2. DFRWS '07 August 13-15, 2007
Overview
- Motivation
- Forensics Policy
- Forensics System Properties
- Forensic Readiness
- Forensics Policy Example
- Conclusion and Future Directions
3. Motivation
- Digital forensics has become a critical component of both civil and criminal cases
- Slowly being recognized as important by non-technical groups
  - Judges and lawyers
  - Law enforcement
  - Business entities
4. Motivation
- There has been some progress in defining recognized good practices in forensics application
  - Most are aimed at collection of evidence from typical systems
- There is still a lack of widely accepted theoretical models or principles
  - This creates problems in specifying or designing systems capable of capturing digital forensics evidence
5. Motivation
- Without standard methods for specifying system forensics capabilities:
  - Measuring or comparing systems is not possible
  - Implementing forensics-capable systems is hit and miss, with a low probability of success
6. Motivation
- Our solution
  - Forensics policy approach
  - Assists with forensics system specification and, most importantly, verification
- Why this approach?
  - A clear statement of forensics policy allows the design of a system to meet the policy
  - Formalizing the policy allows formal verification of system capabilities
  - Borrows from the large body of security policy literature
7. Forensics Policy vs. Security Policy
- Security policy
  - Statement that clearly specifies what is allowed and what is disallowed with regard to security
  - Partitions system states into secure and unauthorized
  - Mechanisms are implemented to enforce the system security policy
8. Forensics Policy vs. Security Policy
- Forensics policy
  - Statement
    - Clearly states which assets are forensically important
    - Specifies the data needed for an investigation into a breach of those assets
9. Forensics Policy vs. Security Policy
- Forensics policy
  - Partitions the space of all possible breaches or criminal activity into sets of events that are forensically noteworthy and those that are not
  - Allows for mechanisms or design decisions to enforce the policy
10. Forensics Policy vs. Security Policy
- Another way to view the differences ...
  - Violate security policy -> insecure system
    - Consequences of break-in or insider misuse
  - Violate forensics policy -> lack of evidence
    - Can't show or prove guilt
11. Security Policies
- Security policies
  - Policies viewed as high-level goals for the system
  - Dictate system behavior to meet the goals
- Example: military security policy
  - Unclassified, classified, secret, top secret
12. Security Policies
- Example: military security policy
  - Goal:
    - System should prevent unauthorized disclosure of information
  - Policy states:
    - All classified information must be protected from unauthorized disclosure or declassification
    - Classified, secret, top secret
13. Security Policies
- Example: military security policy, continued
  - Enforcement mechanisms:
    - Mandatory labeling of documents for classification level
    - Assignment of user access categories based on a person's clearance
    - Physical separation of data at the highest classifications
[Figure: classification levels, Top Secret above Classified]
14. Forensics Policies
- Forensics policies define different goals
  - Deal with assets, data and possible storage issues
  - Capture digital evidence so that the forensic integrity of the data is preserved
  - Capture enough data to ensure prosecution is possible
15. Forensics Policies
- Forensics policies define different goals
  - Deal with assets, data and possible storage issues
  - Specify events that must be handled and data that must be preserved
  - Events not included in the policy will not need associated data
16. Forensics Policy Example
- Example: network intrusion policy for an Internet-based commercial system
  - Goal:
    - Capture data from network intrusions for possible prosecution
  - Policy states:
    - All events identified as intrusions will have their associated data captured and preserved
17. Forensics Policy Example
- Example: network intrusion policy for a commercial system, continued
  - Enforcement mechanisms:
    - Routine preservation of IDS, firewall, router and Web server logs for some configurable length of time
19. Policies Enable Properties
- Security policies specify system behavior and contribute to security properties
  - Confidentiality, integrity and availability
  - Widely recognized security properties
- Similarly ...
  - Forensics policies specify forensics system behavior and contribute to forensics properties
  - What are the commonly recognized forensics properties?
20. Forensics Systems Properties
- There doesn't appear to be any widely acknowledged forensics system property, except one ...
  - Forensic readiness
- Yet the concept is not well defined in the forensics literature, and many would argue it's not a property at all!!!
21. Forensic Readiness Definitions
- Tan, 2001
  - Maximize the environment's ability to collect credible digital evidence
  - Minimize the cost of forensics in incident response
- Rowlinson, 2004
  - Expanded the definition for enterprise systems and defined 10 steps for forensic readiness
- Endicott-Popovsky
  - Defined forensic readiness in terms of hardware devices and their capacity for dropping packets
22. Forensic Policy Example
- For purposes of discussion,
  - Forensic readiness is a property
  - Enabled through a forensics policy
  - Enforced through system design mechanisms
23. Forensic Policy Example
- Define a forensics policy to ensure the property of forensic readiness
- Steps:
  1. Identify digital assets of value
  2. Perform a risk assessment for potential loss and threats to assets
  3. Identify the associated data needed, plus storage and collection needs
24. Forensics Policy Example
- Define a forensics policy to ensure the property of forensic readiness
- Steps, continued:
  4. Write the forensic policy in terms of assets, forensic events, data collection and storage
  5. Ensure there are forensic policy enforcement mechanisms
25. Forensics Policy Example
- Using the above approach,
  - Hypothetical forensics policy for a corporation
    - High-value Oracle database
    - Lower-value Apache web server
    - Various routers, several firewalls
    - Snort IDS
26. Forensic Policy Example
1. All access to the Oracle DB must be monitored.
2. Access logs and administration logs for the Oracle DB will be preserved for no less than one year.
3. Access and activity to the Web server is monitored.
4. Apache Web server logs will be preserved for one year.
5. Firewall and Snort logs will be preserved for one year.
6. Router logs will be preserved for 6 months.
7. The network will be tested every 6 months for congestion by overloading it until it begins to drop traffic.
8. Network capacity will be increased before traffic hits the level where packets will be dropped.
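Steps 4 and 5 of the procedure (write the policy in terms of assets, events, data and storage; ensure enforcement mechanisms) and the eight-rule policy on this slide, as an added example that is not from the paper or the talk: the retention rules are encoded as data so that a system's actual log configuration can be checked against them, and the packet-drop rules 7 and 8 become a capacity check. The asset and log-source names, the 20% headroom and the sample configuration are assumptions.

```python
from dataclasses import dataclass

# Assumed representation of the slide policy: each rule ties a forensically
# important asset to the log data needed to investigate a breach of it.
@dataclass(frozen=True)
class RetentionRule:
    asset: str
    log_source: str
    min_retention_days: int

POLICY = [
    RetentionRule("oracle_db", "oracle_access_log", 365),
    RetentionRule("oracle_db", "oracle_admin_log", 365),
    RetentionRule("apache_web", "apache_access_log", 365),
    RetentionRule("perimeter", "firewall_log", 365),
    RetentionRule("perimeter", "snort_log", 365),
    RetentionRule("perimeter", "router_log", 180),
]

def check_retention(policy, configured):
    """Step 5 check: compare what systems actually keep (log_source -> days)
    against the policy. A log not collected at all is also a violation."""
    violations = []
    for rule in policy:
        days = configured.get(rule.log_source)
        if days is None:
            violations.append(f"{rule.log_source}: not collected (asset {rule.asset})")
        elif days < rule.min_retention_days:
            violations.append(f"{rule.log_source}: {days}d < {rule.min_retention_days}d "
                              f"required (asset {rule.asset})")
    return violations

def needs_capacity_increase(peak_mbps, drop_threshold_mbps, headroom=0.20):
    """Rules 7 and 8: drop_threshold_mbps is the load at which the last
    6-monthly overload test saw packets dropped; flag when observed peak
    traffic is within the (assumed) 20% headroom of that level."""
    return peak_mbps >= (1.0 - headroom) * drop_threshold_mbps

# Constructed sample configuration: snort_log is not preserved at all and
# Oracle admin logs are kept for only 90 days.
SAMPLE_CONFIG = {
    "oracle_access_log": 365, "oracle_admin_log": 90,
    "apache_access_log": 365, "firewall_log": 365, "router_log": 180,
}

if __name__ == "__main__":
    for v in check_retention(POLICY, SAMPLE_CONFIG):
        print("VIOLATION:", v)
```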
27. Conclusion
- Forensics policies can help by clearly stating which events and associated data are important
  - Leading to systems capable of capturing and preserving only the data needed, as opposed to all potential data
- Mechanisms can then be identified for policy enforcement
- The result will likely be systems more capable of supporting digital investigations without unnecessary cost
28. Future
- The ideas in this paper were preliminary
- Write and implement forensic policies for actual systems; see them as complementary to existing security policies
- Define forensics properties for systems
  - Capturability, system integrity (valid logs, accurate time stamps, authenticated users)
  - Availability, data integrity
29. Future
- Formal definition of policies
  - Reason about forensics capabilities
  - Discover inconsistencies and incomplete specification of forensic capabilities prior to system design