Digital Evidence
Incident Response and Computer Forensics

"The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one of us adds a little to our knowledge of nature, and from all the facts assembled arises a certain grandeur." - Aristotle

What do you see?

Forensic
- Adj. "of, relating to, or used in courts of law or public debate or argument"; from the Latin term forensis (forum)
- "Computer Forensics" is an exceedingly poor English expression: it uses the noun "computer" as an adjective to modify the adjective "forensic" used as a noun
- Better: "Forensic Analysis of Digital Evidence"

Digital Evidence
- "Information of probative value stored or transmitted in digital form" - Federal Crime Laboratory Directors, Scientific Working Group on Digital Evidence (SWGDE)

Sources of Digital Evidence
- Open computer systems: PCs, servers, etc.
- Communication systems: telecommunications systems; transient network (content) data; non-transient (log) data
- Embedded computer systems: PDAs, cell phones, iPods, etc.

Problems with Digital Evidence
- Digital data are trivial to falsify
- Digital data are fundamentally arbitrary
- Digital data are fundamentally abstract
- Multiple layers of abstraction
- Most analysis is performed on a digital copy
- The form of digital data subjected to analysis is nearly always transformed in some way

Problems with Digital Evidence
- Storage capacity is growing rapidly: a 500-byte email is a needle in a 750 GB haystack
- Low technical literacy of the public and judiciary means that explanations of analytic methods can be misunderstood and cause confusion
- Reasonable doubt is easy to establish

Reasonable Doubt - Examples
- The Trojan Defense: Karl Schofield of Reading, UK, charged with possessing 14 depraved images
- Defense expert witness: the pictures could possibly have been downloaded by a self-deleting trojan
- Prosecutor: "The Crown would not be able to say he is the only person who knew of these images on his computer."

Reasonable Doubt - Examples
- Aaron Caffrey: when his PC took part in a DDoS attack on the Port of Houston, he said a Trojan did it
- Julian Green: similar to the Schofield case; 172 indecent pictures; 11 Trojan applications found on the PC. "I had never been in trouble before.
In cases like this it is not innocent until proved guilty, but the other way around."

CSI/FBI Survey 2005
- 80% of incidents are never reported
- "The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity"
- Trends show this percentage increasing

Incident Response
- The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference
- 80% of organizations may not report incidents, but they all must respond
- Organizations need internal investigators to triage events using established practices

Incident Types
- Theft of trade secrets
- Rights infringement
- Harassment
- Intrusion events
- Tortious interference
- Malicious code
- Embezzlement
- Child pornography
- Denial of service
- Extortion
- Inappropriate use
- Evidence of other crimes

Incident Response Lifecycle
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity

Forensic Science
- Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes
- Relating to or dealing with the application of scientific knowledge to legal problems

Digital Forensic Science
- "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." - Digital Forensic Research Workshop (2001)

Digital Forensic Science
- Analysis of computer-generated evidence
- Identification of sources of evidence
- Preservation of evidence
- Analysis of evidence
- Presentation of findings
- Methodology must be secure, controlled, repeatable and auditable
- More on methodology later

Is it time for a break yet?

Origins of Forensic Science
- 700 AD: Chinese use fingerprints for identification
- 1248 AD: first recorded application of medical knowledge to the solution of crime; the Chinese text "A Washing Away of Wrongs" contains a description of how to distinguish drowning from strangulation

Eugène François Vidocq
- Outlaw son of a baker
- In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
- Introduced record keeping, ballistics, plaster casts for footprint analysis, etc.
- Founded the first modern detective agency and credit bureau

Bertillon
- French law officer
- Anthropometry/Bertillonage: an early system of biometrics using measurements of body parts to identify perpetrators and victims
- Introduced the use of crime scene photography and mug shots

Edmond Locard
- Student of Bertillon
- Professor of forensic medicine at the University of Lyons
- Established the first crime laboratory
- Developed edgeoscopy and poroscopy
- Standard 12 points to identify a fingerprint
- Developed forensic microscopy
- Locard's Exchange Principle

Locard's Exchange Principle
Whenever two objects come into contact, a transfer of
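The Digital Forensic Science slides above require a methodology that is secure, controlled, repeatable and auditable, and the Problems with Digital Evidence slides note that digital data are trivial to falsify and that analysis is almost always performed on a copy. The following is an added example, not part of the deck, showing the check a practitioner uses to tie those two points together: hash the original medium once at acquisition, re-hash every working copy before analysis, and append each check to an audit record. The evidence bytes, the examiner name and the JSON audit line format are constructed for the illustration.

```python
"""Integrity verification of a forensic working copy.

Added illustration for the "Preservation of Evidence" step: the original
medium is hashed once at acquisition, every working copy is re-hashed and
compared, and each check is appended to an audit (chain-of-custody) record.
The evidence bytes below are constructed for the example; nothing here is
taken from a real case.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit image of a seized medium.
ORIGINAL_IMAGE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                  + b"From: alice@example.test\r\nSubject: Q3 figures\r\n"
                  + b"\x00" * 4096)

CHUNK = 1 << 16  # hash in 64 KiB pieces so large images need not be held whole


def hash_image(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests plus the size of an image.

    MD5 is kept only because many older acquisition reports list it; the
    SHA-256 value is the one a verification should rely on.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": len(data)}


def verify_copy(acquisition_record: dict, copy_data: bytes) -> bool:
    """True only if the size and every recorded digest match the working copy."""
    current = hash_image(copy_data)
    return all(current[k] == acquisition_record[k] for k in ("size", "md5", "sha256"))


def custody_entry(examiner: str, action: str, record: dict, ok: bool) -> str:
    """One JSON line for the audit trail: who, when, what, and the result."""
    return json.dumps({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "sha256": record["sha256"],
        "verified": ok,
    }, sort_keys=True)


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`: the kind of change a reviewer cannot see by eye."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Run the acquisition/verification sequence and report the outcomes."""
    record = hash_image(ORIGINAL_IMAGE)                  # taken at acquisition
    faithful_copy = bytes(ORIGINAL_IMAGE)                # bit-for-bit copy
    altered_copy = tamper(ORIGINAL_IMAGE, 70)            # one bit changed in the email header
    results = {
        "faithful": verify_copy(record, faithful_copy),
        "altered": verify_copy(record, altered_copy),
        "truncated": verify_copy(record, ORIGINAL_IMAGE[:-1]),
    }
    log = [custody_entry("examiner-1", "verify working copy", record, v)
           for v in results.values()]
    return {"record": record, "results": results, "log": log}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["results"]))
    print("\n".join(out["log"]))
```

Only the faithful copy verifies; a single flipped bit or a missing trailing byte fails the check, which is exactly why the hash taken at acquisition, and not the examiner's memory of the copy, is what gets presented. Recording both digests and the size in the same audit line keeps the check repeatable by a second examiner.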