Forensics & E-Discovery
Presented by the ASIS Information Technology Security Council
The Information Technology Security Council and its partners deliver a forum to enhance the effectiveness and productivity of security practitioners through the development and delivery of educational material that addresses Information Technology security and risk topics.
Outreach. Research. Education.
Monday 11am (Session 2110): Cloud Computing for the Security Practitioner
Monday 1:45pm (Session 2206): Current Trends in Identity & Access Management
Monday 4:30pm (Session 2306): Forensics and e-discovery
Tuesday 11am (Session 3112): Cyber Security
Tuesday 1:45pm (Session 3208): Utility & Smart Grid Security
Tuesday 4:30pm (Session 3306): Federal Information Security
Wednesday 11am (Session 4111/4184): Legal & Compliance Aspects of IT
Forensics & E-Discovery Research Team
Andrew Neal, CISM, CRISC, CIFI, LPI, Southwest Digital Laboratory
Eric Sifford, CISSP, United States Army
KJ Kuchta, CPP, CFE, Forensic Consulting Solutions
Ben Greer, CISSP, Cyber Security SME
David Melnick, CIPP, CISSP, CISA, Deloitte & Touche, LLP
Jim Emerson, Internet Crimes Group, Inc.
What is an ESD/ESI incident?
The differences between recovery, forensics and discovery.
Basic steps and best practices for incident response.
How organizations prepare for ESD/ESI incidents.
What security practitioners need to know about ESD/ESI incident response.
Ways incident response efforts can be countered or attacked.
Future trends and problems for incident response.
Three Basic Flavors
Data Recovery
Digital Forensics
E-Discovery
(and composites of the three)
Forensics & e-discovery Agenda
Digital forensics considerations for the private sector: Jim Emerson, Internet Crimes Group, Inc.
Electronic Discovery Reference Model (EDRM) primer: KJ Kuchta, CPP, CFE, Forensic Consulting Solutions
Organizational readiness for e-discovery activity: David Melnick, CIPP, CISSP, CISA, Deloitte & Touche, LLP
Evolution from the past; future trends and problems: Andrew Neal, CISM, CRISC, LPI, Southwest Digital Laboratory
Digital Forensic Considerations for Private Sector Practitioners
Jim Emerson, Internet Crimes Group, Inc.
Maintaining Competent Digital Forensic Resources
Maintaining Practical Digital Forensic Capabilities
Digital Forensic Considerations for Emerging Technologies
Variety of Certification Standards?
State Licensing Requirements?
Accreditation of Diverse Tools and Infrastructure?
Accreditation of Facility and Process?
Examiner Experience with Diverse and Changing Technology?
Business, Legal, and Investigative Focused Process?
Host, Appliance, and Network Based Forensic Capabilities?
Triage, Mass Storage, and Automated Examination Support?
Remote Enterprise Solutions?
Integration of Investigation and Simple Data Recovery with E-Discovery?
Cloud Computing and Virtualization
SaaS, Social Networks and Business Integration of Public 3rd Party Systems
Increasingly Capable Wireless Devices and Appliances
Smart Digital Systems and Vehicles
Is more or less technical competence required?
Is more or less investigative competence required?
Is more or less ethical integrity required?
KJ Kuchta, CPP, CFE
Forensic Consulting Solutions
New and improved EDRM: the FCS view of the EDRM.
IntraPrise & Extraprise considerations for e-discovery & information governance.
It costs about 20 cents to buy 1 GB of storage; however, it costs around $3,500 to review 1 GB of storage. (Source: AIIM International Email Management ROI Calculator)
Figure: multiple data sources mapped to custodians 1, 2 and 3.
Figure (FCS view of the EDRM), stages: Information Governance; Identification; Preservation & Collection; Search & Retrieval; Preprocessing & Analysis; Processing; Review; Post Review Analysis; Production; Presentation.
Identify a specific list of custodians that may have relevant information. Start with the most important and conduct sampling if there are many custodians.
Preserve broadly, process and review narrowly. Just because you preserve does not mean you need to process.
Determine whether you need bit-by-bit or logical acquisitions.
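The last point above, the choice between bit-by-bit and logical acquisitions, as an added example that is not from the slides: a Python script that performs both against a constructed in-memory drive, verifies the physical image by hashing source and image in separate passes, and builds a hash manifest for the logical collection. The paths, sector layout and file contents are constructed for illustration and stand in for a real device; the point shown is that the logical collection is smaller and less disruptive but cannot see the deleted-file residue that the bit-for-bit image preserves.

```python
"""Bit-for-bit versus logical acquisition, illustrated.

Added example, not code from the ASIS slides. It runs over a constructed
in-memory "drive" so it works offline; the paths, sector layout and file
contents are invented for illustration. A physical (bit-for-bit) acquisition
copies every sector, including unallocated space that still holds residue of
deleted files, and is verified by hashing source and image independently. A
logical acquisition copies only the selected live files and records a per-file
hash manifest, so it is smaller and less disruptive but misses deleted data.
"""
import hashlib
import io
import json
from typing import BinaryIO, Dict, Tuple

SECTOR = 512  # constructed sector size for the sample drive


def sha256_stream(fobj: BinaryIO, chunk: int = 1 << 20) -> str:
    """Hash a file-like object from its current position to EOF."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def physical_acquire(source: BinaryIO, image: BinaryIO,
                     chunk: int = 1 << 20) -> Tuple[str, str, int]:
    """Copy every byte of `source` into `image` (a bit-for-bit acquisition).

    Returns (source_sha256, image_sha256, bytes_copied). The two hashes are
    computed in separate passes over source and image, so a silent copy
    error shows up as a mismatch instead of being hashed once and trusted.
    """
    source.seek(0)
    image.seek(0)
    copied = 0
    for block in iter(lambda: source.read(chunk), b""):
        image.write(block)
        copied += len(block)
    source.seek(0)
    image.seek(0)
    return sha256_stream(source), sha256_stream(image), copied


def logical_acquire(files: Dict[str, bytes]) -> dict:
    """Collect the selected live files and build a hash manifest.

    Each entry records path, size and SHA-256; the manifest itself is hashed
    so later tampering with any entry is detectable.
    """
    entries = [
        {"path": path, "size": len(files[path]),
         "sha256": hashlib.sha256(files[path]).hexdigest()}
        for path in sorted(files)
    ]
    manifest_hash = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return {"files": entries, "manifest_sha256": manifest_hash}


def build_sample_drive() -> Tuple[bytes, Dict[str, bytes]]:
    """Constructed 8-sector drive: two live files and one deleted file's residue.

    Live files sit in sectors 0 and 2. Sector 5 is unallocated but still holds
    the text of a deleted memo, as a real disk would until it is overwritten.
    Returns (raw_drive_bytes, table_of_live_files).
    """
    live = {
        "/docs/contract.txt": b"Master services agreement, countersigned copy.",
        "/mail/inbox.mbox": b"From: counsel@example.invalid\nSubject: hold notice\n",
    }
    deleted_residue = b"DELETED: draft memo on litigation strategy"
    sectors = [bytearray(SECTOR) for _ in range(8)]
    sectors[0][:len(live["/docs/contract.txt"])] = live["/docs/contract.txt"]
    sectors[2][:len(live["/mail/inbox.mbox"])] = live["/mail/inbox.mbox"]
    sectors[5][:len(deleted_residue)] = deleted_residue
    return b"".join(sectors), live


def compare_acquisitions() -> dict:
    """Run both acquisitions on the sample drive and report what each captured."""
    raw, live = build_sample_drive()
    image = io.BytesIO()
    src_hash, img_hash, copied = physical_acquire(io.BytesIO(raw), image)
    manifest = logical_acquire(live)
    return {
        "physical_verified": src_hash == img_hash and copied == len(raw),
        "physical_bytes": copied,
        "physical_has_deleted_residue": b"DELETED:" in image.getvalue(),
        "logical_file_count": len(manifest["files"]),
        "logical_has_deleted_residue": any(b"DELETED:" in d for d in live.values()),
        "manifest_sha256": manifest["manifest_sha256"],
    }


if __name__ == "__main__":
    for key, value in compare_acquisitions().items():
        print(f"{key}: {value}")
```

On a real engagement the source would be a write-blocked device rather than a BytesIO, and the two hashes plus the byte count would go into the chain-of-custody record alongside who acquired what and when; the manifest plays the same evidentiary role for a logical collection.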
A legal hold notice must be tailored to the facts of the case. It should include at minimum:
Name of the matter or individual involved;
Warning of the importance of the hold and the consequences of not complying with it;
Direction not to alter or destroy information/documents;
Reason for the hold (e.g., legal action);
Reason the recipient is receiving the hold notice;
Types of information included in the hold and the applicable time period;
Instructions for preserving information/documents;
Suspension of any routine document retention/destruction policy.
The notice should be issued to any employees likely to have relevant information and copied to the employer's IT department so that it can be implemented on the back end.
Employers have a duty to preserve electronically stored information and paper documents that they know or should know would be relevant to a current or threatened legal action. Events that might trigger this duty include:
Any notice that the employer is a party to an administrative or legal proceeding.
An email or letter threatening a claim on behalf of an applicant, or a current or former employee or client.
A verbal threat or demand from an applicant, or a current or former employee or client, relating to a legal claim.
Anything that might realistically indicate an employee or client intends to pursue legal action.
Improper application of legal holds, or simply not implementing them, can result in costly financial sanctions (millions of dollars) or the loss of a lawsuit for employers.
Smaller employers are not exempt because of their size.
Data lost through an improper legal hold may be the very data that would have protected the employer in the lawsuit.
David Melnick, CIPP, CISSP, CISA
Deloitte & Touche, LLP
Information Management Challenges: Information Overload; Security and Privacy Concerns; Regulatory Trends; Legal and Compliance; High Operational Costs; Risks of Noncompliance.
Developing an enterprise Information Management Program can help maximize the value achieved from different initiatives. Each of these areas reinforces the others, for example:
Improved data classification can make e-discovery collection and processing faster.
Improved data protection can reinforce records management policies and processes.
Appropriate retention policies can reduce the volume of documents that can be presented for e-discovery.
A programmatic approach is required to ensure that policies and processes in each area are mutually reinforcing and provide the greatest integration value to the company.
Data Management addresses how an organization manages its data. It is a comprehensive set of capabilities that properly manages the data lifecycle requirements of an enterprise via the development and execution of policies, procedures, architectures, and use of technologies.
A disconnect between corporate policies, actual operational practices, and technology infrastructure reduces the ability to implement changes in the business environment. Examples of activities related to privacy and data protection that have led to enforcement actions, lawsuits, or monetary fines:
Misrepresenting the purpose for collecting PII.
Failure to disclose the means used to collect PII (i.e., the use and/or duration of cookies, web bugs, spyware, tracking technologies).
Failure to adequately train personnel on privacy representations.
Disclosing, sharing, or selling PII to third parties contrary to the organization's privacy policy.
Exporting PII contrary to the privacy laws of the originating country.
Misrepresenting the security protection of PII.
Figure: Information Management Program framework (top-down and bottom-up approaches). Components: Planning and Scoping; Information Governance Structure; Information Management Policy Framework; Data Warehousing and Electronic Information Management; Privacy, Security, Implementation and Training and Communication; Discovery/Litigation Readiness; Record Retention Schedules; Application of Record Retention Schedules (Processes and Procedures; RIM Department; Headquarters; Offices); Approach for the Disposition of Historical Information (Hard Copy/Electronic).
Organizations must leverage a robust Information Management framework to organize their priorities and approaches around the components of the Information Life Cycle. Approaches may vary (either top-down or bottom-up) based upon the maturity of the component and the strategic value it represents to the organization.
Andrew Neal, CISM, CRISC, CIFI, LPI
Southwest Digital Laboratory
Watergate
Enron
Katrina
BTK
War on drugs
Osama's MySpace
Increase in areal density.
New storage devices and media.
Tools independent of data structure.
Cloud integration into storage architecture.
Issues created when physically recovering a drive from a large multi-tenant array.
Regulatory and certification issues.
More and different target devices.
Evolving licensing and regulation.
Development of standards and frameworks.
Reduced disruption during acquisition.
Counter-forensics and anti-forensics.
Tool validation.
Risk management for the forensic process.
More discoverable sources: social media, portable devices.
Exponential growth in data storage.
Evolving rules of evidence.
Education of the judiciary.
Development of smart tools for collection and processing.
Professional training and standards.
Not a settled science or profession.
Rapidly increasing crossover between technical and operational areas.
Best results are achieved with: established policy; prior planning; education of incident responders; established vendor relationships.
Forensics & e-discovery: Questions?
KJ Kuchta, CPP, CFE, Forensic Consulting Solutions, kkuchta@forensicsconsulting.com
David Melnick, CIPP, CISSP, CISA, Deloitte & Touche, LLP, dmelnick@deloitte.com
Jim Emerson, Internet Crimes Group, Inc., jje@icginc.com
Andrew Neal, CISM, CRISC, LPI, Southwest Digital Laboratory, aneal@southwestdigitallab.com