
Forensic readiness: Preparing for the worst, and how to contain it. Campbell Murray, Technical Director, Encription Limited, 09 July 2014


Page 1:

Forensic readiness: Preparing for the worst, and how to contain it.

Campbell Murray, Technical Director, Encription Limited, 09 July 2014

Page 2:

Who?

• Campbell Murray

• Technical Director @ Encription

• > 16 years IT security experience

• Offensive and Defensive

• CESG CHECK Team Leader

• Expert Witness

09/07/2014

Page 3:

Forensic Readiness

• “… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”

• Forensic readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you have done all you can to prepare for that situation.

Page 4:

Forensic Readiness

• Events vs. Incidents

• An “event” is a noticeable change to a system, environment, process, workflow or person.

• An “incident” is an event that has a root human cause.

• Therefore, all incidents are events, but not all events are incidents.

Page 5:

Forensic Readiness

• All DF investigations start with an incident

• Crime, e.g. murder

• Malware attack

• Loss of data

• Misconduct

• Confidential information breach

• Loss of money

• Other digital incident

Page 6:

Forensic Readiness

• Early actions are critical

• DF is dynamic and situation dependent

• As an investigation progresses, often further information/evidence comes to attention which may alter focus.

• e.g. If evidence of a more serious breach comes to light, it will change the scale and focus of the investigation

Page 7:

Forensic Readiness

• Lots to consider when planning each case.

• Hard to define which is most important:

• Right people?

• Who can you trust?

• Confidentiality?

• Initial assessment?

• Risk?

Page 8:

Forensic Readiness

• DFS: Digital Forensics Strategy

• What, how, who, why, where?

• Form a hypothesis

• Formulate all the possible scenarios

• The hypothesis defines the strategy

• What/who to investigate

• Must be flexible - escalation

• Document the strategy!

Page 9:

Forensic Readiness

• Steps of the strategy

• What is ‘ideal’ evidence

• A document, an email, an image

• What supports your hypothesis

• Is it financially viable?

• Does the investigation cost outweigh the incident?

Page 10:

Forensic Readiness

• Where would ideal evidence be found in each case?

• Phone?

• Email trail?

• Presence/Absence from premises?

• etc.

• Focus investigation in these areas first.

Page 11:

Forensic Readiness

• Define the ‘Window of Opportunity’

• Narrow down the investigation to a time frame

• Speed

• Accuracy

• Strategy
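The "where is the ideal evidence" and "window of opportunity" steps above, as an added worked example (not code from the talk or from Encription Limited): pull timestamps from the places the slides name as likely evidence (door-access records, the email trail, file system times), normalise them to one clock, and keep only what falls inside the window. The three sources, every record in them, the employee and the times are constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed records. The door system logs in local time (BST, UTC+1) while the
# mail server and file system timestamps are UTC; mixing the two without
# converting puts people in the wrong place at the wrong time.
BST = timezone(timedelta(hours=1))

DOOR_LOG = [  # (local time, person, event)
    ("2014-07-01 08:55", "jdoe", "entry"),
    ("2014-07-01 18:40", "jdoe", "exit"),
    ("2014-07-01 22:15", "jdoe", "entry"),
    ("2014-07-02 01:05", "jdoe", "exit"),
]
MAIL_LOG = [  # (UTC, sender, recipient, attachment)
    ("2014-06-30T10:00:00Z", "jdoe@corp.example", "boss@corp.example", "report.docx"),
    ("2014-07-01T21:30:00Z", "jdoe@corp.example", "personal@mail.example", "customers.xlsx"),
]
FILE_TIMES = [  # (UTC, path, action)
    ("2014-07-01T21:25:10Z", r"E:\customers.xlsx", "created on removable drive"),
]


def parse_local(s: str) -> datetime:
    """Door-system timestamp, recorded in local (BST) time."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=BST)


def parse_utc(s: str) -> datetime:
    """Server-side timestamp already in UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(start: datetime, end: datetime) -> list:
    """All events from every source inside [start, end], normalised to UTC and ordered."""
    events = []
    for t, who, ev in DOOR_LOG:
        events.append((parse_local(t).astimezone(timezone.utc), "door", f"{who} {ev}"))
    for t, sender, rcpt, att in MAIL_LOG:
        events.append((parse_utc(t), "mail", f"{sender} -> {rcpt} [{att}]"))
    for t, path, act in FILE_TIMES:
        events.append((parse_utc(t), "file", f"{path}: {act}"))
    return sorted(e for e in events if start <= e[0] <= end)


def window_events() -> list:
    """Hypothesis (assumed): the data left the building on the evening of 1 July."""
    return build_timeline(parse_utc("2014-07-01T18:00:00Z"),
                          parse_utc("2014-07-02T02:00:00Z"))


if __name__ == "__main__":
    for when, source, detail in window_events():
        print(when.isoformat(), source, detail)
```

The window throws away the morning badge-in and the routine email to the boss and leaves four events in order: an after-hours entry, a file created on a removable drive, that file emailed to a personal address, then an exit. Had the door times been read as UTC, the 22:15 entry would sort after the 21:30 email, suggesting the mail was sent before the person was on site; normalise every source to one clock before you narrow the time frame.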

Page 12:

Forensic Readiness

• Strategy defines the scope

• Where/what is the crime scene?

• Has this incident concluded, or is it ongoing?

• Observe and document

• Written notes / Photographs / Statements

• Gather evidence

• Chain of custody

Page 13:

Forensic Readiness

Page 14:

Forensic Readiness

• Chain of Custody case study

• Employee suspected of exfiltrating data

• Put on suspension pending investigation

• Laptop / Phone seized

• IT department all 'have a look'

• No record of who did what

• No legal case could be built, despite evidence

• Employee compensated!
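The two records the case study above (and the "chain of custody" step on page 12) needed, as an added example that is not code from the talk or from Encription Limited: a fingerprint of the seized item taken before anyone examines it, and an append-only log of who handled it, when and why, where each entry also commits to the entry before it. The exhibit bytes, the people, the times and the field names are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence bytes (in practice, of the forensic image)."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class CustodyLog:
    """Append-only custody record for one exhibit (field names are assumed)."""
    item_id: str
    evidence_hash: str            # taken at seizure, before anyone examines the item
    entries: list = field(default_factory=list)

    def record(self, who: str, action: str, when: str, reason: str) -> dict:
        # Each entry commits to the one before it (or to the seizure hash), so a
        # deleted, inserted or reordered "IT had a look" cannot go unnoticed.
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        body = {"item_id": self.item_id, "who": who, "action": action,
                "when": when, "reason": reason, "prev_hash": prev}
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self, data: bytes) -> bool:
        """True only if the exhibit still matches its seizure hash and no entry was altered."""
        if fingerprint(data) != self.evidence_hash:
            return False
        prev = self.evidence_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed sample standing in for the image of the seized laptop.
LAPTOP_IMAGE = b"constructed stand-in for an NTFS image of exhibit EXH-001"


def build_demo_log() -> CustodyLog:
    """The record the case study lacked: who seized and who imaged the exhibit, and when."""
    log = CustodyLog(item_id="EXH-001", evidence_hash=fingerprint(LAPTOP_IMAGE))
    log.record("A. Smith (IT)", "seized laptop, bagged and sealed",
               "2014-07-01T09:10:00Z", "employee suspended, suspected exfiltration")
    log.record("B. Jones (first responder)", "imaged disk through write blocker",
               "2014-07-01T11:30:00Z", "preserve evidence before analysis")
    return log


def detects_altered_exhibit() -> bool:
    """Someone 'has a look' and the item no longer matches its seizure hash."""
    return not build_demo_log().verify(LAPTOP_IMAGE + b" (modified by an undocumented look)")


def detects_rewritten_entry() -> bool:
    """Someone retroactively changes who handled the exhibit; the hash chain breaks."""
    log = build_demo_log()
    log.entries[0]["who"] = "unknown"
    return not log.verify(LAPTOP_IMAGE)


if __name__ == "__main__":
    print("intact:", build_demo_log().verify(LAPTOP_IMAGE))
    print("altered exhibit caught:", detects_altered_exhibit())
    print("rewritten entry caught:", detects_rewritten_entry())
```

The hash taken at seizure is the one you will be asked to reproduce later, so it has to be taken before the first person has a look, and every handover recorded at the time, not reconstructed afterwards. A log like this only proves tampering if it is kept somewhere the handlers cannot quietly rewrite it; it complements, rather than replaces, signed and witnessed custody forms and a write blocker in front of the original media.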

Page 15:

Forensic Readiness

• But … there is more to it than that!

• FR and the DDPRR model

• Deter

• Detect

• Prevent

• React

• Recover

Page 16:

Forensic Readiness

• Raises some questions

• How do you react without DDP?

• Does the absence of deterrent change the scope / strategy / consequences?

• Should you use a first responder?

• Is investigation required at all?

• Forensic readiness (eagerness) itself could cause an incident!

Page 17:

Forensic Readiness

• Triage

• Follows strategy!

• An enduring question is always …

• Should you turn it off?

• Case dependent.

• Output of strategy-led triage is the deciding factor.

Page 18:

Forensic Readiness

• The off/on decision is based primarily on ongoing damage and the risk of causing a further incident.

• Has the incident concluded?

• Where is the ‘ideal’ evidence?

• All factors that answer the Off/On question

Page 19:

Forensic Readiness

• What do you need for a readiness team?

• Training! Technical / Legal / Method / Custody of evidence

• Equipment: Evidence bags / Digital camera / Screwdrivers / Custody forms / Witness statement forms / Write blockers / Lots of cables! Etc.

Page 20:

Forensic Readiness

• An FR team should always contain:

• Top level management

• Non-IT department technical capability

• Confidentiality

• Well defined role descriptions

• Third party support where necessary

• Legal / Technical / HR

Page 21:

Forensic Readiness

• Key factors

• Know your limits!

• Do not attempt an investigation you are not 100% comfortable with

• Beware of witch hunting!

Page 22:

Any questions?

Page 23:

Thank You

Campbell Murray

Encription Limited

www.encription.co.uk

0330 100 2345
