Digital Forensics_Lecture.pptx
Slide 1
© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Organizational Liability and the Management of Digital Forensics
Chapter 02: Compliance: Law and Ethics
Slide 2
Management of Information Security, 6th ed. - Whitman & Mattord
Slide 3
Summary
• Deterrence can prevent an illegal or unethical activity from occurring. Successful deterrence requires the institution of severe penalties, the probability of apprehension, and an expectation that penalties will be enforced.
• As part of an effort to sponsor positive ethics, a number of professional organizations have established codes of conduct and/or codes of ethics that their members are expected to follow.
• Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially acceptable behaviors. The key difference between laws and ethics is that laws bear the sanction of a governing authority and ethics do not.
Slide 4
Summary (Continued)
• Organizations formalize desired behaviors in documents called policies. Unlike laws, policies must be distributed, read, understood, explicitly agreed to by employees, and uniformly enforced before they are enforceable.
• Civil law encompasses a wide variety of laws that regulate relationships between and among individuals and organizations. Criminal law addresses violations that harm society and that are prosecuted by the state. Tort law is a subset of civil law that deals with lawsuits by individuals rather than criminal prosecution by the state.
• U.S. copyright law extends intellectual property rights to the published word, including electronic publication.
• A number of key U.S. federal agencies are charged with the protection of American information resources and the investigation of threats or attacks against these resources.
Slide 5
Summary (Continued)
• Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. E-discovery is the identification and preservation of evidentiary materials related to a specific legal action.
• Most organizations cannot sustain a permanent digital forensics team. Even so, people in the InfoSec group should be trained to understand and manage the forensics process.
• In digital forensics, all investigations follow the same basic methodology: identify relevant items of evidentiary value, acquire (seize) the evidence without alteration or damage, take steps to assure that the evidence is verifiably authentic at every stage and is unchanged from the time it was seized, analyze the data without risking modification or unauthorized access, and report the findings to the proper authority.
Slide 6
Self-paced Reading: Digital Forensics
Chapter 02: Compliance: Law and Ethics
Slide 7
Cybercrime
• Various names: computer crime, high-tech crime, or cybercrime.
Slide 8
Cybercrime
• Cybercrime is used to describe criminal activity in which computers, mobile devices, or networks are a tool, a target, or a place of criminal activity (i.e., they contain evidence).
• Electronic device as a target: viruses, denial-of-service attacks.
• Electronic device as a tool: identity theft, phishing.
• Electronic device contains evidence: emails, internet browsing, contacts, location data and images.
https://www.fbi.gov/about-us/investigate/cyber
Slide 9
Cybercrime: examples
• Cyber-based terrorism
• Espionage
• Computer intrusions: hacking
• Identity theft
• Cyber financial fraud
• Child exploitation
• Cyber money laundering
• Online gambling
• Harassment, including cyberstalking
• Drug trafficking
• Offensive content, including Internet pornography
Slide 10
More New Smart Devices
Slide 11
Forensic Science
• Forensic science is the application of science to criminal and civil laws. The aim is to determine the evidential value of the crime scene and related evidence.
Slide 12
Forensic Science
Slide 13
Digital Forensics
• Digital forensics is a collection of specialized techniques, processes, and procedures used to preserve, extract, analyze, and present electronic evidence that is found in digital devices, often in relation to computer or cybercrime.
Slide 14
Digital Forensics Process
Slide 15
DF Investigation Methodology
Slide 16
Digital Forensics Specialties
1. Computer forensics: static and live acquisition
2. OS forensics: Windows, Linux
3. Mobile forensics: logical and physical extraction
4. Network/intrusion forensics
5. Malware analysis: reverse engineering
6. Open source intelligence
7. Digital forensics and cloud computing
8. Digital forensics and social networks
Slide 17
The Digital Crime Scene
Slide 18
Getting Control and Officer Safety
Get immediate control of devices:
• Computers
• Mobile devices
• Storage devices
Slide 19
Getting Control and Officer Safety
Check for destructive activities:
• Drive formatting/wiping
• Mobile device resetting/destruction
Slide 20
Getting Control and Officer Safety
If destructive activity is noted on computers:
• Pull the power plug from the computer
(More on this topic to be covered elsewhere)
Slide 21
Getting Control and Officer Safety
If destructive activity is noted on mobile devices:
• Pull the battery if possible
(More on this topic to be covered elsewhere)
Slide 22
Identifying Devices
What not to seize!
• Devices that cannot store digital evidence:
• Most printers
• Monitors
• Keyboards
However, don't forget traditional evidence that may be on those devices:
• Fingerprints
• Bodily fluids
Slide 23
Evidence Preservation
Running computers
• When in doubt, pull the plug!
Running cell phones
• If off, leave it off
• If on, leave it on but protect it with a Faraday bag!
Slide 24
Evidence Acquisition (Imaging and Cloning)
• Forensic imaging is the process of copying the data from a suspect device to a file or set of files on another device.
• Forensic cloning is the process of 'cloning' one device to another device.
Slide 25
Evidence Acquisition
Cloning (diagram): all data from the hard drive is copied to the cloned drive; the drives are now identical.
Slide 26
Cell Phone and Mobile Device Forensics
Slide 27
Acquisition Phase
- The third phase in the mobile forensic process is to perform acquisition.
- Acquisition is the process of imaging or otherwise obtaining information from a mobile device and its associated media.
- Data needs to be extracted from: the SIM card, the external memory card, and most importantly the handset memory microchip.
Slide 28
What to Acquire?
- Data stored electronically within the SIM
- Data stored externally within the memory expansion card, such as TransFlash / micro SD
- Data stored within the internal memory microchip
Slide 29
Why do acquisition?
- We never work on the original; we always try to perform things in a forensically sound manner.
- We extract or duplicate the original and then examine the copy, not the original.
- This is very important in order not to affect the integrity of the evidence.
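The following Python is an added example (not code from these slides, from Cengage, or from Whitman & Mattord) that ties together three points from the deck: the methodology in the Summary (acquire without alteration, verify authenticity at every stage, analyze without modification, report), the imaging-versus-cloning distinction on the Evidence Acquisition slide, and the rule on this slide that the examiner works on a verified copy, never the original. Everything in it is constructed for illustration: the `Device` class is a hypothetical stand-in for a drive or handset memory chip (with a write-block flag and unreadable sectors), the 512-byte sector size, the sample data and its `EVIDENCE` marker, and the function names `image_device`, `clone_image`, `verify` and `examine` are all assumptions, not a real tool's API.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR = 512  # bytes per sector of the constructed devices below (assumption)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Device:
    """Constructed stand-in for a drive or handset memory chip (hypothetical,
    not a real device API). Sectors in bad_sectors fail to read, like damaged
    media; a write-blocked device refuses writes, like a hardware write blocker."""
    name: str
    data: bytearray
    bad_sectors: set = field(default_factory=set)
    write_blocked: bool = False

    def sectors(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(f"{self.name}: unreadable sector {n}")
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n: int, chunk: bytes) -> None:
        if self.write_blocked:
            raise PermissionError(f"{self.name}: write blocked")
        self.data[n * SECTOR:(n + 1) * SECTOR] = chunk


def image_device(src: Device, log: list) -> tuple:
    """Forensic imaging: copy the source sector by sector into an image file.
    An unreadable sector is zero-filled and logged so the image stays aligned
    with the source (the behaviour of dd conv=noerror,sync). Returns
    (image_bytes, acquisition_sha256); the hash is the custody reference."""
    out = bytearray()
    for n in range(src.sectors()):
        try:
            out += src.read_sector(n)
        except OSError as err:
            out += b"\x00" * SECTOR
            log.append({"stage": "acquire", "note": str(err)})
    image, digest = bytes(out), sha256_hex(bytes(out))
    log.append({"stage": "acquire", "object": f"{src.name}.img", "sha256": digest})
    return image, digest


def clone_image(image: bytes, dst: Device, log: list) -> str:
    """Forensic cloning: write the image onto a second device and hash it,
    so the clone can be checked against the acquisition hash."""
    for off in range(0, len(image), SECTOR):
        dst.write_sector(off // SECTOR, image[off:off + SECTOR])
    digest = sha256_hex(bytes(dst.data))
    log.append({"stage": "acquire", "object": dst.name, "sha256": digest})
    return digest


def verify(expected: str, data: bytes, stage: str, log: list) -> bool:
    """Re-hash at every stage: the copy is authentic only while its hash still
    equals the one recorded at acquisition."""
    ok = sha256_hex(data) == expected
    log.append({"stage": stage, "sha256": sha256_hex(data), "verified": ok})
    return ok


def examine(image: bytes, expected: str, log: list) -> dict:
    """Examination touches only the copy: verify before, search, verify after."""
    if not verify(expected, image, "pre-analysis", log):
        raise ValueError("image does not match acquisition hash; stop and report")
    findings = {"size": len(image), "marker_found": b"EVIDENCE" in image}
    if not verify(expected, image, "post-analysis", log):
        raise ValueError("image changed during analysis")
    log.append({"stage": "report", "findings": findings})
    return findings


def write_refused(dev: Device) -> bool:
    """True if the device rejects a write, i.e. the write blocker is in effect."""
    try:
        dev.write_sector(0, b"\x00" * SECTOR)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed case: a 4-sector suspect drive with one planted marker and
    one unreadable sector, imaged, cloned, examined and verified throughout."""
    original = (b"A" * SECTOR + b"EVIDENCE".ljust(SECTOR, b"B")
                + b"C" * SECTOR + b"D" * SECTOR)
    drive = Device("suspect-drive", bytearray(original), bad_sectors={2},
                   write_blocked=True)
    log: list = []
    image, acq_hash = image_device(drive, log)
    clone = Device("clone-drive", bytearray(len(original)))
    clone_hash = clone_image(image, clone, log)
    findings = examine(image, acq_hash, log)
    return {"image": image, "acquisition_sha256": acq_hash,
            "clone_matches": clone_hash == acq_hash,
            "original_untouched": bytes(drive.data) == original,
            "write_blocked": write_refused(drive), "findings": findings, "log": log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The log that `demo()` returns is the chain-of-custody record: one entry per stage, each carrying the hash observed at that point, so any discrepancy between the acquisition hash and a later hash is visible at the exact stage where it appeared. Note that the acquisition hash is taken over the image, not the damaged source, because the image (with its zero-filled sector recorded in the log) is the artifact every later step must match.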
Slide 30
Manual Extraction
- It is the most basic extraction method, where an examiner manually accesses the phone through the user interface.
- To ensure that all details are documented, this process is normally photographed or videotaped.
- Only data accessible through the operating system is retrievable.
Slide 31
Slide 32
Dealing with Password Protection
- Many mobile devices permit users to set a password to restrict access to the device.
- For certain devices, it is possible to bypass or recover such protection.
- It is generally inadvisable to guess a lock code or passphrase, because some mobile devices will wipe their contents after too many failed attempts.
Slide 33
UFED Phone Detective
Slide 34
Device Information
Slide 35
SMS (including deleted ones)
Slide 36
Files including photos, videos
Slide 37
Web Browsers Cache Analyzer
Slide 38
Passwords can be retrieved
Slide 39
WiFi Connections & Location Services
Slide 40
Communication Activities
Slide 41
Law Enforcement Involvement
• When an incident or disaster violates civil or criminal law, it is the organization's responsibility to notify the proper authorities.
• Selecting the appropriate law enforcement agency depends on the type of crime committed.
Slide 42
Law Enforcement Involvement (Continued)
• Involving law enforcement agencies has both advantages and disadvantages:
• Such agencies are usually much better equipped to process evidence than a business and are also prepared to handle the warrants and subpoenas necessary when documenting a case.
• The disadvantages of law enforcement involvement include possible loss of control over the chain of events following an incident, for example the collection of information and evidence and the prosecution of suspects.
• A very real issue is the confiscation of vital equipment as evidence.
Slide 43
As of this writing, the rules are as follows:
1) The people who design, develop, or deploy a computing artifact are morally responsible for that artifact, and for the foreseeable effects of that artifact. This responsibility is shared with other people who design, develop, deploy or knowingly use the artifact as part of a sociotechnical system.
2) The shared responsibility of computing artifacts is not a zero-sum game. The responsibility of an individual is not reduced simply because more people become involved in designing, developing, deploying, or using the artifact. Instead, a person's responsibility includes being answerable for the behaviors of the artifact and for the artifact's effects after deployment, to the degree to which these effects are reasonably foreseeable by that person.
3) People who knowingly use a particular computing artifact are morally responsible for that use.
4) People who knowingly design, develop, deploy, or use a computing artifact can do so responsibly only when they make a reasonable effort to take into account the sociotechnical systems in which the artifact is embedded.
5) People who design, develop, deploy, promote, or evaluate a computing artifact should not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or about the sociotechnical systems in which the artifact is embedded.
Editor's Notes
Compared to the codes of ethics discussed earlier, The Rules are few in number and quite general in nature. They are intended to apply to a broad spectrum of people involved in computer system design and development. The Rules have gathered broad support as useful guidelines by academics, practitioners, computer scientists, and philosophers from a number of countries [MILL11]. It seems likely that The Rules will influence future versions of codes of ethics by computer-related professional organizations.