Forecast 2014: eDiscovery and Forensics

Posted on 19-Jun-2015

Category: Technology

DESCRIPTION

The preservation and production of electronically stored information (e-Discovery) is a requirement of the American Federal Rules of Civil Procedure (FRCP). As corporate information moves to the cloud, fulfilling these requirements becomes more challenging for enterprises that operate in the USA. Beyond the requirements of e-Discovery, organizations often need to undertake forensic examination of assets in order to determine the nature of an attack or to pursue internal investigations. This session will discuss the subject of e-Discovery and Forensics from an enterprise perspective and a framework by which companies subject to these requirements can operate with cloud providers.

TRANSCRIPT

eDISCOVERY AND FORENSICS

Steve Watson, Intel Corporation

DISCLAIMER

The opinions expressed and materials shared in this presentation are my own and may not reflect the opinions, policies, nor procedures of my employer.

2

BACKGROUND

Current industry practitioner with 7 years of experience related to these topics.

PhD research student of Digital Forensics focused on new and emerging technologies.

3

ODCA WHITEPAPER

Session will review some key concepts of the whitepaper.

Explore some specific challenges with an industry practitioner.

Q/A of how we might address the challenges.

4

WHY ARE WE TALKING ABOUT THIS?

eDiscovery and forensics affects all of our companies – subscribers and providers.

Industry, academia and regulators are struggling with these challenges.

New ideas in this space will be needed to solve the challenges.

5

DEFINITION OF TERMS

eDiscovery

• aka electronic discovery, e-disclosure, and electronic disclosure

• ESI – electronically stored information (data)

6

Forensics

• forensic science

• digital forensics

• investigations

• digital evidence (data)

It’s all about the data!

EDISCOVERY

What is “Discovery”?

When does “eDiscovery” occur?

What do I need to know as a cloud provider or subscriber?

7

SUBPROCESSES TO HIGHLIGHT

Preservation and Collection sub-process

• Keep the data from going away (preservation).

• Collect a copy of the data to provide for the matter (collection).
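The preservation and collection sub-process above is where a technical team most often touches the data directly. The following is an added example, not code from the presentation or from the ODCA whitepaper, of a minimal defensible collection: every file is copied into an evidence directory, hashed at the source and at the destination, and recorded in a manifest that names the matter and custodian; a verify step later re-hashes the preserved copies so that any alteration after collection is detected. The sample files, the custodian name and the matter id are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream a file through SHA-256 so large mailboxes or images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(source_dir, evidence_dir, custodian, matter_id):
    """Copy everything under source_dir into evidence_dir and write manifest.json.

    Each item records its relative path, size, last-modified time and SHA-256.
    The copy is hashed again after writing; a mismatch aborts the collection
    rather than silently producing a copy that cannot be vouched for.
    """
    items = []
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the source timestamps on the preserved copy
            src_hash = sha256_file(src)
            if sha256_file(dst) != src_hash:
                raise RuntimeError(f"preserved copy of {rel} does not match its source")
            st = os.stat(src)
            items.append({
                "path": rel,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": src_hash,
            })
    manifest = {
        "matter_id": matter_id,
        "custodian": custodian,
        "source": os.path.abspath(source_dir),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved item; return the relative paths that are missing or altered."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    altered = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            altered.append(item["path"])
    return altered


def demo():
    """Constructed walk-through: collect two sample files, verify, tamper with one, verify again."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "mailbox")
    evidence = os.path.join(work, "evidence")
    os.makedirs(os.path.join(source, "inbox"))
    with open(os.path.join(source, "inbox", "msg1.eml"), "w") as f:
        f.write("Subject: constructed sample message\n")
    with open(os.path.join(source, "notes.txt"), "w") as f:
        f.write("constructed sample note\n")

    manifest = collect(source, evidence, custodian="jdoe (placeholder)", matter_id="MATTER-PLACEHOLDER")
    clean = verify(evidence)  # nothing has changed yet
    with open(os.path.join(evidence, "notes.txt"), "a") as f:
        f.write("edited after collection\n")  # simulate post-collection alteration
    altered = verify(evidence)
    shutil.rmtree(work)
    return len(manifest["items"]), clean, altered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be signed or stored somewhere the collecting team cannot rewrite, and the custodian, matter and collection time come from the legal hold notice rather than from a script argument; the point the example makes is that preservation without a verifiable hash record leaves no way to show later that the produced copy is the data that was collected.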

Search and Review sub-process

• Narrowing the data down to the data relevant to the legal matter.

• Legal directed activity.

• Even if completed by technical individuals (subscriber or provider), this is directed by legal teams.

8

EDBP MODEL

9

Electronic Discovery Best Practice workflow model

10

WHAT ABOUT FORENSICS?

There may be data about the incident unavailable to the cloud subscriber.

The cloud provider may need to assist in accessing and collecting the data relevant to user or administrative activity.

11

INVESTIGATIONS REQUIRING FORENSICS

12

Subscriber: Accessible data limited to what the provider has granted access to.

1. Subset of full data related to subscriber account.

2. User created data.

3. User activity data (limited).

4. User social media data.

5. Limited access to preserve or collect.

Provider: All of the subscriber accessible data. Plus…

1. Subscriber account information.

2. Full user created data.

3. Administrative data.

4. Provider access data.

5. Malware activity.

BIGGEST CHALLENGE

The gap between data accessible to the subscriber and data accessible to the provider is the biggest challenge for investigations.

How do we close the gap without revealing the provider’s intellectual property or other subscribers’ data, or compromising their security and networks?

13

TAKEAWAYS

It’s not if, it’s when.

Remember the preservation piece of eDiscovery.

Contractual agreement between provider and subscriber.

How do we close the gap for forensic investigations?

14

15

16

© 2014 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

ADDITIONAL RESOURCES

Draft NIST IR 8006, “NIST Cloud Computing Forensic Science Challenges”

The Sedona Conference, Commentary on Cloud Computing (DRAFT)

17

ATTRIBUTION:

Slide 9. EDBP model image courtesy Ralph Losey, www.edbp.com.

Slide 10. EDRM model image provided by EDRM.net.

18
