Blended Enterprise Investigations

Using Digital Forensics and Physical Security to Build Your Case



Transcript

  • 1. Blended Enterprise Investigations: Using Digital Forensics and Physical Security to Build Your Case. By John Grancarich, Paul Hastings Janofsky & Walker LLP
  • 2. Introduction
    — Pure digital investigations are becoming a thing of the past
    — The physical world is increasingly going digital
    — A puzzle contains more than one piece – investigate them all:
        Digital forensics
        Interviews of key players
        Building/floor access logs
        Floor plan analysis
    — The essential aspect of the blended role? Solid investigative skills
    — Can one person do it all? Not always
    P A G E 1
  • 3. Agenda
    — Investigative methodology
    — Case study – workplace harassment
    — Blended investigation techniques
  • 4. Investigative Philosophy
    — The goal of any investigation is to discover and present the truth
    — How do we get to the truth? Trusted, non-biased methodology and technology
    — The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages
    — Intellect over emotion at all times
    — Understand the difference between examination and investigation:
        Examiner reports on findings
        Investigator puts all the pieces together
  • 5. Investigative Process Model (Source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey)
    Stage 1   Incident Alert / Accusation / Claim – Crime or policy violation
    Stage 2   Assessment of Worth – Prioritize / choose
    Stage 3   Incident Response / Protocol – Actions at scene
    Stage 4   Identification or Seizure – Recognition & proper packaging
    Stage 5   Preservation – Maintain integrity
    Stage 6   Recovery – Get it all!
    Stage 7   Harvesting – Data about data
    Stage 8   Reduction – Filter and eliminate
    Stage 9   Organization and Search – What is the focus?
    Stage 10  Analysis – Scrutinize and understand
    Stage 11  Reporting – Prepare detailed record
    Stage 12  Persuasion and Testimony – Translate and explain
  • 6. Investigative Process Model – Stage 1: Incident Alert / Accusation / Claim
    — Triggering event
    — Consider source and reliability of information
    — Start gathering initial facts
    — Delicate stage in an investigation
    [Figure: process model diagram with Stage 1 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 7. Case Study – Workplace Harassment: Incident Alert / Accusation / Claim
    — Client’s IT group consists of two employees working in a secured area
    — Claimant accuses Respondent of downloading adult content to a work computer and viewing it in the workplace
    — Alleges this activity has been going on for approximately nine months
    — Alleges that two days before the claim was made, Respondent attempted to initiate a physical relationship with Claimant in the office against Claimant’s wishes; according to the allegation, the attempt was graphic and involved
    — Claimant goes to HR and makes the claim
    — Incident is documented and Claimant immediately goes on paid leave, stating severe physical side effects and emotional distress as a result of this experience
  • 8. Investigative Process Model – Stage 2: Assessment of Worth
    — Apply investigative resources where needed most
    — Questions asked to focus on most severe problems
    — Result of this step is one of two options: no further action, or continue to investigate
    [Figure: process model diagram with Stage 2 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 9. Case Study – Workplace Harassment: Assessment of Worth
    — Internal investigators immediately informed of incident
    — Very serious allegations
    — Do the Respondent’s alleged actions (the unwanted physical advances) constitute harassment only, or sexual assault?
    — Claimant deserves to have allegations investigated, and company has a duty to determine what happened
    — Would have serious ramifications if not pursued
    — Continue to investigate? Yes
  • 10. Investigative Process Model – Stage 3: Incident Response / Protocol
    — Retain and document items at scene
    — Follow accepted protocols
    — Result of this step is a secure scene where evidence is “frozen” in place
    [Figure: process model diagram with Stage 3 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 11. Investigative Process Model – Stage 4: Identification or Seizure
    — Identify and seize potential evidence
    — Goal is not to seize everything – make informed, reasoned decisions
    — Documentation is key
    — Use memory aids (procedures, checklists, forms)
    [Figure: process model diagram with Stage 4 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 12. Case Study – Workplace Harassment: Incident Response / Seizure
    — Work area is observed – Claimant and Respondent have left the premises
        No video surveillance in work area
        Area is secured though – do access key records exist?
    — Work area is photographed
    — Computers are found powered off at time of arrival on scene
    — Hard drives from Claimant’s and Respondent’s computers are forensically imaged at scene
    — Any other items of interest on desks or in work areas? CD/DVDs, USB, mobile devices, notes, folders, etc.
    — Server e-mail, e-mail backups and home shares forensically copied for further analysis
  • 13. Investigative Process Model – Stage 5: Preservation
    — Take proper actions to ensure integrity of physical and digital evidence
    — Often the first stage that uses tools of a particular type
    — Output of this stage is usually a set of duplicate data
    [Figure: process model diagram with Stage 5 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 14. Investigative Process Model – Stage 6: Recovery
    — Extract deleted, hidden, camouflaged or otherwise unavailable data
    — Performed on copies of digital evidence from the preservation stage
    — Objective is to identify, and if possible make visible, all data that belongs to a particular data type
    [Figure: process model diagram with Stage 6 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 15. Case Study – Workplace Harassment: Preservation / Recovery
    — Still primarily in the realm of digital forensics at this point
    — Allegation partially relates to images downloaded from the internet
    — Where to begin:
        Images and html from allocated and unallocated space
        All Internet history files
        All Windows event logs
        All Windows registry files
        All files in C:\Documents & Settings\Respondent\Recent and Desktop, and any other potentially relevant user folders
        Windows prefetch files
    — Goal is to recover everything that is potentially relevant for later research and analysis
    — At this point in the investigation, no perceived need to conduct a physical investigation
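The preservation stage above (Stage 5, "maintain integrity") and the recovery list on this slide both rest on being able to prove that the working copies of the artifacts have not changed since they were taken. The following Python example is added here for illustration and is not code from the presentation or its author: it records a SHA-256 manifest over a tree of recovered artifacts and later re-verifies the tree, reporting files that were modified, removed or added. The directory layout, file names (including the prefetch file name) and file contents are constructed for the demo; one file holds the bytes "abc" so its digest can be checked against the published SHA-256 test vector.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample artifact tree. The paths mirror the kinds of items the slide
# lists (Recent folder, prefetch, registry hive); names and bytes are made up.
SAMPLE_ARTIFACTS = {
    "Documents and Settings/user/Recent/report.lnk": b"abc",  # known SHA-256 test vector
    "Windows/Prefetch/NOTEPAD.EXE-ABCD1234.pf": b"constructed prefetch bytes",
    "Windows/system32/config/software": b"constructed registry hive bytes",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the tree under root with a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def write_manifest(manifest, path):
    """Persist as 'digest  path' lines, the layout that sha256sum -c also accepts."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def demo():
    """Build the constructed tree, record its manifest, disturb the working copy,
    and re-verify. Returns (original manifest, verification report)."""
    with tempfile.TemporaryDirectory() as workdir, tempfile.TemporaryDirectory() as store:
        for rel, data in SAMPLE_ARTIFACTS.items():
            target = Path(workdir, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest_path = Path(store, "manifest.sha256")
        original = build_manifest(workdir)
        write_manifest(original, manifest_path)  # would be stored with the evidence log

        # Simulate what re-verification must catch: an accidental write, a deletion
        # and a stray file dropped into the evidence tree.
        Path(workdir, "Windows/Prefetch/NOTEPAD.EXE-ABCD1234.pf").write_bytes(b"altered")
        Path(workdir, "Windows/system32/config/software").unlink()
        Path(workdir, "stray.tmp").write_bytes(b"new")

        report = verify_manifest(workdir, read_manifest(manifest_path))
    return original, report


if __name__ == "__main__":
    manifest, report = demo()
    for rel, digest in manifest.items():
        print(f"{digest}  {rel}")
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

In practice the manifest is generated once, immediately after imaging, and stored with the chain-of-custody record rather than inside the evidence tree, so that every later analysis session can start by re-running the verification.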
  • 16. Investigative Process Model – Stage 7: Harvesting
    — Scrutiny of evidence begins
    — Facts begin to take shape that support or negate claims or accusations
    — Look for categories of evidence that seem or are known to be related to key facts of the investigation
    [Figure: process model diagram with Stage 7 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 17. Case Study – Workplace Harassment: Harvesting
    — First question: does Respondent’s computer have prohibited images on it?
    — Start with the low-hanging fruit – targets or goals which are easily achievable and which do not require a lot of effort
    — Review of images from allocated space on Respondent’s computer reveals a substantial number of adult images are present
    — This evidence supports Claimant’s allegation. Or does it?
  • 18. Case Study – Workplace Harassment: Harvesting
    — Two ways to look at Claimant’s allegation:
        Scenario 1: Yes, Respondent downloaded prohibited images and videos to his computer
        Scenario 2: There are prohibited images and videos on Respondent’s computer, but we don’t have enough information to determine who put them there
    — Step outside of the digital realm: consider the physical layout of the work area
    — Recall that only two employees are in the secured work area – Claimant and Respondent
    — Recall that Claimant alleges several months of illicit downloading of pornography before making the claim – this is an unusually long time before making a complaint
    — Conclusion: there is not enough evidence to prove scenario 1 is true
  • 19. Investigative Process Model – Stage 8: Reduction
    — Separate the wheat from the chaff
    — Consider material facts of the case to help prioritize evidence
    — Intended result is the smallest set of evidence that has the highest potential for containing data of probative value
    [Figure: process model diagram with Stage 8 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 20. Case Study – Workplace Harassment: Reduction
    — Initial findings on Respondent’s computer:
        Several hundred pornographic images (allocated and unallocated)
        Multiple visits to various pornographic sites over a several-month period
        Approximately 75 e-mails from Claimant’s Yahoo! account, including Claimant’s written complaint to HR, from unallocated space
        Reimaged computer on the day the claim was made against him
    — Questions:
        How did Claimant’s e-mails get onto Respondent’s computer?
        Did Claimant download the illicit images onto Respondent’s computer?
        How credible is Claimant?
    — Further investigation of Claimant warranted
  • 21. Case Study – Workplace Harassment: Reduction
    — Initial findings on Claimant’s computer:
        Multiple visits to various pornographic sites over a several-month period
        Computer reimaged on the same day the claim was made
        Keystroke logger “SoftActivity” installed
    — Summary to this point:
        There is truth to Claimant’s allegation, but…
        Claimant has a serious credibility issue too
        Who did what and when?
        Too many open questions – need to broaden scope of investigation
        Need to put people in place and time
  • 22. Case Study – Workplace Harassment: Recovery and Harvesting, Phase II
    — Domain controller logs
        Who was logged into which computer, and when?
        What activity took place?
    — Blended investigation techniques
        Video surveillance – Work area? Hallways? Stairwells?
        Floor plan – Open plan? Small or large space?
        Access key records (i.e. floor entries and exits) – Who entered or left and when?
        Interview of supervisor and other knowledgeable personnel – Do they have any helpful information to provide?
    — Ultimate goal is to build a defensible timeline of what we know happened
  • 23. Investigative Process Model – Stage 9: Organization and Search
    — Organize reduced set of material into meaningful “buckets”
    — Simplifies locating and identifying data during the analysis stage
    — May incorporate search technology or topic/cluster-based review
    [Figure: process model diagram with Stage 9 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 24. Investigative Process Model – Stage 10: Analysis
    — Detailed scrutiny of materials
    — Assess content and try to determine means, motivation and opportunity
    — Experimentation with untested methods
    — Correlation and timeline
    — Validation
    [Figure: process model diagram with Stage 10 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 25. Case Study – Workplace Harassment: Organization and Analysis
    Claimant alleges Respondent sexually harassed him on June 16, 2008 between 5:00-5:30pm in the secured IT area on the 13th floor.
    Physical security: access key records for June 16, 2008, 4:30-6:00pm
    Time                 Activity
    06/16/2008 16:32:40  Respondent admitted to 11th floor lobby
    06/16/2008 16:40:02  Respondent admitted to 13th floor lobby
    06/16/2008 16:40:29  Respondent admitted to 13th floor IT area
    06/16/2008 16:55:54  Claimant admitted to 14th floor lobby
    06/16/2008 16:57:25  Claimant admitted to 14th floor cafeteria
    06/16/2008 16:58:34  Claimant admitted to 13th floor lobby
    06/16/2008 16:58:48  Claimant admitted to 13th floor IT area
    06/16/2008 17:11:57  Claimant admitted to 13th floor lobby
    06/16/2008 17:12:20  Claimant admitted to 13th floor IT area
    06/16/2008 17:13:39  Respondent admitted to 13th floor server room
    06/16/2008 17:13:46  Respondent admitted to 13th floor IT area
    06/16/2008 17:17:19  Respondent admitted to 13th floor server room
    06/16/2008 17:32:27  Respondent admitted to 13th floor IT area
    06/16/2008 17:38:17  Respondent admitted to 14th floor stairwell
    Maximum amount of time together during alleged confrontation: 4 minutes 59 seconds
  • 26. Case Study – Workplace Harassment: Organization and Analysis
    Domain controller log for Claimant’s computer from the morning of the alleged physical incident until the time the claim was filed
    Name        Domain   Duration (min)  Event   Login Time           Time                 User
    ClaimantPC  Company  0               Logon   06/16/2008 08:36:58                       Claimant
    ClaimantPC  Company  1978            Logoff  06/16/2008 08:36:58  06/17/2008 17:35:29  Claimant
    ClaimantPC  Company  0               Logon   06/17/2008 17:43:16                       Respondent
    ClaimantPC  Company  31              Logoff  06/17/2008 17:43:16  06/17/2008 18:15:10  Respondent
    ClaimantPC  Company  0               Logon   06/17/2008 18:15:28                       Temp Account
    ClaimantPC  Company  2               Logoff  06/17/2008 18:15:28  06/17/2008 18:17:34  Temp Account
    ClaimantPC  Company  0               Logon   06/17/2008 18:18:48                       Administrator
    ClaimantPC  Company  1               Logoff  06/17/2008 18:18:48  06/17/2008 18:19:49  Administrator
    ClaimantPC  Company  0               Logon   06/17/2008 18:23:14                       Administrator
    ClaimantPC  Company  11              Logoff  06/17/2008 18:23:14  06/17/2008 18:34:37  Administrator
    ClaimantPC  Company  0               Logon   06/17/2008 18:34:51                       Respondent
    ClaimantPC  Company  1               Logoff  06/17/2008 06:34:51  06/17/2008 18:36:38  Respondent
    ClaimantPC  Company  0               Logon   06/18/2008 08:34:43                       Claimant
    ClaimantPC  Company  37              Logoff  06/18/2008 08:34:43  06/18/2008 09:12:03  Claimant
    ClaimantPC  Company  0               Logon   06/18/2008 10:24:27                       Temp Account
    ClaimantPC  Company  0               Logon   06/19/2008 18:00:31                       Temp Account
    ClaimantPC  Company  3               Logoff  06/19/2008 18:00:31  06/19/2008 18:03:31  Temp Account
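Slides 22, 25 and 26 describe the core of the blended analysis: treating each access-key admission as placing a person in an area until their next admission, computing how long two people could have been in the same area, pairing logon and logoff records from the domain controller into sessions, and merging everything into one timeline that keeps the source of each row (the form used in the later "Reporting / Timeline" slides). The Python example below is added here to show that computation in working code; it is not code from the presentation or its author. The people ("Person A", "Person B"), the host name "HostX", the record layout (pipe-separated fields) and all timestamps are constructed for the demo, not taken from the case. Records that do not pair up (a logoff with no logon, or a logon still open at the end of the window) are kept as items to explain rather than silently dropped, since an unexplained gap in a timeline is exactly what a challenge to the report will target.

```python
from dataclasses import dataclass
from datetime import datetime

TS_FORMAT = "%m/%d/%Y %H:%M:%S"
ACCESS = "Access Key Records"
DC_LOG = "Domain Controller Log"


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which record set the row came from; kept so the report can cite it
    actor: str
    detail: str   # area admitted to (access records) or "Logon <host>" / "Logoff <host>"


# Constructed sample records in the same shape as the slide's tables; people, host
# and times are made up for the demo. Format: timestamp|person|area admitted to
ACCESS_KEY_RECORDS = """\
06/16/2008 16:40:29|Person A|13th floor IT area
06/16/2008 16:58:48|Person B|13th floor IT area
06/16/2008 17:11:57|Person B|13th floor lobby
06/16/2008 17:12:20|Person B|13th floor IT area
06/16/2008 17:17:19|Person A|13th floor server room
06/16/2008 17:38:17|Person A|14th floor stairwell
"""

# Constructed domain-controller records. Format: host|Logon-or-Logoff|timestamp|user
DOMAIN_CONTROLLER_LOG = """\
HostX|Logon|06/17/2008 17:43:16|Person A
HostX|Logoff|06/17/2008 18:15:10|Person A
HostX|Logon|06/17/2008 18:18:48|Administrator
HostX|Logoff|06/17/2008 18:19:49|Administrator
HostX|Logoff|06/17/2008 18:36:38|Person A
"""


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_access_records(text):
    events = []
    for line in text.splitlines():
        ts, actor, area = line.split("|")
        events.append(Event(parse_ts(ts), ACCESS, actor, area))
    return events


def parse_domain_controller_log(text):
    events = []
    for line in text.splitlines():
        host, kind, ts, user = line.split("|")
        events.append(Event(parse_ts(ts), DC_LOG, user, f"{kind} {host}"))
    return events


def merged_timeline(*event_lists):
    """Sort events from every source into one timeline; each row keeps its source."""
    return sorted((e for events in event_lists for e in events),
                  key=lambda e: (e.ts, e.source, e.actor))


def location_intervals(access_events, actor, window_end):
    """Each admission places the actor in that area until their next admission, or
    until the end of the analysis window when no later record exists."""
    own = sorted((e for e in access_events if e.actor == actor), key=lambda e: e.ts)
    intervals = []
    for i, e in enumerate(own):
        end = own[i + 1].ts if i + 1 < len(own) else window_end
        intervals.append((e.detail, e.ts, end))
    return intervals


def co_presence(access_events, actor_a, actor_b, area, window_end):
    """Return the (start, end) windows during which both actors were in `area`."""
    a = [(s, e) for loc, s, e in location_intervals(access_events, actor_a, window_end) if loc == area]
    b = [(s, e) for loc, s, e in location_intervals(access_events, actor_b, window_end) if loc == area]
    overlaps = []
    for start_a, end_a in a:
        for start_b, end_b in b:
            start, end = max(start_a, start_b), min(end_a, end_b)
            if start < end:
                overlaps.append((start, end))
    return sorted(overlaps)


def logon_sessions(dc_events):
    """Pair each Logoff with the open Logon for the same host and user.
    Returns (sessions, anomalies); anomalies are records that did not pair up."""
    open_logons, sessions, anomalies = {}, [], []
    for e in sorted(dc_events, key=lambda e: e.ts):
        kind, host = e.detail.split(" ", 1)
        key = (host, e.actor)
        if kind == "Logon":
            if key in open_logons:
                anomalies.append(f"{e.ts} logon by {e.actor} on {host} while a session was still open")
            open_logons[key] = e.ts
        elif kind == "Logoff":
            start = open_logons.pop(key, None)
            if start is None:
                anomalies.append(f"{e.ts} logoff by {e.actor} on {host} without a matching logon")
            else:
                sessions.append((host, e.actor, start, e.ts))
    for (host, user), start in open_logons.items():
        anomalies.append(f"{start} logon by {user} on {host} never logged off in the window")
    return sessions, anomalies


if __name__ == "__main__":
    access = parse_access_records(ACCESS_KEY_RECORDS)
    dc = parse_domain_controller_log(DOMAIN_CONTROLLER_LOG)
    for start, end in co_presence(access, "Person A", "Person B", "13th floor IT area",
                                  parse_ts("06/16/2008 18:00:00")):
        print(f"together {start:%H:%M:%S}-{end:%H:%M:%S} ({int((end - start).total_seconds())} s)")
    sessions, anomalies = logon_sessions(dc)
    for host, user, start, end in sessions:
        print(f"{user} on {host}: {start:{TS_FORMAT}} to {end:%H:%M:%S}")
    for note in anomalies:
        print("check:", note)
    for e in merged_timeline(access, dc):
        what = f"admitted to {e.detail}" if e.source == ACCESS else e.detail
        print(f"{e.ts:{TS_FORMAT}}  {e.actor} {what}  [{e.source}]")
```

The co-presence calculation assumes a badge reader on every door of the area; where an area can be left without badging out (as the slide's "admitted to" records suggest), the intervals are upper bounds on time together, which is the conservative reading for a report that will be challenged.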
  • 27. Case Study – Workplace Harassment: Organization and Analysis
    — Interviews of human resources personnel indicate Claimant met with them to discuss the allegations on June 18, 2008 between 2:00-5:00pm in a 14th floor conference room.
    — What was Respondent doing during this time frame? Reimaging his computer.
        Time                 Activity
        06/18/2008 16:47:00  Respondent reimages computer with Windows XP
    — Is this a coincidence?
    — What could cause Respondent to reimage his computer during the time Claimant was meeting with HR regarding his claim? Could he have learned of the meeting?
  • 28. Case Study – Workplace Harassment: Organization and Analysis
    — Floor plan for 14th floor mapped with Respondent’s access key records during the time frame of Claimant’s meeting with HR (2:00-5:00pm on 6/18/08)
        6/18/08 2:51:07pm  Respondent enters 14th floor (stairwell 2) – was on the same floor during Claimant’s meeting with HR
        6/18/08 2:52:35pm  Respondent returns to 13th floor (stairwell 2)
        6/18/08 2:52:59pm  Respondent enters secured IT area on 13th floor
        Respondent does not enter the secured administration area
    [Figure: 14th floor plan with the above access key records plotted]
  • 29. Investigative Process Model – Stage 11: Reporting
    — Should contain important details from each step
    — Focus of the report is on the analysis
    — Can demonstrate the investigator’s objectivity by describing eliminated theories that were unsupported or contradicted
    [Figure: process model diagram with Stage 11 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 30. Case Study – Workplace Harassment: Reporting
    — Should contain important details from each step of the process
    — Focus of the report will be on the analysis leading to each conclusion and descriptions of all of the supporting evidence
    — In a report, no conclusion should be presented without a thorough description of the supporting digital and physical evidence and your analysis
    — Be prepared to be challenged
    — In our case study, because of the significant number of details and movement of the parties, the investigator requests a comprehensive timeline of events for both Claimant and Respondent as opposed to a technical examination report – tie the digital and physical evidence together
    — Investigator reserves the right to request background technical information and documentation to corroborate all items in the timeline
  • 31. Case Study – Workplace Harassment: Reporting / Timeline
    — Evidence of Respondent’s viewing of pornographic websites and other prohibited activity:
        Approximately 1,200 pornographic images located on computer (allocated and unallocated)
        Multiple visits to various pornographic sites over a several-month period
        Approximately 75 e-mails from Claimant’s Yahoo! account
        Installed keystroke logging software on Claimant’s computer
  • 32. Case Study – Workplace Harassment: Reporting / Timeline
    — Evidence of Claimant’s viewing of pornographic websites:
        Time                 Activity                                        Source
        06/17/2008 10:26:33  Claimant enters 13th floor                      Access Key Records
        06/17/2008 10:26:46  Claimant enters secured IT area on 13th floor   Access Key Records
        06/17/2008 10:35:00  Claimant visits adult website                   Internet History Analysis
    — Where was Respondent during this time frame?
        Time                           Activity                                                     Source
        06/17/2008 08:37:46            Respondent enters 14th floor                                 Access Key Records
        06/17/2008 09:40:17            Respondent enters 14th floor pantry                          Access Key Records
        06/17/2008 8:37:47 - 10:53:52  No entries to any other floors are recorded by Respondent    Access Key Records
        06/17/2008 10:53:53            Respondent enters 13th floor                                 Access Key Records
        06/17/2008 10:54:32            Respondent enters secured IT area on 13th floor              Access Key Records
  • 33. Case Study – Workplace Harassment: Reporting / Timeline
    — Respondent’s spying on Claimant:
        Time                 Activity                                                                                              Source
        06/17/2008 17:34:57  Respondent logs off Respondent's computer                                                             Domain Controller Log
        06/17/2008 17:35:29  Claimant logs off Claimant's computer                                                                 Domain Controller Log
        06/17/2008 17:37:23  Respondent enters secured IT area on 13th floor                                                       Access Key Records
        06/17/2008 17:43:16  Respondent logs on to Claimant's computer using Respondent’s user ID                                  Domain Controller Log
        06/17/2008 17:47:00  Respondent visits Yahoo! using Internet Explorer and searches for Yahoo! password helper              Internet History Analysis
        06/17/2008 17:51:00  Respondent performs another Yahoo! search using Internet Explorer and searches for keystroke software  Internet History Analysis
        06/17/2008 17:53:00  Respondent performs another Yahoo! search using Internet Explorer and searches for free keystroke software  Internet History Analysis
        06/17/2008 17:53:00  Respondent visits www.freedownloadscenter.com using Mozilla Firefox and searches for keystroke        Internet History Analysis
        06/17/2008 17:54:00  Respondent visits www.keyghost.com                                                                    Internet History Analysis
        06/17/2008 17:55:00  Respondent visits www.dirfile.com/revealer_free_edition.htm using Firefox                             Internet History Analysis
        06/17/2008 18:00:00  Respondent visits www.softactivity.com using Firefox                                                  Internet History Analysis
        06/17/2008 18:05:23  Respondent installs keylogger software "SoftActivity" on Claimant's computer                          Internet History Analysis
        06/17/2008 18:15:10  Respondent logs off of Claimant's computer                                                            Domain Controller Log
  • 34. Case Study – Workplace Harassment: Social networking evidence also refutes Claimant’s story of physical and emotional distress
    — Uses a pseudonym – same as Yahoo! e-mail account name
    — Pseudonym was unique, not common – useful for search engine research
    — Google searches revealed social networking profiles or dating profiles on the following sites:
        MySpace
        Facebook
        Multiple dating websites, including at least one nude photo
    — MySpace entries during leave of absence include:
        “Are you ready to party?”
        “So where will you be tonight?... I am your new stalker.”
        “Thank you so much for the wonderful experience of last Saturday night”.
        “We should go and have a blast tonight”.
        “I had a blast with you guys! Where is the next party?”
  • 35. Case Study – Workplace Harassment: Social networking evidence
    — Photograph of Claimant located on the Internet at a trendy hotel in New York City
    — Taken during the time of Claimant’s leave of absence
    — The hotel was hosting an event the weekend of June 28-29, 2008
  • 36. Investigative Process Model – Stage 12: Persuasion and Testimony
    — May be necessary to testify or answer questions before decision makers can reach a conclusion
    — Much preparation required
    — Use techniques and methods to translate technical detail into understandable terms
    [Figure: process model diagram with Stage 12 highlighted; source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey]
  • 37. Case Study – Workplace Harassment: Persuasion and Testimony
    — More difficult to explain digital evidence than physical evidence
    — If you weren’t a digital forensics practitioner, would YOU understand what you were saying?
    — Your audience must be able to comprehend what you’re telling them in order to make appropriate decisions
    — Practice your techniques on a co-worker or lay person if necessary
    — For some helpful tips on testifying and conveying information, see http://www.justice.gov/usao/ne/vw/prep%20testify.pdf
  • 38. Case Study – Workplace Harassment: Investigation results
    — After two weeks of investigation, Respondent was terminated for violation of the company’s technology usage policy
    — Claimant filed a demand letter threatening to sue employer
    — Investigation established that Claimant was a ‘bad actor’ and had also violated the company’s technology usage policy
    — Claimant filed a demand letter threatening to sue the company while on leave
    — Claimant’s activity was tracked for six weeks while he was on leave; activity clearly refuted claims of physical ailments and emotional distress
    — In order to avoid further conflict and possible legal action, the company decided to settle the matter with the Claimant
  • 39. Summary
    Blended investigation techniques are a crucial must-have in your investigative methodology. Possible areas to investigate and pursue:
    — Digital forensics
    — Face-to-face interviews
    — Access card logs
    — E-mail discovery and review
    — Voicemail
    — Video surveillance and analysis
    — Inventory audits
    — Financial statement analysis / forensic accounting
    — Anything else relevant to your investigation
  • 40. Contact information
    John Grancarich, EnCE
    Practice Support Electronic Discovery Consultant
    Paul Hastings Janofsky & Walker LLP
    johngrancarich@paulhastings.com
    212-318-6553