Digital Investigations in Academic Environments
Presented by:
Tony Martino
Senior Forensic Examiner
AMRIC Associates
Ronald Longo
Principal Member
Keane & Beane P.C.
About the Presenter – Anthony Martino
● Senior Forensic Examiner – AMRIC Associates
● Director of the Northeast Cyber Forensic Center at UC
● Adjunct faculty - cyber security and forensics
● Retired Sergeant from Utica Police Department
● Member of the U.S. Secret Service ECTF
● Over 10 years' experience in the digital forensics field
● Expert witness qualifications in state and federal courts
About the Presenter – Ronald Longo
Principal - Keane & Beane, P.C.
White Plains, NY
Fishkill, NY
• Attorney specializing in Public Sector Labor Law and Education Law for over 30 years
• Prior Experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Dept. Employee
• Past President of New York State Public Employer Labor Relations Association
Topics
● Digital evidence and forensics
● Forensics vs IT
● Data preservation & eDiscovery
● Conducting internal investigations with digital evidence
● Special considerations for academic environments
● Designing digital device usage policies
● Case studies
Digital Evidence
Digital Forensics
• The ability to conduct analysis of digital data in a manner that:
• Does not alter the original information
• Conforms to industry accepted practices
• Provides repeatable results
• Meets the standards necessary to support criminal, civil or internal litigation
Digital Forensics Capabilities
• Recovery of deleted information
• Analysis of user activity
• Timeline creation of data changes
• User attribution for activity on shared systems
• Preservation of data for future analysis or litigation
Digital Forensics Limitations
• Forensics is not magic
• Data that is not there cannot be found
• Data that has been corrupted or destroyed cannot be restored to its original form
• The recovery of deleted data is limited in scope and not guaranteed
• Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.
Forensics vs IT
Data Preservation & eDiscovery
● Digital data is volatile and easily destroyed or corrupted
– Routine system processes
– User activity
– Intentional destruction
– Well-meaning “investigations”
– Expired retention periods
Data Preservation & eDiscovery
● Early preservation is paramount
– Take systems offline
– Create forensically sound duplicates
– Locate external data
– Identify log files or other surveillance information
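Added example, not part of the presentation or AMRIC's tooling: a Python acquisition routine showing what "does not alter the original", "forensically sound duplicate" and "repeatable results" mean in practice. It opens the source read-only, hashes the stream during the copy, re-hashes both files independently and lets a second examiner re-verify the image later; the file names and the record layout are assumptions.

```python
"""Forensically sound duplicate with hash verification (added example;
not from the presentation). The source is opened read-only, so the
acquisition itself cannot alter the original."""
import hashlib
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB read size, fine for multi-GB sources

def sha256_file(path):
    """Hash a file in fixed-size blocks without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Copy source -> image, hashing the stream as it is read, then re-hash
    both files independently; the returned record lets a second examiner
    repeat the verification rather than trust this run."""
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            stream.update(chunk)
            dst.write(chunk)
    rec = {"examiner": examiner, "source": os.path.abspath(source),
           "image": os.path.abspath(image),
           "hash_during_read": stream.hexdigest(),
           "image_hash": sha256_file(image),          # independent pass
           "source_hash_after": sha256_file(source)}  # original unchanged?
    rec["verified"] = (rec["hash_during_read"] == rec["image_hash"]
                       == rec["source_hash_after"])
    return rec

def verify_image(image, record):
    """Repeatable check: re-hash the image against the acquisition record."""
    return sha256_file(image) == record["image_hash"]

def demo():
    """Acquire a constructed sample 'device', then damage the image copy."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))  # constructed sample content
    rec = acquire_image(src, img, "examiner-1")
    ok_before = verify_image(img, rec)
    with open(img, "r+b") as f:  # flip one byte to simulate later damage
        f.seek(10); b = f.read(1); f.seek(10); f.write(bytes([b[0] ^ 0xFF]))
    return {"record": rec, "before": ok_before, "after": verify_image(img, rec)}
```

A real acquisition would read from a write-blocked device rather than a file, but the three-way hash agreement is the same evidence of integrity either way.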
Example: Cellular Phone Evidence
Handset vs Service Provider
Where is the Evidence?
Handset:
– Recent Call logs
– Contacts
– Email
– Text Messages
– Images / Videos
– Location History
– Social Media
– Internet History
Service Provider:
– Account Information
– Historical Call Logs *
– Text Messages / Logs *
– Location History *
* Subject to legal process and service provider retention policies. The amount, type and retention period for data can vary widely between carriers.
Service Provider Data
– Legal process required
– ECPA
– Preservation
Internal Investigations
Internal investigations are commonplace, but challenging
– Trust may be hard to define
– Most protections are outward facing
– Digital evidence is commonplace
– Policies may be inconsistent or silent on issues related to digital evidence
– Some evidence is likely to exist on private devices
– Privacy and confidentiality needs may conflict with investigative needs
Internal Investigations
Basic steps
– Get legal assistance ASAP
– Involve as few people as necessary
– Consider after hours or sneak & peek operations
– Preserve data and backups of potential evidence to protect against destruction due to long litigation waits
– Adhere to legal and contractual limitations on searches and interviews
– Get expert assistance
Internal Investigations
Interview Preparation
Internal Investigations
Interviews
– Create a comfortable atmosphere
– Be non-confrontational
– Seek the truth, not a predetermined outcome
– Have and display empathy
– Ask open-ended questions
– Shut up and listen
– Use recording devices if permitted
Academic Environments
Special Considerations
– Privacy needs
– FERPA, local policies, etc.
– Students are likely far more technologically advanced
– Educational goals and best practices for preventing improper faculty / student relationships are sometimes in conflict
Academic Environments
Educators have high public profiles
– Outside influences can interfere with investigations
– Fear of public exposure can reduce cooperation
– Even unsubstantiated claims of impropriety with children can have catastrophic consequences
• Investigation secrecy
• Support for suspected staff members
Designing Usage Policies
Goals
– To allow the use of technology to further the goals of the institution
• Instructional needs
• Community involvement
– Parents
– Media
– To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages
Designing Usage Policies
User attribution is a must
– Unique user names and passwords
Shared devices are commonplace
– Mandate use of only personal credentials
Data exfiltration can be serious
– Removable media
– Dissemination of institutional data
Designing Usage Policies
Personal assignment of institution owned devices is common
– Acceptable use
– Personal use allowable?
Social media is a double-edged sword
– Excellent mechanism for reaching the public
– Can be a dangerous place for faculty & students to mix
Every faculty / staff member should have an official communication mechanism
– All communications with students/parents should be mandated to occur within this medium
Designing Usage Policies
Bring Your Own Device (BYOD)
– Becoming more popular in corporate, government and academic environments
– Can reduce technology needs and costs for the institution
– Can increase employee productivity
– Can lead to serious data security issues
Designing Usage Policies
Strong BYOD policies are a must
– What specific devices are allowed
– What are the required security standards
– Prohibitions against data exfiltration
– Employee separation policy
• Cleansing of institution data from device
• Examination of device before separation
• Disconnection of device from connectivity to institution
Case Study 1
Faculty member utilized social media and other non-official mechanisms to communicate with students
– In violation of district policy
Complaints from parents over the content of communications are filed with school district
– Ability to monitor or perform discovery on non-official media is difficult
– Much of the evidence has been deleted or otherwise destroyed
– The integrity of evidence collected from students' personal online accounts can be easily questioned
Case Study 2
Faculty member is found to have inappropriate content on a district owned laptop computer
– Faculty member admits that the content is his, but insists he did not place it on the district computer
– Subsequent forensic examination of the computer found that the content was automatically placed on the computer by a backup process that occurred when a cellular phone was plugged into the laptop.
– District has no policy that prohibits the connection of personal devices to institution computers
Case Study 3
A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material.
– A review of attendance logs shows that the employee in question was not actually present when the infractions occurred
– A forensic examination of the computer showed that the browsing activity could be attributed to a different employee
– Lax institutional policy on safeguarding user credentials allowed one employee to obtain the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data.
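Added example, not part of the presentation: a Python cross-check of the kind Case Study 3 describes, matching proxy-log activity credited to an account against badge records and flagging events that occurred while that person was not on site. The proxy log and attendance formats are assumptions and every record is constructed.

```python
"""Cross-check account-attributed activity against physical attendance
(added example, not from the presentation). The proxy log and badge
record formats below are assumptions and the data is constructed."""
from datetime import datetime

PROXY_LOG = """\
2014-03-03T09:05:10 user=jsmith host=office-pc-7 category=news
2014-03-03T12:40:02 user=jsmith host=office-pc-7 category=blocked
2014-03-03T12:41:37 user=jsmith host=office-pc-7 category=blocked
2014-03-03T15:10:00 user=jsmith host=office-pc-7 category=news
"""
ATTENDANCE = """\
jsmith,2014-03-03T08:55:00,2014-03-03T12:00:00
jsmith,2014-03-03T14:30:00,2014-03-03T17:00:00
rlee,2014-03-03T08:30:00,2014-03-03T17:05:00
"""

def parse_proxy(text):
    """One dict per line: the event time plus the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def parse_attendance(text):
    """user -> list of (badge-in, badge-out) windows."""
    windows = {}
    for line in text.splitlines():
        user, start, end = line.split(",")
        windows.setdefault(user, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return windows

def present(windows, user, when):
    return any(s <= when <= e for s, e in windows.get(user, []))

def unattributable(events, windows):
    """Events whose credited account holder was not badged in at the time;
    'present_instead' is a lead for the host examination, not a finding."""
    hits = []
    for ev in events:
        if present(windows, ev["user"], ev["time"]):
            continue
        others = sorted(u for u in windows
                        if u != ev["user"] and present(windows, u, ev["time"]))
        hits.append({"time": ev["time"].isoformat(), "user": ev["user"],
                     "host": ev["host"], "present_instead": others})
    return hits
```

As in the case study, a hit only shows that the credited account was used by someone else; which person actually sat at the host still has to come from the forensic examination of that computer.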
About AMRIC Associates
Capabilities
– Digital Forensic Examinations
– Private Investigation Services
– Interviews & Interrogations
– Surveillance
– Expert Witness Testimony
Questions