Taxonomy of Anti-Computer Forensics Threats



Similar documents
Information Security Basic Concepts

Digital Forensics: The aftermath of hacking attacks. AHK Committee Meeting April 19 th, 2015 Eng. Jamal Abdulhaq Logos Networking FZ LLC

EnCase Enterprise For Corporations

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

Computer Forensics. Computer Forensics: History, Tools and Outlooks. By John Burns IT Research Paper

Legal view of digital evidence

Ten Deadly Sins of Computer Forensics

Open Source Digital Forensics Tools

Outbound Security and Content Compliance in Today s Enterprise, 2005

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

Computer Forensics US-CERT

Digital Forensics at the National Institute of Standards and Technology

Computer Hacking Forensic Investigator v8

Framework for Live Digital Forensics using Data Mining

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS

R345, Information Technology Resource Security 1

Computer Forensics Today

EC-Council Ethical Hacking and Countermeasures

Certified Digital Forensics Examiner

We believe successful global organisations can confront fraud, corruption and abuse PwC Finland Forensic Services

Certified Digital Forensics Examiner

Master of Science in Information Systems & Security Management. Courses Descriptions

Digital Forensics & e-discovery Services

Contact: Henry Torres, (870)

MSc Computer Security and Forensics. Examinations for / Semester 1

Immigration and Customs Enforcement Forensic Analysis of Electronic Media

Contra Costa Community College District Business Procedure SECURITY CAMERA OPERATING PROCEDURE

TUSKEGEE CYBER SECURITY PATH FORWARD

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

US-VISIT Program, Increment 1 Privacy Impact Assessment

Certified Digital Forensics Examiner

The Role of Digital Forensics within a Corporate Organization

University of Sunderland Business Assurance Information Security Policy

ISO Controls and Objectives

Computer Forensics for CEO s and Managers

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Legal Framework to Combat Cyber Crimes in the Region: Qatar as a Model. Judge Dr. Ehab Elsonbaty Cyber Crime expert ehabelsonbaty@hotmail.

Cloud Computing Security Considerations

Scientific Working Group on Digital Evidence

Information Management Advice 39 Developing an Information Asset Register

Computer Forensics Preparation

The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches

Digital Forensic Techniques

Approved By: Agency Name Management

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Information Security Program Management Standard

Information Security Program

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Online Lead Generation: Data Security Best Practices

Risk Assessment Guide

EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS

Federal Bureau of Investigation s Integrity and Compliance Program

Snapchat Law Enforcement Guide

Getting Physical with the Digital Investigation Process

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

A Short Introduction to Digital and File System Forensics

Modalities for Forensic Review of Computer Related Frauds

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Organizational Impact of Big Data on Privacy & Security

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

S. ll IN THE SENATE OF THE UNITED STATES A BILL

Chap. 1: Introduction

The International MBA in Corporate Security Management (IMBASM) Distance Learning

Incident Response and Forensics

Future Proof Your ediscovery Practices

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

UF Risk IT Assessment Guidelines

Fostering Incident Response and Digital Forensics Research


Types of Fraud and Recent Cases. Developing an Effective Anti-fraud Program from the Top Down

INFORMATION TECHNOLOGY SECURITY STANDARDS

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Network & Information Security Policy

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

INFORMATION SECURITY PROCEDURES

e-discovery Forensics Incident Response

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

ACCEPTABLE USE AND TAKEDOWN POLICY

Honor Code Cox School of Business Graduate Programs

Transcription:

1 Taxonomy of Anti-Computer Forensics Threats Joseph C. Sremack & Alexandre V. Antonov 12 September 2007

2 Overview 1. Introduction 2. Problem Statement 3. High-Level Overview of Investigation Phases 4. Types of Investigations 5. Anti-Forensics 6. Taxonomy of Anti-Forensics Threats 7. Case Study Discussion

3 Introduction: Who? What? Where? Perform computer forensics and data analytics for large-scale corporate civil and criminal investigations. Cases typically involve tens to thousands of custodians that require imaging. Devices range from PDAs/Blackberries to full data warehouses. Most investigations take place within US, although some cases take place in EU and Caribbean.

4 US Jurisprudence Most law is based on case law. Evidence or expert testimony are typically deemed admissible when they satisfy the Daubert Standard: 1. Relevant: Evidence/expert fits the facts of the case. 2. Reliable: Evidence/expert s findings are based on sound scientific principles: 1 Empirical testing: the theory or technique must be falsifiable, refutable, and testable. Subjected to peer review and publication. Known or potential error rate and the existence and maintenance of standards concerning its operation. Whether the theory and technique is generally accepted by a relevant scientific community. 1. Wikipedia. Daubert Standard. http://en.wikipedia.org/wiki/daubert_standard. Last updated July 22, 2007.

5 Problem Statement Anti-forensics is a growing issue with potentially catastrophic consequences for investigators. If anti-forensics succeeds, evidence fails Daubert Standard. Significant for case law. Exploiting case law itself can be an anti-forensics technique. Anti-forensics threats should be classified, just as they are in other subject areas, e.g. digital security. Creating a taxonomy of threats needs to take into account all types of investigations and all types of threats.

6 Phases in Computer Forensic Investigations 1. Preparation Phase 2. Collection Phase 3. Analysis Phase 4. Presentation Phase 1. Preparation Phase Scoping Interviewing Logistics 2. Collection Phase Acquisition Verification 3. Analysis Phase Keyword searching Log file comparisons 4. Presentation Phase Expert report Court presentation

7 Requirements for Phases Preparation Phase Full scope understood Interviews conducted Determine data points Determine means for analysis Understand venue/audience for analysis findings Collection Phase All relevant data are collected Acquired data are verified Full documentation of process Maintain chain-of-custody Analysis Phase Performed completely and accurately Findings are verified Industry best practices are applied Court-accepted tools/methodologies employed over novel ones Full documentation Maintain chain-of-custody

8 Requirements for Phases Cont. Presentation Phase All relevant information presented clearly Analysis conforms to rules of admissibility Overall Follow rules of admissibility Findings are convincing and based on best practices Full process is documented Performed timely and accurately

9 Types of Computer Forensic Investigations All try to answer the Who, What, Where, When, and How? question. Internal Resolve an event outside of court of law. Less rigor usually required, except when public disclosure required. Civil Performed for court of law for some violation of civil liberties. Requires preponderance of evidence. Criminal Performed for court of law for breaking of societal law. Requires proof beyond a shadow of doubt. Often performed exclusively by law enforcement.

10 Anti-Forensics Defined Def.: The practice of thwarting a proper forensic investigation. Any activity that intentionally aims to deceive or impede the investigation is classified as anti-forensics. Two classes of threats posed by anti-forensics: 1. Threats to digital evidence 2. Threats to legal process/admissibility

11 Digital Evidence Anti-Forensics We have identified four main classes of threats to digital evidence: 1. Data Preservation: Preserving the potential evidence in its original state, including not creating new evidence. 2. Data Counterfeiting: Creating false and/or misleading evidence. 3. Data Hiding: Moving evidence to location undiscoverable by investigator. 4. Data Destruction: Destroying evidence, either completely or to unanalyzable state. Two subclasses exist for each 1. Physical 2. Technical

12 Digital Evidence Anti-Forensics Taxonomy Class Subclass Example Evidence Preservation Technical Prevention from writing to hard drive. Evidence Preservation Physical Installation of data gathering equipment that does not communicate with host network, such as a silent sniffer. Evidence Destruction Technical Deletion of log file entries. Evidence Destruction Physical Chemical, magnetic, mechanical destruction of media containing evidence. Evidence Hiding Technical Use of encryption or steganography. Evidence Hiding Physical Use of smart cards or hardware cryptographic modules. Evidence Counterfeiting Technical Creation of misleading log file entries. Evidence Counterfeiting Physical Physical replacement of system hard drive with a ghost image of the original hard drive with nonincriminating digital evidence.

13 Legal Process Anti-Forensics The idea is to use legal boundaries and restrictions against the investigator. Intentionally thwarting forensic investigation by exploiting legal process is becoming more prevalent. Several Classes Exist 1. Sufficient Doubt: Creating doubt regarding who and/or how of an investigation. 2. Crossing Jurisdictions: Limiting what evidence can be captured due to inability to access data in one or more jurisdictions. 3. Privacy: Limiting what evidence can be captured due to privacy laws. 4. Significant Changes in Scientific Foundation: Relying on recent scientific breakthroughs to undermine established forensic process.

14 Legal Process Anti-Forensics Taxonomy Class Sufficient Doubt Crossing Jurisdictions Privacy Significant Changes in Scientific Foundation Example Perform crime from publicly-accessible or virus-infected computer. Perform crime from a jurisdiction with no extradition and no working relationship with target jurisdiction. EU laws prevent certain EU citizen personal data from being sent to non-eu countries. Recent proofs in weakness in SHA-1 and MD5.

15 Taxonomy Considerations for Different Types of Cases Internal All digital evidence anti-forensics threats apply, but the legal process threats do not. Legal process may become important if internal investigation later leads to civil or criminal investigation. Civil All digital evidence anti-forensics threats apply, and the legal process threats apply. The legal process becomes important insofar as some data may be inaccessible, but sufficient doubt does not apply so long as a preponderance of evidence still exists. Criminal: All digital evidence anti-forensics threats apply, and the legal process threats apply. Legal process extremely important, since any doubt can make evidence inadmissible.

16 Case Study: International Intellectual Property Theft Medical manufacturer ( A ) whose former CEO left to form Competitor ( B ). Believed that IP being leaked through employees at previous company. B located outside of US in country with no extradition/poor data export laws (crossing jurisdictions). Installed traffic capturing devices for email and instant messages at three sites: US, EU, and Latin America. Traffic analysis showed missing data from Latin American site, which was due to IT staff stealing equipment before leaving company (physical evidence hiding). Later analysis established some suspects and allowed A to mitigate.

17 Future Work 1. Expand taxonomy to include unintentional threats. 2. Investigate social threats to forensics, such as collusion and other forms of social engineering. 3. Develop better controls for forensic process.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information