1. Digital Evidence and the Information Security Manager Dr. Bradley Schatz

2. About me Dr. Bradley Schatz | Forensic computer scientist Director, Schatz Forensic Adjunct Associate Professor, Information Security Institute (QUT) Ph.D. (Digital forensics), QUT, 2007 B.Sc. (Computer science), UQ, 1995

3. Agenda Characteristics of digital evidence Why prepare for digital evidence? Forensic readiness – the good, bad, & ugly Planning for forensic readiness Current and future challenges

4. What is digital evidence?

5. “Deleted” information is often retrievable Copy to other HDD Key points Exact copy – Inculpatory & Exculpatory Authentication – hash Timing

6. Computers are littered with evidence of the user’s behaviour

7. Ex-computer consultant convicted in “Google Murder” trial http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=174403074

8. “Deleted” information is often retrievable Computer evidence is fragile Deleted: outlook/recycle bin Unallocated space Temporary files Backups Snapshots Synchronization

9. Why prepare for producing digital evidence?

10. Digital evidence is required when businesses face a threat that requires substantiation Controls fail Controls work Risks outside sphere of IS Assuring controls are effective

11. Common realised risks requiring digital evidence Information theft Departing employees Data breach White collar crime/Workplace misconduct Fraud, Illicit content, Sexual harassment, Cause for termination General litigation Production of information Transaction records

12. How do I increase my forensic readiness?

13. IS policy & procedure should seek to maximise historical visibility

14. IS policy & procedure should seek to maximise historical visibility Clock skew, Shared logins, Evidence handling, Quantity

15. IS policy & procedure should seek to maximise historical visibility Clock skew, Shared logins, Evidence handling issues, Quantity “Personal” devices, Network traffic capture

16. IS policy & procedure should seek to maximise historical visibility Clock skew, Shared logins, Evidence handling issues, Quantity “Personal” devices, Network traffic capture File access logs, Network flow records

17. IS policy & procedure should seek to maximise historical visibility Clock skew, Shared logins, Evidence handling issues, Quantity “Personal” devices, Network traffic capture, Transient events File access logs, Network flow records Premature sanitization, inadvertent overwriting

18. Forensic readinessThe good

19. Forensic readiness working well Ex-worker said to steal Goldman code http://www.nytimes.com/2009/07/07/business/07goldman.html

20. Forensic readiness working well Detection “alerted by a surge of data leaving its servers”

21. Forensic readiness working well Detection “alerted by a surge of data leaving its servers” Claimed Actions “used his desktop computer … to upload a stream of code to website hosted by server in Germany” “later, downloaded the files again to his home computer, laptop computer and to a memory device”

22. Forensic readinessThe bad

23. Example 1: The “it’s my data too” syndrome SCENARIO: Key employee departs and sets up in competition. THREAT: Has she taken company secrets and is using them in her new business? INVESTIGATION: Identify high value information and seek evidence of information flow *http://pcworld.about.com/od/dataprotection/Nearly-Two-Thirds-of-Ex-Employ.htm

25. Laptop/Desktop storage

26. Laptop/Desktop network

27. Laptop/Desktop print

28. Laptop/Desktop Mobile device

29. Remote Terminal  Application

31. POTENTIAL EVIDENCE TRACES:

32. USB Device insertion event

33. Internet explorer history (document open)

34. File access audit logs

35. MS Word recently opened documents

36. Evidence eliminator

37. ROADBLOCK:

38. Evidence destruction

39. Inability to identify operator

40. Expectation of privacy

41. Legal Considerations (Privacy)

42. NSW Workplace Surveillance Act,

44. POTENTIAL EVIDENCE TRACES:

45. Sent Items box

46. Mail server logs

47. Archives

48. Web browser cache/history

49. Network flow trace

50. File access audit log

51. ROADBLOCK:

52. Inability to identify operator

53. Expectation of privacy

54. Cost of backup restoration

56. Corporate network  Personal laptop

57. POTENTIAL EVIDENCE TRACES:

58. Presence on the laptop

59. Deleted files

60. Prior examples

61. ROADBLOCKS:

62. Rightful access to laptop

64. Personal Laptop  Internet

65. POTENTIAL EVIDENCE TRACES:

66. Web browser history/cache

67. File access logs

68. Network trace

69. Network flow logs

70. ROADBLOCKS:

71. Rightful interception of telecommunications

72. Legal Considerations (Wiretap), (Cyber Crime)

73. Telecommunications (Interception & Access) Act

75. File Server  VPN Personal Laptop

76. POTENTIAL EVIDENCE TRACES:

77. File access logs

78. VPN Session Logs

79. Network trace

80. Network flow logs

82. Litigation disputing an agreement. A single email is in dispute.

83. THREAT

84. Is the email authentic?

85. POTENTIAL EVIDENCE SOURCES:

86. Native email from inbox

87. Native email from archived backup

88. Mail server logs

91. How and when did intruders gain access?

92. Where are they?EVIDENCE SOURCES: Workstation, Server, Network trace, Memory dump

93. Conclusion

94. Forensic readiness in a nutshell Produce and collect evidential data What systems can further produce logs? Ensure rightful access to evidential data Policy, procedure, user expectation & practice Plan ahead for incident response Routine data destruction Usability of evidence oriented systems Ensure provenance and authenticity of preserved evidential data Forensic training

95. Current and future challenges Behavioural logging and tracing Anomalous behaviour detection Real time enterprise visibility Document “DNA” Cloud computing

96. Thank you! Dr. Bradley Schatz email: bradley@schatzforensic.com.au mobile: 0422 949 039