Digital Evidence - Incident Response and Computer Forensics

Outline of slides:
- Digital Evidence: Incident Response and Computer Forensics
- What do you see?
- Forensic
- Digital Evidence
- Sources of Digital Evidence
- Problems with Digital Evidence
- Slide 7
- Reasonable Doubt - Examples
- Slide 9
- CSI/FBI Survey 2005
- Incident Response
- Incident Types
- Incident Response Lifecycle
- Forensic Science
- Digital Forensic Science
- Digital Forensic Science
- Is it time for a break yet?
- Origins of Forensic Science
- Eugène François Vidocq
- Bertillon
- Edmond Locard
- Locard's Exchange Principle
- Slide 23
- Attributes affecting data fidelity
- Basic Methodology - APIEP
- Methodology - Saferstein
- Investigative Process Model - Casey
- IR Methodology - Mandia & Prosise
- Pre-Incident Preparation
- Incident Detection
- Initial Response
- Formulate Response Strategy
- Taking Action
- Handling Internal Employees
- Data Collection
- Analysis and Reporting
- Incident Timeline
- Summary - Incident Response

Digital Evidence: Incident Response and Computer Forensics
"The search for truth is in one way hard and in another easy - for it is evident that no one of us can master it fully, nor miss it wholly. Each one of us adds a little to our knowledge of nature, and from all the facts assembled arises a certain grandeur." - Aristotle

What do you see?

Forensic
- Adj. - "of, relating to, or used in courts of law or public debate or argument". From the Latin term forensis (forum)
- Computer Forensics - Exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun
- "Forensic Analysis of Digital Evidence"

Digital Evidence
- "Information of probative value stored or transmitted in digital form" - Federal Crime Laboratory Directors, Scientific Working Group on Digital Evidence (SWGDE)

Sources of Digital Evidence
- Open Computer Systems - PCs, Servers, etc.
- Communication Systems - Telecommunications Systems; Transient Network (content) Data; Non-transient (log) Data
- Embedded Computer Systems - PDAs, Cell Phones, iPods, etc.

Problems with Digital Evidence
- Digital data are trivial to falsify
- Digital data are fundamentally arbitrary
- Digital data are fundamentally abstract
- Multiple Layers of Abstraction
- Most analysis is performed on a digital copy
- The form of digital data subjected to analysis is nearly always transformed in some way

Problems with Digital Evidence
- Storage capacity is growing rapidly - 500 byte email = needle in a 750 GB "hay stack"
- Low technical literacy of the public & judiciary means that explanations of analytic methods can be misunderstood and cause confusion
- Reasonable doubt is easy to establish

Reasonable Doubt - Examples
- The Trojan Defense - Karl Schofield of Reading UK - Charged with possessing 14 depraved images
- Defense Expert Witness - Pictures could possibly be downloaded by a self-deleting trojan
- Prosecutor - "The Crown would not be able to say he is the only person who knew of these images on his computer."

Reasonable Doubt - Examples
- Aaron Caffrey - when his PC took part in a DDoS attack on the Port of Houston, said a Trojan did it
- Julian Green - Similar to Schofield case - 172 indecent pictures - 11 Trojan applications found on PC - "I had never been in trouble before. In cases like this it is not innocent until proved guilty, but the other way around."

CSI/FBI Survey 2005
- 80% of Incidents are never reported
- "The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity"
- Trends show this percentage increasing

Incident Response
- The practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference
- 80% of organizations may not report incidents, but they all must respond
- Organizations need internal investigators to triage events using established practices

Incident Types
- Theft of Trade Secrets
- Rights Infringement
- Harassment
- Intrusion Events
- Tortious Interference
- Malicious Code
- Embezzlement
- Child Pornography
- Denial of Service
- Extortion
- Inappropriate Use
- Evidence of other crimes

Incident Response Lifecycle
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post Incident Activity

Forensic Science
- Belonging to courts of judicature or to public discussion and debate; used in legal proceedings or public discussions; argumentative; rhetorical; as, forensic eloquence or disputes
- Relating to or dealing with the application of scientific knowledge to legal problems

Digital Forensic Science
- "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." - Digital Forensic Research Workshop (2001)

Digital Forensic Science
- Analysis of Computer Generated Evidence
- Identification of Sources of Evidence
- Preservation of Evidence
- Analysis of Evidence
- Presentation of Findings
- Methodology must be secure, controlled, repeatable and auditable
- More on methodology later

Is it time for a break yet?

Origins of Forensic Science
- 700 AD - Chinese use fingerprints for ID
- 1248 AD - First recorded application of medical knowledge to the solution of crime - Chinese text "A Washing Away of Wrongs" contains a description of how to distinguish drowning from strangulation

Eugène François Vidocq
- Outlaw son of a Baker
- In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
- Introduced record keeping, ballistics, plaster casts for footprint analysis, etc.
- Founded the first modern detective agency and credit bureau

Bertillon
- French Law Officer
- Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims
- Introduced use of crime scene photography and mug shots

Edmond Locard
- Student of Bertillon
- Professor of forensic medicine at the University of Lyons
- Established the First Crime Laboratory
- Developed Edgeoscopy and Poreoscopy
- Standard 12 Points to ID a fingerprint
- Developed Forensic Microscopy
- Locard's Exchange Principle

Locard's Exchange Principle
- Whenever two objects come into contact, a transfer of
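The Digital Forensic Science slides require that preservation be "secure, controlled, repeatable and auditable", and the Problems with Digital Evidence slides note that data are trivial to falsify and that analysis is nearly always done on a copy. The standard practitioner answer to both is to hash the acquired image at acquisition time, record the digests in a chain-of-custody log, and re-verify every working copy before analysis. The following is an added example in Python, not code from the slides or from any named tool; the case identifier, examiner names, the 512-byte "sector" size used for piecewise hashing, and the sample image bytes are all constructed for the demo.

```python
"""Evidence preservation check: hash an acquired image, record it in a
chain-of-custody log, and verify a working copy against that record.
Piecewise (per-sector) hashes localize any modification to a chunk index.
Added example; all identifiers and data below are constructed."""
import hashlib
from datetime import datetime, timezone

# Chunk size for piecewise hashing (assumption for the demo: one 512-byte sector).
CHUNK_SIZE = 512


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Digest the same bytes with more than one algorithm so a single
    weak-hash collision cannot silently pass verification."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def piecewise_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """SHA-256 of each fixed-size chunk; lets a later mismatch be localized."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def acquire(image: bytes, case_id: str, examiner: str, source: str) -> dict:
    """Create the custody record with acquisition hashes as its first entry."""
    return {
        "case_id": case_id,
        "source": source,
        "size": len(image),
        "acquisition_hashes": hash_bytes(image),
        "chunk_size": CHUNK_SIZE,
        "piecewise_sha256": piecewise_hashes(image),
        "custody_log": [{
            "action": "acquired",
            "by": examiner,
            "at": datetime.now(timezone.utc).isoformat(),
        }],
    }


def verify(record: dict, working_copy: bytes, examiner: str) -> bool:
    """Re-hash a working copy and compare with the acquisition digests.
    Every verification, pass or fail, is appended to the log so the
    record itself shows who checked what and when (auditable)."""
    observed = hash_bytes(working_copy)
    ok = (len(working_copy) == record["size"]
          and observed == record["acquisition_hashes"])
    record["custody_log"].append({
        "action": "verified" if ok else "VERIFICATION FAILED",
        "by": examiner,
        "at": datetime.now(timezone.utc).isoformat(),
        "observed_hashes": observed,
    })
    return ok


def locate_changed_chunks(record: dict, working_copy: bytes) -> list:
    """Return the indices of chunks whose hash differs from the acquisition
    piecewise hashes; extra or missing trailing chunks are flagged too."""
    expected = record["piecewise_sha256"]
    current = piecewise_hashes(working_copy, record["chunk_size"])
    n = max(len(expected), len(current))
    return [i for i in range(n)
            if i >= len(expected) or i >= len(current) or expected[i] != current[i]]


# Constructed stand-in for an acquired disk image: 8 "sectors" of 512 bytes.
SAMPLE_IMAGE = bytes(range(256)) * 16


def demo() -> dict:
    """Acquire the sample image, then verify a clean copy and a tampered copy."""
    record = acquire(SAMPLE_IMAGE, "CASE-0001 (constructed)",
                     "examiner A (constructed)", "laptop HDD (constructed)")
    clean_copy = bytes(SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[1500] ^= 0xFF          # one byte altered inside sector 2 (1500 // 512 == 2)
    tampered = bytes(tampered)
    return {
        "clean_ok": verify(record, clean_copy, "examiner B (constructed)"),
        "tampered_ok": verify(record, tampered, "examiner B (constructed)"),
        "changed_chunks": locate_changed_chunks(record, tampered),
        "log_entries": len(record["custody_log"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: the whole-image digest is what goes in the report (the "repeatable" check anyone can redo with a standard tool), while the piecewise digests are the analyst's aid for explaining exactly where a copy diverged, which is the kind of concrete, explainable finding the slides say a non-technical audience needs. Recording failures in the log rather than raising an exception keeps the history of every check with the evidence.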
NOVA ITE 100 - Digital Evidence