Specifying Digital Forensics:
A Forensics Policy Approach
Carol Taylor, Barbara Endicott-Popovsky
and Deborah Frincke
DFRWS '07, August 13-15, 2007
Overview
- Motivation
- Forensics Policy
- Forensics System Properties
- Forensic Readiness
- Forensics Policy Example
- Conclusion and Future Directions
Motivation
- Digital forensics has become a critical component of both civil and criminal cases
- Slowly being recognized as important by non-technical groups
  - Judges and lawyers
  - Law enforcement
  - Business entities
Motivation
- There has been some progress in defining recognized good practices in forensics application
  - Most are aimed at collection of evidence from typical systems
- There is still a lack of widely accepted theoretical models or principles
  - This creates problems in specifying or designing systems capable of capturing digital forensic evidence
Motivation
- Without standard methods for specifying system forensics capabilities:
  - Measuring or comparing systems is not possible
  - Implementing forensics-capable systems is hit and miss, with a low probability of success
Motivation
- Our solution
  - A forensics policy approach
  - Assists with forensics system specification and, most importantly, verification
- Why this approach?
  - A clear statement of forensics policy allows a system to be designed to meet the policy
  - Formalizing the policy allows formal verification of system capabilities
  - Borrows from the large body of security policy literature
Forensics Policy vs. Security Policy
- Security policy
  - A statement that clearly specifies what is allowed and what is disallowed with regard to security
  - Partitions system states into secure and unauthorized
  - Mechanisms are implemented to enforce the system security policy
Forensics Policy vs. Security Policy
- Forensics policy
  - Statement
    - Clearly states which assets are forensically important
    - Specifies the data needed for investigation into a breach of those assets
Forensics Policy vs. Security Policy
- Forensics policy
  - Partitions the space of all possible breaches or criminal activity into sets of events that are forensically noteworthy and those that are not
  - Allows for mechanisms or design decisions to enforce the policy
Forensics Policy vs. Security Policy
- Another way to view the differences ...
  - Violate security policy → insecure system
    - Consequences of break-in or insider misuse
  - Violate forensics policy → lack of evidence
    - Can't show or prove guilt
Security Policies
- Security policies
  - Policies are viewed as high-level goals for the system
  - They dictate system behavior to meet the goals
- Example: military security policy
  - Unclassified, classified, secret, top secret
Security Policies
- Example: military security policy
  - Goal:
    - The system should prevent unauthorized disclosure of information
  - Policy states:
    - All classified information must be protected from unauthorized disclosure or declassification
    - Classified, secret, top secret
Security Policies
- Example: military security policy, continued
  - Enforcement mechanisms:
    - Mandatory labeling of documents for classification level
    - Assignment of user access categories based on the person's clearance
    - Physical separation of data at the highest classifications
[Figure: Top Secret and Classified data shown as physically separated]
Forensics Policies
- Forensics policies define different goals
  - They deal with assets, data and possible storage issues
  - Capture digital evidence so that the forensic integrity of the data is preserved
  - Capture enough data to ensure prosecution is possible
Forensics Policies
- Forensics policies define different goals
  - They deal with assets, data and possible storage issues
  - Specify the events that must be handled and the data that must be preserved
  - Events not included in the policy will not need associated data
Forensics Policy Example
- Example: network intrusion policy, commercial Internet-based system
  - Goal:
    - Capture data from network intrusions for possible prosecution
  - Policy states:
    - All events identified as intrusions will have their associated data captured and preserved
Forensics Policy Example
- Example: network intrusion policy, commercial system, continued
  - Enforcement mechanisms:
    - Routine preservation of IDS, firewall, router and Web server logs for some configurable length of time
Forensics Properties
Policies Enable Properties
- Security policies specify system behavior and contribute to security properties
  - Confidentiality, integrity and availability
  - Widely recognized security properties
- Similarly ...
  - Forensics policies specify forensics system behavior and contribute to forensics properties
  - What are the commonly recognized forensics properties?
Forensics Systems Properties
- There don't appear to be any widely acknowledged forensics system properties, except one ...
  - Forensic readiness
- Yet the concept is not well defined in the forensics literature, and many would argue it's not a property at all!
Forensic Readiness Definitions
- Tan (2001)
  - Maximize the environment's ability to collect credible digital evidence
  - Minimize the cost of forensics in incident response
- Rowlinson (2004)
  - Expanded the definition for enterprise systems and defined 10 steps for forensic readiness
- Endicott-Popovsky
  - Defined forensic readiness in terms of hardware devices and their capacity for dropping packets
Forensic Policy Example
- For purposes of discussion:
  - Forensic readiness is a property
  - Enabled through a forensics policy
  - Enforced through system design mechanisms
Forensic Policy Example
- Define a forensics policy to ensure the property of forensic readiness
- Steps:
  1. Identify digital assets of value
  2. Perform a risk assessment for potential loss and threats to assets
  3. Identify the associated data needed, plus storage and collection needs
Forensics Policy Example
- Define a forensics policy to ensure the property of forensic readiness
- Steps, continued:
  4. Write the forensic policy in terms of assets, forensic events, data collection and storage
  5. Ensure there are forensic policy enforcement mechanisms
Forensics Policy Example
- Using the above approach:
  - Hypothetical forensics policy for a corporation with
    - A high-value Oracle database
    - A lower-value Apache web server
    - Various routers, several firewalls
    - Snort IDS
Forensic Policy Example
1. All access to the Oracle DB must be monitored.
2. Access logs and administration logs for the Oracle DB will be preserved for no less than one year.
3. Access and activity on the Web server is monitored.
4. Apache Web server logs will be preserved for one year.
5. Firewall and Snort logs will be preserved for one year.
6. Router logs will be preserved for 6 months.
7. The network will be tested every 6 months for congestion by overloading it until it begins to drop traffic.
8. Network capacity will be increased before traffic hits the level where packets will be dropped.
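The hypothetical policy above, written as structured rules (step 4 of the procedure) and checked against a constructed inventory of log sources (step 5), as an added example that is not code from the slides or the authors; it also shows the kind of incomplete-specification check the Future slide asks for, by reporting rules no source enforces and collected data no rule requires. Assumed: "6 months" is taken as 180 days, the log source names and the inventory are constructed, and rule 8 is checked with an assumed 20% headroom margin below the packet-drop level measured under rule 7.

```python
"""Forensics policy as data, with a checker for its enforcement mechanisms.

Added example, not code from the DFRWS '07 slides. It encodes the
hypothetical corporate policy (rules 1-8 on the slide) as structured rules
and checks a constructed inventory of log sources against them, so that
unenforced rules, insufficient retention, disabled monitoring and
out-of-scope collection are found before the system is built.
Assumptions: "6 months" is taken as 180 days, and rule 8 is checked with a
20% headroom margin below the packet-drop level measured under rule 7.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PolicyRule:
    rule_id: int            # item number on the slide
    asset: str              # forensically important asset
    event_class: str        # forensic event whose data must be preserved
    min_retention_days: int
    require_monitoring: bool = True


@dataclass(frozen=True)
class LogSource:
    name: str
    asset: str
    event_classes: Tuple[str, ...]
    retention_days: int
    monitoring_enabled: bool


@dataclass(frozen=True)
class Finding:
    rule_id: int            # 0 for findings not tied to a policy rule
    kind: str               # "unenforced" | "retention" | "monitoring" | "out_of_scope"
    detail: str


# Slide rules 1-6 expressed as (asset, event class, minimum retention in days).
POLICY: Tuple[PolicyRule, ...] = (
    PolicyRule(1, "oracle_db", "db_access", 365),
    PolicyRule(2, "oracle_db", "db_admin", 365),
    PolicyRule(3, "apache_web", "web_access", 365),
    PolicyRule(5, "firewall", "fw_events", 365),
    PolicyRule(5, "snort_ids", "ids_alerts", 365),
    PolicyRule(6, "router", "router_events", 180),   # 6 months, assumed 180 days
)

# Constructed inventory of what the hypothetical site actually collects.
INVENTORY: Tuple[LogSource, ...] = (
    LogSource("oracle_audit", "oracle_db", ("db_access",), 365, True),
    LogSource("oracle_admin", "oracle_db", ("db_admin",), 90, True),
    LogSource("apache_access", "apache_web", ("web_access",), 365, False),
    LogSource("fw_syslog", "firewall", ("fw_events",), 400, True),
    LogSource("router_syslog", "router", ("router_events",), 30, True),
    LogSource("dhcp_leases", "dhcp", ("dhcp_events",), 365, True),
)


def check_policy(policy, inventory) -> List[Finding]:
    """Map every rule to the sources that enforce it and report the gaps."""
    findings: List[Finding] = []
    covered = set()
    for rule in policy:
        sources = [s for s in inventory
                   if s.asset == rule.asset and rule.event_class in s.event_classes]
        if not sources:
            findings.append(Finding(rule.rule_id, "unenforced",
                            f"no log source captures {rule.event_class} for {rule.asset}"))
            continue
        for s in sources:
            covered.add(s.name)
            if rule.require_monitoring and not s.monitoring_enabled:
                findings.append(Finding(rule.rule_id, "monitoring",
                                f"{s.name}: monitoring disabled"))
            if s.retention_days < rule.min_retention_days:
                findings.append(Finding(rule.rule_id, "retention",
                                f"{s.name}: {s.retention_days}d < {rule.min_retention_days}d"))
    # Data with no forensic event behind it: the policy does not require it.
    for s in inventory:
        if s.name not in covered:
            findings.append(Finding(0, "out_of_scope",
                            f"{s.name}: not required by any policy rule"))
    return findings


def capacity_headroom_ok(peak_observed_bps: float, drop_onset_bps: float,
                         margin: float = 0.2) -> bool:
    """Rule 8: capacity must grow before peak traffic reaches the level at
    which the load test of rule 7 showed packets being dropped. The 20%
    margin is an assumption, not a figure from the slides."""
    return peak_observed_bps <= drop_onset_bps * (1.0 - margin)


if __name__ == "__main__":
    for f in check_policy(POLICY, INVENTORY):
        print(f"rule {f.rule_id or '-'}: {f.kind}: {f.detail}")
    print("headroom ok:", capacity_headroom_ok(700e6, 1e9))
```

Run against the constructed inventory it reports the two retention shortfalls, the unmonitored web server, the Snort rule with no source behind it, and the DHCP log the policy never asked for.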
Conclusion
- Forensics policies can help by clearly stating which events and associated data are important
  - Leading to systems capable of capturing and preserving only the data needed, as opposed to all potential data
- Mechanisms can then be identified for policy enforcement
- The result will likely be systems more capable of supporting digital investigations without unnecessary cost
Future
- The ideas in this paper are preliminary
- Write and implement forensic policies for actual systems; see them as complementary to existing security policies
- Define forensics properties for systems
  - Capturability, system integrity (valid logs, accurate time stamps, authenticated users)
  - Availability, data integrity
Future
- Formal definition of policies
  - Reason about forensics capabilities
  - Discover inconsistencies and incomplete specification of forensic capabilities prior to system design
Thank you
Questions

More Related Content

What's hot

Tutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesTutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesVinayagam D
 
3 definition of operating systems
3 definition of operating systems3 definition of operating systems
3 definition of operating systemsmyrajendra
 
Understanding remote access technologies (Nov 16, 2011) (beginner)
Understanding remote access technologies (Nov 16, 2011) (beginner)Understanding remote access technologies (Nov 16, 2011) (beginner)
Understanding remote access technologies (Nov 16, 2011) (beginner)Henry Van Styn
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1anilinvns
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architectureamar koppal
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsNicholas Davis
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensicspranjal dutta
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic PresentationMD. SHORIFUL ISLAM
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Halstead's software science - ananalytical technique
Halstead's software science - ananalytical techniqueHalstead's software science - ananalytical technique
Halstead's software science - ananalytical techniqueVishnupriya T H
 

What's hot (17)

Tutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesTutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slides
 
3 definition of operating systems
3 definition of operating systems3 definition of operating systems
3 definition of operating systems
 
Understanding remote access technologies (Nov 16, 2011) (beginner)
Understanding remote access technologies (Nov 16, 2011) (beginner)Understanding remote access technologies (Nov 16, 2011) (beginner)
Understanding remote access technologies (Nov 16, 2011) (beginner)
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architecture
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wireshark
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Halstead's software science - ananalytical technique
Halstead's software science - ananalytical techniqueHalstead's software science - ananalytical technique
Halstead's software science - ananalytical technique
 
FILE SERVER
FILE SERVERFILE SERVER
FILE SERVER
 

Similar to Digital forensic an forensic policy approach

ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentBill Lisse
 
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and CybersecurityPredict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and CybersecurityMark Scanlon
 
Staying Out of the Crosshairs
Staying Out of the CrosshairsStaying Out of the Crosshairs
Staying Out of the CrosshairsJoAnna Cheshire
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.pptImXaib
 
10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdf10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdfSparity1
 
Data Privacy Assessment Checklist
Data Privacy Assessment ChecklistData Privacy Assessment Checklist
Data Privacy Assessment Checklistpriyanshamadhwal2
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityPriyanka Aash
 
GDPR How to get started?
GDPR  How to get started?GDPR  How to get started?
GDPR How to get started?Peter Witsenburg
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
 
Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...Infosec train
 
Data_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoData_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoEd Ahl
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help Niklas Hjorthen
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
The CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionThe CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionDigital Guardian
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKnowledge Management Associates, LLC
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersLivin Jose
 

Similar to Digital forensic an forensic policy approach (20)

ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy Development
 
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and CybersecurityPredict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
 
Staying Out of the Crosshairs
Staying Out of the CrosshairsStaying Out of the Crosshairs
Staying Out of the Crosshairs
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
 
10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdf10 Key Data Privacy Checklists for B2B 1.pdf
10 Key Data Privacy Checklists for B2B 1.pdf
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
 
Data Privacy Assessment Checklist
Data Privacy Assessment ChecklistData Privacy Assessment Checklist
Data Privacy Assessment Checklist
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
 
GDPR How to get started?
GDPR  How to get started?GDPR  How to get started?
GDPR How to get started?
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...
 
Data_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoData_Protection_WP - Jon Toigo
Data_Protection_WP - Jon Toigo
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
The CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionThe CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss Prevention
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Compliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centersCompliance policies and procedures followed in data centers
Compliance policies and procedures followed in data centers
 

More from Shabnamkhan113

Proof marks of weapons (Forensic Ballistic)
 Proof marks of weapons (Forensic Ballistic)  Proof marks of weapons (Forensic Ballistic)
Proof marks of weapons (Forensic Ballistic) Shabnamkhan113
 
Forensic significance of DNA Profiling (Forensic biology)
 Forensic significance of DNA Profiling (Forensic biology)  Forensic significance of DNA Profiling (Forensic biology)
Forensic significance of DNA Profiling (Forensic biology) Shabnamkhan113
 
Cultural writing systems and their languages (questioned document)
Cultural writing systems and their languages (questioned document) Cultural writing systems and their languages (questioned document)
Cultural writing systems and their languages (questioned document) Shabnamkhan113
 
Forensic diatomology
Forensic diatomologyForensic diatomology
Forensic diatomologyShabnamkhan113
 
computer security and its relationship to computer forensic
 computer security and its relationship to computer forensic computer security and its relationship to computer forensic
computer security and its relationship to computer forensicShabnamkhan113
 
Hardy – weinberg law
 Hardy – weinberg law Hardy – weinberg law
Hardy – weinberg lawShabnamkhan113
 
Forensic characterization of blood
Forensic characterization of bloodForensic characterization of blood
Forensic characterization of bloodShabnamkhan113
 
Intoduction and brief analysis of arson
Intoduction and brief analysis of arsonIntoduction and brief analysis of arson
Intoduction and brief analysis of arsonShabnamkhan113
 
Infrared spectroscopy
Infrared spectroscopyInfrared spectroscopy
Infrared spectroscopyShabnamkhan113
 

More from Shabnamkhan113 (9)

Proof marks of weapons (Forensic Ballistic)
 Proof marks of weapons (Forensic Ballistic)  Proof marks of weapons (Forensic Ballistic)
Proof marks of weapons (Forensic Ballistic)
 
Forensic significance of DNA Profiling (Forensic biology)
 Forensic significance of DNA Profiling (Forensic biology)  Forensic significance of DNA Profiling (Forensic biology)
Forensic significance of DNA Profiling (Forensic biology)
 
Cultural writing systems and their languages (questioned document)
Cultural writing systems and their languages (questioned document) Cultural writing systems and their languages (questioned document)
Cultural writing systems and their languages (questioned document)
 
Forensic diatomology
Forensic diatomologyForensic diatomology
Forensic diatomology
 
computer security and its relationship to computer forensic
 computer security and its relationship to computer forensic computer security and its relationship to computer forensic
computer security and its relationship to computer forensic
 
Hardy – weinberg law
 Hardy – weinberg law Hardy – weinberg law
Hardy – weinberg law
 
Forensic characterization of blood
Forensic characterization of bloodForensic characterization of blood
Forensic characterization of blood
 
Intoduction and brief analysis of arson
Intoduction and brief analysis of arsonIntoduction and brief analysis of arson
Intoduction and brief analysis of arson
 
Infrared spectroscopy
Infrared spectroscopyInfrared spectroscopy
Infrared spectroscopy
 

Recently uploaded

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...Nguyen Thanh Tu Collection
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 

Recently uploaded (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...
Táģ”NG ÔN TáēŦP THI VÀO LáģšP 10 MÔN TIáēžNG ANH NĂM HáģŒC 2023 - 2024 CÓ ĐÁP ÁN (NGáģŽ Â...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
Digital forensics: a forensics policy approach

  • 1. Specifying Digital Forensics: A Forensics Policy Approach
    Carol Taylor, Barbara Endicott-Popovsky and Deborah Frincke
  • 2. Overview (DFRWS '07, August 13-15, 2007)
    - Motivation
    - Forensics Policy
    - Forensics System Properties
    - Forensic Readiness
    - Forensics Policy Example
    - Conclusion and Future Directions
  • 3. Motivation
    - Digital forensics has become a critical component of both civil and criminal cases
    - Slowly being recognized as important by non-technical groups
      - Judges and lawyers
      - Law enforcement
      - Business entities
  • 4. Motivation
    - There has been some progress in defining recognized good practices in forensics application
    - Most are aimed at collection of evidence from typical systems
    - There is still a lack of widely accepted theoretical models or principles
    - This creates problems in specifying or designing systems capable of capturing digital forensics evidence
  • 5. Motivation
    - Without standard methods for specifying system forensics capabilities
      - Measuring or comparing systems is not possible
      - Implementing forensics-capable systems is hit and miss, with a low probability of success
  • 6. Motivation
    - Our solution
      - Forensics policy approach
      - Assists with forensics system specification and, most importantly, verification
    - Why this approach?
      - A clear statement of forensics policy allows design of a system to meet the policy
      - Formalizing the policy allows formal verification of system capabilities
      - Borrows from the large body of security policy literature
  • 7. Forensics Policy vs. Security Policy
    - Security policy
      - Statement that clearly specifies what is allowed and what is disallowed with regard to security
      - Partitions system states into secure and unauthorized
      - Implement mechanisms to enforce the system security policy
  • 8. Forensics Policy vs. Security Policy
    - Forensics policy
      - Statement
        - Clearly states which assets are forensically important
        - Specifies the data needed for an investigation into a breach of those assets
  • 9. Forensics Policy vs. Security Policy
    - Forensics policy
      - Partitions the space of all possible breaches or criminal activity into sets of events that are forensically noteworthy and those that are not
      - Allows for mechanisms or design decisions to enforce the policy
  • 10. Forensics Policy vs. Security Policy
    - Another way to view the differences …
      - Violate security policy → insecure system
        - Consequences of break-in or insider misuse
      - Violate forensics policy → lack of evidence
        - Can't show or prove guilt
  • 11. Security Policies
    - Security policies
      - Policies viewed as high-level goals for the system
      - Dictate system behavior to meet the goals
    - Example: Military security policy
      - Unclassified, classified, secret, top secret
  • 12. Security Policies
    - Example: Military security policy
      - Goal:
        - System should prevent unauthorized disclosure of information
      - Policy states:
        - All classified information must be protected from unauthorized disclosure or declassification
        - Classified, secret, top secret
  • 13. Security Policies
    - Example: Military security policy, continued
      - Enforcement mechanisms:
        - Mandatory labeling of documents for classification level
        - Assignment of user access categories based on the person's clearance
        - Physical separation of data at the highest classifications (figure labels: Top Secret, Classified)
  • 14. Forensics Policies
    - Forensics policies define different goals
      - Deal with assets, data and possible storage issues
      - Capture digital evidence so that the forensic integrity of the data is preserved
      - Capture enough data to ensure prosecution is possible
  • 15. Forensics Policies
    - Forensics policies define different goals
      - Deal with assets, data and possible storage issues
      - Specify events that must be handled and data that must be preserved
      - Events not included in the policy will not need associated data
  • 16. Forensics Policy Example
    - Example: Network intrusion policy for a commercial, Internet-based system
      - Goal:
        - Capture data from network intrusions for possible prosecution
      - Policy states:
        - All events identified as intrusions will have their associated data captured and preserved
  • 17. Forensics Policy Example
    - Example: Network intrusion policy for a commercial system, continued
      - Enforcement mechanisms:
        - Routine preservation of IDS, firewall, router and Web server logs for some configurable length of time
  • 18. Forensics Properties
  • 19. Policies Enable Properties
    - Security policies specify system behavior and contribute to security properties
      - Confidentiality, integrity and availability
      - Widely recognized security properties
    - Similarly …
      - Forensics policies specify forensics system behavior and contribute to forensics properties
      - What are the commonly recognized forensics properties?
  • 20. Forensics System Properties
    - There do not appear to be any widely acknowledged forensics system properties, except one …
      - Forensic readiness
    - Yet the concept is not well defined in the forensics literature, and many would argue it's not a property at all!
  • 21. Forensic Readiness Definitions
    - Tan (2001)
      - Maximize the environment's ability to collect credible digital evidence
      - Minimize the cost of forensics in incident response
    - Rowlinson (2004)
      - Expanded the definition for enterprise systems and defined 10 steps for forensic readiness
    - Endicott-Popovsky
      - Defined forensic readiness in terms of hardware devices and their capacity for dropping packets
  • 22. Forensic Policy Example
    - For purposes of discussion, forensic readiness is a property
      - Enabled through a forensics policy
      - Enforced through system design mechanisms
  • 23. Forensic Policy Example
    - Define a forensics policy to ensure the property of forensic readiness
    - Steps:
      1. Identify digital assets of value
      2. Perform a risk assessment for potential loss and threats to assets
      3. Identify the associated data needed, plus storage and collection needs
  • 24. Forensics Policy Example
    - Define a forensics policy to ensure the property of forensic readiness
    - Steps, continued:
      4. Write the forensic policy in terms of assets, forensic events, data collection and storage
      5. Ensure there are forensic policy enforcement mechanisms
  • 25. Forensics Policy Example
    - Using the above approach, a hypothetical forensics policy for a corporation with:
      - A high-value Oracle database
      - A lower-value Apache web server
      - Various routers, several firewalls
      - A Snort IDS
  • 26. Forensic Policy Example
    1. All access to the Oracle DB must be monitored.
    2. Access logs and administration logs for the Oracle DB will be preserved for no less than one year.
    3. Access and activity on the Web server are monitored.
    4. Apache Web server logs will be preserved for one year.
    5. Firewall and Snort logs will be preserved for one year.
    6. Router logs will be preserved for 6 months.
    7. The network will be tested every 6 months for congestion by overloading it until it begins to drop traffic.
    8. Network capacity will be increased before traffic reaches the level at which packets will be dropped.
  • 27. Conclusion
    - Forensics policies can help by clearly stating which events and associated data are important
      - Leading to systems capable of capturing and preserving only the data needed, as opposed to all potential data
    - Mechanisms can then be identified for policy enforcement
    - The result will likely be systems more capable of supporting digital investigations without unnecessary cost
  • 28. Future
    - The ideas in this paper were preliminary
    - Write and implement forensic policies for actual systems; see them as complementary to existing security policies
    - Define forensics properties for systems
      - Capturability, system integrity (valid logs, accurate time stamps, authenticated users)
      - Availability, data integrity
  • 29. Future
    - Formal definition of policies
      - Reason about forensics capabilities
      - Discover inconsistencies and incomplete specification of forensic capabilities prior to system design
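Slides 23 to 26 describe writing the policy in terms of assets, events, data and retention and then ensuring enforcement mechanisms exist, and slide 29 wants inconsistencies and incomplete specifications found before design. As an added example that is not part of the authors' paper or slides, the following Python writes slide 26's hypothetical policy down as data and checks a constructed system configuration against it; the log source names, the configuration values and the `mail_server` asset are assumptions.

```python
"""Forensics policy as checkable data (added example; modelled on slides 23-26 and 29)."""
from dataclasses import dataclass

@dataclass
class PolicyRule:
    """One policy statement: an asset, the log data an investigation into it needs,
    and how long that data must be kept (slide 24, step 4)."""
    asset: str
    log_source: str
    min_retention_days: int

# Slide 26's hypothetical corporate policy written as data; the log source names are assumed.
FORENSICS_POLICY = [
    PolicyRule("oracle_db", "oracle_access_log", 365),   # rules 1-2
    PolicyRule("oracle_db", "oracle_admin_log", 365),
    PolicyRule("apache_web", "apache_access_log", 365),  # rules 3-4
    PolicyRule("perimeter", "firewall_log", 365),        # rule 5
    PolicyRule("perimeter", "snort_log", 365),
    PolicyRule("routers", "router_log", 180),            # rule 6
]

# Constructed snapshot of what a deployed system actually does (hypothetical values).
SYSTEM_CONFIG = {
    "oracle_access_log": {"retention_days": 365, "enabled": True},
    "oracle_admin_log": {"retention_days": 90, "enabled": True},   # too short for rule 2
    "apache_access_log": {"retention_days": 365, "enabled": True},
    "firewall_log": {"retention_days": 400, "enabled": True},
    "router_log": {"retention_days": 180, "enabled": False},       # collection switched off
    # snort_log is absent: there is no enforcement mechanism for that part of rule 5
}

def check_policy(policy, config):
    """Step 5: a rule is enforced only if its log source exists, is enabled and is
    retained at least as long as the policy demands. Returns (asset, source, reason)."""
    violations = []
    for rule in policy:
        src = config.get(rule.log_source)
        if src is None:
            violations.append((rule.asset, rule.log_source, "no enforcement mechanism"))
        elif not src["enabled"]:
            violations.append((rule.asset, rule.log_source, "collection disabled"))
        elif src["retention_days"] < rule.min_retention_days:
            violations.append((rule.asset, rule.log_source,
                               f"retained {src['retention_days']}d < {rule.min_retention_days}d"))
    return violations

def uncovered_assets(assets, policy):
    """Slide 29: assets of value (step 1) that no policy statement mentions, i.e. an
    incomplete specification that would leave an investigation without data."""
    covered = {rule.asset for rule in policy}
    return sorted(asset for asset in assets if asset not in covered)
```

Running `check_policy(FORENSICS_POLICY, SYSTEM_CONFIG)` reports the short Oracle admin-log retention, the missing Snort logs and the disabled router logging; `uncovered_assets` flags any asset from step 1 that the policy never covers.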
  • 30. Thank you. Questions?