2. About me
- Dr. Bradley Schatz | Forensic computer scientist
- Director, Schatz Forensic
- Adjunct Associate Professor, Information Security Institute (QUT)
- Ph.D. (Digital forensics), QUT, 2007
- B.Sc. (Computer science), UQ, 1995
3. Agenda
- Characteristics of digital evidence
- Why prepare for digital evidence?
- Forensic readiness: the good, the bad and the ugly
- Planning for forensic readiness
- Current and future challenges
7. Ex-computer consultant convicted in “Google Murder” trial
- http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=174403074
8. “Deleted” information is often retrievable
- Computer evidence is fragile
- Deleted: Outlook / recycle bin
- Unallocated space
- Temporary files
- Backups
- Snapshots
- Synchronization
10. Digital evidence is required when businesses face a threat that requires substantiation
- Controls fail
- Controls work
- Risks outside the sphere of IS
- Assuring controls are effective
11. Common realised risks requiring digital evidence
- Information theft
  - Departing employees
  - Data breach
- White collar crime / workplace misconduct
  - Fraud, illicit content, sexual harassment, cause for termination
- General litigation
  - Production of information
  - Transaction records
21. Forensic readiness working well
- Detection: “alerted by a surge of data leaving its servers”
- Claimed actions: “used his desktop computer … to upload a stream of code to website hosted by server in Germany”; “later, downloaded the files again to his home computer, laptop computer and to a memory device”
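The detection on this slide (an alert on a surge of data leaving the servers) is the kind of simple baseline check a forensically ready organisation can run over its own egress records. The following is an added example, not from the slides or from Schatz Forensic: the log format, host names, dates and byte counts are constructed, and each host's daily outbound bytes are compared against the median of its earlier days.

```python
# Added example (not from the original slides): a minimal egress-surge detector.
# Log format, hosts, dates and byte counts below are constructed for illustration.
from collections import defaultdict
from statistics import median

# Constructed daily outbound-transfer summaries: "<day> <host> <bytes_out>"
SAMPLE_LOG = """\
2011-03-01 fileserver01 1200000000
2011-03-02 fileserver01 1350000000
2011-03-03 fileserver01 1100000000
2011-03-04 fileserver01 1300000000
2011-03-05 fileserver01 9800000000
2011-03-01 webserver01 400000000
2011-03-02 webserver01 450000000
2011-03-03 webserver01 380000000
2011-03-04 webserver01 420000000
2011-03-05 webserver01 460000000
"""


def parse_log(text):
    """Return {host: [(day, bytes_out), ...]} in file order, skipping malformed lines."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # malformed record: ignore rather than crash the detector
        day, host, nbytes = parts
        series[host].append((day, int(nbytes)))
    return series


def egress_surges(text, factor=3.0, min_history=3):
    """Flag (host, day, bytes_out, baseline) where a day's egress exceeds
    factor x the median of that host's earlier days.  At least min_history
    prior days are required so a single noisy day cannot act as its own baseline."""
    alerts = []
    for host, points in parse_log(text).items():
        history = []
        for day, nbytes in points:
            if len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and nbytes > factor * baseline:
                    alerts.append((host, day, nbytes, baseline))
            history.append(nbytes)  # the surge day still enters later baselines
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, baseline in egress_surges(SAMPLE_LOG):
        print(f"{day} {host}: {nbytes} bytes out (baseline {baseline:.0f})")
```

Such an alert only becomes evidence if the underlying transfer records are retained and their integrity is preserved, which is the point of the readiness checklist later in the deck.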
23. Example 1: The “it’s my data too” syndrome
- SCENARIO: Key employee departs and sets up in competition.
- THREAT: Has she taken company secrets and is using them in her new business?
- INVESTIGATION: Identify high-value information and seek evidence of information flow.
* http://pcworld.about.com/od/dataprotection/Nearly-Two-Thirds-of-Ex-Employ.htm
94. Forensic readiness in a nutshell
- Produce and collect evidential data
  - What systems can further produce logs?
- Ensure rightful access to evidential data
  - Policy, procedure, user expectation and practice
- Plan ahead for incident response
  - Routine data destruction
  - Usability of evidence-oriented systems
- Ensure provenance and authenticity of preserved evidential data
- Forensic training
95. Current and future challenges
- Behavioural logging and tracing
- Anomalous behaviour detection
- Real-time enterprise visibility
- Document “DNA”
- Cloud computing