Richard Rosalion KPMG: Investigating cyber incidents – eForensics
Richard Rosalion, Manager, Forensic Advisory, KPMG delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference

Published in: Technology, Business
Transcript

  • 1. eForensics: Investigating Security Incidents
    Richard Rosalion, rrosalion@kpmg.com.au
    Corporate Cyber Security Summit, November 2013
  • 2. Overview
    1. Introduction
    ■ eForensics 101: eForensics for Security Professionals
    2. Proactive eForensics
    ■ Role of Proactive eForensics
    3. eForensic Readiness
    ■ Helping organisations become “ready” for forensics
    ■ Incident Response Planning
    4. eForensics in Security Investigations
    ■ When to call the (forensic) experts
    ■ Case studies
    Disclaimer: The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
    © 2013 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International.
  • 3. Curriculum vitae
    Name: Richard Rosalion
    Position: Manager, Forensic Technology
    Experience
    Forensic Technology
    ■ Manager, Forensic Technology - KPMG (2013 – Now)
    ■ Lecturer and Instructor - Swinburne University (2011 – Now)
    ■ Digital Forensic Analyst - Victoria Police (2008 – 2013)
    Information Technology
    ■ IT/User Support Officer - University of Melbourne (2007 – 2008)
    ■ System Administrator - MACRO Recruitment (2001 – 2007)
    Education
    ■ Masters in eForensics and Enterprise Security, University of Melbourne
    ■ Graduate Certificate in Information Security and Assurance, RMIT
    Qualifications
    ■ EnCase Certified Examiner (EnCE)
    ■ Certified Computer Examiner (CCE)
  • 4. eForensics 101: Forensics for Security Professionals “Find evidence on digital devices without altering original”?
  • 5. eForensics 101: Definitions
    ■ fo·ren·sic /fəˈrenzik/
    ■ adj. Of or used in courts of law
    ■ Latin root “forensis” (before the forum)
    Forensic Science: Application of scientific method to answer questions of interest to a legal system
  • 6. eForensics 101: Locard’s Exchange Principle
    General Principle of Forensic Science
    ■ Locard’s Principle: “With contact between two items, there will be an exchange” (Thornton, 1997)
    ■ Sherlock Holmes’ Principle: “As long as the criminal remains upon two legs so long must there be some indentation, some abrasion, some trifling displacement which can be detected by the scientific researcher” (Doyle, 1904)
  • 7. eForensics 101: Write Blockers
    Allow the analyst to obtain data from hard disk drives without changes being made to the original evidence.
  • 8. eForensics 101: Types of Data Acquisition
    ■ Physical
    – “bit for bit” copy, includes deleted (unallocated) areas of disk
    ■ Logical
    – File system (or specific files) only, in tamper-evident container
    ■ File Copy
    – Individual file contents only, easily modified
    – Metadata (e.g. MFT dates and times) lost
  • 9. eForensics 101: Order of Volatility (most to least volatile)
    ■ CPU Registers / Cache
    ■ Main Memory (RAM)
    ■ Network State / Running Processes
    ■ Hard Disk Drives, USB Flash, etc.
    ■ Backups / Printouts / CD ROM / etc.
  • 10. eForensics 101: Sources of Electronic Evidence
    Where’s the Evidence?
    ■ Physical Sources
    – Phones, Computers, etc.
    – BYOD
    ■ Electronic Sources
    – Logs, emails, firewalls
    ■ External Sources
    – Cloud
    – Social Media
  • 11. eForensics 101: Electronic Evidence Guidelines
    ACPO Good Practice Guide
    1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
    2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
    3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
    4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
    Source: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
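The two points slides 8 and 11 make together (a logical acquisition sits in a tamper-evident container that preserves file metadata, and an independent party must be able to repeat the examiner's processes and get the same result) can be shown concretely. The script below is an added example written for this transcript; it is not KPMG's or the presenter's code and it stands in for no particular forensic tool. It records each file's size, timestamps and SHA-256 into a manifest, seals the manifest with its own hash, and lets a second examiner re-verify a copy of the evidence. The evidence files, the examiner name and the alteration in `demo()` are all constructed for the example.

```python
"""Logical acquisition manifest with integrity verification.

Added example (not from the presentation): a minimal stand-in for the
"tamper-evident container" a logical acquisition produces, and for the
reproducible audit trail ACPO principle 3 asks for. Each collected file gets
its timestamps recorded BEFORE its contents are read, plus a SHA-256 of the
contents; the whole manifest is then sealed with a hash that an independent
examiner can recompute.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size so large evidence files never sit in memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def collect_entry(root: Path, path: Path) -> dict:
    """Record metadata first, then hash contents.

    Reading a file on a live filesystem can update its access time, which is
    one reason acquisitions go through a write blocker or read-only mount.
    Capturing stat() before the read at least preserves the pre-read values.
    """
    st = path.stat()
    return {
        "path": path.relative_to(root).as_posix(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
        "ctime_ns": st.st_ctime_ns,
        "sha256": sha256_file(path),
    }


def _canonical(body: dict) -> bytes:
    # Canonical JSON: anyone recomputing the seal hashes exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, examiner: str) -> dict:
    """Walk the source tree in a deterministic order and seal the result."""
    entries = [collect_entry(root, p) for p in sorted(root.rglob("*")) if p.is_file()]
    body = {
        "source": str(root),
        "examiner": examiner,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
    }
    body["manifest_sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def seal_is_valid(manifest: dict) -> bool:
    """Recompute the seal over everything except the seal itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == manifest["manifest_sha256"]


def verify_copy(manifest: dict, copy_root: Path) -> list:
    """Independent re-examination: list every discrepancy between the manifest
    and a copy of the evidence (altered manifest, missing, changed or extra files)."""
    problems = []
    if not seal_is_valid(manifest):
        problems.append("manifest seal does not match: manifest altered")
    expected = {e["path"]: e for e in manifest["entries"]}
    present = {p.relative_to(copy_root).as_posix() for p in copy_root.rglob("*") if p.is_file()}
    for rel, e in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
            continue
        p = copy_root / rel
        if p.stat().st_size != e["size"]:
            problems.append(f"size changed: {rel}")
        if sha256_file(p) != e["sha256"]:  # size alone is not enough; hash the contents
            problems.append(f"content hash mismatch: {rel}")
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: two files acquired, then one altered (same length)
    in the copy, then the manifest itself edited. Returns
    (issues on clean copy, issues after file alteration, seal valid after manifest edit)."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "evidence"
        src.mkdir()
        (src / "notes.txt").write_bytes(b"meeting 2013-11-05\n")   # constructed content
        (src / "export.csv").write_bytes(b"id,amount\n1,4200\n")  # constructed content
        manifest = build_manifest(src, examiner="examiner-placeholder")
        clean = verify_copy(manifest, src)
        (src / "export.csv").write_bytes(b"id,amount\n1,4201\n")  # simulated alteration
        tampered = verify_copy(manifest, src)
        manifest["examiner"] = "someone-else"                     # simulated manifest edit
        return len(clean), len(tampered), seal_is_valid(manifest)


if __name__ == "__main__":
    print(demo())
```

The altered file in `demo()` keeps its original length on purpose: a size check passes while the content hash does not, which is why a file-copy style acquisition with no hashes gives a court nothing to rely on. A real logical container (for example an E01 or AD1 image produced by a forensic tool) does the same job with per-block hashes and case metadata, but the verification logic an independent examiner repeats is the same.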
  • 12. Proactive eForensics
  • 13. Proactive eForensics: Example Proactive Cases
    ■ Employee Termination
    ■ Voluntary Departure
    ■ IT Security Incident
    ■ Unfair Dismissal
    ■ IP Theft – Claim for Damages
    ■ Prosecution of perpetrator
    News clippings shown: Bloomberg, 28 November 2012; Sydney Morning Herald, 5 September 2013; Symantec, 6 February 2013
  • 14. Forensic Readiness
  • 15. Forensic Readiness: What is it?
    What does it mean to be “Forensically Ready”?
    ■ Maximise usefulness of evidence
    ■ Minimise cost of collection and storage
  • 16. Forensic Readiness: How do we achieve it?
    Forensics in IT Systems and Processes Design
    ■ eDiscovery
    – Tools with built in preservation / search
    – Document management and security
    ■ Intelligence investigations / root cause identification
    – Centralised logging
    ■ Who pushed the button?
    – Identify individuals / No shared accounts
    – Other evidence?
    Forensic Data Collection
    ■ Collect Early:
    – Collect now, analyse later (automate if possible)
    ■ Collect Everything (within reason)
    – How much is a new hard drive?
    ■ Collect Forensically
    – Do it right the first time!
  • 17. Forensic Readiness: Incident Response Plans
    ■ Does your organisation have an Incident Response Plan?
    ■ When was it last reviewed?
    ■ Do you have a proactive cyber incident arrangement in place with one or more specialist forensic organisations?
    ■ Australian companies worst for number of compromised records on average (34,249), and 2nd most likely to experience malicious or criminal attack
    ■ Average cost to organisation AU$4,231,888
    ■ Controls found to reduce cost of incident:
    – IR Plan, Strong security posture, responsible CIO, engaging specialists to investigate and remediate incidents
    Information Security Manual (August 2013)
  • 18. eForensics in Security Investigations
  • 19. eForensics in Security Investigations: When to involve Forensics?
    At what point during the Incident Response process will you discover a criminal element, with the potential to identify the offender?
    Process stages shown: Collection / Examination / Forensic Analysis / Reporting / Intelligence Only
    “Every investigation should be approached on the basis that the prosecution will be put to the test and required to formally prove its case with expert evidence. Persons with appropriate levels of expertise need to be involved in the investigation from the earliest possible date”
    http://www.v3.co.uk/v3-uk/news/2000581/vital-crime-evidence-destroyed
  • 20. eForensics in Security Investigations
    Plan
    • Have an up-to-date IR plan
    • Include forensic collection and preservation processes
    Design
    • Design IT systems with forensics in mind
    Train
    • Ensure security and IT have basic forensic/IR training
    Involve Specialists
    • Know when to seek specialist forensic assistance
    • Have standing agreements with forensic specialists as required