© Sapphire 2006
Computer Misuse in the Workplace
You only get one chance.....
David Horn
You only get one chance...
Or do you.......?
chance n. The unknown and unpredictable element in happenings that seems to have no assignable cause.
opportunity n., pl. -ties. A favourable or advantageous circumstance or combination of circumstances.
Test
Opportunity
A brief guide to: What, when, why and how.
You only get one opportunity!
Digital Forensics
• The process of deriving evidence from digital media
• Requires that the data is shown to be reliably obtained
– Is not changed in any way
– Is complete
– Can be repeated
• And very importantly, that it can be understood.
Digital forensics – first steps
SOURCES OF COMPUTER EVIDENCE
• Personal Computers
• Server Computers
• Removable media
• Automatically-produced log files
Evidence Types
BASIC PRINCIPLES OF COMPUTER FORENSICS
The forensic examination of the contents of a computer is a skilled job and special procedures, techniques and tools are required to ensure that any information that is retrieved can be presented as evidence in a Court of Law.
Evidential Integrity: requires that the material being examined is not changed in any way. What is examined must be an exact copy of the original.
Continuity of Evidence: refers to the means used to vouch for the actions that have taken place regarding the item under examination. This covers the seizure, handling and storage of equipment and copies of the data.
Never forget.............
Incident Response Teams
First steps
Key roles and responsibilities
What technical skills are required
What training is required
Management
Key roles and responsibilities
Officer In charge
Forensic Investigators and Auditors
Independence
Working within the law and your policies
Roles & Responsibilities
What training will be needed?
Product Training
Incident Response Techniques
Health and Safety
Computer Misuse Act and relevant law
Internal Policies
...more…more…more…
Training
Current Practice
ACPO Guidelines
THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)
Principle 1: No action taken should change data held on a computer or other media which may subsequently be relied upon in Court.
Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.
ACPO Guidelines
THE PRINCIPLES OF COMPUTER-BASED EVIDENCE (ACPO)
Principle 3: An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and obtain the same result.
Principle 4: The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
ACPO Guidelines
Search and Seizure
Secure the evidence
Pre-seizure planning
What you will need
Who should be on your response team
Step by step computer incident response procedure
Incident response
PRE-SEARCH PREPARATION
• The forensic unit – i.e. the imaging / investigation hardware and software
• An adequate toolkit – screwdrivers, pliers
• Plenty of stationery
• Digital camera
• Disk boxes
• Mobile telephone
• Blank floppy disks / CDs
• A torch
• Data cables of every variety
• Network card
• Power extensions
Pre search preparation
EVIDENCE PROCESS
Identify – What sources are available?
Seize – ‘Bag and Tag’ Best Evidence
Transport – Safely and responsibly take the best evidence to a secure location
Receive – Accept responsibility for the evidence
Store – Ensure securely held, free from risk of contamination
Evidence process
EVIDENCE PROCESS
Preserve – Take a reliable copy of the evidence
Reserve – Put the original Best Evidence source in a secure place
Analyse – Investigate the evidence on the preserved copy
Produce – Identify the exhibits that establish facts
Testify – Create a statement and go to court
Evidence process
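The Preserve and Reserve steps, together with the Evidential Integrity requirement (an exact copy of the original) and ACPO Principle 3 (an audit trail a third party can re-run and get the same result), are what imaging tools automate. The Python below is an added example, not from this deck or from Sapphire: it hashes a constructed stand-in image, verifies a working copy against it, and writes each action to an audit trail. The exhibit id, examiner label and image bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized disk image (placeholder bytes, not real data).
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"END"

# Two independent digests are recorded so a mismatch cannot hide behind one hash.
ALGORITHMS = ("sha1", "sha256")


def digest(image: bytes) -> dict:
    """Hash an exhibit image with every algorithm in ALGORITHMS (hex strings)."""
    return {name: hashlib.new(name, image).hexdigest() for name in ALGORITHMS}


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Evidential integrity: the working copy must hash identically to the original.
    Comparing recorded digests lets an independent party repeat the check later."""
    return digest(original) == digest(copy)


def audit_entry(exhibit_id: str, examiner: str, action: str, hashes: dict, outcome: str) -> dict:
    """Continuity of evidence: one audit-trail record per action applied to the exhibit."""
    return {
        "exhibit": exhibit_id,
        "examiner": examiner,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hashes,
        "outcome": outcome,
    }


def preserve(exhibit_id: str, examiner: str, original: bytes, copy: bytes, trail: list) -> bool:
    """Preserve step: record the original's hashes, verify the copy, log the result."""
    trail.append(audit_entry(exhibit_id, examiner, "acquire", digest(original), "image taken"))
    verified = verify_copy(original, copy)
    outcome = "verified identical" if verified else "MISMATCH - copy must not be analysed"
    trail.append(audit_entry(exhibit_id, examiner, "verify", digest(copy), outcome))
    return verified


if __name__ == "__main__":
    trail = []
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[100] ^= 0x01  # a single flipped bit is enough to fail verification
    print(preserve("EXH-001", "examiner-1", ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE), trail))  # True
    print(preserve("EXH-001", "examiner-1", ORIGINAL_IMAGE, bytes(tampered), trail))  # False
    print(json.dumps(trail, indent=2))
```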
On Site
Server room challenges
ON SITE
Machines switched on and operating:
• Clearly transferring data
  – receiving incriminating data
  – receiving exonerating data
  – receiving routine data
• May be overwriting evidence on the disk
• May be overwriting evidence in memory
On-site Seizure
MACHINES WHICH ARE SWITCHED ON
• Secure the area and log your actions
On-site Seizure
MACHINES WHICH ARE SWITCHED OFF
Be satisfied that the computer is actually switched off - not in hibernate mode - not running a blank screensaver.
On-site Seizure
ESSENTIAL KIT
Integrated (imaging) Solution:
• EnCase – now up to version 6.8
• FTK – Access Data
Third Party Plug-ins:
• QuickView
• ACDSee
• WinRar
• IrfanView
• KaZAlyser
• NetAnalysis
• PDA Seizure
• Email Examiner
Forensic Tools
Legal Issues
Points to consider
THE LAW AND COMPUTERS
• Computer Misuse Act 1990
• Data Protection Act 1998
• Laws of Pornography
  – Obscene Publications Act 1959
  – Protection of Children Act 1978
  – Criminal Justice Act 1988
  – Sexual Offences Act 2003
• Laws of ‘Harm’
  – Theft Act 1968 / 1978
  – Offences Against the Person Act 1861
Your policies & the law
Advice to Beginners
There are some very powerful tools available. But with great power comes great responsibility, and as a potential forensics investigator, it is your responsibility to learn how to use the tools properly. Simple mistakes and good intentions can completely destroy digital evidence. It is strongly recommended that aspiring investigators learn about digital forensics, and practice on controlled systems before attempting to collect evidence from a real system.
Summary
Questions?
Questions
Offices in the North, Scotland & London
David [email protected]
0845 58 27001
Contact Details