Computer Forensics

Host: Sharon Roth-DeFulvio
Speaker: Dr. Rebecca T. Mercuri

Date posted: 29-Mar-2015

Page 1

Computer Forensics
Host: Sharon Roth-DeFulvio
Speaker: Dr. Rebecca T. Mercuri

Page 2

http://www.computerforensicsworld.com

What is Computer Forensics?

Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded, usually to provide digital evidence of a specific or general activity.

Page 3

http://www.computerforensicsworld.com

When is a computer forensic investigation initiated?

A forensic investigation is usually initiated in connection with a criminal investigation or civil litigation, but forensic techniques can be of value in a wide variety of situations, including simply retracing the steps taken when data has been lost.

Page 4

http://www.computerforensicsworld.com

What are the common scenarios?

- Employee internet abuse
- Unauthorized disclosure of corporate information and data
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
- General criminal cases and others

Page 5

www.TechPathways.com

Compliance and Computer Forensics

Information security compliance requires the precise enforcement of policies and controls.

Digital investigations utilizing computer forensics are an essential part of this enforcement.

Page 6

www.TechPathways.com

Laws and Regulations

There are four laws and regulations that clearly indicate the need for computer forensic investigations:

- Sarbanes Oxley
- California SB 1386
- Gramm-Leach Bliley
- HIPAA

Page 7

www.TechPathways.com

Sarbanes Oxley

The Sarbanes Oxley Act was enacted to fight corporate fraud.

The SEC is responsible for enforcement of Sarbanes Oxley and all publicly traded companies must report yearly on the effectiveness of their financial controls.

The legislation has serious consequences for non-compliance - civil and criminal penalties.

Page 8

www.TechPathways.com

Sarbanes Oxley

Section 301 provides for the handling of fraud complaints and investigations.

Section 302 specifies that CEOs and CFOs are directly responsible for the accuracy of their company’s financial reports.

Section 404 requires management to specify their responsibility for financial controls and report on the adequacy and shortcomings of the controls.

Sections 806 and 1107 mandate that companies must support and protect whistleblowers.

Page 9

www.TechPathways.com

Sarbanes Oxley

Section 802 is another important element in Sarbanes Oxley that forbids the intentional destruction, altering or falsification of financial or related operational records.

Section 301 and 802 compliance will require the use of computer forensics, as established by case law and by best practices. Organizations need to have computer forensics capability anywhere and anytime in their organizations to ensure compliance with Sarbanes Oxley.

Page 10

www.TechPathways.com

California SB 1386

Enacted on July 1, 2003, California SB 1386 requires organizations doing business in California to report security breaches that result in the unauthorized disclosure of a resident’s private or financial information.

Disclosure is required if an individual’s name and either a driver license number, Social Security number or the combination of a financial account number and password is accessed.

Page 11

www.TechPathways.com

NIST and ISACA

The National Institute of Standards and Technology (NIST) has provided clear guidance for government and commercial organizations to investigate security incidents. NIST published the “Computer Security Incident Handling Guide”, which specifically outlines incident investigation and the role of computer forensics in properly acquiring and analyzing the incident.

The Information Systems Audit and Control Association (ISACA) is an association of information technology auditors who utilize audit and control standards to improve their organizations’ information security, compliance and governance. ISACA has developed a checklist for incident response planning and implementation.

Page 12

www.TechPathways.com

NIST and ISACA

The NIST Guidelines provide practitioners with processes using computer forensics to investigate cyber crime.

The ISACA checklist provides the planning and implementation criteria for creating an enterprise computer forensics infrastructure.

With the potential liability of CA SB 1386 non-compliance, organizations must have immediate access to computer forensics capability.

Page 13

www.TechPathways.com

Gramm-Leach Bliley (GLB)

Gramm-Leach Bliley, or the Financial Modernization Act of 1999, applies to financial organizations or any organization that collects or transfers private financial information for the purpose of doing business or providing a service to its customers.

Page 14

www.TechPathways.com

Gramm-Leach Bliley (GLB)

Financial Privacy Rule: addresses the collection and dissemination of customers’ information, while the Safeguards Rule governs the processes and controls in an organization to protect customers’ financial data.

Safeguards Rule: the Safeguards Rule of GLB requires financial institutions to:

1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Page 15

www.TechPathways.com

HIPAA (Health Insurance Portability and Accountability Act of 1996)

The goal of HIPAA is for healthcare providers to improve the privacy and security of their clients’ medical information.

HIPAA defines a security incident as “… the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

HIPAA specifies thorough analysis and reporting of security incidents, so organizations must consider their incident response policies carefully.

NIST and ISACA specify computer forensic software as part of any reasonable incident response policy to clearly understand the scope of the incident. Determining, with forensic precision, what information has been compromised, when it took place, what systems were affected, and if malware or backdoors that are invisible to non-forensic tools are still present, are examples of the types of investigations that are essential to having an effective incident response program.

In addition to security incidents, computer forensics plays a role in supporting overall information security by providing the investigation of any anomalies that could indicate policy or use violations that could jeopardize HIPAA privacy rules.

Page 16

Landmark Cases

Linnen v. A.H. Robins et al., 1999 WL 462015 (Mass. Super. Ct.): electronic media is discoverable; Wyeth MUST bear the costs of retrieving emails; failure to preserve and spoliation of evidence.

Adams v. Dan River Mills, Inc., 54 F.R.D. 220, 222 (W.D. Va. 1972): discovery of computer tapes is proper.

Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993): government email is covered as a record under the Federal Records Act; the electronic version of email must be maintained and produced.

Ball v. State of New York, 101 Misc. 2d 554, 421 N.Y.S. 2d 328 (Ct. Cl. 1979): the State had to produce information contained on computer tape.

Easley, McCaleb & Associates, Inc. v. Perry, No. E-2663 (Ga. Super. Ct. July 13, 1994): plaintiff's expert allowed to recover deleted files on defendant's hard drive.

National Association of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987): sanctions imposed for allowing alteration and destruction of electronic evidence.

National Union Electric Corp. v. Matsushita Electric Industrial Co., 494 F. Supp. 125: copying a computer disk is equivalent to photocopying a paper document.

Parsons v. Jefferson Pilot Corp., 141 F.R.D. 408 (M.D.N.C. 1992): privilege lost when email shared via the Internet with a third party.

Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. July 26, 1993): employees had no reasonable expectation of privacy in their company email.

Page 17

http://www.computerforensicsworld.com

How is a computer forensic investigation approached?

- secure the subject system
- take a copy of the hard drive
- identify and recover all files
- access/copy hidden, protected and temporary files
- study “special” areas on the drive
- investigate data/settings from installed applications/programs
- assess the system as a whole, including its structure
- consider general factors relating to the user's activity
- create a detailed report

Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.

Page 18

http://www.computerforensicsworld.com

Is there anything that should NOT be done during an investigation?

Study, don't change:

- avoid changing date/time stamps (of files, for example) or changing the data itself
- this applies to the overwriting of unallocated space
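The acquisition, verification and audit-log steps from the two slides above (copy the drive, study without changing, keep a full log), as an added example that is not part of the original presentation. A small constructed file stands in for the subject drive; on a real acquisition the source would be a read-only block device. The function names (`image_and_verify`, `verify_image`, `AuditLog`) and the JSON-lines log format are this example's own choices, not anything the slides prescribe.

```python
"""Acquire an image of a subject drive, verify it by hash, and keep an audit log.

Added example: the functions and the sample 'drive' are constructed for this
page and are not from the original slides. A small file stands in for the
drive; on a real acquisition the source would be a read-only block device.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy 1 MiB at a time so large media never sit in memory


def sha256_of(path):
    """Hash a file in chunks. Opened read-only, so the evidence is never written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image, expected_hex):
    """True only if the image still hashes to the digest recorded at acquisition."""
    return sha256_of(image) == expected_hex


class AuditLog:
    """Append-only JSON-lines record of every examiner action, with UTC timestamps."""

    def __init__(self, path):
        self.path = path

    def record(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def image_and_verify(source, image, log):
    """Copy `source` byte-for-byte into `image`, hash both, and log each step.

    The source's modification time is captured before and after so that any
    accidental write to the evidence during acquisition shows up in the log.
    """
    mtime_before = os.stat(source).st_mtime_ns
    log.record("acquire_start", source=source, image=image)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)   # hash the stream as it is read...
            dst.write(block)  # ...and write the same bytes to the image
    result = {
        "source_sha256": h.hexdigest(),
        "image_sha256": sha256_of(image),  # independent re-read of the image file
        "source_mtime_unchanged": os.stat(source).st_mtime_ns == mtime_before,
    }
    result["verified"] = result["source_sha256"] == result["image_sha256"]
    log.record("acquire_done", **result)
    return result


def demo():
    """Run the procedure on a constructed sample and show how tampering is detected."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "subject_drive.bin")
    image = os.path.join(workdir, "subject_drive.dd")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence\x00" * 1000)  # constructed content
    log = AuditLog(os.path.join(workdir, "audit.log"))
    result = image_and_verify(source, image, log)

    # Analysis happens on a working copy. If that copy is altered, the hash
    # recorded at acquisition no longer matches and the change is detected.
    working = os.path.join(workdir, "working_copy.dd")
    with open(image, "rb") as f, open(working, "wb") as w:
        data = bytearray(f.read())
        data[0] ^= 0xFF
        w.write(data)
    log.record("working_copy_check", verifies=verify_image(working, result["image_sha256"]))
    return {"result": result, "image": image, "working": working, "entries": log.entries()}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["result"], indent=2))
    for e in out["entries"]:
        print(e["time"], e["action"])
```

The hash is computed on the stream as it is copied and then recomputed from the written image, so a match proves the image is bit-identical to what was read; the recorded digest is what lets a later reviewer confirm that the copy being analysed is still the one acquired.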

Page 19

www.itsecurity.com

Forensic Examiner's Tools of the Trade

- Operating system utilities;
- Data recovery software;
- File viewers and hex editors;
- Commercial firewalls;
- There are also packages that provide turnkey assistance for forensic examinations, complete with case management tracking for procedures, reports, and billing; and
- Experts may build their own scripts and tools in order to provide specialized investigations, or to gain an edge over firms providing similar services.

Page 20

www.rcfl.gov

Regional Computer Forensic Laboratories (RCFLs)

In response to the need to analyze, preserve, protect and defend forensic evidence, the FBI and local and state law enforcement agencies have constructed and staffed RCFLs.

An RCFL is a full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations.

Page 21

www.rcfl.gov

RCFL Structure & Duties

RCFLs consist of 15 people: 12 of the staff members are Examiners and 3 staff members support the RCFL.

Duties include:

- Seizing and collecting digital evidence at a crime scene;
- Conducting an impartial examination of submitted computer evidence; and
- Testifying as required.

Page 22

www.rcfl.gov

RCFLs Examine Digital Evidence in:

- Terrorism
- Child pornography
- Crimes of violence
- Trade secret theft
- Theft or destruction of intellectual property
- Financial crime
- Property crime
- Internet crimes
- Fraud

Page 23

www.rcfl.gov

Location of RCFLs

www.rcfl.gov

Page 24

notablesoftware.com/Papers/ForensicComp.html

RCFL Priority of Requests:

1. immediate threats to property or people;
2. potential threats to property or people;
3. general criminal investigations, such as fraud and child endangerment/pornography;
4. administrative inquiries; and
5. digital forensic research and development.

Page 25

www.cit.uws.edu.au/compsci/computerforensics

Computer Forensic Requirements

The discipline requires a detailed technical knowledge of the relationship between a computer's operating system and the supporting hardware (e.g. hard disks), and between the operating system and system/application programs and the network.

Knowledge of cryptographic and steganographic techniques is needed where data has been encrypted and/or obfuscated to make it inaccessible and/or hidden.

Finally and critically, all evidence gathering must proceed in a manner that ensures that the evidence is admissible in a court of law, and can be documented and presented in an intelligible manner.

Page 26

notablesoftware.com/Papers/ForensicComp.html

Computer Forensics Certifications

Page 27

notablesoftware.com/Papers/ForensicComp.html

Challenges in Forensic Computing

If access to digital evidence is not forthcoming from an impounding agency, court orders may be necessary to obtain the data and the use of extraction tools, in order to determine whether protocols have been applied.

Computer Forensic examiners who are not law enforcement investigators and analysts are not aided by RCFL facilities.

Examiners must ascertain and provide for their own training on an ongoing basis.

Rapid changes in digital technology pose complex challenges for computer forensic examiners.

Page 28

www.notablesoftware.com/Papers/MediaSec.html

The Many Colors of Multimedia Security

Benefits and risks of various aspects of digital rights management.

Media provider: protection of materials from unauthorized distribution or modification is primary concern;

Delivery end: recipients want to ensure downloads are virus-free and legitimately obtained.

Encryption and digital branding tools can be employed both for securing multimedia as well as for circumventing laws pertaining to content and use.

Page 29

www.notablesoftware.com/Papers/MediaSec.html

The Many Colors of Multimedia Security

- Steganography (the art and science of embedding secret messages within text, sound, or imagery);
- Watermarking (the addition of an unremovable identifier to tag the content, indicating ownership);
- Feature location (identification of subcomponents within a data set);
- Captioning;
- Time-stamping; and
- Tamper-proofing (demonstration that original contents have not been altered).

Page 30

www.notablesoftware.com/Papers/MediaSec.html

The Many Colors of Multimedia Security

Characteristics involved with data embedding include:

Visibility: embedded data may be intentionally detectable or imperceptible, but either way it should not detract from or degrade the primary media content.

Robustness (or fragility): the ability of the data to withstand signal-processing attacks (such as compression, rescaling, and format conversions like digital-to-analog conversion).

Error correction and detection: recovery is possible from small losses or an indication is provided that coded information damage has occurred.

Header independence: data is encoded directly into the content of the file to allow survival between file format transfers.

Self-clocking (or blind) coding: extraction does not require reference to the masking information or signal. (Adaptive coding algorithms use content from the masking data to perform hiding, usually through a transform-based method.)

Asymmetrical coding: the process used to extract the information is not as time or resource consuming as the process used to insert it, to allow for quick access to the data.
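The embedding characteristics listed on this slide and the previous one (watermarking, visibility, robustness versus fragility, error detection, header independence, blind extraction), measured on a constructed sample as an added example that is not part of the original presentation or the cited paper. The "cover" is a constructed list of 8-bit sample values standing in for pixels, and least-significant-bit embedding is used because it is the simplest fragile scheme, which makes each property directly observable; the header layout and function names are this example's own.

```python
"""Data-embedding characteristics from the slide, on a constructed sample set.

Added example, not from the original slides or the cited paper. The 'cover' is
a constructed list of 8-bit sample values standing in for pixels; LSB embedding
is used as the simplest fragile scheme so each characteristic can be measured.
"""
import random
import struct
import zlib


def make_cover(n, seed=1):
    """Constructed cover: n pseudo-random 8-bit samples (stands in for an image)."""
    rng = random.Random(seed)
    return [rng.randrange(0, 256) for _ in range(n)]


def _to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _read_bytes(samples, offset, count):
    """Reassemble `count` bytes from the LSBs starting at sample `offset`."""
    out = bytearray()
    for b in range(count):
        val = 0
        for i in range(8):
            val = (val << 1) | (samples[offset + b * 8 + i] & 1)
        out.append(val)
    return bytes(out)


def embed_lsb(cover, payload):
    """Hide payload in the LSB of each sample behind an 8-byte header.

    Header = big-endian length + CRC-32 of the payload. Because the header
    lives in the content itself the scheme is header-independent, and because
    extraction needs neither the cover nor side information it is blind
    (self-clocking). The CRC provides error detection, not correction.
    """
    header = struct.pack(">II", len(payload), zlib.crc32(payload) & 0xFFFFFFFF)
    bits = _to_bits(header + payload)
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # each sample changes by at most 1
    return stego


def extract_lsb(samples):
    """Blind extraction. Returns the payload, or None if the header or CRC fails."""
    if len(samples) < 64:
        return None
    length, crc = struct.unpack(">II", _read_bytes(samples, 0, 8))
    if 64 + length * 8 > len(samples):
        return None  # length field is not plausible for this cover
    payload = _read_bytes(samples, 64, length)
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        return None  # damage detected, per the error-detection bullet
    return payload


def max_sample_change(a, b):
    """Visibility metric: the largest per-sample difference embedding introduced."""
    return max(abs(x - y) for x, y in zip(a, b))


def rescale(samples, factor):
    """A signal-processing operation from the robustness bullet: brightness
    rescale with rounding, which rewrites the low-order bits the payload lives in."""
    return [min(255, round(s * factor)) for s in samples]


def demo():
    cover = make_cover(4096)
    payload = b"OWNER: constructed example tag 0001"  # constructed watermark text
    stego = embed_lsb(cover, payload)
    return {
        "extracted": extract_lsb(stego),                     # blind extraction works
        "max_change": max_sample_change(cover, stego),       # imperceptible: 1 level
        "after_rescale": extract_lsb(rescale(stego, 0.9)),  # fragile: payload lost
    }


if __name__ == "__main__":
    out = demo()
    print("blind extraction  :", out["extracted"])
    print("max sample change :", out["max_change"])
    print("after 0.9x rescale:", out["after_rescale"])
```

The same run shows the trade-off the slide describes: a one-level change per sample keeps the mark imperceptible, but a single rescale destroys it, so LSB embedding is fragile rather than robust, and the CRC is what turns that loss into a definite "damaged" indication instead of silently returning garbage.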

Page 31

www.gseis.ucla.edu/iclp/dmca1.htm

1998 Digital Millennium Copyright Act (DMCA)

- Makes it a crime to circumvent anti-piracy measures built into most commercial software.
- Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
- Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
- Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
- In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
- Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
- Limits liability of nonprofit institutions of higher education (when they serve as online service providers and under certain circumstances) for copyright infringement by faculty members or graduate students.
- Requires that "webcasters" pay licensing fees to record companies.
- Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
- States explicitly that “nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use..."

Page 32

www.notablesoftware.com/Papers/MediaSec.html

Study by Oberholzer and Strumpf

Even though there were over a billion downloads worldwide each week of music files alone, and despite the 15% dip in recorded music CDs shipped in the U.S. between 2000 and 2002, causality could not be established.

5,000 downloads of a particular item were necessary in order to displace a single sale.

High-selling albums actually benefit from file sharing.

Therefore, other factors, such as changes in recording format and listening equipment, are probably contributing at a higher rate to the decline in sales.