Investigating Computer System Abuse Help for Human Resources Dan Michaluk and Kathryn Bird HRPA 2011 February 2, 2011


Outline

• Investigation basics

• Sources of digital evidence

• Why digital evidence is different

• Preservation best practices

• Interview tips

• Managing the investigation record


Investigation Basics

• Your objectives

• To gather relevant evidence

• To weigh the reliability of the evidence

• To draw one or more reliable conclusions of fact

• To appear neutral throughout


Investigation Basics

• Process flow

• Receive complaint or identify problem

• Define questions of fact

• Investigate covertly (identify, gather and preserve)

• Interview respondent employee

• Investigate response as necessary

• Draw conclusions


Investigation Basics

• Employer access to employer systems

• Generally okay with a “no expectation of privacy” policy, but personal use is changing expectations

• But a policy that sets out an audit right and an investigation right is good practice

• Identify how investigations are authorized

• Treat information gathered with a view to scrutiny


Sources of Digital Evidence

• Your pre-confrontation sources

• Your servers

• E-mail

• Voice mail

• Mobile messaging


Sources of Digital Evidence

• Your pre-confrontation sources

• Your network “clients”

• Stored information

• Specially captured information*

*Beware: highly intrusive


Sources of Digital Evidence

• Your post-confrontation sources

• Thumb drives, cameras and other peripherals

• Media cards on mobile devices

• Peer to peer mobile communications

• Messaging applications

• Transfers through other applications

• Home computers


Sources of Digital Evidence

• Third-party sources

• Internet service providers

• Telecommunications carriers


Why Digital Evidence is Different

• Proving authenticity can be very difficult

• Can be readily altered

• Alterations may not be testable


Why Digital Evidence is Different

• People think it’s private

• Conversations are now stored

• E-mail is bad, chat is worse

• Chat is becoming more prevalent

• E-mail and chat are producible


Preservation of Digital Evidence

• Preservation through collection

• Decide who will collect

• Is it a forensics case?

• What’s at stake?

• Is your IT staff qualified?

• Will the person collecting be available?

• Will the person collecting be a good witness?

• Preserve a copy before you review!


Preservation of Digital Evidence

• Record the chain of custody

• Identify where the copy came from

• Identify the physical object by description

• Record the time and date

• Sign it

• Secure it
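
A chain-of-custody log for a preserved copy, as an added example that is not part of the original slides. Hashing the copy and linking each entry to the previous one are assumptions added here (the slides name no method); the field names, the handlers and the sample data are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

def custody_entry(copy_bytes, source, description, handler, when, prev=None):
    """One log entry: origin, object description, time and date, who signs."""
    return {
        "source": source,
        "description": description,
        "recorded_at": when.isoformat(),
        "handler": handler,  # person who signs the printed entry
        "copy_sha256": sha256_hex(copy_bytes),
        # Linking to the previous entry makes later edits to the log detectable.
        "prev_entry_sha256": entry_digest(prev) if prev else None,
    }

def verify(copy_bytes, log):
    """Return a list of problems; an empty list means copy and log agree."""
    problems, prev = [], None
    for i, entry in enumerate(log):
        if entry["prev_entry_sha256"] != (entry_digest(prev) if prev else None):
            problems.append(f"entry {i}: earlier log entry was changed")
        if entry["copy_sha256"] != sha256_hex(copy_bytes):
            problems.append(f"entry {i}: copy differs from what was recorded")
        prev = entry
    return problems

# Constructed sample data (not from the slides).
SAMPLE_COPY = b"constructed mailbox export for a worked example\n"

def sample_log():
    collected = custody_entry(
        SAMPLE_COPY, "mail server export, mailbox of employee X",
        "USB drive, black, labelled EXHIBIT-1 (placeholder)", "IT collector",
        datetime(2011, 2, 2, 9, 30, tzinfo=timezone.utc))
    handed_over = custody_entry(
        SAMPLE_COPY, "received from IT collector",
        "USB drive, black, labelled EXHIBIT-1 (placeholder)", "HR investigator",
        datetime(2011, 2, 2, 14, 0, tzinfo=timezone.utc), prev=collected)
    return [collected, handed_over]
```

Running `verify` on the working copy before each review session shows whether the copy or the log has changed since collection.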


Preservation of Digital Evidence

• Preserving web pages

• Difficult to do a true forensic capture

• There are services and software tools, but they need to be applied with care

• If it is about words on the screen, periodically printing and signing or taking a screen capture may suffice

• But otherwise, get help


Preservation of Digital Evidence

• Exit procedures are important

• Computers should be held for a cooling off period

• Mobile devices can be remotely wiped

• Routine preservation may often be warranted


Interview Tips

• Basic tips

• Build rapport and stress neutrality

• Sit face to face, not behind a desk

• Take notes, don’t tape

• Save the interrogation for interview #2


Interview Tips

• Show the witness the records


Interview Tips

• How to handle, “Someone must have accessed my computer!”

• Who knew your password?

• Who had access to your office?

• Where were you? Were you with someone else?

• Consider circumstantial evidence (e.g. content of communication, timing of e-mails)

• Go through every event


Interview Tips

• Turn logs into usable evidence

• Probe at…

• …time period

• …frequency

• …volume

• …and other contextual facts shown by logs


Interview Tips

• Turn logs into usable evidence

• This shows sixty downloads in the month of May. Does that accurately represent your activity over that period?

• You mostly downloaded from a site called “BT Junkie,” correct?
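
Reducing a raw log to the time period, frequency, volume and context that such questions rest on, as an added example that is not part of the original slides. The log format, user names and host names are constructed; real proxy or download logs will differ.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp user url status bytes
SAMPLE_LOG = """\
2011-05-02T12:41:10 jdoe http://files.example/a.iso 200 700000000
2011-05-02T12:55:31 jdoe http://files.example/b.avi 200 350000000
2011-05-09T19:02:44 jdoe http://mirror.example/c.zip 200 50000000
2011-05-17T12:47:09 jdoe http://files.example/d.avi 200 400000000
2011-05-17T13:01:00 asmith http://files.example/e.avi 200 100000000
2011-05-30T12:30:00 jdoe http://files.example/f.avi 404 0
2011-06-01T08:00:00 jdoe http://files.example/g.avi 200 1000
this line is damaged and must not be counted
"""

def parse(line):
    """Return (time, user, host, status, bytes), or None for a damaged line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, url, status, size = parts
    try:
        return (datetime.fromisoformat(ts), user, urlsplit(url).hostname,
                int(status), int(size))
    except ValueError:
        return None

def summarize(log_text, user, year, month):
    lines = [l for l in log_text.splitlines() if l.strip()]
    rows = [r for r in map(parse, lines) if r]
    # Count only completed transfers so the figure put to the witness is not overstated.
    hits = [r for r in rows if r[1] == user and r[3] == 200
            and (r[0].year, r[0].month) == (year, month)]
    if not hits:
        return None
    top_site, top_count = Counter(r[2] for r in hits).most_common(1)[0]
    return {
        "first": min(r[0] for r in hits),            # time period
        "last": max(r[0] for r in hits),
        "downloads": len(hits),                      # frequency
        "days_active": len({r[0].date() for r in hits}),
        "total_bytes": sum(r[4] for r in hits),      # volume
        "top_site": top_site,                        # context
        "top_site_share": top_count / len(hits),
        "skipped_lines": len(lines) - len(rows),     # disclose what was not counted
    }
```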


Managing the Investigation Record

• Records produced in the course of an investigation will not be privileged except in the most extraordinary circumstances

• So everything you create may be producible


Managing the Investigation Record

• Tips for keeping a “tight” record

• Don’t conclude before you conclude

• Interview notes have factual observations only

• Don’t think over e-mail

• Don’t send draft reports by e-mail


Managing the Investigation Record

• The logic of the written report

• Conclusions and recommendations

• Facts

• Evidence

• What’s relevant

• What’s reliable

• What’s compelling
