Digital Forensics Readiness - CommSec
1. Digital Forensics Incident Readiness
Maximising the ability to gather relevant digital evidence while minimising cost and disruption to normal operations.
Presented by Colm Gallagher MSc FCCI, CFCE, Forensics Director, CommSec. IRISSCON 2022.

2. Colm Gallagher
• Current Forensic Director at CommSec Communications and Security (2020 - present)
• Former Detective at Garda National Cyber Crime Bureau (2007-2020)
• Former Systems Administrator at Garda IT Division (1997-2007)
• Former Irish Representative on Europol CGNAT Expert Group
• Rubbish at making PowerPoints look good (1987-Present)
www.linkedin.com/in/colm-gallagher/

3. Digital Forensics use cases
• Criminal investigations
• Civil litigation
• Compliance
• Incident response
• HR investigations
• Data Breaches
• Insider threats

4. Digital Forensics tools – a sprawling array
• Digital Forensics suites
• Specific-use tools (e.g. Shellbag examination tools)
• Mobile Forensic tools
• Blockchain analysis tools
• Incident response triage tools
• Remote acquisition tools
• Log analysis tools
• Search and visualisation tools
• Case Management tools
• OSINT tools
• Scripts
• Dual use tools – living off the land
An ever-growing array of tools designed to process an ever-growing variety of information sources.

5. Digital Forensics simplified workflow
INCIDENT!!! → Preserve & Collect → Examination → Analysis → Reporting

6. Forensics issues – Law Enforcement
• Larger datasets consume finite processing power
• Storage requirements
• Staff retention is an issue
• Under investment/Budgetary constraints
• Longer procurement processes
• Requirement to find best evidence
• Privacy legislation and regulations may hamper evidence acquisition
• Lack of access to evidence
• Global evidence sources in various jurisdictions
• However, capability and methodologies are largely already in place – and incidents investigated are usually external (and known of in advance)

7. Forensics issues – Industry
• Large datasets
• Cloud usage is widespread
• Varying levels of control over evidence sources
• Lack of evidence sources?
• Qualified personnel not always in-house
• eDiscovery needs
• Dual use devices (BYOD)
• Legal issues
• Incidents may arise suddenly

8. Forensics time sinks
• Identification of evidence sources
• Gaining access to evidence sources
• Obtaining a supply of storage
• Setting up and verifying required tools
• Allocation of roles
• Copying data/Forensic imaging
• Processing of gathered evidence
• Analysis of relevant evidence

9. Forensics Readiness – ISO 27002:2022
To ensure consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions, the organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

10. Forensics Readiness – ISACA
The achievement of an appropriate level of capability by an organization in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or court of law.

11. Forensics Readiness – UK Ministry of Justice
It is necessary, as part of incident management, to have the ability to collect and analyse data held on a variety of electronic devices or storage media that may be used as evidence in some future investigation. The UK MoJ has published policies requiring forensic readiness and planning.

12. Pre-investigation questions
• Where’s our evidential data?
• Who has access to it?
• Are we discarding useful evidence sources?
• Where might the evidence be for given scenarios?
• What are our retention periods?
• How should we get at potential evidence?
• Who’s going to do it?
• Where will we put it?

13. Tasks you may not want to leave until your busiest time
• Identify evidence
• Prioritise evidence sources and their retention times
• Allocate roles
• Gain access
• Establish roles and communication channels
• Identify and contact 3rd Party support
• Identify, obtain and verify required tools and hardware
• Create document templates such as receipts, chain of custody records, incident logs
• Create case file environment
• Obtain secure storage
• And so on…
14. Forensics Readiness Planning – some practical measures
• Information asset register
  • Location of information
  • Ownership of assets
  • Retention times for information
  • Importance of each asset to the organisation
  • Are logs retained in relation to the asset?
• Incident response plan
  • Include potential forensic actions
  • How should we get at evidence?
  • Roles and responsibilities
  • Establish communication channels
  • Where will we store evidence?
  • How long should it typically take to extract evidence?
  • What tools do we have available to us?
  • What labelling conventions will we use?
• Document preparation
  • Chain of custody templates
  • Procedural documents
  • Labelling
  • Communication templates
  • Prepared incident logs
  • Report templates
• Incident Response exercising
  • Gain familiarity with roles and processes
  • Establish probable timescales
  • Test communications
  • Identify gaps
  • Test efficacy of chosen tools
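Slides 13 and 14 list chain of custody records, labelling conventions and hash-verified tool setup as things to prepare before an incident. The script below is an added example (not CommSec's or the presenter's own material) of what such a prepared template can look like in code: it hashes an evidence file at acquisition, enforces a labelling convention, records every hand-over and later verification as a custody event, and produces a JSON receipt. The labelling pattern CASE-YYYY-NNN/ITEM-NN, the actor names and the sample log file are all constructed for the example.

```python
"""Minimal chain-of-custody record with SHA-256 evidence verification.

Added example; the labelling convention, actors and evidence file are constructed.
"""
import hashlib
import json
import os
import re
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Hypothetical labelling convention chosen for this example: CASE-YYYY-NNN/ITEM-NN
LABEL_RE = re.compile(r"^CASE-\d{4}-\d{3}/ITEM-\d{2}$")
CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large images are not read into memory


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256; this is the fingerprint recorded at acquisition."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def label_is_valid(label: str) -> bool:
    return LABEL_RE.fullmatch(label) is not None


@dataclass
class CustodyEvent:
    when: str
    actor: str
    action: str  # acquired | transferred | verified
    detail: str = ""


@dataclass
class EvidenceItem:
    label: str
    description: str
    path: str
    sha256: str
    custodian: str
    events: list = field(default_factory=list)


def acquire(label: str, description: str, path: str, actor: str) -> EvidenceItem:
    """Create the record and log the acquisition hash as the first custody event."""
    if not label_is_valid(label):
        raise ValueError(f"label {label!r} does not follow the labelling convention")
    digest = sha256_file(path)
    item = EvidenceItem(label, description, path, digest, actor)
    item.events.append(CustodyEvent(utc_now(), actor, "acquired", f"sha256={digest}"))
    return item


def transfer(item: EvidenceItem, to_actor: str) -> None:
    """Hand-over: the outgoing custodian signs the transfer, the new one takes custody."""
    item.events.append(CustodyEvent(utc_now(), item.custodian, "transferred", f"to={to_actor}"))
    item.custodian = to_actor


def verify(item: EvidenceItem, actor: str) -> bool:
    """Re-hash the file and log whether it still matches the acquisition hash."""
    current = sha256_file(item.path)
    ok = current == item.sha256
    detail = "hash matches acquisition" if ok else f"MISMATCH current={current}"
    item.events.append(CustodyEvent(utc_now(), actor, "verified", detail))
    return ok


def receipt(item: EvidenceItem) -> str:
    """JSON receipt suitable for the case file; one per evidence item."""
    return json.dumps(asdict(item), indent=2)


def demo() -> tuple:
    """Constructed walk-through: acquire, hand over, verify, then detect an unlogged change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mailserver.log")  # constructed evidence file
        with open(path, "wb") as fh:
            fh.write(b"2022-11-01T09:00:00Z auth failure for user alice\n")
        item = acquire("CASE-2022-017/ITEM-01", "mail server auth log", path, "analyst-1")
        transfer(item, "examiner-2")
        first = verify(item, "examiner-2")      # expected True: untouched since acquisition
        with open(path, "ab") as fh:            # simulate a modification outside the record
            fh.write(b"tampered\n")
        second = verify(item, "examiner-2")     # expected False: hash no longer matches
        return first, second, item.custodian, [e.action for e in item.events]


if __name__ == "__main__":
    print(demo())
```

The receipt and custody events are what the prepared templates on slide 14 would capture on paper; keeping the acquisition hash in the record is what lets a later examiner (or a court) confirm that the copy analysed is the copy collected.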
15. Digital Forensics with Readiness
Readiness → INCIDENT!!! → Preserve & Collect → Examination → Analysis → Reporting

16. Forensics Readiness benefits
• Quicker and more efficient response
• Quickly identify attack vectors
• Less likelihood of inadvertently damaging evidence during the early part of the response
• Lower cost – maintaining evidence sources can cost significantly less than trying to make up for their absence
• Lower cost – IR costs can be enormous, and completing as much as possible in advance removes that cost during events
• Less disruption to normal business during investigations
• Detect threats earlier
• Deter insider threats
• Demonstrate high standards for compliance

17. Thank you!
colm.gallagher@commsec.ie