CERTIFIED INSPECTOR GENERAL
DIGITAL EVIDENCE & INCIDENT RESPONSE
ADAM SCOTT WANDT, J.D., M.P.A.
ASSISTANT PROFESSOR OF PUBLIC POLICY
JOHN JAY COLLEGE OF CRIMINAL JUSTICE
[email protected] http://wandt.us
ADAM SCOTT WANDT
• JOHN JAY COLLEGE OF CRIMINAL JUSTICE: ASSISTANT PROFESSOR OF PUBLIC POLICY
• ATTORNEY (NYS)
• FORMER SWORN LAW ENFORCEMENT OFFICER
• INSTRUCTOR: ASSOCIATION OF INSPECTORS GENERAL
• MASTER SCUBA DIVER UNDERWATER PHOTOGRAPHER
@Prof_Wandt
The materials discussed in this presentation are for informational and training purposes only and not for the purpose of providing legal advice.
You should contact your agency attorney to obtain advice with respect to any particular issue or problem.
wandt.us/aig
SUPERVISORY CONSIDERATIONS
RELATING TO DIGITAL EVIDENCE AND DIGITAL INVESTIGATIONS
SUPERVISORY CONSIDERATIONS (Let’s Look in Detail)
• Identifying Available Resources
• The Need for Digital Forensic Examination
• Ongoing training and legal updates*
• Digital Evidence Collection
• Evidence Preservation
• Evidence Processing and Analysis
• Expert Evidence Testimony
SECURE INTERNET ACCESS IS REQUIRED FOR INVESTIGATORS
RESOURCES AND REQUIREMENTS
• Case Sensitivity
  • National Security; vs
  • Homicide; vs
  • Drug Dealing; vs
  • Time Sheet Fraud
• Case Load
  • 10 / YEAR
  • 1,000 / YEAR
  • 10,000 / YEAR
• In-House vs Outsource
IDENTIFYING THE NEED FOR DIGITAL FORENSIC EXAMINATION
• What Resources??
• Threshold?? vs Part of Every Investigative Workflow?? (100% Model)
• Protocols Established in Advance
• Standard Operating Procedures Following Best Practices / Types of Cases
• Training and Operational Drills
EVIDENCE COLLECTION
• Capturing and short-term preservation of digital evidence is the easy part!!!
• That is…. if you can find it.
• Preserving long term vs short term evidence
• Analyzing Physical Memory is much more difficult
NATIONAL INSTITUTE OF JUSTICE: DIGITAL EVIDENCE AND FORENSICS
• Digital Forensic Investigative Tools: Enhancing "At-the-Scene" Digital Analysis Capabilities of First Responders
• Mobile and Cellular Device Forensics Tools
• Digital Evidence Investigative Tools
• Digital Evidence Analysis Tools
• Digital Forensic Training
• Digital Forensics Standards
http://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
COLLECTION AND PRESERVATION
• FREE:
  • FASTDUMP
  • FTK IMAGER
  • WINEN
• Commercial
  • KnTTools
  • WinHex
  • Encase
• Mobile Forensics
  • Cellebrite UFED
  • Access Data MPE+
EVIDENCE PRESERVATION (EASY??)
EVIDENCE PROCESSING / EVIDENCE ANALYSIS
• As Collected? Storage Until Needed?
• 1% vs 100%
• High Skill Set Individuals
• Computer Assisted Analysis
• Data Mining / Big Data
Mobile Forensic Products
• EnCase Mobile Investigator: $???
• AccessData MPE+: $5,000
• Cellebrite UFED Ultimate: $15,000
• Lantern 3: $600
• Oxygen Forensic: $3,000
• Magnet AXIOM: $1700 + Annual Maintenance
• Cellebrite Advanced Services: $1000 / Phone
• Berla.co: Cars & GPS Units
Forensic Recovery of Evidence Device (FRED UNIT)
How Trained is Your Team?
• Obtaining and Using Service Provider Data / Cellular Records
• Including Social Media in Investigations
• Obtaining and analyzing email and text message communications?
• Looking at “Big Data”
• Up to date on Legal Issues (i.e., Jones, Riley)?
• Who has this job in your agency?
MOORE’S LAW
A DECADE OF PROGRESS in SEMINOLE COUNTY, FL
The Digital Forensic Examiner
Building a Forensics Shop
Cost Effective - Need Based Assessment
• In-House Need?
• Local Collaboration
• State / Federal Resources
• Outsourcing
  • Public
  • Private
The Digital Forensic Examiner
1. Evidence Handling
2. Acquisitions
3. Analysis
4. Expert Witness
5. Ethics
(1) Evidence Handling
• Chain of custody forms have to be filled out showing how data was seized, gathered, transported, stored, copied, analyzed, preserved and secured for production.
• Chain-of-custody documentation must be maintained for all evidence.
(2) Acquisitions
• All new and re-used media wiped & verified before use.
• Commercial Off the Shelf (COTS) computer forensic tools will be used.
• The use of open source, freeware, shareware or in-house developed software is limited to support small specialized tasks and to fill gaps the COTS products lack.
(3) Analysis
• Forensic copy is used (not original media).
• Document process (all HW, SW & Media).
• All deleted files are recovered.
• Unallocated space examined.
• Slack space examined for lost/hidden data.
• Password protected and encrypted files are unlocked, decrypted and examined.
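The evidence handling, acquisition and analysis points above describe a verify-before-use, copy-then-verify workflow: target media are wiped and verified, the original is hashed, a forensic copy is made and hashed, analysis runs on the copy only, and every step is recorded in the chain of custody. The following Python script is an added example, not part of the presentation or of any product it lists; it automates the verifiable parts of that workflow. File names, the examiner ID and the sample media contents are constructed for the demonstration, and the custody log is a simple append-only JSON-lines file rather than any agency's official form.

```python
"""Acquisition verification and chain-of-custody logging (added example).

Hashes a source medium and its forensic copy, confirms that the target medium
was wiped before use, re-hashes the source afterwards to show it is unchanged,
and appends each step to an append-only custody log (one JSON record per line).
All paths and contents used by demo() are constructed for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB blocks so large images never sit in RAM


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_wiped(path):
    """True when every byte is zero, i.e. the medium was wiped before re-use."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def record_custody(log_path, event, examiner, **details):
    """Append one custody record; the log is only ever appended to, never edited."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "event": event, "examiner": examiner, **details}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def acquire(source, image, log_path, examiner):
    """Copy source to image bit-for-bit and prove the copy matches the source.

    Refuses to write onto media that were not wiped. Analysis afterwards
    works on `image`, never on `source`.
    """
    if not is_wiped(image):
        record_custody(log_path, "acquisition-aborted", examiner,
                       reason="target media not wiped", image=image)
        raise RuntimeError("target media not wiped; refusing to acquire")
    src_hash = sha256_of(source)
    record_custody(log_path, "source-hashed", examiner, source=source, sha256=src_hash)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    img_hash = sha256_of(image)
    # Copy must match the acquisition hash AND the source must still hash the same.
    verified = img_hash == src_hash and sha256_of(source) == src_hash
    record_custody(log_path, "image-verified" if verified else "image-mismatch",
                   examiner, image=image, sha256=img_hash)
    return {"source_sha256": src_hash, "image_sha256": img_hash, "verified": verified}


def demo():
    """Run the procedure on constructed files in a temp dir and return the results."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect-usb.dd")        # constructed 'evidence' medium
    image = os.path.join(work, "suspect-usb-copy.dd")    # freshly wiped target
    dirty = os.path.join(work, "reused-disk.dd")         # re-used, not wiped
    log = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"MBR" + bytes(4093) + b"deleted-file-remnant" + bytes(4076))
    with open(image, "wb") as f:
        f.write(bytes(8192))
    with open(dirty, "wb") as f:
        f.write(bytes(4000) + b"OLD CASE DATA" + bytes(4179))
    result = acquire(source, image, log, examiner="EXAMINER-01 (placeholder)")
    with open(log, encoding="utf-8") as f:
        events = [json.loads(line)["event"] for line in f]
    return {"verified": result["verified"],
            "hashes_match": result["source_sha256"] == result["image_sha256"],
            "dirty_media_wiped": is_wiped(dirty),   # False: would be rejected by acquire()
            "events": events}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second hash of the source after the copy is what distinguishes a verification hash from an acquisition hash: if the two differ, the original was altered during imaging and the copy cannot be relied on, regardless of whether it matches the first hash.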
(4) Expert Witness
• A skilled, qualified, and experienced practitioner who has been qualified by the court.
• Ability to simplify technical concepts using facts.
• May express an opinion deduced from evidence.
• Knowledge of standardized and specific procedures.
• Adhere to an established code of ethics.
(5) Ethics
• How a specialized skill set is used to address moral and professional issues that are encountered daily.
• Follow a code that includes characteristics such as honesty, integrity, objectivity, transparency, accuracy, accountability and confidentiality.
• Practice due diligence, i.e., thoroughly analyze evidence based upon established and validated principles and only present facts.
Incident Response
Cyber Threat Models
Unified Kill-Chain
Special Concerns
• Ransomware
• Phishing / Spear Phishing
• Multi-Factor Authentication
• Continuous Legal Training
• Pandemic Related Activity
Pandemic Effects
• Increase in Phishing and Spear-Phishing
• Ransomware
• SolarWinds
• Illegal Sales of PPE
• Fraudulent Unemployment Claims
• Small Business (SBA) Loan Scams
• Increased Child Predator Activity
• Cryptocurrency Theft and Manipulation
Additional Resources
• www.iacpsocialmedia.org
• www.zdziarski.com/blog/
• www.cellebrite.com
• www.Swgde.org
CERTIFIED INSPECTOR GENERAL
DIGITAL EVIDENCE, SOCIAL MEDIA, & CLOUD COMPUTING
ADAM SCOTT WANDT, J.D., M.P.A.
ASSISTANT PROFESSOR OF PUBLIC POLICY
JOHN JAY COLLEGE OF CRIMINAL JUSTICE
[email protected] http://wandt.us