COEN 252
Collection of Evidence
Thomas Schwarz, S.J., SCU Comp. Eng., 2004

Ethical and Legal Requirements for Collecting Evidence
• Expectations of privacy
  – Stem from the customs of the society.
  – Are an ethical right.
  – Are legally protected.
  – Can be modified or removed by company policy.

Ethical and Legal Requirements for Collecting Evidence
• Stated monitoring policy
  – Removes most legal and ethical problems.
  – Can explain the reasons behind the policy.
  – Can be formulated and discussed in advance instead of being a reaction in the heat of the moment.
  – Can be (or its existence can be) advertised on login banners, which apply even to intruders through the indirect consent doctrine.

Ethical and Legal Requirements for Collecting Evidence
• Monitoring and logging:
  – Results in computer records that are probably business records, which makes it easy to admit them directly into evidence.
  – If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.

Evidence
Computer evidence must be
• Admissible.
• Authentic.
• Complete.
• Reliable.
• Believable and understandable.

Logging
• It's cheap and easy.
• Intruders are not always successful in erasing their traces.
• Log records become business records and are more easily admitted into evidence.
• Ideally, logs are kept on write-once, read-many (WORM) devices.
• In reality, one can come close to WORM.

Volatility
• Volatility: evidence can degrade.
• Example: evidence in RAM does not survive a power-off.
• Example: network status changes when connections are closed and new ones opened.

Volatility
Degrees of volatility
1. Memory
2. Running processes
3. Network state
4. Permanent storage devices

Reacting to Volatility
• Plan
  – What evidence are you looking for?
  – Where can it be found?
  – How do you get it?

Reacting to Volatility
• Unplug the power plug (battery)
  – Destroys volatile evidence.
  – Preserves stored evidence completely, as it was at the point of seizure.

Reacting to Volatility
• Graceful shutdown
  – Destroys volatile evidence.
  – Alters system files.
  – Allows clean-up software to run.

Reacting to Volatility
• Unplug the network cable
  – Removes an intruder's access to the system.
  – Alerts the intruder.
  – Dead man switch programs can destroy evidence.

Reacting to Volatility
• Live examination
  – An intruder with root privileges can watch.
  – System tools can be trojaned, including booby-trapped.
  – Use forensics tools on floppy / CD.

Reacting to Volatility
• Know the trade-offs.
• There are no good reasons for a graceful shutdown.
• If doing a live investigation, then monitor the network first.

Documentation and Chain of Custody
• Document each step in a forensics procedure.
  – Best if automatically generated.
• Use forensically sound tools.
• "Two pairs of eyes" integrity rule for data gathering.
• Best: a clear procedural policy.

Do Not Alter Evidence
Evidence can be easily and inadvertently altered by the forensics procedure:
• Use of improper tools like tar that alter file access times.
• Trojaned system utilities.
• Dead man switch
  – an intruder tool that changes files when the computer is no longer connected to the internet
• System Shutdown and
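As an added example that is not part of the original slides, the Python script below applies the "document each step", "two pairs of eyes" and "do not alter evidence" points to a single file: it records the file's metadata before the first read, hashes it, copies it and verifies the copy, then re-checks the metadata and reports which fields the procedure itself changed (on many Linux mounts a plain read updates atime, which is the same problem the slides raise for tar). The sample content, the names examiner-A / examiner-B and the log layout are constructed assumptions.

```python
import hashlib, os, shutil, stat, tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for a seized file (not real data).
SAMPLE_EVIDENCE = b"constructed sample: auth.log excerpt\n"

def snapshot(path):
    """Metadata that a careless procedure (e.g. tar) can silently change."""
    st = os.stat(path)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(src, dst, examiner, witness):
    """Copy src to dst and return a chain-of-custody log: one UTC-timestamped
    entry per step, each naming examiner and witness ("two pairs of eyes")."""
    log = []
    def record(step, **fields):
        log.append({"ts": datetime.now(timezone.utc).isoformat(), "step": step,
                    "examiner": examiner, "witness": witness, **fields})
    before = snapshot(src)            # record metadata before the first read
    record("stat-before", path=src, meta=before)
    digest = sha256_file(src)
    record("hash-source", path=src, sha256=digest)
    shutil.copyfile(src, dst)
    copy_digest = sha256_file(dst)    # verify the working copy matches the original
    record("verify-copy", path=dst, sha256=copy_digest, match=copy_digest == digest)
    after = snapshot(src)             # did our own procedure alter the original?
    record("stat-after", path=src,
           changed=sorted(k for k in before if before[k] != after[k]))
    return log

def demo():
    """Run the procedure on the constructed sample in a temp dir; returns the log."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.copy")
    with open(src, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    return acquire(src, dst, examiner="examiner-A", witness="examiner-B")
```

A non-empty "changed" list in the last entry is the signal that the acquisition step itself touched the original; with a write-blocked or noatime mount it should stay empty.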