Computer Forensics - Villanova University

Computer Forensics
Host: Sharon Roth-DeFulvio
Speaker: Dr. Rebecca T. Mercuri
What is Computer Forensics?

Computer forensics is the use of analytical
and investigative techniques to identify,
collect, examine and preserve
evidence/information which is magnetically
stored or encoded, usually to provide digital
evidence of a specific or general activity.
http://www.computerforensicsworld.com
When is a computer forensic investigation initiated?
A forensic investigation is usually initiated with respect to a criminal investigation or civil litigation, but forensic techniques can be of value in a wide variety of situations, including simply retracing the steps taken when data has been lost.
http://www.computerforensicsworld.com
What are the common scenarios?
- Employee internet abuse
- Unauthorized disclosure of corporate information and data
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
- General criminal cases
- and others.

http://www.computerforensicsworld.com
Compliance and Computer Forensics
- Information security compliance requires the precise enforcement of policies and controls.
- Digital investigations utilizing computer forensics are an essential part of this enforcement.

www.TechPathways.com
Laws and Regulations
There are four laws and regulations that clearly indicate the need for computer forensic investigations:
- Sarbanes Oxley
- California SB 1386
- Gramm Leach Bliley
- HIPAA
www.TechPathways.com
Sarbanes Oxley
- The Sarbanes Oxley Act was enacted to fight corporate fraud.
- The SEC is responsible for enforcement of Sarbanes Oxley, and all publicly traded companies must report yearly on the effectiveness of their financial controls.
- The legislation has serious consequences for non-compliance: civil and criminal penalties.
www.TechPathways.com
Sarbanes Oxley
- Section 301 provides for the handling of fraud complaints and investigations.
- Section 302 specifies that CEOs and CFOs are directly responsible for the accuracy of their company’s financial reports.
- Section 404 requires management to specify their responsibility for financial controls and report on the adequacy and shortcomings of the controls.
- Sections 806 and 1107 mandate that companies must support and protect whistleblowers.
www.TechPathways.com
Sarbanes Oxley
- Section 802 is another important element of Sarbanes Oxley: it forbids the intentional destruction, alteration or falsification of financial or related operational records.
- Section 301 and 802 compliance will require the use of computer forensics, as established by case law and by best practices. Organizations need to have computer forensics capability anywhere and anytime in their organizations to ensure compliance with Sarbanes Oxley.
www.TechPathways.com
California SB 1386
- Enacted on July 1, 2003, California SB 1386 requires organizations doing business in California to report security breaches that result in the unauthorized disclosure of a resident’s private or financial information.
- Disclosure is required if an individual’s name and either a driver license number, Social Security number or the combination of a financial account number and password is accessed.
www.TechPathways.com
NIST and ISACA
- The National Institute of Standards and Technology (NIST) has provided clear guidance for government and commercial organizations to investigate security incidents.
- NIST published the “Computer Security Incident Handling Guide”, which specifically outlines incident investigation and the role of computer forensics to properly acquire and analyze the incident.
- The Information Systems Audit and Control Association (ISACA) is an association of information technology auditors who utilize audit and control standards to improve their organizations’ information security, compliance and governance.
- ISACA has developed a checklist for incident response planning and implementation.
www.TechPathways.com
NIST and ISACA
- The NIST Guidelines provide practitioners with processes using computer forensics to investigate cyber crime.
- The ISACA checklist provides the planning and implementation criteria for creating an enterprise computer forensics infrastructure.
- With the potential liability of CA SB 1386 non-compliance, organizations must have immediate access to computer forensics capability.
www.TechPathways.com
Gramm-Leach Bliley (GLB)

Gramm-Leach Bliley or The Financial
Modernization Act of 1999 applies to financial
organizations or any organization that collects or
transfers private financial information for the
purpose of doing business or providing a service
to its customers.
www.TechPathways.com
Gramm-Leach Bliley (GLB)

Financial Privacy Rule:
Addresses the collection and dissemination of
customers’ information while the Safeguard Rule
governs the processes and controls in an organization
to protect customers’ financial data.

Safeguards Rule:
The Safeguard Rule of GLB requires financial
institutions to:
1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the
security or integrity of such information; and
3. Protect against unauthorized access to or use of such information
that could result in substantial harm or inconvenience to any
customer.
www.TechPathways.com
HIPAA (Health Insurance Portability and Accountability Act of 1996)
- The goal of HIPAA is for healthcare providers to improve the privacy and security of their clients’ medical information.
- HIPAA defines a security incident as “… the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
- HIPAA specifies thorough analysis and reporting of security incidents, so organizations must consider their incident response policies carefully.
- NIST and ISACA specify computer forensic software as part of any reasonable incident response policy to clearly understand the scope of the incident.
- Determining, with forensic precision, what information has been compromised, when it took place, what systems were affected, and whether malware or backdoors that are invisible to non-forensic tools are still present, are examples of the types of investigations that are essential to an effective incident response program.
- In addition to security incidents, computer forensics plays a role in supporting overall information security by providing the investigation of any anomalies that could indicate policy or use violations that could jeopardize HIPAA privacy rules.
www.TechPathways.com
Landmark Cases
- Linnen v. A.H. Robins et al., 1999 WL 46 2015 Mass. Sup. Court: electronic media is discoverable; Wyeth MUST bear the costs of retrieving emails; failure to preserve and spoliation of evidence.
- Adams v. Dan River Mills, Inc., 54 F.R.D. 220, 222 (W.D. Va. 1972): discovery of computer tapes is proper.
- Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993): government email is covered as a record under the Federal Records Act; the electronic version of email must be maintained and produced.
- Ball v. State of New York, 101 Misc. 2d 554, 421 N.Y.S. 2d 328 (Ct.Cl. 1979): the state had to produce information contained on computer tape.
- Easley, McCaleb & Associates, Inc. v. Perry, No. E-2663 (Ga. Super. Ct. July 13, 1994): plaintiff's expert allowed to recover deleted files on defendant's hard drive.
- National Association of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987): sanctions imposed for allowing alteration and destruction of electronic evidence.
- National Union Electric Corp. v. Matsushita Electric Industries Co., 494 F. Supp. 125: copying a computer disk is equivalent to photocopying a paper document.
- Parsons v. Jefferson Pilot Corp., 141 F.R.D. 408 (M.D.N.C. 1992): privilege lost when email shared via the Internet with a third party.
- Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. July 26, 1993): employees had no reasonable expectation of privacy in their company email.
How is a computer forensic investigation approached?
1. Secure the subject system.
2. Take a copy of the hard drive.
3. Identify and recover all files.
4. Access/copy hidden, protected and temporary files.
5. Study “special” areas on the drive.
6. Investigate data/settings from installed applications/programs.
7. Assess the system as a whole, including its structure.
8. Consider general factors relating to the user's activity.
9. Create a detailed report.
Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
http://www.computerforensicsworld.com
Is there anything that should NOT be done during an investigation?
Study, don't change:
- avoid changing date/time stamps (of files, for example)
- or changing data itself
- this applies to the overwriting of unallocated space
http://www.computerforensicsworld.com
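The two slides above (copy the drive, keep a full audit log, change nothing on the original) as an added Python example; this is not code from the original slides. It assumes a file-backed image standing in for the seized drive, and the JSON-lines audit log format and the examiner id are constructed for this example.

```python
import hashlib, json, os, shutil, tempfile, time

def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so a multi-gigabyte image need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, dest, audit_log, examiner="examiner-01"):
    # Copy source to dest, prove the copy is bit-identical, and append an
    # audit-log entry. Raises if the copy differs or the source's size or
    # modification time changed while we worked on it ("study, don't change").
    before = os.stat(source)
    shutil.copyfile(source, dest)            # read-only access to the source
    src_hash, dst_hash = sha256_file(source), sha256_file(dest)
    after = os.stat(source)
    if src_hash != dst_hash:
        raise RuntimeError("image hash does not match source")
    if (before.st_size, before.st_mtime_ns) != (after.st_size, after.st_mtime_ns):
        raise RuntimeError("source was modified during acquisition")
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "action": "acquire", "source": source,
             "image": dest, "sha256": src_hash}
    with open(audit_log, "a") as log:
        log.write(json.dumps(entry) + "\n")  # one JSON line per action
    return entry

def verify_image(image, expected_sha256):
    # Re-check later (before analysis or testimony) that the image still
    # matches the hash recorded at acquisition time.
    return sha256_file(image) == expected_sha256

def demo():
    # Constructed stand-in for a seized drive: 1 MiB of patterned bytes
    # (with real evidence the hash would of course come from the real drive).
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.img")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    entry = acquire_image(src, os.path.join(work, "evidence-copy.dd"),
                          os.path.join(work, "audit.jsonl"))
    return entry, verify_image(entry["image"], entry["sha256"])

if __name__ == "__main__":
    print(demo())
```

A write-blocker, not this script, is what actually guarantees the original stays unmodified; the size/mtime comparison only detects that something changed.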
Forensic Examiner's Tools of the Trade
- Operating system utilities;
- Data recovery software;
- File viewers and Hex editors;
- Commercial firewalls;
- There are also packages that provide turnkey assistance for forensic examinations, complete with case management tracking for procedures, reports, and billing; and
- Experts may build their own scripts and tools in order to provide specialized investigations, or to gain an edge over firms providing similar services.
www.itsecurity.com
Regional Computer Forensic Laboratories (RCFLs)
In response to the need to analyze, preserve, protect and defend forensic evidence, the FBI and local and state law enforcement agencies have constructed and staffed RCFLs.
An RCFL is a full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations.
www.rcfl.gov
RCFL Structure & Duties
RCFLs consist of 15 people: 12 of the staff members are Examiners and 3 staff members support the RCFL.
Duties include:
- Seizing and collecting digital evidence at a crime scene;
- Conducting an impartial examination of submitted computer evidence; and
- Testifying as required.
www.rcfl.gov
RCFLs Examine Digital Evidence in
- Terrorism
- Child Pornography
- Crimes of Violence
- Trade secret theft
- Theft or destruction of intellectual property
- Financial crime
- Property crime
- Internet crimes
- Fraud
www.rcfl.gov
Location of RCFLs
www.rcfl.gov
RCFL Priority of Requests:
1. immediate threats to property or people;
2. potential threats to property or people;
3. general criminal investigations, such as fraud
and child endangerment/pornography;
4. administrative inquiries; and
5. digital forensic research and development.
notablesoftware.com/Papers/ForensicComp.html
Computer Forensic Requirements
- The discipline requires a detailed technical knowledge of the relationship between a computer's operating system and the supporting hardware (e.g. hard disks), and between the operating system and system/application programs and the network.
- Knowledge of cryptographic and steganographic techniques is needed where data has been encrypted and/or obfuscated to make it inaccessible and/or hidden.
- Finally and critically, all evidence gathering must proceed in a manner that ensures that the evidence is admissible in a court of law, and can be documented and presented in an intelligible manner.
www.cit.uws.edu.au/compsci/computerforensics
Computer Forensics Certifications
notablesoftware.com/Papers/ForensicComp.html
Challenges in Forensic Computing
- If access to digital evidence is not forthcoming from an impounding agency, court orders may be necessary to obtain the data and use of extraction tools, to determine whether protocols have been applied.
- Computer forensic examiners who are not law enforcement investigators and analysts are not aided by RCFL facilities.
- Examiners must ascertain and provide for their own training on an ongoing basis.
- Rapid changes in digital technology pose complex challenges for computer forensic examiners.
notablesoftware.com/Papers/ForensicComp.html
The Many Colors of Multimedia Security
Benefits and risks of various aspects of digital rights management:
- Media provider: protection of materials from unauthorized distribution or modification is the primary concern;
- Delivery end: recipients want to ensure downloads are virus-free and legitimately obtained.
Encryption and digital branding tools can be employed both for securing multimedia as well as for circumventing laws pertaining to content and use.
www.notablesoftware.com/Papers/MediaSec.html
The Many Colors of Multimedia Security
- Steganography (the art and science of embedding secret messages within text, sound, or imagery) and
- Watermarking (the addition of an unremovable identifier to tag the content, indicating ownership).
  - feature location (identification of subcomponents within a data set);
  - captioning;
  - time-stamping; and
  - tamper-proofing (demonstration that original contents have not been altered).
www.notablesoftware.com/Papers/MediaSec.html
The Many Colors of Multimedia Security
Characteristics involved with data embedding include:
- Visibility: embedded data may be intentionally detectable or imperceptible, but either way it should not detract from or degrade the primary media content.
- Robustness (or fragility): the ability of the data to withstand signal-processing attacks (such as compression, rescaling, and format conversions like digital-to-analog conversion).
- Error correction and detection: recovery is possible from small losses or an indication is provided that coded information damage has occurred.
- Header independence: data is encoded directly into the content of the file to allow survival between file format transfers.
- Self-clocking (or blind) coding: extraction does not require reference to the masking information or signal. (Adaptive coding algorithms use content from the masking data to perform hiding, usually through a transform-based method.)
- Asymmetrical coding: the process used to extract the information is not as time or resource consuming as the process used to insert it, to allow for quick access to the data.
www.notablesoftware.com/Papers/MediaSec.html
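To make the visibility, self-clocking and fragility characteristics of the preceding two slides concrete, here is an added Python example (not code from the original slides or the paper they cite) that embeds a mark in the least significant bits of a constructed 8-bit sample array, extracts it blind, and then shows the mark not surviving a lossy requantisation of the kind compression or D/A conversion performs. The gradient cover and the 16-bit length prefix are assumptions of this example.

```python
def embed_lsb(cover, message):
    # Hide `message` in the least significant bit of each cover sample.
    # A 16-bit length prefix makes extraction self-clocking: the extractor
    # needs neither the original cover nor any out-of-band header.
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # each sample moves by at most 1
    return bytes(stego)

def extract_lsb(stego):
    # Blind extraction: read LSBs and stop where the length prefix says.
    if len(stego) < 16:
        return None
    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[offset + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(2, 0), "big")
    if (2 + length) * 8 > len(stego):
        return None                           # damaged or no payload present
    return read_bytes(length, 16)

def requantize(samples, dropped_bits=2):
    # Model a lossy signal-processing step (compression, D/A conversion)
    # that discards the low bits of every sample; an LSB mark is fragile to it.
    mask = 0xFF & ~((1 << dropped_bits) - 1)
    return bytes(s & mask for s in samples)

def max_sample_change(cover, stego):
    # Visibility check: how far any sample moved from the cover.
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: 512 grayscale samples forming a smooth gradient.
COVER = bytes((i * 255) // 511 for i in range(512))

if __name__ == "__main__":
    marked = embed_lsb(COVER, b"owner:villanova")
    print(extract_lsb(marked), max_sample_change(COVER, marked))
    print(extract_lsb(requantize(marked)))   # mark gone after the lossy step
```

A robust watermark would instead be embedded in transform-domain coefficients that survive such processing, at the cost of the asymmetry and visibility trade-offs listed above.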
1998 Digital Millennium Copyright Act (DMCA)
- Makes it a crime to circumvent anti-piracy measures built into most commercial software.
- Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
- Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
- Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
- In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
- Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
- Limits liability of nonprofit institutions of higher education -- when they serve as online service providers and under certain circumstances -- for copyright infringement by faculty members or graduate students.
- Requires that "webcasters" pay licensing fees to record companies.
- Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
- States explicitly that “nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."
www.gseis.ucla.edu/iclp/dmca1.htm
Study by Oberholzer and Strumpf
- Even though there were over a billion downloads worldwide each week of music files alone, and despite the dip of recorded music CDs shipped in the U.S. by 15% between 2000 and 2002, causality could not be established.
- 5,000 downloads of a particular item were necessary in order to displace a single sale.
- High-selling albums actually benefit from file sharing.
- Therefore, other factors, such as changes in recording format and listening equipment, are probably contributing at a higher rate to the decline in sales.
www.notablesoftware.com/Papers/MediaSec.html