Practical Application of Computer Forensics
Lisa Outlaw, CISA, CISSP, ITIL Certified
Overview
Definition of Computer Forensics
Computer Forensics & IT Auditing
Why We Need Computer Forensics
The Process (Do's & Don'ts)
  Identification
  Collection of Evidence
  Required Documentation
  Imaging
  Examination
  Report Preparation
  Returning of Evidence
Definition of Computer Forensics
Computer forensics involves the:
Identification
Collection
Preservation
Examination, and
Analysis of digital information
Digital information becomes digital evidence.
What is Digital Evidence?
Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.
Computer Forensic Examination
The computer forensic examination is:
Locating digital evidence
Ensuring that the evidence can withstand close scrutiny or a legal challenge.
Computer Forensics & IT Audit
Incorporate computer forensic services
Cases are requiring computer forensics
IT Auditors have:
authority
technical know-how
Reasons for Computer Forensic Services
Inappropriate Use of State Systems
Determining a Security Breach
Detection of Disloyal Employees
Evidence for Disputed Dismissals
Malicious File Identification
Theft of Information Assets
Forgeries of Documents
The Process
(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence
Identification
IT AUDITOR'S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.
CLIENT'S ROLE (ex. State University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.
Collection of Evidence
• IT AUDITOR'S ROLE
– Help the client secure the computer to be examined
– Require and complete the necessary forms
– Securely collect the computer from the client
• CLIENT'S ROLE
– Ensure that the computer to be examined remains secure until collected
– Notify appropriate personnel
– Complete the Chain of Custody Form
Collection of Evidence – (Do's & Don'ts)
Do not disturb the computer in question.
If the computer is off, leave it off.
If the computer is on, leave it on.
Do not run any programs on the computer.
Do not make any changes.
Do not insert anything into the computer.
Secure the computer.
Required Documentation
Computer Forensic Request Form
Chain of Custody Form
Signatures
Disclosures and Disclaimers
Required Documentation
IT Auditor's Role:
Assign a case number
Assign a team
Record the date & time when the device was secured
Client's Role:
Document the date & time of the request
Name of the requestor
Date & time the client secured the device
Agency name
Name of the head of the agency
Required Documentation
IT Auditor's Role:
Document the hard drive serial numbers
Client's Role:
Document the computer's MAC address, static IP address, serial number, and make & model
Reason for request
Desired objectives
Approval From OSA ISA Director & Legal Counsel
We also obtain approval from both the ISA director and legal counsel before commencing Computer Forensic services.
This approval will be documented on the requisition forms and filed with the case evidence as well.
IT Auditor's Role: Sign and date the form; obtain Director and Legal Counsel approval
Client's Role: Sign and date the form; obtain Agency Head approval
Required Documentation
Additional Chain of Custody Form
The Chain of Custody form is continued on the reverse side of the Computer Forensic Request Form.
Device Serial#   FAS   Make   Model
Relinquished By:  Signature / Print Name / Reason / Date / Time
Received By:      Signature / Print Name / Reason / Date / Time
Why Are These Documents Necessary?
Collect important information
Legal aspects
"Get out of jail free" card
Imaging
• IT AUDITOR'S ROLE
– Determine where to perform the image: onsite or in the lab
• CLIENT'S ROLE
– Escort our staff to physically collect the computer from the computer's secure location.
Hardware Imaging
Imaging
Here are some of the procedures we use during imaging to ensure that the evidence collected is clearly identified and preserved:
Scan Hardcopies
We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.
Tag Evidence
We manually tag all evidence items with an assigned case number using the following naming convention:
Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#)
Connect Suspect Drive to Write Blocker
Connect the write blocker to the suspect's hard drive.
Imaging Regular Hard Drive
To image a regular sized hard drive, implement the following procedures:
Request the client to purchase a storage device.
Reduces cost
Ensure enough space is available to process the evidence.
Easy transfer of images to the client
Storage Device
Organize Evidence Information
Create the following folders on the destination drive for every case:
Case Name-Evidence Item Number (Folder)
1. Evidence (sub-folder)
   1. HDD1 (sub-folder)
   2. HDD2 (sub-folder)
2. Export (sub-folder)
3. Temp (sub-folder)
4. Index (sub-folder)
5. Drive Geometry (sub-folder)
6. Report (sub-folder)
7. Case Back-up (sub-folder)
Place all images produced in the Evidence folder.
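As an added example (not part of the presentation or the OSA's own tooling), the script below builds the per-case folder tree described above, forms the evidence tag in the slide's "Case Number-Agency Name – HDD Serial#" convention, and checks a chain of custody log of the kind kept on the form shown earlier for breaks in continuity (a hand-off whose "Relinquished By" is not the previous "Received By", or a hand-off dated before the one it follows). Case names, people and timestamps are constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime
# Sub-folders named on the "Organize Evidence Information" slide.
CASE_SUBFOLDERS = ["Evidence/HDD1", "Evidence/HDD2", "Export", "Temp",
                   "Index", "Drive Geometry", "Report", "Case Back-up"]

def evidence_tag(case_number, agency, hdd_serial):
    """Tag in the slide's convention: Case Number-Agency Name - HDD Serial#."""
    return f"{case_number}-{agency} - {hdd_serial}"

def create_case_tree(root, case_name, item_number):
    """Create '<Case Name>-<Evidence Item Number>' and its sub-folders; return their paths."""
    base = os.path.join(root, f"{case_name}-{item_number}")
    paths = [os.path.join(base, sub) for sub in CASE_SUBFOLDERS]
    for p in paths:
        os.makedirs(p, exist_ok=True)
    return paths

@dataclass
class CustodyEntry:  # one line of the chain of custody form
    relinquished_by: str
    received_by: str
    when: datetime
    reason: str

def custody_gaps(entries):
    """Each hand-off must start with the previous receiver and not predate the previous entry."""
    problems = []
    for i in range(1, len(entries)):
        prev, cur = entries[i - 1], entries[i]
        if cur.relinquished_by != prev.received_by:
            problems.append(f"entry {i}: {cur.relinquished_by!r} relinquished, but {prev.received_by!r} last received")
        if cur.when < prev.when:
            problems.append(f"entry {i}: dated before the previous hand-off")
    return problems

def sample_custody_log():
    """Constructed sample: the third line names the wrong relinquisher and an earlier time."""
    return [
        CustodyEntry("Agency IT Manager", "IT Auditor", datetime(2008, 4, 1, 9, 0), "Collected from agency"),
        CustodyEntry("IT Auditor", "Lab Analyst", datetime(2008, 4, 1, 11, 0), "Delivered for imaging"),
        CustodyEntry("Lab Tech", "Evidence Locker", datetime(2008, 4, 1, 10, 0), "Stored after imaging"),
    ]

def demo_case_tree():
    """Build the tree under a scratch directory (hypothetical case name); report which folders exist."""
    root = tempfile.mkdtemp()
    return [os.path.isdir(p) for p in create_case_tree(root, "01-2008-04-State University", 1)]
```

Running `custody_gaps(sample_custody_log())` reports two problems on the third line, which is exactly what a reviewer would have to explain if the form were challenged in court.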
Use FTK Imager
Create the image using FTK Imager.
Through experience, we have found this to be one of the easiest and most portable tools for creating images. Also, this image can be used in both FTK and EnCase.
Image Physical Drive
Always image the physical drive.
Imaging A RAID Server
Redundant Array of Inexpensive Disks
Have the systems administrator help you review the RAID information. You need to gather the following information:
Stripe size
Element order (disk order)
Element size, and whether it is a RAID 1, 5, etc.
Right hand, left hand, forward, back, or dynamic disk.
Imaging A RAID Server (con't)
RAID Reconstructor
Examination/Analysis
Remove the hard drive from the write block device.
Reassemble the computer.
Ensure evidence remains tagged.
FTK
FTK can take a few days to process your image.
During this time, we return to our normal audit work.
Run keyword searches (obtain them from the client).
Review corroborating evidence: emails, surveillance video, DVDs & CDs.
EnCase
Do not answer or provide additional information to agency personnel.
Agency personnel can accidentally leak information.
Forensic Report
The IT Auditor will issue a report to appropriate personnel once the examination is completed.
If court action is anticipated, inform the Agency Head to preserve the original evidence if possible.
If the original evidence cannot be preserved, NC Court Rules of Evidence allow for the image to be admitted as evidence.
Questions?