© Peter Sommer, 2005. Workshop 21 September 2005: Digital Investigations and Evidence. Peter Sommer, London School of Economics.

Page 1:

Workshop 21 September 2005

Digital Investigations and Evidence

Peter Sommer
London School of Economics

[email protected]@pmsommer.com

[email protected]@lse.ac.uk

Page 2:

Guide has been prepared:

• In the light of experience of:
  - post-incident investigations
  - work for insurers and loss adjusters
  - instructions as an expert in court

• Surprise at the poor level of preparedness to produce evidence, or understand what is involved

• To lift “digital forensics” from its “the techies will solve everything” myth

Page 3:

Evidence in the Corporate Agenda

• Role in Information Assurance / Information Security
  - Low Frequency / High Impact Events

• Role in semi-routine operations
  - Higher Frequency / Lower Impact Events

• Records to demonstrate Compliance
• Forensic Readiness Programs
  - HMG Infosec Standard No 2

Page 4:

“Traditional” Information Assurance Agenda

• Risk Analysis
• Prevention
  - Technology
  - Management

• Incident Management
  - Loss Mitigation
  - Contingency Plans
  - Insurance

Page 5:

Incident Management: Aims

Corporate interest:
• organisation continuance
• rapid recovery to full operation
• recovery of assets
• successful insurance claims
• successful 3rd party legal claims
• largest possible number of options for future action

Page 6:

Life-cycle of incidents

[Diagram: Computer Incident Management Life Cycle, stages laid out along a time axis]
• Detection
• Reporting
• Diagnosis - Initial
• Initial Management Actions
• Evidence Collection
• Diagnosis - Mature
• Mature Management Actions
• Business Recovery Activity
• Legal Activity
• Remedial Activity

Page 7:

Importance of Evidence

• Post Disaster Recovery
  - To mitigate and control losses
  - To make insurance claims – direct and consequential loss
  - To sue third parties
  - To resist claims from third parties
  - To assist law enforcement

Page 8:

Evidence Collection

In a disaster:
• How would you make the choice between stopping a system in order to preserve “reliable” evidence – and keeping your business going?
• What managerial and technical structures do you need to have in place?
• How does this fit in with existing DR/BC Plans?

Page 9:

Conflicts

There are many internal conflicts, eg:
• rapid return to normal working = keep the computers going
• evidence collection = stop the computers to avoid contamination
• network surveillance causes:
  - threats to employee trust, privacy
  - use of network resources / slow-down of system response
  - possible compromise of integrity of transactions & records

Page 10:

“Lesser” Incidents

• Frauds by employees and 3rd parties
• Contractual disputes
• Allegations of failure of duty of care
• E-mail and Internet abuse
• Breach of confidentiality
• Online defamation
• Employee / HR disputes
• Sexual harassment
• Acquisition and storage of child abuse images
• Data theft / Industrial Espionage
• Software piracy
• Theft of source code

Page 11:

“Lesser” Incidents

• Unauthorised access by employees
• Unauthorised access by 3rd parties – “hacking”
• Unauthorised data modification – incl viruses and trojans
• Abuse of corporate IT resources for private gain
• Use of corporate IT resources as one stage in a complex criminal act and where a 3rd party is victimised
• Use of corporate IT resources for illegal file-sharing
• DoS and DDoS attacks
• “Phishing” and “Pharming” attempts
• Etc etc

• Requirements of disclosure in civil litigation

Page 12:

Cybercrime Policing

• Prosecutions are impossible without evidence
• There will never be enough cybercops
• If you let in the cybercops to locate evidence after the crime, they will inevitably be more disruptive and less successful than if you had planned ahead and are able to produce evidence yourself

Page 13:

Reliable record keeping, regulatory compliance

• Sarbanes-Oxley
• Basel II
• International Standard on Records Management - ISO 15489
• UK Combined Code of Corporate Governance
• Freedom of Information legislation
• Forensic Compliance Services

Page 14:

Practicalities

• What is “evidence”?
• Admissibility / Reliability
• Brief History of Computer Evidence
• How do you produce a Forensic Readiness Plan?

Page 15:

Computer Evidence...

...is like any other evidence, it must be:
• admissible
• authentic
• accurate
• complete
• convincing to juries

Page 16:

Computer Evidence...

admissible

• common / civil code traditions
• adversarial / inquisitorial trials
• “proving” documents, copies
• US: 4th amendment rights / Federal Rules of Evidence
• UK: PACE, 1984; “business records” (s 24 CJA, 1988) etc etc; Human Rights, Data Protection, problems of “interception”

Page 17:

Computer Evidence...

authentic

• can we explicitly link files, data to specific individuals and events?
  - access control
  - logging, audit logs
  - collateral evidence
  - crypto-based authentication

Page 18:

Computer Evidence...

accurate

• reliability of computer process, not data content
• can we explain how an exhibit came into being?
  - what does the computer system do?
  - what are its inputs?
  - what are the internal processes?
  - what are the controls?

Page 19:

Computer Evidence...

complete

• tells within its own terms a complete story of particular circumstances

Page 20:

Computer Evidence...

convincing to juries

• have probative value
• a subjective, practical test of presentation

Page 21:

Computer Evidence...

...is different from other evidence - computer data:
• can change from moment to moment within a computer and along a transmission line
• can be easily altered without trace
• can be changed during evidence collection

Page 22:

Computer Evidence...

...is different from other evidence:
• much immediate computer evidence cannot be read by humans
  - many exhibits are print-out derived from primary electronic material
• computers create evidence as well as record it
• rate of change of technology

Page 23:

Computer Evidence...

...creates as many opportunities as it provides threats:
• many more commercial transactions are recorded
• data, once recorded, is very persistent and many copies may exist
• it is much easier to trace a person’s history and activities
• computer-assisted investigation methods become possible...

Page 24:

Brief History of Computer Evidence

• Mainframes
• PCs
• LANs
• Internet

Page 25:

Brief History of Computer Evidence

• Mainframes
  - Controlled print-out
  - Early problem of admissibility
  - How do we test reliability?

Page 26:

Brief History of Computer Evidence

• PCs
  - Can be seized
  - Disks can be “imaged” and then analysed
  - “Real” evidence
  - can we trust the “imaging”?
  - Quality of inferences

Page 27:

Brief History of Computer Evidence

• LANs / Complex Systems
  - Too complex to seize
  - How do we ensure completeness?
  - How do we ensure reliability?

Page 28:

Brief History of Computer Evidence

• Internet
  - We can seize individual PCs, but we may also rely on:
    - evidence from remote computers
    - evidence from investigators’ computers
    - intercepts

Page 29:

Forensic procedures..

• Freezing the scene
  - a formal process
  - imaging
• Maintaining continuity of evidence
  - controlled copying
  - controlled print-out
• Contemporaneous notes > witness statements

Page 30:

Forensic procedures..

authenticity, accuracy, completeness, admissibility
• repeatability
• independent checking / auditing
• well-defined procedures
• check-lists
• novel scientific methods / juridical quality
• anticipation of criticism

Page 31:

Corporate Plan

How to plan for evidence collection
• Identification of risk scenarios
• Analysis and identification of likely evidence requirements
• Procedures and resources for collecting and preserving evidence
• Integration with existing BCP, HR and legal management structures

Page 32:

Preservation of Evidence

• Forensic imaging for single hard-disks
  - Now well-established
• Digital fingerprinting for log files
• How do you make a proper “selection” from larger, more complex systems?
• How do you “prove” the reliability of data captured in transmission?
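“Digital fingerprinting for log files” here, and “controlled copying” under continuity of evidence on page 29, both rest on the same mechanism: record a cryptographic hash of each item at the moment it is preserved, then re-hash later to show the copy is unchanged. The Python below is an added illustration, not material from the workshop; the log lines, file names and the `collected_by` field are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log files (not taken from the presentation).
SAMPLE_LOGS = {
    "auth.log": "Sep 21 09:14:02 host sshd[412]: Accepted password for alice from 10.0.0.7\nSep 21 09:20:55 host sshd[418]: Failed password for root from 10.0.0.9\n",
    "app.log": "2005-09-21T09:15:10Z INFO order 1001 created by alice\n2005-09-21T09:16:42Z WARN order 1001 amount changed by alice\n",
}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_directory(directory, collected_by):
    """Build the manifest (the 'digital fingerprint'): size, SHA-256 and time per file."""
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            records.append({
                "file": name,
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,  # constructed field: who took the copy
        "files": records,
    }
    # Hash the manifest body as well, so the record of hashes can itself be checked.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_directory(directory, manifest):
    """Re-hash every file named in the manifest and report its state."""
    results = {}
    for rec in manifest["files"]:
        path = os.path.join(directory, rec["file"])
        if not os.path.exists(path):
            results[rec["file"]] = "missing"
        elif sha256_file(path) == rec["sha256"]:
            results[rec["file"]] = "unchanged"
        else:
            results[rec["file"]] = "altered"
    return results


def demo():
    """Preserve the sample logs, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_LOGS.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        manifest = fingerprint_directory(d, collected_by="first responder (constructed)")
        before = verify_directory(d, manifest)
        # Simulate a post-collection change: the failed root login line disappears.
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write(SAMPLE_LOGS["auth.log"].splitlines()[0] + "\n")
        after = verify_directory(d, manifest)
        return before, after
```

The manifest, together with the contemporaneous notes page 29 calls for, is what lets the person who made the copy later state in a witness statement that the exhibit is what was collected.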

Page 33:

Selection of Evidence

In a large complex system – how much is enough?

No simple one-size-fits-all answer… but if you have thought things through, you have a better chance of justifying your decision in court

Page 34:

Corporate Plan

Anticipatory
• Risk Analysis / Scenario Identification
• Desirable Evidence Analysis
• Available Evidence Review
• Assembly of Key System Documentation
• Review of Back-up and Archiving Facilities
• Produce Evidence Collection & Preservation Policy & Specific Guide
• Incident Management Team
• Review Employment Contracts
• Identify 3rd party specialists

Page 35:

Corporate Plan

Incident Management
• Reporting Point / First Responder
• Incident Management Team
• Role of Top Management
• Resourcing – internal
• Resourcing – external
• Asset recovery, loss mitigation
• Legal and law enforcement liaison

Page 36:

Corporate Plan

Longer Term Measures
• Program to address gaps in available evidence
• Improvements in overall system specification to ensure more useful evidence is captured – or available for capture
• Improved local training

Page 37:

Corporate Plan

• Forensic Readiness Plan:
• HMG Infosec Standard No 2
• Needs to be
  - prepared as a consensual corporate exercise
  - documented
  - audited
  - subject to revision
    - as the organisation changes
    - as IT infrastructure changes
    - in the light of experience

Page 38:

Corporate Plan

• A great deal of this activity sits naturally with existing Information Assurance / Emergency Response / Disaster Recovery activity.

• Much of what can be achieved requires pre-planning, not just an emergency response.

Page 39:

The detail is in the Report!

Page 40:

Workshop 21 September 2005

Digital Investigations and Evidence

Peter Sommer
London School of Economics

[email protected]@pmsommer.com

[email protected]@lse.ac.uk