Evidentiary Methods I Incident Response Computer Forensics BACS 371


Page 1

Evidentiary Methods I
Incident Response

Computer Forensics
BACS 371

Page 2

The Nature of Computer Evidence

“Evidence is what distinguishes a hypothesis from a groundless assertion.”

• Determining what is actually the crime
• Too many potential suspects
• Too much potential evidence
• Evidence is easily contaminated
• Contaminating some evidence may ruin all evidence

Page 3

Computer Forensics…

is the discipline of acquiring, preserving, retrieving, and presenting electronic data.

Three C’s of evidence:
• Care
• Control
• Chain of Custody

Page 4

Computer Forensics Investigation Process

1. Intelligence – Basic understanding of issues surrounding the incident
2. Hypothesis Formulation – Formulated with regard to the “5 Ws”
3. Evidence Collection – Supporting and non-supporting
4. Testing – Support or refute the hypothesis
5. Conclusion

Page 5

Computer Security Incident

Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.

• Theft of trade secrets
• Email spam or harassment
• Unlawful or unauthorized intrusion into computing systems
• Embezzlement
• Possession or dissemination of child pornography
• Denial-of-service (DoS) attacks
• Tortious interference with business relations
• Extortion
• Any unlawful action when the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes

Page 6

Events may include…

• Violations of public law
• Actionable in criminal or civil proceedings
• Grave impact on an organization’s reputation and its business operations
• Intense pressure, time, and resource constraints

Page 7

Goals of Incident Response

• Prevents a disjointed, non-cohesive response
• Confirms or dispels whether an incident occurred
• Promotes accumulation of accurate information
• Establishes controls for handling evidence
• Protects privacy rights
• Minimizes disruptions to business
• Allows for criminal and civil action
• Provides reports and recommendations
• Provides rapid detection and containment
• Minimizes compromise of proprietary data
• Protects the organization’s reputation and assets
• Educates senior management
• Promotes rapid detection and/or prevention of future incidents

Page 8

Components of Incident Response

Page 9

Seven Major Components of Incident Response

1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution

Page 10

Components of Incident Response: Pre-incident preparation

Proactive measures taken before an incident to ensure assets and information are protected

Detection of incidents
• Report by end user
• Report by system administrator
• Internal detection system
• Incident response checklist

Page 11

Incident Response Checklist

Incident Number: ____________________    Date: _______________

Initial Response Checklist

Contact Information

Your Contact Information: Name, Department, Telephone, Other Telephone, Email

Individual Reporting Incident*: Name, Department, Telephone, Other Telephone, Email
*If the contact information is the same as the individual above, please leave blank

Incident Detection
Type of incident: Denial of Service / Virus / Hoax / Unauthorized Access / Unauthorized Use of Computer Resources / Theft of Intellectual Property / Other (describe):

Location of Incident
Describe the physical security at the site: Are there locks? Alarm systems?
Who is in charge of the physical security at the site?

How the incident was detected

Is the information concerning the incident stored in a protected, tamper-proof manner?

System Details
System Information: Make/Model of System, Operating System

Page 12

Components of Incident Response: Initial Response

Interviewing
• System administrator
• Personnel
• Suspect

Review
• Internal detection system report
• Network logs
• Access control

Formulate a Response Strategy

Page 13

Investigate the Incident

Data Collection – Sound forensic methods

Host-Based Information
• System date/time
• Applications currently running
• Open network connections and ports
• Applications listening on ports

• Initial live response – volatile data
• In-depth response – log files
• Full live response – live forensic analysis

Page 14

Request for Forensic Examination

http://www.rmrcfl.org/Downloads/Documents/Shaded%20PDF.pdf

Page 15

Performing Forensic Analysis

Page 16

Forensic Analysis

Reviewing all data collected
• Log files
• System configuration files
• Trust relationships
• Web browser history files
• Email messages
• Installed applications
• Graphics files

Techniques include
• Software analysis
• Review time/date stamps
• Keyword searches
• Review free space, deleted files, slack space

Page 17

Components of Incident Response: Reporting
• Document immediately
• Write concisely and clearly
• Use a standard format
• Employ technical editors

Resolution
• Prevent further damage
• Return to secure, healthy operational status
• Apply countermeasures and update security standards

Page 18

The Five Mistakes of Incident Response
• Not having a plan
• Failing to increase monitoring and surveillance
• Being unprepared for a court battle
• Putting it back the way it was
• Not learning from mistakes

Page 19

Basic Forensic Methodology

• Acquire the evidence – maintain chain of custody
• Authenticate that it is the same as the original
• Analyze the data without modifying it

Page 20

Evidence Handling Process

Page 21

E-Evidence Acquisition and Authentication Objectives†

• Document the scene, evidence, activities, and findings
• Acquire the evidence
• Authenticate the copy
• Analyze and filter evidence
• Be objective and unbiased
• Present the evidence and an evaluation of the findings in an understandable and legally acceptable manner

†Volonino, p. 85

Page 22

NYS Police Forensic Procedures

Stage | Tools | Discussion

Seizing the computer | None | Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).

Backup | Safeback, Expert Witness, Snapback | Backup is done using one of the listed tools. A case file is created on an optical disk (CD).

Evidence extraction | Expert Witness | The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence.

(Continued)

Page 23

NYS Police Forensic Procedures (Cont.)

Stage | Tools | Discussion

Case creation | Expert Witness | The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media.

Case analysis | None | Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.

Correlation of computer events | None | Timeline, order of events, related activities, and contradictory evidence are the components of this stage.

(Continued)

Page 24

NYS Police Forensic Procedures (Cont.)

Stage | Tools | Discussion

Correlation of noncomputer events | None | Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.

Case presentation | Standard Office | Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.
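The two correlation stages above (computer events and noncomputer events) come down to putting records from different clocks onto one timeline and looking for contradictions. The following is an added example, not material from the slides or the NYS Police procedure: every record, hostname, user name and timestamp is constructed, and the badge-out rule is one illustrative contradiction check.

```python
from datetime import datetime, timedelta, timezone

# Constructed records: (source, raw timestamp, UTC offset in hours, actor, event).
# Each source keeps time in its own format and zone, as real collections do.
RAW_RECORDS = [
    ("webserver access.log", "10/Mar/2006:14:02:11", 0, "10.0.0.5", "GET /payroll/export.csv"),
    ("workstation event log", "2006-03-10 09:01:55", -5, "jdoe", "interactive logon on WS-17"),
    ("file system (MFT)", "1141999410", 0, "jdoe", "export.csv created on WS-17"),
    ("badge system", "03/10/2006 08:40", -5, "jdoe", "badge-out, building exit"),
]

FORMATS = {
    "webserver access.log": "%d/%b/%Y:%H:%M:%S",
    "workstation event log": "%Y-%m-%d %H:%M:%S",
    "badge system": "%m/%d/%Y %H:%M",
}

def to_utc(source, raw, offset_hours):
    """Normalise one raw timestamp to an aware UTC datetime."""
    if source == "file system (MFT)":              # epoch seconds are already UTC
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    local = datetime.strptime(raw, FORMATS[source])
    return local.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)

def build_timeline(records):
    """Single ordered timeline of (utc time, source, actor, event)."""
    return sorted((to_utc(s, t, o), s, a, e) for s, t, o, a, e in records)

def contradictions(timeline):
    """Flag on-site workstation activity by an actor the badge system says had left."""
    off_site, flagged = {}, []
    for when, source, actor, event in timeline:
        if source == "badge system":
            if event.startswith("badge-out"):
                off_site[actor] = when
            else:                                   # badge-in clears the flag
                off_site.pop(actor, None)
        elif actor in off_site and "on WS-" in event:
            note = "%s badged out at %s UTC" % (actor, off_site[actor].strftime("%H:%M"))
            flagged.append((when, actor, event, note))
    return flagged

if __name__ == "__main__":
    for when, source, actor, event in build_timeline(RAW_RECORDS):
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), source, actor, event, sep=" | ")
    for when, actor, event, note in contradictions(build_timeline(RAW_RECORDS)):
        print("CONTRADICTION:", event, "but", note)
```

A flagged row is a lead, not a finding: the next step is to check the badge reader's own clock against the workstation's before drawing a conclusion.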

Page 25

Computer Evidence Worksheet

Page 26

Digital Photos

Page 27

Evidence Tag

• Place or person from whom item was received
• If item requires consent for search
• Description of items taken
• Information contained on storage device
• Date and time item was taken
• Full name and signature of individual initially receiving evidence
• Case and tag number

Page 28

Evidence Label

• Case Number and Evidence Tag Number
• Date and Time the evidence was collected
• Brief Description of items in envelope

Page 29

Evidence Log

Case Number: 123412

Tag # | Date | Action | Taken By | Location
1 | 13 Jan 01 | Initial Submission | Matt Pepe | Maxtor 60GB (593843420)
1 | 15 Mar 01 | Moved evidence to tape | Matt Pepe | 4mm tape #01101
1 | 15 Mar 01 | Examined Evidence using EnCase | Matt Pepe | FRED #7

• Evidence Tag Number
• Date
• Action Taken
• Person performing action
• Identifying information

Page 30

Documentary Evidence¹

• Chain of custody of documents
• Marking of evidence
• Organization of documentary evidence
• Rules concerning original versus copies of documents

¹Albrecht, Albrecht, Albrecht, Fraud Examination 2e, Thompson South-Western, 2006, p. 226

Page 31

Chain of Custody Procedures

• Record or Evidence Lot Release
• Dates recorded
• Access to Evidence restricted
• Original Hard Drive placed in Locker
• All forensics performed on bit stream copies
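The Basic Forensic Methodology slide (acquire, authenticate, analyze without modifying), the Evidence Log slide and the chain of custody procedures above describe one workflow. The following is an added example, not code from the slides or any tool they name: it hashes a constructed "drive", works only on a bit-stream copy, re-hashes to prove the copy still matches, and records each step as a Tag # / Date / Action / Taken By / Location row. The case number, examiner and locations are placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class EvidenceLog:
    case_number: str
    entries: list = field(default_factory=list)   # (tag, date, action, taken_by, location)

    def record(self, tag, action, taken_by, location):
        when = datetime.now(timezone.utc).strftime("%d %b %y %H:%M:%SZ")
        self.entries.append((tag, when, action, taken_by, location))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(original: bytes, log: EvidenceLog, tag: int, examiner: str, source: str):
    """Bit-stream copy: every byte of the source is read, nothing is written to it.
    Returns the working copy and the hash of the original taken at acquisition."""
    original_hash = sha256_hex(original)
    working_copy = bytes(original)   # stand-in for the output file of dd or an imaging tool
    log.record(tag, "Hashed original, SHA-256 " + original_hash[:12] + "...", examiner, source)
    log.record(tag, "Bit-stream copy to working image", examiner, "Examiner workstation")
    return working_copy, original_hash

def authenticate(working_copy: bytes, original_hash: str) -> bool:
    # The copy stands in for the original only while its hash still matches.
    return sha256_hex(working_copy) == original_hash

def keyword_hits(working_copy: bytes, keyword: bytes) -> list:
    """Read-only analysis step: byte offsets of a keyword in the working copy."""
    hits, start = [], 0
    while True:
        i = working_copy.find(keyword, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1

# Constructed sample "drive": two filler sectors with a planted file name.
SAMPLE_DRIVE = b"\x00" * 512 + b"invoice-4711.pdf" + b"\xff" * 512 + b"invoice-4711.pdf"

def run_case():
    log = EvidenceLog(case_number="CASE-PLACEHOLDER")
    copy, orig_hash = acquire(SAMPLE_DRIVE, log, 1, "Examiner A", "Seized drive, locker 3")
    verified = authenticate(copy, orig_hash)
    hits = keyword_hits(copy, b"invoice-4711.pdf")
    log.record(1, "Keyword search, %d hits" % len(hits), "Examiner A", "Examiner workstation")
    tampered = copy[:600] + b"X" + copy[601:]   # one changed byte: no longer authenticates
    return verified, authenticate(tampered, orig_hash), hits, log
```

Re-running authenticate() before and after each analysis session is what turns "all forensics performed on bit stream copies" into something an examiner can demonstrate in court.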

Page 33

Admissibility of Computer Forensic Evidence

A forensic examiner’s qualifications can be challenged, or the tools or methodologies used in a forensic investigation can be objected to.

• Whether the theory or technique has been tested
• Whether it has been subjected to peer review and publication
• The known or potential error rate
• The general acceptance of the theory in the scientific community
• Whether the proffered testimony is based upon the expert’s special skill

Page 34

Maintaining a Defensible Approach

• Performed in accordance with forensic science principles
• Based on standards or current best practices
• Conducted with verified tools
• Conducted by individuals who are certified
• Documented thoroughly

Page 35

Problems with Poorly Collected Evidence¹

If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented.

If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in the jury members’ minds.

¹Scene of the Cybercrime, Shinder & Tittel, p. 546

Page 36

Evidence Disposition

Initial Disposition
• After final report completed
• Dispose of working copies
• Maintain “best evidence”

Final Disposition
• 5 years from date case was opened
• Unless…