Computer Forensics for CEOs and Managers
Robert Reed, MSCIS
Forensics Investigator, Tucson Police Department

Synopsis

Computer forensics can serve a vital role in any organization's incident response planning. The ability to quickly capture volatile data and evaluate it means increased agility of organizational response. Once volatile data is collected, it can be evaluated to determine whether a more thorough examination is required to identify potential offenders and their locations. Forensically trained personnel can also assist in developing and auditing policies that help the organization identify and mitigate violations before they result in costly legal action.
Introduction

Modern corporate, industrial and governmental organizations face an increasingly complex maze of legal and competitive challenges. To address these challenges they have turned to computer and information systems. These systems help organizations control a multitude of business objectives. Computers control access to data, track adherence to statutory requirements, represent the organization on the World Wide Web, and perform a host of other business functions.

The increased reliance of organizations on computers and information systems has in many ways been a renaissance. The increased integration of computers has allowed organizations to re-task personnel to more productive areas of the organization. In the past, large numbers of personnel were dedicated to maintaining rows and rows of file cabinets. Inside these cabinets the life-blood of the organization resided: contracts, contacts, plans, blueprints, employee data, banking information and other records were all housed inside these containers. Considerable investment went into housing all this information. Today, rather than spending the resources required on paper, personnel and structures, we can hold this information in computer systems for a fraction of the cost, in perpetuity. Personnel that were formerly used to create and control this information can now be used in areas of the organization that produce revenue rather than consume it. Not only have computers allowed us to reduce the capital costs of housing data, they allow virtually instantaneous access to current and historical data.

This ability to store and access virtually unlimited data has not come without hazards. In the past, persons wanting unauthorized access to this data would have needed to cart off reams of paper. Undoubtedly a person or persons carting off boxes of files on a hand truck or dolly would not go unnoticed. Today an intruder can carry off millions of records on a single USB flash drive or quickly move them across the internet to offsite locations.

Organizations and their data may be targeted by:

- Competitors
- State-sponsored actors
- Current or former employees
- Criminals and criminal syndicates
- Social or political movements

In addition to the threats posed by directed action, organizational data may be compromised by threats that are not directly targeting it. Computer viruses, malware, accidental deletion and hardware failures can all contribute to the potential loss of data representing a significant investment for the organization.
What is computer forensics?

Computer forensics is the application of scientific and legally accepted techniques to computer systems and digital media in order to extract, preserve and report on information contained on those devices or systems. Computer forensics differs from simple data recovery in that it seeks not only to recover lost data, but also to explain how, why and from where data has been lost, altered or accessed. In addition, computer forensics practitioners do this with the ultimate aim of preserving the integrity of the evidence so that it may be used in potential administrative, civil or criminal legal action.

Computer forensic life cycle

Like most processes, a computer forensics examination can be viewed as a cycle. The cycle consists of four distinct steps.

1. Identification: During the identification phase a situation requiring action is recognized. Resources likely to contain information of evidentiary value are identified and targeted for collection. Examples include computer intrusions, criminal conduct by employees, policy violations, or legal notices requiring retention and potential disclosure of organizational data. These resources may include copies of computer memory, computers, computer hard drives, electronic data, log files, historical backups, personal statements, and a multitude of other possibilities.

2. Collection: During the collection phase, resources identified as potentially holding evidentiary information are collected. Computer forensic practitioners will ensure that the data recovered adheres to the rules of evidence governing the jurisdiction in which any legal action could ultimately be heard. This means that the collector will ensure that, where practical, the original media will be taken into evidence. Where not practical, an exact, verifiable copy of the original data will be made and stored as the original evidence.
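The exact, verifiable copy described above, as an added example that is not part of the paper: a Python acquisition routine that copies every byte of the source media (active files and unallocated space alike) into an image file, records SHA-256 hashes of the source and the image so the copy can be verified later, and then scans the image for remnants of a deleted document that no file listing would show. The sample media, the file names and the AcquisitionRecord fields are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 16  # copy in 64 KiB blocks so large media never sits in RAM

@dataclass
class AcquisitionRecord:  # what the collector writes into the evidence log
    source: str
    image: str
    size: int
    source_sha256: str
    image_sha256: str

    def verified(self) -> bool:
        # only an image that hashes identically to the source is evidence-grade
        return self.source_sha256 == self.image_sha256

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source: str, image: str) -> AcquisitionRecord:
    """Copy every byte of `source` (active and unallocated areas alike) into
    `image`, hashing the source as read and the image after it is written."""
    size, src_hash = 0, hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    return AcquisitionRecord(source, image, size, src_hash.hexdigest(), sha256_of(image))

def find_remnants(image: str, marker: bytes) -> list:
    """Scan the whole image for `marker`, including areas no file listing shows."""
    with open(image, "rb") as f:
        data = f.read()
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits

def demo():
    # constructed media: 4 KiB active file, then 4 KiB unallocated space holding a deleted document
    tmp = tempfile.mkdtemp()
    source, image = os.path.join(tmp, "usb.bin"), os.path.join(tmp, "usb.dd")
    with open(source, "wb") as f:
        f.write(b"ACTIVE: quarterly report\n".ljust(4096, b"\x00"))
        f.write(b"DELETED: customer list\n".ljust(4096, b"\x00"))
    record = acquire(source, image)
    return record, find_remnants(image, b"DELETED:")
```

On a real device the source would be read through a write blocker and the two hashes entered in the chain-of-custody log alongside the image.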
Exact verified copies should include all areas of the physical media: active files and the unallocated (unused) portions of the media. By capturing the unallocated areas of the drive, the examiner may recover deleted and hidden data as well as historical information on the device. The collector/examiner uses these exact copies of the original for subsequent forensic analysis. Some of the systems identified may be outside the organization's dominion and control and may require legal process to obtain access.

3. Analysis: During the analysis phase the items collected are examined for information of evidentiary value related to the incident or action in question. This information generally falls into two categories, exculpatory or inculpatory. Exculpatory information tends to show that something or someone is not responsible for the action in question. Inculpatory information tends to show that someone or something is responsible for the action in question. The examiner may find information related to the incident in live files on the hard drive, memory captures, network traffic captures, unused areas of a computer drive, or in artifacts that are created as a function of the software or operating system used. Some of this information may identify additional resources that were not originally known and need to be collected.

4. Reporting: During the reporting phase the information gleaned from analysis is presented to decision makers for action. These decision makers could be anyone from a manager reviewing findings for disciplinary action to jurors in a legal proceeding. This phase also includes a lessons learned/post mortem analysis identifying actions that may be taken to mitigate, or improve the response to, future incidents.

Why computer forensics?

Computer forensics gives executives and managers of any organization an additional resource in responding to computer incidents. Forensic response can facilitate a quick return to normal operation, audit policy compliance, mitigate risk and ensure the ability to recoup costs in criminal or civil proceedings.

Business continuity: Computer forensics is an often overlooked element of incident response and business continuity planning. In the event of a computer incident the primary objective is a quick return to normal business. If computer forensics practices are not an integral part of the Computer Security Incident Response Team's (CSIRT) procedures, critical information and evidence may be lost. Incident responders may only get one shot at collecting this data. If incident responders immediately start business continuity processes while ignoring forensic principles, critical evidence tying suspects to the incident will be destroyed. In fact, the changes made to the systems by well-intentioned responders may so significantly alter the evidence as to make its introduction into legal proceedings impossible.
When this occurs, the ability of an organization to seek restitution or recoup damages may be forever lost.

Policy compliance: Because the ultimate goal of computer forensics is the identification and production of evidence in a legal environment, having forensically trained personnel on staff can assist in the generation or review of organizational policy. Computer forensic personnel can liaise with legal counsel, executives and managers in drafting policies that best fit the organization's goals and objectives. These new policies can better address the legal environment in which the organization operates. The practice of randomly auditing computers and systems can help identify policy violations. When these policy violations rise to the level of discipline or termination there may be potential legal consequences. In many organizations, contractual agreements with collective bargaining organizations may govern disciplinary actions. In such organizations disciplinary action may be appealed to administrative boards and ultimately to a court of competent jurisdiction. By utilizing computer forensic trained personnel, the organization can ensure that the policy violation is correctly identified and that the evidence against the violator will be admissible in potential administrative or legal proceedings.

Computer forensics not only helps organizations identify violations, it ensures the organization pursues the correct violator. Simple actions on the part of a violator, such as spoofing an email address, may obfuscate the true identity of the violator. In some instances the violator may seek to implicate an otherwise innocent party in the action. These techniques may go unnoticed by the untrained eye, but should be easily identified by the computer forensic practitioner.

Risk mitigation: In the prior section we discussed how computer forensics can help organizations develop, audit and enforce policy. How can computer forensics help mitigate risk? Most organizations have, or should have, acceptable use policies that employees read and sign as a condition of employment. When an employee violates these policies it may expose the organization to some form of liability. This liability may be criminal or civil and may be direct or vicarious. In organizations that develop and enforce strong policies regarding network systems and resources, computer forensics can help audit and enforce those policies. To some degree this can help mitigate the risks associated with employee misuse of organizational resources. Organizations that have strong auditing policies and enforcement mechanisms are likely to identify and address wrongdoing early, allowing prompt action.

Organizational boundaries: In organizations of the past, boundaries were clearly defined. The old data warehouse consisted of a building with clearly defined walls within a single geographic region. Modern organizational boundaries are not so clear. Many organizations today have a physical presence in multiple countries, with an increasing presence in the cloud that is cyberspace.
They often have intranets and extranets with business partners and contractors, all of which may have similar alliances and boundaries. This interaction effectively increases the surface area of the organization and its potential threat vectors. Many of these threat vectors may fall in geographic regions with different laws. With increased globalization in many sectors it is not uncommon for information systems to interoperate with systems in different regions or even countries. In fact, doing so is a method of mitigating risk. An organization with offices in Miami may mitigate data loss due to hurricane damage by storing vital information in a data center housed in Cleveland, Ohio. Likewise, organizations may interact with offices in other countries. The file that you access on your computer desktop in Miami could be on a computer in Brussels, Belgium.

From an organizational policing perspective this presents some additional challenges. In the United States, data on organizational computers is generally viewed as the property of the organization. This means that auditing and compliance checks of data in these systems generally do not violate a user's (employee's) reasonable expectation of privacy. In some countries end users retain a much greater expectation of privacy in their personal data, even when it is stored on organizational computers. Since the data that you may be accessing from a computer may be housed in another country with different privacy laws, organizations must be cognizant of this when auditing compliance and collecting data during incident response. Simple implementation of acceptable use policies, banners and other warnings displayed to users while accessing systems can assist in reducing or eliminating a user's expectation of privacy.

Cost/benefit: Computer forensics can be a costly exercise for any organization. The organization must decide whether it is financially viable to conduct a computer forensic examination to begin with. What are the potential costs associated with the incident? The costs may not only be those directly associated with damaged property or theft. There are many other indirect costs that the organization could incur. How many man-hours were used in responding to the incident? Does the organization have a statutory obligation to investigate or report the incident? What is the potential loss in goodwill or other intangible costs? Lastly, what is the possibility of recovering costs, damages or restitution via legal proceedings? Should the organization decide to pursue a forensic investigation, will it be conducted in house or outsourced? Proper implementation of a computer forensic program requires investment in personnel, training and equipment. There is also a continued investment required for continuing education as technology and techniques evolve. Organizations must consider whether the cost incurred to develop in-house programs will be offset by the amount of work and the return on their investment. In those organizations where incidents will largely be outsourced, there is still good reason to provide some degree of forensic incident response training to personnel. Computer forensic training can assist organizations in identifying and preserving evidence for later analysis by contract examiners. With critical evidence identified and collected, the business can concentrate on a quick return to service.

Summary: In closing, we can see that computer forensics can serve a vital role in any organization's incident response planning. The ability to quickly capture volatile data and evaluate it means increased agility of organizational response. Once volatile data is collected, it can be evaluated to determine whether a more thorough examination is required to identify potential offenders and their locations. Forensically trained personnel can also assist in developing and auditing policies that help the organization identify and mitigate violations before they result in costly legal action.
About the Author: Robert Reed is a seasoned investigator with twenty years of law enforcement experience. He has investigated incidents ranging from simple traffic investigations to criminal homicides. With a Master of Science in computer information systems, he has leveraged this knowledge into the computer forensics field, developing and operating the first ASCLD (American Society of Crime Lab Directors) Lab accredited computer forensic program in the State of Arizona. In the course of his career, Reed has investigated numerous crimes involving computers, computer systems or digital evidence. He has been the affiant on countless search warrant applications, and has participated in the service and execution of many warrants, including those involving digital evidence. He has testified in hundreds of criminal, civil and administrative hearings. He has obtained multiple certifications, including the EC-Council Computer Hacking Forensic Investigator (CHFI), and is a Certified EC-Council Instructor (CEI). Reed has taught computer forensics and cyber crime programs to clients from the US and foreign governments. Students include military personnel, law enforcement officials from national, state and local governments, educational institutions, corporate clients and individuals. In addition to the computer forensic curricula, Reed has given guest lectures to groups including the NSA accredited information assurance program at the University of Arizona, and the 2009 PISA (Policia Internacional Sonora Arizona) conference.

About the MIS Department: Since pioneering one of the nation's first MIS curricula in 1974, the MIS Department has become a leader in IT education and research. U.S. News & World Report has ranked us a top-ten program for over 23 consecutive years since the inception of the rankings in 1989, making us one of only three programs nationwide to maintain this status. With over $80 million in research grants, state and industry support, our program has initiated and participated in cutting-edge research in information security and assurance, group systems, artificial intelligence, and data management projects while educating over 3500 undergraduate, 1200 graduate and 150 doctoral students. We are a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) as designated by the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA). Visit us online at www.mis.eller.arizona.edu