computer misuse in the workplace you only get one chance..... david horn

Post on 07-Jan-2016


TRANSCRIPT

© Sapphire 2006

Computer Misuse in the Workplace

You only get one chance.....

David Horn

You only get one chance...


Or do you.......?

opportunity n., pl. -ties. A favourable or advantageous circumstance or combination of circumstances.

chance n. The unknown and unpredictable element in happenings that seems to have no assignable cause.

Test


Opportunity

A brief guide to: What, when, why and how.

You only get one opportunity!


Digital Forensics

• The process of deriving evidence from digital media

• Requires that the data is shown to be reliably obtained

– Is not changed in any way

– Is complete

– Can be repeated

• And very importantly, that it can be understood.

Digital forensics – first steps


SOURCES OF COMPUTER EVIDENCE

• Personal Computers

• Server Computers

• Removable media

• Automatically-produced log files

Evidence Types


BASIC PRINCIPLES OF COMPUTER FORENSICS

The forensic examination of the contents of a computer is a skilled job and special procedures, techniques and tools are required to ensure that any information that is retrieved can be presented as evidence in a Court of Law.

Evidential Integrity
Requires that the material being examined is not changed in any way. What is examined must be an exact copy of the original.

Continuity of Evidence
Refers to the means used to vouch for the actions that have taken place regarding the item under examination. This covers the seizure, handling and storage of equipment and copies of the data.

Never forget.............


Incident Response Teams

First steps


Key roles and responsibilities

What technical skills are required

What training is required

Management


Key roles and responsibilities

Officer In charge

Forensic Investigators and Auditors

Independence

Working within the law and your policies

Roles & Responsibilities


What training will be needed?

Product Training

Incident Response Techniques

Health and Safety

Computer Misuse Act and relevant law

Internal Policies

...more…more…more…

Training


Current Practice

ACPO Guidelines


THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)

Principle 1
No action taken should change data held on a computer or other media which may subsequently be relied upon in Court.

Principle 2
In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.

ACPO Guidelines


THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)

Principle 3
An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and obtain the same result.

Principle 4
The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

ACPO Guidelines


Search and Seizure

Secure the evidence


Pre-seizure planning

What you will need

Who should be on your response team

Step by step computer incident response procedure

Incident response


PRE-SEARCH PREPARATION

• The forensic unit – i.e. the imaging / investigation hardware and software

• An adequate toolkit – screwdrivers, pliers

• Plenty of stationery

• Digital camera

• Disk boxes

• Mobile telephone

• Blank floppy disks / CDs

• A torch

• Data cables of every variety

• Network card

• Power extensions

Pre search preparation


EVIDENCE PROCESS

Identify
What sources are available?

Seize
‘Bag and Tag’ Best Evidence

Transport
Safely and responsibly take the best evidence to a secure location

Receive
Accept responsibility for the evidence

Store
Ensure securely held free from risk of contamination

Evidence process


EVIDENCE PROCESS

Preserve

Take a reliable copy of the evidence

Reserve

Put the original Best Evidence source in a secure place

Analyse

Investigate the evidence on the preserved copy

Produce

Identify the exhibits that establish facts

Testify

Create a statement and go to court

Evidence process
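As an added illustration that is not part of the original slides, the Preserve, Analyse and audit-trail steps above (and the Evidential Integrity / Continuity of Evidence principles earlier) carried out in Python: hash the original, take a copy, prove the copy matches, re-verify the working copy before relying on it, and log every action so an independent third party can repeat the check. SHA-256 as the integrity hash, the exhibit id, operator name and the byte string standing in for a seized disk are all assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the contents of a seized disk (not real data).
SAMPLE_DEVICE = b"MBR\x00" + b"invoice_2006.xls\x00" * 8 + b"old_mail.pst\x00" * 4

def sha256_hex(data: bytes) -> str:
    """Integrity hash of an exhibit or image (SHA-256 chosen here as an assumption)."""
    return hashlib.sha256(data).hexdigest()

def record_action(log: list, exhibit_id: str, action: str, operator: str, **details) -> dict:
    """Continuity of evidence: who did what to which exhibit, when, and the hashes seen."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "exhibit": exhibit_id,
             "action": action, "operator": operator, **details}
    log.append(entry)
    return entry

def preserve(source: bytes, exhibit_id: str, operator: str, log: list) -> dict:
    """Preserve step: hash the original, take a bit-for-bit copy, hash the copy, log both.
    The copy is fit for analysis only if its hash equals that of the original."""
    original_hash = sha256_hex(source)
    record_action(log, exhibit_id, "hash original", operator, sha256=original_hash)
    image = bytes(source)  # stands in for a write-blocked imaging tool
    image_hash = sha256_hex(image)
    verified = image_hash == original_hash
    record_action(log, exhibit_id, "acquire image", operator, sha256=image_hash, verified=verified)
    return {"image": image, "sha256": original_hash, "verified": verified}

def reverify(image: bytes, expected_hash: str, exhibit_id: str, operator: str, log: list) -> bool:
    """Analyse step: before and after work on the preserved copy, prove it is unchanged.
    A mismatch is logged and that copy must not be relied upon; anyone can repeat the check."""
    ok = sha256_hex(image) == expected_hash
    record_action(log, exhibit_id, "verify image", operator, verified=ok)
    return ok

def audit_trail(log: list) -> str:
    """Render the log as JSON lines for the case file (ACPO Principle 3)."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in log)

if __name__ == "__main__":
    case_log = []
    result = preserve(SAMPLE_DEVICE, "EX-001", "analyst-1", case_log)
    tampered = b"X" + result["image"][1:]  # constructed: one byte altered on the working copy
    reverify(result["image"], result["sha256"], "EX-001", "analyst-1", case_log)
    reverify(tampered, result["sha256"], "EX-001", "analyst-1", case_log)
    print(audit_trail(case_log))
```

The tampered copy fails re-verification and the failure itself becomes a log entry, which is the point of hashing before analysis rather than after.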


On Site

Server room challenges


ON SITE

• Machines switched on and operating

• Clearly transferring data

– receiving incriminating data

– receiving exonerating data

– receiving routine data

• May be overwriting evidence on the disk

• May be overwriting evidence in memory

On-site Seizure


MACHINES WHICH ARE SWITCHED ON

• Secure the area and log your actions

On-site Seizure


MACHINES WHICH ARE SWITCHED OFF

Be satisfied that the computer is actually switched off - not in hibernate mode - not running a blank screensaver.

On-site Seizure


ESSENTIAL KIT

Integrated (imaging) Solution:

• EnCase – now up to version 6.8

• FTK – Access Data

Third Party Plug-ins:

• QuickView

• ACDSee

• WinRar

• IrfanView

• KaZAlyser

• NetAnalysis

• PDA Seizure

• Email Examiner

Forensic Tools


Legal Issues

Points to consider


THE LAW AND COMPUTERS

• Computer Misuse Act 1990

• Data Protection Act 1998

• Laws of Pornography

– Obscene Publications Act 1959

– Protection of Children Act 1978

– Criminal Justice Act 1988

– Sexual Offences Act 2003

• Laws of ‘Harm’

– Theft Act 1968 / 1978

– Offences Against the Person Act 1861

Your policies & the law


Advice to Beginners

There are some very powerful tools available. But with great power comes great responsibility, and as a potential forensics investigator, it is your responsibility to learn how to use the tools properly. Simple mistakes and good intentions can completely destroy digital evidence. It is strongly recommended that aspiring investigators learn about digital forensics, and practice on controlled systems before attempting to collect evidence from a real system.

Summary


Questions?

Questions


Offices in the: North, Scotland & London

David Horn
david.horn@sapphire.net

0845 58 27001

Contact Details
