4. Workshop Agenda
Day #1
Introducing Digital Forensics
Concept and Definition
Objectives and Goals
Why Important?
Trends and Challenges
Types, Phases and Activities
Various Tools
September 2016, Digital Forensics
Image: gutbuilder
5. Workshop Agenda (cont’d)
Day #2
Implementing Digital Forensics
Sample Cases
Types in Details
Phases and Activities in Details
Tools in Details
Demonstration
6. Workshop Agenda (cont’d)
Day #3
Digital Forensics Workshop
Case Studies
Preventive Actions
Policies and Procedures
Standards and Frameworks
Regulations
9. Concept and Definition
Digital (Oxford Dictionary)
(of signals or data) expressed as series of the
digits 0 and 1, typically represented by values of
a physical quantity such as voltage or magnetic
polarization. Often contrasted with analogue.
Involving or relating to the use of computer
technology: the digital revolution.
Forensics (Oxford Dictionary)
Scientific tests or techniques used in connection
with the detection of crime.
10. Concepts and Definitions (cont’d)
Therefore Digital Forensics is…
“Discipline that combines elements of law
and computer science to collect and
analyze data from computer systems,
networks, wireless communications and
storage devices in a way that is admissible
as evidence in a court of law.”
11. Digital Evidence
Information and data of value to an
investigation that is stored on,
received, or transmitted by an
electronic device.
It is acquired when data or electronic devices are seized and secured for examination.
12. Digital Evidence (cont’d)
Traits of Digital Evidence
May be found in
Storage devices such as hard disks, CDs, DVDs, memory cards, USB drives, mobile phones and SIM cards, and online resources such as mail servers and cloud servers.
Can be hidden in
Password protected files, Encrypted files,
Steganography files, Formatted hard disc, HPA (Host
Protected Area) or DCO (Device Configuration
Overlay) of the hard drives.
Can relate to
Online fraud, Organized crime, Identity theft, Data theft,
Unauthorized access, Malicious files (Virus attack), Data
alteration, Cyber defamation, Cyber pornography,
Online gambling, Sale of illegal items etc.
18. Objectives (cont’d)
The most common objective is to support or refute a hypothesis before criminal or civil courts (in civil matters, as part of the electronic discovery process).
This is known as identifying direct evidence of a crime or fraud.
19. In Practical
Help to protect from and solve cases:
Theft of intellectual property
• Any act that allows access to patient data, trade secrets, customer data, and any confidential information.
Financial Fraud
• Anything that uses fraudulent solicitation of victims' information to conduct fraudulent transactions.
20. In Practical (cont’d)
Hacker system penetration
• Taking advantage of vulnerabilities of
systems or software using tools such as
rootkits and sniffers.
Distribution and execution of viruses,
malware and worms
• These are the most common forms of
cyber crime and often cost the most
damage.
21. Goals
Could be utilized to
Attribute evidence to specific suspects
Confirm alibis or statements
Determine intent
Identify sources (for example, in copyright
cases)
Authenticate documents
23. Because of (Cyber) Crime
Definition of Crime
“An event, which subjects the doer to
legal punishment or any offence
against morality, social order or any
unjust or shameful act” ~ Oxford
Dictionary
24. What is Crime? (cont’d)
Is doing crime illegal?
Being a criminal = a bad person?
Crime = Illegal against Law + Bad Motive(s) + On Purpose
Crime != Illegal against Law + Unintentional + Good Motive(s)
Crime != Illegal against Law + Unintentional + Bad Motive(s)
Crime != Illegal against Law + On Purpose + Good Motive(s)
25. What is Crime? (cont’d)
And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
26. Defining Cyber Crime
It’s an unlawful act wherein the computer is either a
tool or a target or both.
Acts that are punishable by Information Technology
Act.
Happened in and/or through cyber space, a virtual space that has become as important as real space for the economy, business, education, politics, and communities.
27. Defining Cyber Crime (cont’d)
Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
With the pervasion of digital technology, new terms like "high-technology" or "information-age" crime were added to the definition. The Internet also brought other new terms, like "cybercrime" and "net crime".
Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
28. Fraud
Oxford Dictionary
Wrongful or criminal deception intended to result in
financial or personal gain.
or
A person or thing intended to deceive others, typically by
unjustifiably claiming or being credited with
accomplishments or qualities.
Association of Certified Fraud Examiner (ACFE)
Any crime for gain that uses deception as its principal
modus operandi.
29. Fraud (cont’d)
Black’s Law Dictionary
A knowing misrepresentation of the truth or
concealment of a material fact to induce another
to act to his or her detriment.
or
Any intentional or deliberate act to deprive
another of property or money by guile, deception,
or other unfair means.
30. Fraud vs Lying
Fraud usually involves lying for a specific gain that causes someone a loss, while lying does not always cause harm.
For example, if we take our car to an unscrupulous mechanic, he may tell us he makes $1,000 a year. If this is a lie, it does not hurt us.
However, if our car does not need repairs but the mechanic says our car needs $500 in body work, he/she has committed fraud because the truth is twisted and causes a financial loss for us.
31. Types of Fraud
Internal Fraud: when an employee, manager, or executive commits fraud against his or her employer.
External Fraud: committed by vendors, customers, suppliers, integrators, consultants, and other third parties (known or unknown).
Image courtesy of: City Caucus
36. (Figure slide; image not included)
Source: IBM
[2] FBI: Crime in the United States 2013
[3] United California Bank Robbery
[4] Center for Strategic and International Studies
38. Notable Cyber Attacks
In 2015 the FBI listed the following, from the most frequent:
Viruses
Employee abuse of internet privileges
Unauthorized access by insiders
Denial of Service
System penetration from the outside
Theft of proprietary information
Sabotage of data/networks
Probing/scanning systems
Financial fraud
39. Notable Cyber Attacks (cont’d)
Manipulated data integrity
Installed a sniffer
Stole password files
Trojan logons
IP spoofing
40. Common Cyber Attacks
Unauthorized access
Theft of information
Email bombing
Data diddling
Salami attacks
Denial of Service
Image courtesy of accidentalcreative.com
41. Common Cyber Attacks (cont’d)
Virus and worm attacks
Logic bombs
Trojan attacks
Internet time thefts
Web jacking
Theft of computer system
Physically damaging a computer system
Image courtesy of indiatimes.com
42. Cyber Criminals: Who Are They?
Kids (age group below 17)
Disgruntled employees
Organized hacktivists
Professional hackers (corporate espionage), either white or black hats
Cyber terrorists (political motive)
Image courtesy of Travaux
44. Rise of Anti-Forensics
A set of techniques used as countermeasures to forensic
analysis:
Ex. Full-Disk Encryption
TrueCrypt on Linux, Windows and OS X
FileVault 2 on OS X
BitLocker on Windows
File Eraser
AbsoluteShield File Shredder
Heidi Eraser
Permanent Eraser
45. Rise of Anti-Forensics (cont’d)
Natively provided by software principal/vendor
48. Type of Digital Forensics
49. Type of Digital Forensics (cont’d)
Disk Forensics
◆ Flash, HDD, USB devices
Network Forensics
◆ monitoring and analyzing network traffic
Memory Forensics
◆ analysis of a system memory dump
Mobile Forensics
◆ acquiring deleted or undeleted data from mobile devices
Cloud Forensics
◆ forensic network analysis on cloud computing architectures
50. Type of Digital Forensics (cont’d)
Mobile Forensics (figure; source: RSA AP Conference 2013)
51. Phases and Activities
Phase 1: Identification of storage media for potential evidence
Phase 2: Acquisition of the storage media
Phase 3: Examination and Analysis of the acquired media
Phase 4: Documentation & Reporting
54. Type of Tools
Commercial/Proprietary Tools
Software applications designed with a commercial
objective. The source code & the internal working
of the software application is privileged and
concealed from the user.
Open Source Free Tools
Software applications available for usage at no cost.
The source code & the internal working of the
software application is known to the user. Furthermore,
the user has the liberty of altering the source code
as per the requirements.
55. Acquisition Tools
Proprietary Tools
EnCase Forensic - Guidance Software: www.guidancesoftware.com/encase-forensic.htm
FTK - AccessData: www.accessdata.com/products/digital-forensics/ftk
WinHex - X-Ways Software Technology AG: www.x-ways.net/winhex/
Forensics Apprentice: www.registryforensics.com/
BlackLight: www.blackbagtech.com/blacklight-1.html
Cellebrite - Mobile Forensics and Data transfer solutions: www.cellebrite.com/
Paraben - Handheld Digital Forensics: http://www.paraben.com/handheld-forensics.html
Open Source Tools
Digital Forensics Framework: www.digital-forensic.org
CAINE: www.caine-live.net/
DEFT: www.deftlinux.net/
56. Examination and Analysis Tools
Proprietary Tools
EnCase Forensic - Guidance Software: www.guidancesoftware.com/encase-forensic.htm
FTK - AccessData: www.accessdata.com/products/digital-forensics/ftk
WinHex - X-Ways Software Technology AG: www.x-ways.net/winhex/
Forensics Apprentice: www.registryforensics.com/
BlackLight: www.blackbagtech.com/blacklight-1.html
Cellebrite - Mobile Forensics and Data transfer solutions: www.cellebrite.com/
Paraben - Handheld Digital Forensics: http://www.paraben.com/handheld-forensics.html
Open Source Tools
Digital Forensics Framework: www.digital-forensic.org
CAINE: www.caine-live.net/
DEFT: www.deftlinux.net/
SAFT Mobile Forensics: www.signalsec.com/saft/

Analyzing digital information
Identifying & examining malicious files
Recovering deleted, fragmented, corrupted data
Analyzing online activities
Analyzing mobiles
62. Indonesia Facts
Symantec's Security Threat reports say:
36.6 million cyber attacks (35% from outside the country, the rest from inside) from 2012 to 2014.
497 cyber crime cases from 2012 to April 2015, of which 389 involved foreigners and 108 local citizens.
Fake bank accounts, money laundering, forged LC documents, camouflaged postings.
Accounted for 4.1% of the world's cyber crimes.
The highest percentage of PCs infected by malware across the globe.
Government CSIRT says:
60% of government domains encountered web defacements and 36% were infected by malware.
63. Indonesia Facts (cont’d)
According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
Yet the figures for Indonesia are unknown.
Dakaadvisory predicts around USD 2.3bn in 2013 by multiplying the number of victims by the cost per victim.
Of the Ministry of Communication and IT's total budget of USD 500m, 1% is allocated to Cyber Security.
65. Cyber Crime-as-a-Service
Marketplace
Has continued to mature over the past two years.
Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
Has become fiercely competitive.
Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
Generalized increase in the quality of malware produced.
Enables a much larger pool of bad actors with no technical knowledge to profit.
66. Cyber Crime-as-a-Service
Marketplace (cont’d)
Many types of attack are simple and low cost.
Phishing attacks: 500,000 email addresses cost $30.
Hosting a phishing site can be more or less free.
Thousands of credit cards can be stolen in return for around $100.
68. Mobile Encounters Larger Attack Surface
In 2015, 1.5 billion units were shipped. [1]
The vast majority of mobile malware is still focused on the Android platform, because it is open and popular (79%, against 15% for iOS and 5% for the rest). [2]
Banking Trojans, used with SMS sniffers, are increasing.
A user is persuaded through social engineering to download mobile malware from their PC.
Scenario
During an online banking session, a screen pops up inviting the user to download a mobile app (masquerading as a security feature), which is actually an SMS sniffer.
When the user's bank detects unusual activity, such as a high-value wire transfer, and sends an out-of-band one-time password to the user's mobile that must be entered to authorize the transaction, the criminal can intercept it and complete the transfer to their own account.
[1] IDC Worldwide Smart Phone 2015-2019 Forecast and Analysis
[2] IDC Worldwide Quarterly Mobile Phone Tracker
70. Ransomware Continues
On mobile devices, such as Police Locker, capitalizing on typical user behavior during installation.
Gains the privileges needed to lock the device.
Instructs the user to pay a ransom to unlock their files (or to 'pay a fine' because the phone supposedly contains 'illegal content').
Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
71. Larger Retail and Financial Attacks
Shift from attacks on individuals to mass attacks on
retailers and financial institutions.
Banking botnets are becoming more resilient and harder to take down.
They utilize the deep web and untraceable peer-to-peer networks (TOR and I2P) to increase resilience and anonymity, and to hide their infrastructure from law enforcement agencies.
Private botnets, written specifically for an individual gang (harder to trace and analyze).
Point of Sale (POS) malware and RAM scrapers are used.
73. Larger Retail and Financial Attacks (cont’d)
Transferring cash from a bank's system to criminals' own accounts.
ATM attacks: directly cashing out an ATM.
Ransom requests: extorting money based on locking private information about a bank's customers.
75. Phases and Activities
(Recap of the four phases from slide 51: Identification, Acquisition, Examination and Analysis, Documentation & Reporting.)
76. Phases and Activities (cont’d)
Analyzing digital information
Identifying traces of network / computer intrusion
Identifying & examining malicious files
Employing techniques to crack file & system passwords
Detecting steganography
Recovering deleted, fragmented & corrupted data
Maintaining evidence custody procedures
Analyzing online activities
Courtroom presentation
77. Activities Involved
Identifying 5W1H
Identifying and Understanding the Scenario
Identifying the Approach
Identifying Techniques and Tools
Acquiring Data and Information Needed
Analyzing Data and Information
Identifying Evidence
Drawing the Conclusion (based on facts)
78. 5W1H
• What was hacked, compromised, stolen, accessed,
looked at etc.
• By whom (caution: attribution is hard!)
• When
• How
• Impact (technical and business)
• Likely motives
• Capabilities
• Remediation steps
• Future mitigation to avoid repeats
• Liability
80. Scenarios
Internal such as Employees or Contractors:
• Employee accessed inappropriate but not illegal internet
material
• Employee accessed internal data they were not authorised to
• Employee committed an internally focused financial crime
• Employee disclosed intellectual property to an unauthorised
third party
• Employee is soon to depart and stole intellectual property for
personal benefit
• Employee used work resources for personal enterprise
• Other disciplinary issue…
81. Scenarios (cont’d)
External:
• Malicious phishing/spear phishing e-mails sent into an
organization
• Malicious code present on a system
• Credentials compromised
• Host, System, Network was compromised
• Data was stolen/exfiltrated (taken out)
• Data was changed
• Data was added
• Theft/fraud
• Mobile devices tampered with (evil maid)
82. Scenarios (cont’d)
This sounds like a scary scale, right?
But it happens every day.
In most organizations of moderate size you'd expect at least one such incident a day/week (you pick), if you could detect them all.
83. Approach
We normally start with a suspicion or indicator of compromise.
Knowing there is something to be found, versus aimlessly looking for something that might not be there, leads to a more focused approach.
84. Approach (cont’d)
• Doing bit-by-bit copies of multi-terabyte systems is slow and challenging in a lot of cases.
• We don't need to in a lot of cases, as we (generally) know where we want to look to confirm suspicions.
• A lot of the time we are interested in rich data sources rather than looking for one elusive deleted file.
• Attacks/threat actors are often sloppy.
86. Data Collection
It is basically the acquisition of data: recording and labeling the data of the computers.
Two ways of collecting data:
Volatile
Non-volatile
Data is also collected from other sources, both offline and online.
87. Volatile Data
Data that requires power to be maintained.
Examples
RAM
Page files
Swap
Caches
Tools are:
Belkasoft Live RAM Capturer
Memory DD
MANDIANT Memoryze
88. Non-volatile Data
Present in the permanent storage of the computing device.
Copying this type of data is known as forensic imaging.
Data is collected from storage devices like hard disks, CDs, DVDs, etc.
Data should be preserved without any modification or alteration.
Tools: EnCase, ProDiscover, WinHex, The Sleuth Kit and FTK.
90. Data Examination
File system assessment through NTFS.
Windows registry assessment:
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_LOCAL_MACHINE
Database forensic assessment: DDL, DCL and DML transactions in the database are assessed.
Network forensic assessment: browsing data, mails and IP addresses are assessed.
91. Don’t Forget Hashing
Calculate the hash after a clone/image is made.
After complete analysis of the disk/image, calculate the hash again.
Needed to prove in court that the evidence has not been tampered with.
Tools for calculating hashes:
WinHex
The Sleuth Kit
EnCase
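The imaging and hashing workflow from the Data Collection, Non-volatile Data and hashing slides, as an added example in Python. This is not code from the deck or from any of the tools it lists; the "device" is a constructed temporary file, and the paths and the examiner name are assumptions. It hashes the source while reading it, hashes the written image from disk, records both in a custody log, and re-verifies the image after a simulated accidental write.

```python
"""Forensic imaging with acquisition and post-analysis hash verification.

Added example, not code from the workshop deck or from any of the tools it
lists. It images a source device file block by block, hashes the source while
reading it, hashes the written image, logs a custody record, and re-verifies
the image later. The source is a constructed temporary file standing in for a
block device; every path and the examiner name are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB blocks keep memory use flat on large media


def hash_file(path):
    """SHA-256 of a file, read back from disk block by block."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def image_device(source_path, image_path, examiner="examiner-placeholder"):
    """Bit-for-bit copy of source_path into image_path with a custody record.

    The source is hashed as it is read; the image is then hashed from disk.
    The two digests must match, otherwise the copy is not faithful and must
    not be used as evidence.
    """
    source_digest = hashlib.sha256()
    bytes_copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            source_digest.update(block)
            dst.write(block)
            bytes_copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes we hash next are on disk
    record = {
        "source": source_path,
        "image": image_path,
        "bytes": bytes_copied,
        "sha256_source": source_digest.hexdigest(),
        "sha256_image": hash_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    if record["sha256_source"] != record["sha256_image"]:
        raise RuntimeError("acquisition hash mismatch: image is not faithful")
    return record


def verify_image(record):
    """Re-hash the image and compare with the acquisition hash.

    Run this after analysis and whenever custody changes hands; a mismatch
    means the evidence was altered since acquisition.
    """
    return hash_file(record["image"]) == record["sha256_image"]


def append_custody_log(record, log_path):
    """One JSON line per event, so the log itself is easy to hash and archive."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def demo():
    """Constructed scenario: image a fake device, verify, then detect a change."""
    workdir = tempfile.mkdtemp(prefix="df-imaging-")
    source = os.path.join(workdir, "fake-device.bin")
    image = os.path.join(workdir, "evidence-001.dd")
    log = os.path.join(workdir, "custody.log")
    with open(source, "wb") as handle:
        handle.write(os.urandom(3 * BLOCK_SIZE + 12345))  # not a whole number of blocks
    record = image_device(source, image)
    append_custody_log(record, log)
    verified_before = verify_image(record)
    # Simulate an analyst writing to the image (no write blocker): flip one byte.
    with open(image, "r+b") as handle:
        handle.seek(100)
        original = handle.read(1)
        handle.seek(100)
        handle.write(bytes([original[0] ^ 0xFF]))
    verified_after = verify_image(record)
    return record, verified_before, verified_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("image verified before change:", before)
    print("image verified after change:", after)
```

The image hash is computed by re-reading the written file rather than by hashing the bytes in memory on the way out, so a write error or a full disk shows up as a mismatch at acquisition time instead of in court. Work on a copy of the image for analysis and keep the acquisition hash with the custody log.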
92. Typical Tools
In Windows Environment
ipconfig is used for the collection of subject system details.
Netusers and qusers can identify logged-in user information.
doskey or history for collecting command history.
Netfile is used to identify the services and drivers.
94. Open Source and Free Tools
SANS Investigative Forensic Toolkit (SIFT)
Linux-based VM with a huge collection of tools for acquisition and analysis
http://digital-forensics.sans.org/community/downloads
95. The Sleuth Kit & Autopsy
http://www.sleuthkit.org/
97. National Software Reference Library
Known-good hashes for software, so they can be excluded from analysis
http://www.nsrl.nist.gov/
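Known-good exclusion with an NSRL-style hash set, as an added Python example. This is not code from the deck and not NIST's; the legacy NSRL Reference Data Set ships NSRLFile.txt as CSV with the header "SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode", and the rows below are constructed in that layout from made-up file contents. The evidence paths are assumptions too. The point it shows is that the hash, not the file name, decides what gets excluded.

```python
"""Excluding known-good files with an NSRL-style hash set.

Added example; not code from the deck and not NIST's. The legacy NSRL
Reference Data Set distributes NSRLFile.txt as CSV whose header is
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode".
The rows below are constructed in that layout from made-up file contents
(the CRC32, ProductCode and OpSystemCode values are placeholders); the
evidence file paths are assumptions as well.
"""
import csv
import hashlib
import io

# Constructed "vendor" contents standing in for known-good OS binaries.
KNOWN_GOOD_CONTENTS = {
    "notepad.exe": b"constructed known-good binary A",
    "kernel32.dll": b"constructed known-good binary B",
}


def sha1_hex(data):
    """NSRL stores SHA-1 in upper-case hex, so normalise to that form."""
    return hashlib.sha1(data).hexdigest().upper()


def build_sample_nsrl():
    """Constructed NSRLFile.txt text in the legacy RDS column order."""
    header = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    rows = []
    for name, data in KNOWN_GOOD_CONTENTS.items():
        md5 = hashlib.md5(data).hexdigest().upper()
        rows.append(f'"{sha1_hex(data)}","{md5}","00000000","{name}","{len(data)}","1","189",""\n')
    return header + "".join(rows)


def load_nsrl_sha1(text):
    """Stream the CSV and keep only the SHA-1 column as a set.

    The real file has tens of millions of rows; a set of fixed-width strings
    is the simplest structure that still gives O(1) membership tests.
    """
    reader = csv.DictReader(io.StringIO(text))
    return {row["SHA-1"].upper() for row in reader}


def triage(files, known_sha1):
    """Split {path: contents} into (known_good, needs_review).

    Only the hash decides. A file that carries a system binary's name but a
    different hash is exactly the case (patched or trojanised binary) that
    must stay in the review pile.
    """
    known_good, review = [], []
    for path, data in files.items():
        bucket = known_good if sha1_hex(data) in known_sha1 else review
        bucket.append(path)
    return sorted(known_good), sorted(review)


# Constructed evidence files: two match the set, two do not.
EVIDENCE_FILES = {
    r"C:\Windows\notepad.exe": KNOWN_GOOD_CONTENTS["notepad.exe"],
    r"C:\Windows\System32\kernel32.dll": KNOWN_GOOD_CONTENTS["kernel32.dll"],
    r"C:\Users\alice\Downloads\invoice.exe": b"constructed unknown binary",
    r"C:\Temp\notepad.exe": b"constructed modified copy of notepad",  # same name, different hash
}


def run_triage():
    """Load the constructed hash set and triage the constructed evidence files."""
    known = load_nsrl_sha1(build_sample_nsrl())
    return triage(EVIDENCE_FILES, known)


if __name__ == "__main__":
    good, review = run_triage()
    print("known good (excluded):", good)
    print("needs review:", review)
```

With the real NSRL file, replace build_sample_nsrl() with a streaming read of the downloaded NSRLFile.txt; the set of SHA-1 strings is what the examination tools on the previous slides import as a "known files" hash set.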
98. Volatility
De facto open source memory forensics tool
Windows, Mac and Linux support
http://www.volatilityfoundation.org/
105. Microsoft Sysinternals
Some highlights
• Process Explorer
• Process Monitor
https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx
109. What is memory forensics?
In short, the reconstruction, typically from a physical RAM dump, of a representation of the system that was running at the time, which can be queried and otherwise interrogated as part of a forensics exercise.
It allows us to capture transient or ephemeral aspects, such as some aspects of screen layout or connections, and other non-persisting malware / exploits.
110. How does it work?
Dump physically contiguous RAM, OR get the hibernation file.
Then:
1. Parse the physical image for the key structures of the OS version
2. Rebuild the kernel and user space virtual memory layout
3. Overlay OS concepts
Sounds easy. It isn't; look at the Volatility source.
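Steps 1 and 3 above, reduced to a signature scan over a constructed dump, as an added Python example. This is not code from the deck and not part of Volatility: memory forensics tools locate kernel objects by scanning for known headers (pool tags on Windows) at allocation-aligned offsets, parsing each hit with the structure layout of that OS build, and then layering OS concepts such as a process tree on top. The 32-byte record layout, the tag b"PROC", the 8-byte alignment and the dump contents are all constructed; real kernel structures differ per OS version, which is why tools carry per-build profiles.

```python
"""Carving process-like records from a raw memory dump by signature scan.

Added example; not code from the deck and not part of Volatility. The dump
and the record layout are constructed for illustration only: a 4-byte tag
b"PROC", a 32-bit PID, a 64-bit parent PID and a 16-byte NUL-padded name.
"""
import struct

TAG = b"PROC"
RECORD = struct.Struct("<4sIQ16s")  # tag, pid, ppid, name: 32 bytes total
ALIGN = 8  # constructed assumption: allocations start on 8-byte boundaries


def make_record(pid, ppid, name):
    """Pack one constructed process record."""
    return RECORD.pack(TAG, pid, ppid, name.encode("ascii").ljust(16, b"\0"))


def build_dump():
    """Constructed 'physical memory': filler, valid records, two traps."""
    parts = [
        b"\x00" * 64,                           # offset 0: empty page fragment
        make_record(4, 0, "System"),            # offset 64: valid
        b"\xff" * 24,                           # offset 96: freed-memory noise
        b"abcPROCEDURE-log",                    # offset 120: tag at 123, unaligned text
        make_record(612, 4, "smss.exe"),        # offset 136: valid
        b"\x00" * 8,                            # offset 168
        TAG + b"\xff" * 28,                     # offset 176: aligned tag, garbage body
        make_record(820, 612, "winlogon.exe"),  # offset 208: valid
        b"\x00" * 32,                           # offset 240: trailing filler
    ]
    return b"".join(parts)


def plausible(pid, name):
    """Reject hits whose fields cannot belong to a live process record."""
    return pid > 0 and 0 < len(name) <= 15 and all(32 <= c < 127 for c in name)


def scan_records(dump):
    """Step 1: walk aligned offsets, match the tag, parse and sanity-check."""
    hits = []
    for offset in range(0, len(dump) - RECORD.size + 1, ALIGN):
        if dump[offset:offset + 4] != TAG:
            continue
        _tag, pid, ppid, raw_name = RECORD.unpack_from(dump, offset)
        name = raw_name.split(b"\0", 1)[0]
        if not plausible(pid, name):
            continue  # garbage that happens to carry the tag
        hits.append({"offset": offset, "pid": pid, "ppid": ppid, "name": name.decode("ascii")})
    return hits


def naive_tag_count(dump):
    """What an unaligned byte search reports: includes the text decoy and the garbage hit."""
    return dump.count(TAG)


def process_tree(hits):
    """Step 3: overlay an OS concept (parent/child) on the carved records."""
    children = {}
    for hit in hits:
        children.setdefault(hit["ppid"], []).append(hit["name"])
    return children


if __name__ == "__main__":
    dump = build_dump()
    found = scan_records(dump)
    print("raw tag occurrences:", naive_tag_count(dump))
    print("validated records:", found)
    print("process tree:", process_tree(found))
```

The naive byte search reports five tag occurrences; the aligned scan with field validation keeps three. That gap is the reason real tools combine alignment, structure parsing and plausibility checks rather than grepping for tags, and why a hit from a freed or overwritten allocation still needs an analyst's judgement.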
111. What tool?
VOLATILITY
Python, but binary distributions available
Open source
Plugin architecture (we wrote one – it was easy)
Awesome
116. Live Digital Forensics
ProDiscover IR
Helix
Sleuth Kit & Autopsy
Caine
FTK/EnCase making them live?
Both newer offerings have live capabilities
132. Thumbs.DB
Pictures opened in Windows OS
Filmstrip
Thumbnails
Thumbs.DB Viewer
133. Index.DAT
Contains all of the Web sites
Every URL
Every Web page
All email sent or received through Outlook or
Outlook Express
All internet temp files
All pictures viewed
134. Commands
dir: Lists all files and directories in the directory that you are currently in.
ls: List the contents of your home directory by adding a tilde after the ls command.
ps: Displays the currently-running processes.
fdisk: A utility that provides disk partitioning functions and information.
135. Locations of Index.DAT files
Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\low\index.dat
Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat
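Collecting the Index.DAT locations above from an offline evidence volume, as an added Python example that is not code from the deck. Given the root of a mounted or extracted volume and a user name, it builds the four paths, reports which exist, checks the file header and records size and SHA-256 for the evidence log. The evidence tree is constructed in a temporary directory; the volume root, user name and file contents are assumptions, and the header check (the "Client UrlCache MMF Ver" string that IE cache index files begin with) is a plausibility check only.

```python
"""Locating Index.DAT artifacts in an offline Windows evidence volume.

Added example, not code from the deck. The evidence tree is constructed in a
temporary directory; volume root, user name and file contents are
assumptions. The header check is a plausibility check, not proof.
"""
import hashlib
import os
import tempfile

# Path components relative to the volume root; {user} is substituted.
INDEX_DAT_LOCATIONS = [
    ("Users", "{user}", "AppData", "Roaming", "Microsoft", "Windows", "Cookies", "index.dat"),
    ("Users", "{user}", "AppData", "Roaming", "Microsoft", "Windows", "Cookies", "low", "index.dat"),
    ("Users", "{user}", "AppData", "Local", "Microsoft", "Windows",
     "Temporary Internet Files", "Content.IE5", "index.dat"),
    ("Users", "{user}", "AppData", "Local", "Microsoft", "Windows", "History", "Content.IE5", "index.dat"),
]
HEADER_SIGNATURE = b"Client UrlCache MMF Ver"


def locate_index_dat(volume_root, user):
    """Return one evidence-log entry per expected location."""
    entries = []
    for parts in INDEX_DAT_LOCATIONS:
        path = os.path.join(volume_root, *(p.format(user=user) for p in parts))
        entry = {"path": path, "present": os.path.isfile(path)}
        if entry["present"]:
            with open(path, "rb") as handle:
                data = handle.read()  # these files are small enough to read whole
            entry["size"] = len(data)
            entry["sha256"] = hashlib.sha256(data).hexdigest()
            entry["header_ok"] = data.startswith(HEADER_SIGNATURE)
        entries.append(entry)
    return entries


def build_constructed_volume(user):
    """Constructed evidence tree: one genuine-looking and one bogus index.dat."""
    root = tempfile.mkdtemp(prefix="df-volume-")
    cookies = os.path.join(root, "Users", user, "AppData", "Roaming", "Microsoft", "Windows", "Cookies")
    history = os.path.join(root, "Users", user, "AppData", "Local", "Microsoft", "Windows",
                           "History", "Content.IE5")
    os.makedirs(cookies)
    os.makedirs(history)
    with open(os.path.join(cookies, "index.dat"), "wb") as handle:
        handle.write(HEADER_SIGNATURE + b" 5.2\0" + b"\0" * 64)  # constructed, header only
    with open(os.path.join(history, "index.dat"), "wb") as handle:
        handle.write(b"not a cache index at all")  # wrong contents under the right name
    return root


def demo(user="alice"):
    """Build the constructed volume and run the collector against it."""
    root = build_constructed_volume(user)
    return locate_index_dat(root, user)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run it against a read-only mount of the image, never the live system, and keep the entries (including the absent ones) in the evidence log: a missing Cookies index.dat on a profile that was clearly in use is itself a finding worth noting.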
145. Case Study
• A financial institution contacted an audit and investigation firm to conduct the yearly Financial and Accounting Audit.
• It is alleged that the company charged 'hidden fees' to customers' accounts.
• The problem one party faced included going through over 10 million transaction records to find evidence to calculate the amount to be paid by the company.
146. Case Study (cont’d)
The firm utilized IT General Controls and Application Controls to test several key controls related to the Financial and Accounting systems.
Upon conducting Application Controls to test key controls, the firm found the amount of fees charged by the institution to their customers.
Data and information were obtained and treated as proof of evidence of suspected abnormal activities.
The finding was communicated to the institution's management.
148. Organization’s Prerequisites
Dedicated I(T) Security Personnel
IT Security Risk Management
Security Incidents Plan (Policies and Procedures)
Security Incidents Logs or Documentations
Security Incidents Review Activity
User Access Rights Policies and Procedures
User Access Rights Documentation
User Access Rights Review Activity
Anti Virus and Firewall
149. Organization’s Prerequisites (cont’d)
Intrusion Prevention Systems
Intrusion Detection Systems
Physical Security
Data Security
Information Security
Software/Application Security
Database Security
Vulnerability Assessment
Penetration Testing
150. How to Prevent?
Information Security Strategic Plan (including Cyber
Security domain).
Information Security Policies, Procedures, Guidelines,
Framework and Standards.
IT/Information Security personnel (the higher the better) who report directly to organizational leadership.
Regular monitoring and controlling activities through measurement and review processes.
Understanding past security events and planning for future ones.
Governance, Risk, Legal and Compliance (no longer Ops-focused).
151. CCSO on the Rise? (figure; image not included)
Image courtesy of Mark E. S. Bernard
152. How to Do?
A flexible organization with a centralized core
Security Oversight
Information Risk
(Cyber) Security Risk
Security Architecture and Engineering
Security Operations
153. Organization Culture
What do your executives expect from security?
If not GRLC, then focus on operations
Build trust and demonstrate value
Reporting Inside or Outside IT?
Centralized or Decentralized?
154. Controls to Enforce Policies
Log access to data, information and transactions by unique identifier; this requires log management or a SIEM.
Limit access to specific data to specific individuals; this requires unique system usernames and passwords.
Sensitive data shall not be emailed outside the organization; enforced with a DLP or email encryption system.
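The first two controls above, replayed over an access log as an added Python example; this is not code from the deck. It checks each constructed log line against an authorisation matrix and reports access by an account not authorised for that data set, access recorded under a shared or empty identifier (which cannot be attributed to a person), and lines the parser cannot read, which are a logging gap in their own right. The log format, account names and data set names are all constructed assumptions.

```python
"""Replaying access logs against a data-access policy.

Added example, not code from the deck. Log format, accounts and data set
names are constructed; a real deployment would read them from the SIEM and
the access-rights documentation kept under the prerequisites slides.
"""
import re
from collections import Counter

# Constructed authorisation matrix: data set -> individually named accounts.
ACCESS_POLICY = {
    "customer_pii": {"a.rahman", "d.putri"},
    "gl_transactions": {"d.putri", "f.santoso"},
}
# Accounts that do not identify one person; they break the unique-identifier rule.
SHARED_ACCOUNTS = {"", "admin", "shared", "service"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S*) action=(?P<action>\w+) dataset=(?P<dataset>\S+)$"
)

# Constructed sample log: one clean read, one unauthorised read, two
# unattributable events, one clean update, one corrupt line.
SAMPLE_LOG = """\
2016-09-05T09:01:12Z user=a.rahman action=read dataset=customer_pii
2016-09-05T09:02:40Z user=f.santoso action=read dataset=customer_pii
2016-09-05T09:03:05Z user=admin action=export dataset=gl_transactions
2016-09-05T09:04:18Z user= action=read dataset=gl_transactions
2016-09-05T09:05:00Z user=d.putri action=update dataset=gl_transactions
Sep 5 09:06:00 appserver: unexpected free-text line
"""


def check_event(event):
    """Return the finding type for one parsed event, or None if it is clean."""
    if event["user"] in SHARED_ACCOUNTS:
        return "unattributable"
    allowed = ACCESS_POLICY.get(event["dataset"], set())
    if event["user"] not in allowed:
        return "unauthorised"
    return None


def audit(log_text):
    """Run every line through the parser and the policy; collect findings."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = LOG_LINE.match(line)
        if not match:
            findings.append({"line": number, "type": "unparsed", "raw": line})
            continue
        event = match.groupdict()
        finding = check_event(event)
        if finding:
            findings.append({"line": number, "type": finding, **event})
    return findings


def summarise(findings):
    """Counts per finding type, the figure a review meeting actually wants."""
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(dict(summarise(results)))
```

An unattributable finding is the more important of the two for forensics: an authorised export under "admin" leaves nothing to tie to a person later, which is exactly what the unique-identifier requirement is meant to prevent.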
155. Deploy and Test Controls
A phased approach
– DLP
– Email Encryption
Test not only if the solution works technically
but also that it does not impose too great a
burden on employees or processes.
156. Educate, Educate, Educate
Our security stakeholders: employees,
executives, partners, suppliers, vendors
What are our policies?
How to comply?
Consequences of failure to comply
157. Monitoring and Controlling
Assessment
Review
Audit
Monitor change control
New vendor relationships
Marketing initiatives
Employee terminations
159. NIST’s Policies and Procedures
Organizations should ensure their policies contain
clear statements addressing all major forensic
considerations:
Contacting law enforcement
Performing monitoring
Conducting regular reviews of forensic policies and
procedures
Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization's policies and all applicable laws and regulations.
160. NIST’s Policies and Procedures (cont’d)
Organizations should ensure their policies and
procedures support reasonable and
appropriate use of forensic tools.
Policies and procedures should clearly explain
what forensic actions should and should not be
performed under various circumstances, as well
as describing the necessary safeguards for
sensitive information recorded by forensic tools
(passwords, personal data, and e-mails).
161. NIST’s Policies and Procedures (cont’d)
Legal advisors should carefully review all forensic policy and high-level procedures.
Organizations should ensure their IT professionals are prepared to participate in forensic activities.
Incident handlers and other first responders to incidents should understand their roles and responsibilities for forensics, and receive training and education on forensics-related policies and procedures.
164. Standards and Frameworks (cont’d)
According to Information Systems Security
Certification Consortium (ISC2) CBK, the
principles are:
A. Support the business
Focus on the business functions and processes
Deliver quality and value to stakeholders
Comply with law and regulation requirements
Provide timely and accurate information
Evaluate existing and future information
threats
Improve information security continuously
165. Standards and Frameworks (cont’d)
B. Secure the organization
Adopt a risk-based approach
Protect classified information
Focus on critical business processes
Develop systems securely
C. Promote information security
Attain responsible behavior
Act in a professional and ethical manner
Foster a positive information security culture
166. ISACA Framework on Information Security
(Figure; image not included. Credit: ISACA)
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed
167. NIST Cybersecurity Framework
Critical Infrastructure
- Vital infrastructure - private and public operators
- Lack of availability would have “debilitating
impact” on the nation’s security, economy, public
health, safety…
Executive Order 13636; February 12, 2013
Threat information sharing
NIST: Baseline Framework to reduce cyber risk
“Standards, methodologies, procedures and processes that
align policy, business, and technological approaches…”
171. ISO 27001 Standards (cont’d)
Best practice recommendations for initiating,
developing, implementing, and maintaining Information
Security Management Systems (ISMS) with:
Risk Assessment
Security Policy
Asset Management
Physical/Environmental Security
Access Control
And many others
173. Numerous Regulations
Telecommunication Act No. 36/1999 focused briefly on telecommunications infrastructure, not on the internet in particular.
Information and Transaction Electronic Act No.
11/2008 for legal enforcements against cyber crime.
Copyright Act No. 19/2002.
Pornography Act No. 44/2008.
Electronic System Provider and Electronic
Transaction Regulation No. 82/2012.
175. Future of Digital Forensics
Data Centric Analysis -> Conduct Centric Analysis
Forensic Tools -> Forensic Services
176. Future of Digital Forensics (cont’d)
Conduct Centric Analysis
Multi-source Evidence Acquisition
Relationship Analysis
Intuitive Analysis
Automatic Analysis Based on the Profile
177. Future of Digital Forensics (cont’d)
Forensic Services
Parallel/Distributed Platform for
Large Data Handling
Adapting Fast Changing Device/Tools
User Mobility & Connectivity
178. Future of Digital Forensics (cont’d)
Forensic as a Service (figure slides 178 to 181; images not included)