
LEGAL, REGULATIONS, COMPLIANCE AND

INVESTIGATIONS

SZABIST – Spring 2012

Legal, Regulations, Compliance and Investigations

This chapter presents the following:

Computer crimes and computer laws / acts

Computer crime investigation process and evidence collection

Incident-handling procedures

The Many Facets of Cyber Laws

Importance of legal issues for an organization: a violation can damage a company's credibility and reputation.

Challenges faced by law enforcement agencies: how to capture a cybercriminal, properly seize and control evidence, and hand the evidence over to the prosecution and defense teams.

Different countries may interpret the same law differently, or have their own set of laws. If a hacker from another country steals a batch of credit card numbers from a U.S. financial institution and is caught, a U.S. court would want to prosecute him, whereas his home country may not see the act as illegal at all, or may have no laws restricting such activities.

Companies should have clear policies on computer security issues (how to prevent, detect, and report crimes).

Complexities in Cybercrime

Why is it difficult to identify the attacker?

They spoof their addresses and identities and use methods to cover their tracks.

They break into networks, take whatever resources they were after, and clean the logs that tracked their movements and activities.

Attackers commonly hop through several systems before attacking their victim so that tracking them down is more difficult. How? Bots / zombies / botnets.

In most cases, law enforcement agencies do not have expertise at a level comparable with the attackers.

Even if an attacker's activities trigger an IDS alert, the alert does not usually reveal the true identity of the individual, though it does tell the company that a specific vulnerability was exploited.

Visit www.cybercrime.gov to have a look at reported crimes and prosecutions.

Complexities in Cybercrime – contd.

Limited laws and regulations related to cybercrime.

Companies that are victims just want to ensure that the exploited vulnerability is fixed, rather than spending the time and money to prosecute the attacker.

Organizations do not report breaches or computer crimes, because the customer base will lose confidence, as will shareholders and investors.

Regulations, laws, and attacks help make senior management more aware of security issues, but when their company ends up in the headlines with a story of how it lost control of over 100,000 credit card numbers, security suddenly becomes very important to them.

Electronic Assets

One complexity the digital world has brought upon society is defining what has to be protected, and to what extent.

Fifteen years ago, the assets of most concern were tangible ones (equipment, buildings, manufacturing tools, inventory).

Now companies have added data to the top of the asset list: product blueprints, Social Security numbers, medical information, credit card numbers, personal information, trade secrets, military deployments and strategies, and so on.

Companies have realized that protecting intangible assets (data, reputation) is more difficult than protecting tangible assets.

The Evolution of Attacks

About ten years ago, hacking was just for fun.

Hackers used to take down web sites (Yahoo!, MSN) to get into the headlines.

Viruses were created that simply replicated or carried out some destructive activity.

Unfortunately, today these trends have taken on more malicious objectives.

Organized criminals go after specific targets for specific reasons, usually profit-oriented.

They capture credit card numbers, Social Security numbers, and personal information to carry out fraud and identity theft.

Computer Forensics & Proper Collection of Evidence

What is Computer Forensics?

Computer forensics is a science that requires specialized techniques for the recovery, authentication, and analysis of electronic data for the purpose of investigating a criminal act.

It is a set of specific processes for reconstructing computer usage, examining residual data, and authenticating data by technical analysis or by explaining the technical features of the data and of the computer's usage; these processes must be followed for the evidence to be admissible in a court of law.

This is not something the ordinary network administrator should be carrying out; forensics investigators must be properly skilled and know what to look for.

Computer Forensics & Proper Collection of Evidence

What is so specialized about this that specific skills are required?

If someone reboots the attacked system or inspects various files, this could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left.

Most digital evidence has a short lifespan and must be collected quickly, in order of volatility: for example, dump the memory contents to a file before doing any other work on the system or powering it down.

Whatever method the forensic investigator chooses to collect digital evidence must be documented. This is the most important aspect of evidence handling.

Computer Forensics & Proper Collection of Evidence

Incident Investigation – Where to look

Suspicious activities, such as port scans and attempted SQL injections, can show up as entries in a system log describing abnormal activity that took place. Other clues include:

Increased network traffic

An employee staying late every night

Unusual requests to specific ports on a network server, etc.

On top of being observant, the investigator must understand forensics procedures, evidence collection issues, and how to analyze a situation to determine what is going on, and know how to pick out the clues in system logs.
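The log clues listed above, turned into detection logic as an added example (this code is not part of the lecture slides): it scans constructed web-server and packet-filter log lines, flags requests whose decoded query string looks like a SQL injection attempt, and flags a source that probes many distinct ports on one host within a short window (a port scan). The log formats, the addresses, the five-port threshold and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample logs (not taken from any real system); the addresses
# are RFC 5737 documentation ranges.
WEB_LOG = """\
203.0.113.7 - - [14/Mar/2012:10:01:02 +0500] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2012:10:01:09 +0500] "GET /login.php?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 874
198.51.100.4 - - [14/Mar/2012:10:02:11 +0500] "GET /products.php?id=7 HTTP/1.1" 200 2048
203.0.113.7 - - [14/Mar/2012:10:02:40 +0500] "GET /products.php?id=7%20UNION%20SELECT%20card_no,cvv%20FROM%20cards-- HTTP/1.1" 500 310
198.51.100.4 - - [14/Mar/2012:10:03:00 +0500] "POST /search.php HTTP/1.1" 200 1200
"""

FW_LOG = """\
Mar 14 10:00:01 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=21
Mar 14 10:00:01 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=22
Mar 14 10:00:02 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=23
Mar 14 10:00:02 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=25
Mar 14 10:00:03 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=80
Mar 14 10:00:03 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=443
Mar 14 10:00:04 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=3389
Mar 14 10:05:00 gw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=445
Mar 14 10:30:00 gw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=139
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, size
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Signatures are matched against the URL *after* percent-decoding, because
# attackers encode quotes and spaces to slip past naive string matching.
SQLI_PATTERNS = [
    re.compile(r"(?i)'\s*(or|and)\s*'?\w+'?\s*=\s*'?\w+"),   # ' OR '1'='1
    re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"),          # UNION SELECT
    re.compile(r"(--|#|/\*)\s*$"),                          # trailing SQL comment
    re.compile(r"(?i);\s*(drop|insert|update|delete)\b"),   # stacked query
]

def find_sqli(web_log):
    """Return (client, timestamp, decoded URL) for requests matching a signature."""
    hits = []
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        url = unquote(m.group("url"))
        if any(p.search(url) for p in SQLI_PATTERNS):
            hits.append((m.group("ip"), m.group("ts"), url))
    return hits

# syslog-style packet-filter line with SRC=, DST= and DPT= fields
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) "
                   r"DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")

def find_port_scans(fw_log, min_ports=5, window=timedelta(seconds=60), year=2012):
    """Flag a (source, destination) pair that touched at least `min_ports`
    distinct ports within `window`, using a sliding window over sorted events.
    syslog omits the year, so it is supplied by the caller."""
    events = defaultdict(list)          # (src, dst) -> [(time, port), ...]
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[(m.group("src"), m.group("dst"))].append((t, int(m.group("dpt"))))
    scans = []
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans.append({"src": src, "dst": dst, "start": t0, "ports": sorted(ports)})
                break                   # one finding per pair is enough
    return scans

if __name__ == "__main__":
    for ip, ts, url in find_sqli(WEB_LOG):
        print(f"SQLi attempt from {ip} at {ts}: {url}")
    for s in find_port_scans(FW_LOG):
        print(f"port scan from {s['src']} against {s['dst']} starting {s['start']}: {s['ports']}")
```

Both detectors only tell the investigator *that* a host attacked and *when*; as the slide on IDS alerts notes, the source address may be spoofed or a compromised hop, so the finding is a starting point for evidence collection, not an identification.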

Incident Investigation – Where to look

Different types of assessments an investigator can perform:

Network analysis: communication analysis, log analysis, path tracing

Media analysis: disk imaging, MAC time analysis (Modify, Access, Create), content analysis, slack space analysis

Software analysis: reverse engineering, malicious code review, exploit review

The Forensics Investigation Process

The following steps are generally followed in a computer forensics investigation:

Identification

Preservation

Collection

Examination

Analysis

Presentation

Decision

The Forensics Investigation Process

Identification: at the initial stage the incident is identified and confirmed.

Preservation: two copies of the original media should be created:

a primary image (a control copy)

a working image (used for analysis and evidence collection).

Use a specialized tool such as FTK Imager, EnCase, SafeBack, etc.

These should be time-stamped to show when the evidence was collected.

Procedures should be performed on the duplicate image to preserve the original evidence from inadvertent alteration during examination.

To ensure that the original image is not modified, message digests (cryptographic hashes) of files and directories are computed before and after the analysis and compared; a mismatch means the evidence changed.

The Forensics Investigation Process

Collection: a proper chain of custody should be maintained.

Follow the evidence through its entire life cycle, from identification to destruction, permanent archiving, or return to the owner.

Copies must be reliable, independently verified, and tamperproof.

Evidence should be marked with the date, time, and initials of the collector.

Media should be write-protected and secured physically and environmentally.

All storage media should be retained, even if it has been erased, because the data may still be recoverable.

Computer forensics is the art of retrieving this evidence and preserving it in the proper way to make it admissible in court.
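The preservation and collection steps above, as an added example (this is not code from the slides, and it does not replace an imaging tool such as FTK Imager or EnCase; it only shows the verification logic around the copies). It records the SHA-256 digest of the original, creates the control and working copies, checks that all three digests agree before any analysis, keeps a hash-chained chain-of-custody log in which each entry carries the date, time, collector initials and digest, and re-checks the original and the control copy after analysis. The evidence bytes, the item label DISK-001 and the collector initials are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence).
ORIGINAL_MEDIA = bytes(range(256)) * 16      # 4 KiB of deterministic content

def digest(data):
    """Message digest used to prove an image has not changed (SHA-256)."""
    return hashlib.sha256(bytes(data)).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record. Each entry names the evidence item,
    the action, who did it, when, and the item's digest at that moment, and
    carries the hash of the previous entry, so editing or removing an earlier
    entry breaks every link after it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(e):
        fields = (e["item"], e["action"], e["collector"], e["time"], e["sha256"], e["prev"])
        return hashlib.sha256("|".join(fields).encode()).hexdigest()

    def record(self, item, action, collector, data, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"item": item, "action": action, "collector": collector,
                 "time": when, "sha256": digest(data), "prev": prev}
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True only if every entry still matches its own hash and its link."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def acquire(original, collector, log):
    """Hash the original once, then make the control and working copies.
    All three digests must agree before analysis starts."""
    reference = digest(original)
    log.record("DISK-001 original", "acquired", collector, original)
    control = bytes(original)          # primary image: never touched again
    working = bytearray(original)      # the image the examiner actually uses
    if not (digest(control) == reference == digest(working)):
        raise RuntimeError("copy verification failed")
    log.record("DISK-001 control", "created, digest verified", collector, control)
    log.record("DISK-001 working", "created, digest verified", collector, working)
    return control, working

def post_analysis_check(original, control, collector, log):
    """Re-hash the original and the control copy after examination and compare
    with the digest recorded at acquisition."""
    reference = log.entries[0]["sha256"]
    log.record("DISK-001 original", "post-analysis check", collector, original)
    return digest(original) == reference and digest(control) == reference

if __name__ == "__main__":
    log = CustodyLog()
    control, working = acquire(ORIGINAL_MEDIA, "L.D.", log)
    working[0:4] = b"XXXX"             # the examiner (or a tool) alters the working copy
    print("working copy still matches:", digest(working) == log.entries[0]["sha256"])
    print("original and control intact:", post_analysis_check(ORIGINAL_MEDIA, control, "L.D.", log))
    print("custody log intact:", log.verify_chain())
    for e in log.entries:
        print(e["time"], e["collector"], e["item"], e["action"], e["sha256"][:16])
```

The working copy is expected to change during examination (tools write, timestamps move); what must never change is the original or the control copy, which is why only those two are compared against the acquisition digest. In practice the custody log would be signed or kept on write-once media; the hash chain here only makes silent edits detectable, not impossible.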

The Forensics Investigation Process

Examination and Analysis: the investigator should work from an image that contains all of the data from the original disk.

It must be a bit-level copy, sector by sector, to capture deleted files, slack space, and unallocated clusters.

Analysis: for the analysis of evidence, forensic investigators use a scientific method that involves:

Determining the characteristics of the evidence, such as whether it is admissible as primary or secondary evidence, as well as its source, reliability, and permanence.

Comparing evidence from different sources to determine a chronology of events.

Event reconstruction, including the recovery of deleted files and other activity on the system.
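Why the examination must work from a bit-level copy, as an added example (not part of the slides): a toy file system with 64-byte clusters in which a sensitive file was deleted and then partly overwritten by a new file. A logical, file-by-file copy returns only the live files; carving the file slack and the unallocated clusters of the full image recovers the residue (the slack space analysis and MAC time analysis listed earlier under media analysis). The same block merges the files' MAC times with constructed auth-log events into one chronology, as in the "comparing evidence from different sources" step above. The cluster size, file names, contents, timestamps and auth-log entries are all constructed assumptions.

```python
import re
from datetime import datetime

CLUSTER = 64       # bytes per cluster in the toy file system (constructed)
CLUSTERS = 8       # whole image is 512 bytes

def build_image():
    """Constructed evidence: a card list once occupied clusters 4-5, was deleted,
    then notes.txt (18 bytes) was written into cluster 4. Returns (image, table),
    where the table maps file name -> clusters, size and MAC times."""
    img = bytearray(CLUSTER * CLUSTERS)
    old = b"CARDLIST 4111111111111111 exp 03/14 cvv 123 - copied to usb 2012-03-14 23:40"
    img[4 * CLUSTER:4 * CLUSTER + len(old)] = old       # longer than one cluster: spills into 5
    new = b"meeting notes 10am"
    img[4 * CLUSTER:4 * CLUSTER + len(new)] = new       # overwrites only the first 18 bytes
    img[1 * CLUSTER:1 * CLUSTER + 100] = b"Q" * 100     # report.doc lives in clusters 1-2
    table = {
        "notes.txt":  {"clusters": [4], "size": len(new),
                       "modified": "2012-03-15T09:02:00", "accessed": "2012-03-15T09:02:00",
                       "created": "2012-03-15T09:02:00"},
        "report.doc": {"clusters": [1, 2], "size": 100,
                       "modified": "2012-03-10T14:00:00", "accessed": "2012-03-14T23:35:00",
                       "created": "2012-03-10T14:00:00"},
    }
    return bytes(img), table

def logical_copy(img, table):
    """What a file-by-file backup sees: only the live bytes of allocated files."""
    out = {}
    for name, m in table.items():
        data = b"".join(img[c * CLUSTER:(c + 1) * CLUSTER] for c in m["clusters"])
        out[name] = data[:m["size"]]
    return out

def bit_level_copy(img):
    """Sector-by-sector image: every byte, allocated or not."""
    return bytes(img)

def printable_strings(data, min_len=8):
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def carve(img, table):
    """Recover residue a logical copy misses: file slack (the unused tail of each
    file's last cluster) and clusters that no file currently owns."""
    allocated = {c for m in table.values() for c in m["clusters"]}
    found = []
    for name, m in table.items():
        last = m["clusters"][-1]
        used = m["size"] - CLUSTER * (len(m["clusters"]) - 1)
        tail = img[last * CLUSTER + used:(last + 1) * CLUSTER]
        if tail.strip(b"\x00"):
            found.append({"region": "slack", "cluster": last, "file": name,
                          "data": tail, "strings": printable_strings(tail)})
    for c in range(CLUSTERS):
        if c in allocated:
            continue
        chunk = img[c * CLUSTER:(c + 1) * CLUSTER]
        if chunk.strip(b"\x00"):
            found.append({"region": "unallocated", "cluster": c, "file": None,
                          "data": chunk, "strings": printable_strings(chunk)})
    return found

def timeline(table, other_events):
    """Merge MAC times with events from another source into one chronology.
    other_events: list of (iso_time, source, description)."""
    events = []
    for name, m in table.items():
        for kind in ("modified", "accessed", "created"):
            events.append((datetime.fromisoformat(m[kind]), "filesystem", f"{name} {kind}"))
    for ts, src, desc in other_events:
        events.append((datetime.fromisoformat(ts), src, desc))
    events.sort(key=lambda e: e[0])
    return events

# Constructed auth-log entries used as the second evidence source.
AUTH_EVENTS = [("2012-03-14T23:31:00", "auth.log", "login jdoe from 10.0.0.22"),
               ("2012-03-14T23:45:00", "auth.log", "logout jdoe")]

if __name__ == "__main__":
    img, table = build_image()
    print("logical copy:", logical_copy(img, table))
    for r in carve(bit_level_copy(img), table):
        print(r["region"], "cluster", r["cluster"], r["strings"])
    for t, src, desc in timeline(table, AUTH_EVENTS):
        print(t.isoformat(), src, desc)
```

The logical copy contains "meeting notes 10am" and the report and nothing else; the carved slack of cluster 4 still holds the tail of the deleted card list, and unallocated cluster 5 holds its last bytes. The chronology then places the report.doc access between the login and logout from the auth log, which is the kind of cross-source correlation the slide describes.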

The Forensics Investigation Process

Presentation

Finally, the interpretation of the analysis should be presented to the appropriate party.

This could be a judge, lawyer, CEO, or board of directors.

Findings should be presented in a format that will be understood by a nontechnical audience.

Findings that are top secret or company confidential should only be disclosed to authorized parties.

Decision: based on the procedures performed, conclude the investigation.

End of Chapter 5

Thank You!