steps I like physical preservation solutions -put it on a read once disk and sign and secure the disk… simple -also mathematical means… hashing files… do under guidance of expert Preserve a copy before you review -do not review the evidence itself -leave you open to attack
  • Take a hard drive out of a machine Create a log Next person who takes does the same
  • Most important advice – do it quickly first… then do it better later Seen it disappear in 10 minutes Second most important advice Do it periodically Evidence of duration is often relevant Websites evolve Method -try to capture how the page looked… printouts distort -try to capture links, which may be relevant context -printouts of screen captures may be okay in many cases (sign and date) -can use adobe acrobat to capture websites -important thing to do is keep a physical log when dealing with electronics -be sceptical of “black box” solutions
  • This is a common risk we see -keep these things as a matter of policy -simple but important message Two options -one uniform preservation rule -discretion – preserve for short period in all cases, longer period in certain kinds of terminations
  • Very common IT security problem -having and enforcing password change policy helps -generates circumstantial evidence… last time changed password was three days before! -may be better alternatives (biometrics authentication, biographical quiz authentication), but passwords are the reality These are the kind of questions you have -get facts from the person -gather evidence form others
  • May get long log files… internet log files Hard to authenticate Also don’t present well Do some synthesis in advance Also identify the key parts of the log in advance Use them to extract admissions Much more “usable” evidence

Investigating computer system abuse power point final Investigating computer system abuse power point final Presentation Transcript

  • Investigating Computer System Abuse Help for Human Resources Dan Michaluk and Kathryn Bird HRPA 2011 February 2, 2011
  • Outline
    • Investigation basics
    • Sources of digital evidence
    • Why digital evidence is different
    • Preservation best practices
    • Interview tips
    • Managing the investigation record
  • Investigation Basics
    • Your objectives
      • To gather relevant evidence
      • To weigh the reliability of the evidence
      • To draw one or more reliable conclusions of fact
      • To appear neutral throughout
  • Investigation Basics
    • Process flow
      • Receive complaint or identify problem
      • Define questions of fact
      • Investigate covertly (identify, gather and preserve)
      • Interview respondent employee
      • Investigate response as necessary
      • Draw conclusions
  • Investigation Basics
    • Employer access to employer systems
      • Generally okay with a “no expectation of privacy” policy, but personal use is changing expectations
      • But a policy that sets out an audit right and an investigation right is good practice
      • Identify how investigations are authorized
      • Treat information gathered with a view to scrutiny
  • Sources of Digital Evidence
    • Your pre-confrontation sources
      • Your servers
        • E-mail
        • Voice mail
        • Mobile messaging
  • Sources of Digital Evidence
    • Your pre-confrontation sources
      • Your network “clients”
        • Stored information
        • Specially captured information*
        • *Beware: highly intrusive
  • Sources of Digital Evidence
    • Your post-confrontation sources
      • Thumb drives, cameras and other peripherals
      • Media cards on mobile devices
      • Peer to peer mobile communications
        • Messaging applications
        • Transfers through other applications
      • Home computers
  • Sources of Digital Evidence
    • Third-party sources
      • Internet service providers
      • Telecommunications carriers
  • Why Digital Evidence is Different
    • Proving authenticity can be very difficult
      • Can be readily altered
      • Alternations may not be testable
  • Why Digital Evidence is Different
    • People think it’s private
      • Conversations are now stored
      • E-mail is bad, chat is worse
      • Chat is becoming more prevalent
      • E-mail and chat are producible
  • Preservation of Digital Evidence
    • Preservation through collection
      • Decide who will collect
        • Is it a forensics case?
        • What’s at stake?
        • Is your IT staff qualified?
        • Will the person collecting be available?
        • Will the person collecting be a good witness?
      • Preserve a copy before you review!
  • Preservation of Digital Evidence
    • Record the chain of custody
      • Identify where the copy came from
      • Identify the physical object by description
      • Record the time and date
      • Sign it
      • Secure it
  • Preservation of Digital Evidence
    • Preserving web pages
      • Difficult to do a true forensic capture
      • There are services and software tools, but they need to be applied with care
      • If it is about words on the screen periodically printing and signing or taking a screen capture may suffice
      • But otherwise, get help
  • Preservation of Digital Evidence
    • Exit procedures are important
      • Computers should be held for a cooling off period
      • Mobile devices can be remotely wiped
      • Routine preservation may often be warranted
  • Interview tips
    • Basic tips
      • Build rapport and stress neutrality
      • Sit face to face, not behind a desk
      • Take notes, don’t tape
      • Save the interrogation for interview #2
  • Interview Tips
    • Show the witness the records
  • Interview Tips
    • How to handle, “Someone must have accessed my computer!”
      • Who knew your password?
      • Who had access to your office?
      • Where were you? Were you with someone else?
      • Consider circumstantial evidence (e.g. content of communication, timing of e-mails)
      • Go through every event
  • Interview Tips
    • Turn logs into usable evidence
      • Probe at…
      • … time period
      • … frequency
      • … volume
      • … and other contextual facts shown by logs
  • Interview Tips
    • Turn logs into usable evidence
      • This shows sixty downloads in the month of May. Does that accurately represent your activity over that period?
      • You mostly downloaded from a site called “BT Junkie” correct?
  • Managing the Investigation Record
    • Records produced in the course of an investigation will not be privileged except in the most extraordinary circumstances
    • So everything you create may be producible
  • Managing the Investigation Record
    • Tips for keeping a “tight” record
      • Don’t conclude before you conclude
      • Interview notes have factual observations only
      • Don’t think over e-mail
      • Don’t send draft reports by e-mail
  • Managing the Investigation Record
    • The logic of the written report
      • Conclusions and recommendations
      • Facts
      • Evidence
        • What’s relevant
        • What’s reliable
        • What’s compelling
  • Investigating Computer System Abuse Help for Human Resources Dan Michaluk and Kathryn Bird HRPA 2011 February 2, 2011