Digital evidence and the information security manager

Digital Evidence and the Information Security Manager
  Dr. Bradley Schatz

About me
  Dr. Bradley Schatz | Forensic computer scientist
  Director, Schatz Forensic
  Adjunct Associate Professor, Information Security Institute (QUT)
  Ph.D. (Digital forensics), QUT, 2007
  B.Sc. (Computer science), UQ, 1995

Agenda
  Characteristics of digital evidence
  Why prepare for digital evidence?
  Forensic readiness: the good, bad & ugly
  Planning for forensic readiness
  Current and future challenges

What is digital evidence?

“Deleted” information is often retrievable
  Copy to other HDD
  Key points:
    Exact copy: inculpatory & exculpatory
    Authentication: hash
    Timing

Computers are littered with evidence of the user’s behaviour

Ex-computer consultant convicted in “Google Murder” trial
  http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=174403074

“Deleted” information is often retrievable; computer evidence is fragile
  Deleted: Outlook / Recycle Bin
  Unallocated space
  Temporary files
  Backups
  Snapshots
  Synchronization

Why prepare for producing digital evidence?

Digital evidence is required when businesses face a threat that requires substantiation
  Controls fail
  Controls work
  Risks outside the sphere of IS
  Assuring controls are effective

Common realised risks requiring digital evidence
  Information theft
    Departing employees
    Data breach
  White collar crime / workplace misconduct
    Fraud, illicit content, sexual harassment
    Cause for termination
  General litigation
    Production of information
    Transaction records

How do I increase my forensic readiness?

IS policy & procedure should seek to maximise historical visibility
  Clock skew
  Shared logins
  Evidence handling issues
  Quantity
  “Personal” devices
  Network traffic capture
  Transient events
  File access logs
  Network flow records
  Premature sanitization, inadvertent overwriting

Forensic readiness: the good

Forensic readiness working well
  Ex-worker said to steal Goldman code
  http://www.nytimes.com/2009/07/07/business/07goldman.html
  Detection: “alerted by a surge of data leaving its servers”
  Claimed actions:
    “used his desktop computer … to upload a stream of code to website hosted by server in Germany”
    “later, downloaded the files again to his home computer, laptop computer and to a memory device”

Forensic readiness: the bad

Example 1: The “it’s my data too” syndrome
  SCENARIO: Key employee departs and sets up in competition.
  THREAT: Has she taken company secrets and is using them in her new business?
  INVESTIGATION: Identify high value information and seek evidence of information flow
  * http://pcworld.about.com/od/dataprotection/Nearly-Two-Thirds-of-Ex-Employ.htm
Example 1: potential data flows
  Laptop/Desktop -> storage
  Laptop/Desktop -> network
  Laptop/Desktop -> print
  Laptop/Desktop -> mobile device
  Remote terminal -> application
  Fileserver -> VPN -> remote laptop

Example 1, scenario: copy from workstation to USB thumb drive
  POTENTIAL EVIDENCE TRACES:
    USB device insertion event
    Internet Explorer history (document open)
    File access audit logs
    MS Word recently opened documents
    Evidence Eliminator
  ROADBLOCKS:
    Evidence destruction
    Inability to identify operator
    Expectation of privacy
  LEGAL CONSIDERATIONS (privacy):
    NSW Workplace Surveillance Act
    ALRC Privacy Act Inquiry Report, VLRC Workplace Privacy Review

Example 1, scenario: workstation email
  POTENTIAL EVIDENCE TRACES:
    Sent Items box
    Mail server logs
    Archives
    Web browser cache/history
    Network flow trace
    File access audit log
  ROADBLOCKS:
    Inability to identify operator
    Expectation of privacy
    Cost of backup restoration
  LEGAL CONSIDERATIONS (privacy)

Example 1, scenario: corporate network -> personal laptop
  POTENTIAL EVIDENCE TRACES:
    Presence on the laptop
    Deleted files
    Prior examples
  ROADBLOCKS:
    Rightful access to laptop
  LEGAL CONSIDERATIONS (privacy)

Example 1, scenario: personal laptop -> Internet
  POTENTIAL EVIDENCE TRACES:
    Web browser history/cache
    File access logs
    Network trace
    Network flow logs
  ROADBLOCKS:
    Rightful interception of telecommunications
  LEGAL CONSIDERATIONS (wiretap, cyber crime):
    Telecommunications (Interception & Access) Act
    Cybercrime Act

Example 1, scenario: file server -> VPN -> personal laptop
  POTENTIAL EVIDENCE TRACES:
    File access logs
    VPN session logs
    Network trace
    Network flow logs
  LEGAL CONSIDERATIONS (wiretap)

Example 2: Email authenticity dispute
  SCENARIO: Litigation disputing an agreement. A single email is in dispute.
  THREAT: Is the email authentic?
  POTENTIAL EVIDENCE SOURCES:
    Native email from inbox
    Native email from archived backup
    Mail server logs
  Case law: Montague v Montague [2002] NSWSC 328

Forensic readiness: the ugly
Data breach
  SCENARIO: External notification of data breach
  THREAT:
    What was exposed?
    How and when did intruders gain access?
    Where are they?
  EVIDENCE SOURCES: Workstation, server, network trace, memory dump
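An added illustration, not part of the talk, of two points the slides raise together: the USB-copy scenario in Example 1 (USB insertion event plus file access audit logs as traces) and the clock skew caveat from the historical-visibility slides. The script merges constructed workstation and file server records onto one reference clock before looking for file reads that follow a device insertion; the host names, paths, timestamps and the five-minute skew are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts, paths and times): each
# source stamps events with its own clock, as real workstation and file
# server logs do.
USB_EVENTS = [  # workstation event log: removable device insertion
    ("2011-03-14 09:02:10", "WS-17", "usb-insert", "removable disk"),
]
FILE_AUDIT = [  # file server audit log; this server's clock runs 5 min fast
    ("2011-03-14 09:05:30", "WS-17", "read", r"\\fs01\finance\clients.xlsx"),
    ("2011-03-14 09:08:45", "WS-17", "read", r"\\fs01\finance\pricing.docx"),
    ("2011-03-14 09:09:30", "WS-17", "read", r"\\fs01\finance\contracts.zip"),
    ("2011-03-14 09:40:00", "WS-22", "read", r"\\fs01\hr\handbook.pdf"),
]
# Measured offset of each source's clock from the reference clock.
# Subtracting it normalises timestamps before any cross-source comparison.
SKEW = {"usb": timedelta(0), "audit": timedelta(minutes=5)}
NO_SKEW = {"usb": timedelta(0), "audit": timedelta(0)}  # what naive merging assumes

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_timeline(usb_events, file_audit, skew):
    """Normalise both sources to the reference clock and merge, oldest first."""
    timeline = [(parse(ts) - skew["usb"], "usb", host, action, detail)
                for ts, host, action, detail in usb_events]
    timeline += [(parse(ts) - skew["audit"], "audit", host, action, detail)
                 for ts, host, action, detail in file_audit]
    return sorted(timeline)

def accesses_after_insertion(timeline, window=timedelta(minutes=15)):
    """Return (host, path, seconds_after_insert) for file reads made from the
    same host within `window` after a USB insertion on that host."""
    hits = []
    for t, src, host, _action, _detail in timeline:
        if src != "usb":
            continue
        for t2, src2, host2, _a2, path in timeline:
            if src2 == "audit" and host2 == host and t <= t2 <= t + window:
                hits.append((host, path, (t2 - t).total_seconds()))
    return hits

if __name__ == "__main__":
    corrected = accesses_after_insertion(build_timeline(USB_EVENTS, FILE_AUDIT, SKEW))
    naive = accesses_after_insertion(build_timeline(USB_EVENTS, FILE_AUDIT, NO_SKEW))
    # With the 5 min skew removed, clients.xlsx was read before the insertion
    # and drops out; ignoring the skew would wrongly attribute it as well.
    print("skew-corrected:", corrected)
    print("naive:", naive)
```

The same normalise-then-merge step applies to the data breach scenario above, where workstation, server and network trace timestamps must agree before "how and when" can be answered.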
Conclusion

Forensic readiness in a nutshell
  Produce and collect evidential data
    What systems can further produce logs?
  Ensure rightful access to evidential data
    Policy, procedure, user expectation & practice
  Plan ahead for incident response
    Routine data destruction
    Usability of evidence-oriented systems
  Ensure provenance and authenticity of preserved evidential data
  Forensic training

Current and future challenges
  Behavioural logging and tracing
  Anomalous behaviour detection
  Real time enterprise visibility
  Document “DNA”
  Cloud computing

Thank you!
  Dr. Bradley Schatz
  email: bradley@schatzforensic.com.au
  mobile: 0422 949 039