Ten Deadly Sins of Computer Forensics




Cyber criminals take advantage of the anonymity of the Internet to escape punishment. Computer forensics has emerged as a new discipline to counter cyber crime. This paper focuses on the ten deadly sins of computer forensics.

1. Introduction

The last decade has seen tremendous growth of information and communication technology (ICT), the Internet and e-commerce. The ease and convenience of electronic channels has led to the proliferation of social networking sites, e-banking, e-retailing and numerous other e-services. This newfound ease has also led to the popularity and acceptance of e-payments through payment gateways, which have helped make the Internet a repository of personal, financial and business information. The ICT revolution has coincided with the emergence of transnational corporations and the growth of offshoring. This new growth industry has created a whole stream of intra-business and inter-business communications, functions and data storage that depend largely on the use of computers, networks and all forms of ICT. Consequently, organizations hold a wide variety of customer and business data in electronic form.

The flip side of this revolution has been the simultaneous growth of cyber crime. Cyber criminals are always on the lookout to steal different types of information through phishing, spamming and a host of other techniques. This has given rise to threats such as identity theft, money laundering, credit card fraud and infringement of copyrights, among many others. The anonymity of the Internet sometimes makes it difficult to trace cyber criminals. This has resulted in the development of a new science known as computer forensics.

1.1 Computer Forensics

Protection of customer, financial and business data is one of the prime concerns of organizations. Loss of data has both financial and legal implications. Organizations are vulnerable to cyber threats from both external and internal agents.

Computer forensics is a science that deals with the collection, evaluation and analysis of data and information from networks, computers and storage devices with the purpose of presenting evidence of crime in a court of law. The data in computers may be either persistent or volatile. Persistent data takes the form of files, databases, graphics, e-mails and spreadsheets on the hard disk. Volatile data is found in memory and registries. Investigators use techniques such as imaging to collect data and cryptographic hash verification to detect modification of documents. Perpetrators of crime can be expected to delete traces or the files they used. Computer forensics makes it possible to trace user activity and recover deleted mails, passwords, files and databases along with existing files and documents.

2. Ten Deadly Sins of Computer Forensics

i. Investigators with inadequate experience

Computer forensics is a specialized profession. Evidence gathered during the course of a computer forensic investigation ought to be admissible in a court of law. The fate of cyber crime litigation depends on credible evidence, and any negative outcome of litigation may have huge repercussions for the business. For example, banks need to protect confidential customer data regarding different financial products. Compromised data may damage the reputation of a bank. In such cases it becomes crucial to identify the culprit, whether internal or external, with credible evidence as quickly as possible. To protect the integrity of the information available on the crime scene or the affected device, investigators usually create a digital image of the hard disk. However, an inexperienced investigator may inadvertently tamper with the evidence through direct contact with the affected device. Any alteration to the evidence may make it inadmissible in court. For reasons like this, it is important for an organization to engage only skilled and certified computer forensics professionals. When engaging a forensics expert, organizations may consider factors such as requisite qualifications, experience and clientele. The organization may need to conduct background checks and cross-check certifications, and it may also need to look for deliverables in the form of value for money, recommendations and speed of investigation.

ii. Limited Scope of Investigations

Forensic experts may limit the scope of computer forensics investigations by prejudging that evidence will be available in a particular set of computers. The reasons may include judgment bias, cost limits and lack of adequate expertise. Such prejudgments may backfire, as evidence from certain systems, files, servers and applications would remain uncollected. This results in delays and adversely affects the outcome of litigation. Limited scope may also alter the nature of the crime from a criminal to a civil case.

iii. Improper Planning

The preparation phase is of immense importance for computer forensics experts. A computer forensics investigation may also be time sensitive, depending on the contract and the court hearing date. Improper planning may result in inadequate incident response leading to loss of volatile evidence, delay in the investigation and a change in the nature of the case. For instance, loss or alteration of volatile evidence may convert a criminal case to a civil case or vice versa. Delays may also escalate the cost of the investigation. A planned approach involves formulating the objectives of the investigation, evolving an incident response system and using standard techniques. Sometimes the evidence collection phase takes longer because of the large amount of data on the hard disk. This may not leave enough time for the subsequent phases of documentation, analysis and interpretation. Processing the evidence may take the computer forensics experts a lot of time. The preparation phase may be used to divide the available time appropriately between the phases. It would also help in identifying the requisite tools for faster collection of evidence.

iv. Alteration caused by First Responder

After an incident, the first responders are usually the information security professionals of the organization, such as system and network administrators. Information security professionals must be aware of the proper incident response procedures after a breach of their company's computer systems. The manner in which an incident response is carried out can also have an adverse effect on the evidence found on the affected systems. Some of the usual responses of a novice first responder in the event of a system failure include running an anti-virus program, restarting, shutting down, copying files, or formatting the drive and installing new software. However, these responses may wipe out crucial evidence such as volatile data.

Ideally, an organization designates a first response team consisting of professionals aware of the forensic collection policies. A first response team should document all requisite details of the incident (scenario, date and time, profile of affected computer devices, personnel involved and impact of the device on normal business functions). The team should get the requisite approvals to monitor the affected device. The team should also formulate a data collection strategy and document all their actions, such as the timeline of the collection process, the forensic tools used and the output received. A proper first response verifies the extent of the crime and isolates affected devices and users from the network.

v. Delay in Evidence Collection

Application of computer forensic tools helps in generating usage logs and recovering lost files. However, evidence available on the computers may be time bound. Delays in evidence collection may be caused by lack of awareness, cost considerations, the possibility of out-of-court settlements, and non-availability of the desired experts on time. Continued use of the affected computer system after the event may also result in overwriting of data and evidence degradation. Delays and interruptions may obstruct the creation of the chain of evidence necessary for better analysis. Before proceeding with the evidence collection process, the first response team should obtain all requisite consent and authorization letters from the organization. The next step is the selection of appropriate methods of data collection, which is determined by the case scenario. It is important to initiate evidence collection as soon as possible, as evidence needs to be admissible in a court of law. For example, computer forensics helps in recovering deleted e-mails, which may hold crucial evidence regarding the crime. Timely collection of this evidence may be crucial for the success of the litigation. Imaging is one of the methods of collection and has proven crucial, as this process creates an exact image of the hard drive including all drives, free space, disk partitions, and existing and deleted files.

vi. Use of Outdated/Unlicensed Software

Collection, preservation and analysis of data for presenting admissible evidence are the major objectives of a computer forensic investigation, which is why it is crucial that forensic experts use the latest, standard and licensed software in their operations. Use of outdated, unlicensed or pirated software may lead not only to delays, failure of purpose and damage to computers, but also to copyright infringement disputes. Evidence collected through unlicensed software may not be admissible in a court of law.

vii. Insecure Location

The computer systems and network systems under investigation should be free from tampering or manipulation. The systems should be secured even from internal agents, because if an internal agent facilitated the crime they may try to tamper with the evidence by modifying, destroying or overwriting it. Be aware that unintentional operation of computers by unaware users may also lead to destruction of evidence. If possible, such systems should be moved to a secure location; all computers, parts of dismantled computers and cables should be labeled.

viii. Inadequate Documentation

All collected and preserved evidence needs to be properly documented. The documentation may include information regarding the damage to the systems, consent letters, correspondence, date and time of evidence collection, a detailed description of the collected evidence, details of recovered data (file names, file creation and modification dates, images and photographs), the techniques used to gather evidence, details of the licensed software used for the forensic investigation, findings, analysis and interpretation. Since the final document may be presented in court, it needs to be cross-checked for errors and mistakes. Proper documentation can play a key role in the outcome of the litigation.

ix. Lack of Adequate Knowledge of Legal Requirements

The evidence collected and analyzed by forensic experts can be presented in a court of law; therefore the experts need to be aware of the legal requirements as they pertain to evidence management and documentation. In addition, the computer forensics report must be drafted in a manner that is easily understandable to the attorneys. If the presentation is not convincing enough, the benefit of processing the evidence and the analysis may never come to fruition. The forensic expert should also anticipate legal hurdles and counter-arguments by defendants.

x. Inadvertent Disclosure of Privileged or Sensitive Information

There always remains a risk of inadvertent disclosure of privileged corporate information. At times it may be necessary to present collected evidence in court. In such cases the expert needs to show caution in handling privileged corporate information. A computer forensic expert may come across private communication between employees of the organization during the course of the investigation. When this happens, the computer forensic expert must follow an ethical code of conduct and judge whether revealing such information is required to substantiate a crime.

3. Conclusion

Computer forensics is a major breakthrough in the crusade against cyber crime. Nevertheless, challenges exist. Further awareness among information security professionals in handling evidence may lead to better results from computer forensics. The laws related to cyber forensics are heterogeneous across the world and are still evolving.
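The paper names imaging, cryptographic hash verification and a written record of tools used and output received (sections 1.1, iv and v) without showing how they fit together. The script below is an added example, not code from the paper: it images a constructed sample "disk" file, hashes source and image, appends a chain-of-custody entry, and later re-verifies the image against the logged digest. The imager name, examiner name and sample content are assumptions; a real acquisition would read from a write-blocked device rather than a file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB blocks so a large image never sits in memory

def sha256_of(path):
    """Hash a file with SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, log, examiner, tool="hypothetical-imager 0.1"):
    """Copy source to image byte-for-byte, hash both, log the acquisition.
    Returns the verified digest; raises if the copy differs from the source."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    entry = {  # who, when, which tool, what came out: the paper's documentation items
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool,
        "image": os.path.basename(image),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
    }
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return src_hash

def reverify(image, log):
    """Re-hash the image against the digest logged at acquisition; True if unchanged."""
    with open(log) as f:
        last = json.loads(f.readlines()[-1])
    return sha256_of(image) == last["image_sha256"]

def demo():  # exercise the workflow on a constructed sample 'disk', not a real device
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "suspect_disk.raw")
    log = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"MBR\x00" * 256 + bytes(range(256)) * 16)  # constructed content
    digest = acquire_image(source, image, log, examiner="A. Examiner")
    intact = reverify(image, log)
    with open(image, "ab") as f:  # simulate a later, undocumented alteration
        f.write(b"X")
    return digest, intact, reverify(image, log)
```

demo() returns the acquisition digest, True for the untouched image and False after the alteration, which is the check a court-bound report relies on to show the image analysed is the image taken.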