DIGITAL FORENSICS
BLOCK SESSION 1
MODULE 1 - CYBER CRIME
MODULE 2 - Information Security
MODULE 3 - Introduction to Digital Forensic
MODULE 4 - SA Law & Regulation
MODULE 5 - Integrating Digital Forensic Capabilities
WHAT IS CYBERCRIME?
WHAT DOES IT CONSTITUTE?
CYBERCRIME
• Definition
• The use of computers, the internet and connected technologies in the commission of a crime (Maras, 2015).
• Cybercrime has evolved from traditional crime: there are no physical boundaries, and criminal activities are now conducted in an online environment.
• The internet and technology have further increased the speed and ease with which cybercriminals and threat actors can use these mediums to conduct criminal activities.
CYBERCRIME
• Cyber crime tactics
• Hacking
• Unlawful interference into a computer (Maras, 2015)
• Malware
• Malicious software that causes destruction to a computer
• Cyberterrorism
• Cyber warfare
CYBERCRIME
• Old crimes re-engineered
• Cyber extortion
• Online demand
• Cyber vandalism
• Damage to an organisation’s website, which can include altering the information reflected on the website.
• Cyber prostitution
CYBERCRIME
• Target of the cybercrime
• The computer can be used as a target of criminality. The cybercriminal targets the computer for the following crimes:
• Making an attempt to break into an organisation’s or personal computer
• Stealing information from the computer
• Launching a cyber attack from inside or outside the organisation or country
• Causing destruction to the organisation’s or personal computer (Maras, 2015)
CYBERCRIME
• Examples of the targets include:
• Hacking
• Using illegal means to gain entry to a computer system
• Cracking
• Is when the cybercriminal uses the authorised means to gain access to a computer system in order to commit another crime or delete software applications (Maras, 2015).
• Denial of service (DoS)
• A network server is flooded with authentication requests which overwhelm the resources of the targeted computer, thereby causing it to deny server access to users with legitimate requests.
• Distributed denial of service (DDoS)
• The cybercriminal gains control of multiple computers and uses them to launch a cyber attack against a specified target or targets.
CYBERCRIME
• Examples of the targets include:
• Computer virus
• Malicious software that spreads to other computers through users’ activities, with the intention of disrupting a computer by piggybacking on files or programs.
• Trojan horse
• The malware tricks the user into thinking that it is legitimate software, whereas the malware contains hidden functions. The hidden functions are executed when the user downloads and installs the program (Maras, 2015).
• Logic bomb
• This malware is triggered by an event, such as a predetermined date and time or the running of a particular program. A previously inactive program is activated which, for example, can wipe the hard drive of a computer.
CYBERCRIME
• Examples of the targets cont.…
• Spyware
• Keylogger – records the user’s keystroke activity and reports the information back to its source.
CYBERCRIME
• Botnet
• A network of bot-infected computers. The computers are remotely controlled without the user’s knowledge.
CYBERCRIME
• The computer used as a tool to commit a cybercrime. These can include (Van Rooyen, 2012):
• Copyright infringement
• Illegal copying and storing of software, movies and music
• Embezzlement
• Categorised as theft. This can include an employee who transfers the employer’s money into his or her own account and uses the company to commit the theft.
• Phishing
• When cybercriminals intentionally deceive a user into believing that a request or notification is from a legitimate organisation in order to steal information (including bank account numbers, ID numbers and credit card details).
CYBERCRIME
• The computer used as a tool to commit a cybercrime cont.…
• Cyber harassment
• Cyberbullying
• What is your understanding of the Dark Web?
• Why and how do cybercriminals use this platform?
https://www.welivesecurity.com/2019/01/31/cybercrime-black-markets-dark-web-services-and-prices
WHAT ARE SOME OF THE INTERVENTIONS OR INITIATIVES THAT CAN BE CONSIDERED TO COMBAT CYBERCRIME?
CYBERCRIME
• Combatting cybercrime
• New or amended laws
• Better enforcement processes
• Awareness
• Training
INTRODUCTION TO INFORMATION SECURITY
MODULE 2
Learning Outcomes
• Definition
• CIA
• Importance
INFORMATION SECURITY
• Defining
• The measures or tasks executed to secure information in its digital form (Ciampa, 2012).
• Needed to protect people, organisations and devices (systems)
• InfoSec is achieved by:
• CIA
• Confidentiality – only authorised users have access to information
• Integrity – the information is correct and no unauthorised persons or malicious software can alter the data
• Availability – authorised users have access to information when needed.
INFORMATION SECURITY
(Source Purcell, 2018)
INFORMATION SECURITY
• Importance of InfoSec
• Preventing data theft
• Preventing identity theft
• Avoiding legal penalties
• Stopping cyberterrorism
INFORMATION SECURITY
• Security Incidents and Threats
• Live demo: https://cybermap.kaspersky.com/
• Summary
• Definition
• CIA
• Importance
INTRODUCTION TO DIGITAL FORENSIC
MODULE 3
Learning Outcomes
• Development of Digital Forensic
• Principles of Digital Forensic
• Digital Forensic Methodology
• Forensic imaging
• Forensic tools
• Investigative use of Technology
• Ethics
• Anti-Forensics
• Digital Evidence
• Sources of Evidence
• Preservation Strategies
• Email Forensics
• Network Forensics
INTRODUCTION TO DIGITAL FORENSIC
• What is digital forensic?
• What are some of the constituents of digital forensic?
DIGITAL FORENSICS
• Computer forensic advancement to digital forensic
• Computer forensic
• Began in the 1970s
• Branch of forensic science
• It is the process of obtaining, processing, analysing and storing digital information as evidence to be used in criminal or civil cases (Maras, 2015)
• Focused on computers, printers, scanners, flash drives, cameras, mobile phones and networks.
DIGITAL FORENSICS
• Digital forensic
• In 2000, digital forensic recognised as a science
• With the advancement of technology and interconnectedness digital evidence is now
distributed across multiple interconnected technologies (Sachowski, 2018).
• Digital investigations contrasted with digital forensics
• New specialization created network forensic and mobile forensics
DIGITAL FORENSIC
• Principles of Digital Forensic
• Potential digital evidence must be handled in a manner that follows certain principles, methodologies and techniques, with a view to ensuring admissibility in a court of law.
• Evidence exchange
• Establish factual conclusions
• Digital evidence is intangible
• Forensic soundness
• Ensures the evidence is handled in a proper manner and remains complete and unaltered as a result of the technology or methodology used.
• Forensic techniques need to be consistent.
DIGITAL FORENSIC
• Digital Forensic Methodology
• Digital forensics is continually advancing, which raises the question of whether bypassing or not following established processes could result in incomplete or inadmissible evidence.
• A generalised approach is chosen to describe the activities and tasks performed during the digital forensic investigation.
DIGITAL FORENSIC PROCESS MODEL CONT.…
(Sachowski, 2018)
DIGITAL FORENSIC PROCESS MODEL CONT.…
Phase 1 Preparation
This phase is essential for the successful execution of the activities. If it is insufficiently completed or not adequately detailed, there is a higher risk that the activities performed will impact the admissibility of evidence.
• Processes and procedures
• Education, training and awareness
• Technology and toolsets
DIGITAL FORENSIC PROCESS MODEL CONT.…
Phase 2 Gathering
• This involves the identification, collection and preservation of digital evidence.
• This phase is important to establish the significance, relevance and admissibility of evidence for the remaining part of the investigation.
• Identification
• Securing the scene
• Documenting the scene
• Search and seizure
• Collection and preservation
• Order of volatility
DIGITAL FORENSIC PROCESS MODEL CONT.…
Phase 3 Processing
• This phase involves the examination and analysis of evidence to determine its relevance and to reduce data volumes.
DIGITAL FORENSIC PROCESS MODEL CONT.…
Phase 4 Presentation
• Documentation is critical, from the start to the completion of the case.
• The tools, procedures and techniques are to be documented to ensure the authenticity and trustworthiness of the digital evidence.
DIGITAL FORENSIC IMAGING
• Digital forensic imaging
• The process and tools used in copying a physical storage device for forensic investigation and evidence gathering
• Methods of digital forensic imaging
• Copy and paste method
• Copying is done from one hard drive to another
• Only visible files are copied; hidden files are not copied (e.g. the file allocation table and master records)
• Disk cloning
• Creates a copy of the original drive. The duplicate copy will allow the operating system to boot. Creates a “one-to-one” copy.
• Disk imaging method
• This method is for copying the hard drive as a backup copy or archive.
DIGITAL FORENSIC IMAGING
• Hard Disk Drives
• What is a hard disk drive?
• Traditional HDD
• Solid State Drive (SSD)
(EY, 2015)
DIGITAL FORENSIC IMAGING
• Hard Disk Diagram
(EY, 2015)
STORAGE OF DATA
• Storage of Data
• Files are indexed in a file allocation table
(EY, 2015)
FORENSIC TOOLS
• Evaluation of forensic tools
• Available computer forensic software tools
• Computer forensic hardware tools
FORENSIC TOOLS
• Evaluation of forensic tools
• Considerations:
• On which OS does the forensic tool run?
• Is the tool adaptable? For example, does it work in Windows 98, XP and Vista and produce the same results in all three?
• Can the tool analyse more than one file system (FAT, NTFS and Ext2fs)?
• Does the tool have any automated features that can reduce the time to analyse data?
• What is the vendor’s after-sales support?
FORENSIC TOOLS
• Available computer forensic software tools
• Hardware forensic tools (Nelson et al. 2010)
• Range from simple single-purpose components to complete computer systems and servers
• Single-purpose components such as the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge
• Complete systems such as Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations and Forensic Computers Forensic Examination
• Software forensic tools
• ProDiscover, EnCase and AccessData FTK.
FORENSIC TOOLS
• Computer forensic tools can perform the following tasks:
• Acquisition
• Validation and discrimination (hashing, filtering or analyzing headers)
• Extraction (recovery task), e.g. keyword searches
• Reconstruction (recreate the suspect drive)
• Reporting
FORENSIC TOOLS
• Computer Forensic Software Tools
• Command Line Forensic
• The first tools analysed and extracted data from floppy disks under MS-DOS on IBM PCs
• Advantage – require few system resources
• UNIX/Linux Forensic Tools
• SMART
• Helix
• BackTrack
• Autopsy & The Sleuth Kit
FORENSIC TOOLS
• Computer Forensic Hardware
• Forensic Workstation
• Stationary workstation
• Portable workstation
• Lightweight workstation
• Write Blocker
• First item to be considered
• Protects evidence disks by preventing data from being written to them.
INVESTIGATIVE USE OF TECHNOLOGY
• Cellphone
• Value of device – obtain the following: call logs, telephone number of the device, electronic serial number, text messages, e-mail messages, images & videos, GPS, cellphone tracking, subscriber info, stored data, web browser, sent and received emails, real-time tracking
• Forensic considerations – data can be lost if the battery dies; keypad locking; keep cellphones that are switched on away from radio frequency, i.e. put them in a container that blocks the signal.
• Computers
• Value of device – obtain the following: data that is useful during the investigation, emails, communication with other persons, stored records and photos; the computer may be used for a crime, be a target of theft or be a target of the crime
• Forensic considerations – data may be stored internally or on remote storage media; when seizing a computer that is switched off, leave it off; if the computer is switched on, photograph and document the screen; data stored on a computer connected to a network can be remotely accessed.
ETHICS IN DIGITAL FORENSICS
• Would you consider ethics important?
ETHICS IN DIGITAL FORENSICS
• Importance
• Irrespective of the illegal or unethical behaviour under investigation, the digital forensic practitioner needs to be objective, truthful and show due diligence when executing the investigation.
• Digital forensic practitioners have specialised and distinctive knowledge which, if not overseen properly, has the potential for misuse.
• Maintain confidentiality and trust
• Avoid potential conflicts
• Informed decisions should be made in accordance with due diligence
ANTIFORENSICS
• What is antiforensic?
• What is the significance to a forensic practitioner?
ANTIFORENSICS
• So what is antiforensics?
• It is the grouping of specific procedures and techniques that are instituted to render digital evidence challenging or impossible to obtain.
• Antiforensics was traditionally applied to information systems; it is now more about technology in general.
ANTIFORENSICS
• Data hiding
• The most common type, used to hide data from basic sight (Sachowski, 2018).
• File manipulation
• Making changes to the data characteristics
ANTIFORENSICS
• Data hiding: making changes to the data characteristics cont.…
• Storing files in non-standard directory paths (for example, storing a word processing document in file system directory locations known to be used by the host operating system, such as C:\Windows\system32 in Microsoft Windows).
• Modifying file and directory characteristics so that they are not visibly displayed in the file system.
ANTIFORENSICS
• Data hiding continued…
• Encryption
• Initiated to render the information inaccessible (Sachowski, 2015).
• File system encryption
• Application encryption
• Disk encryption
• Network encryption
ANTIFORENSICS
• Counter measures
• A security approach or risk-based methodology adopted by an organisation can reduce its attack surface by executing solutions that deploy deny-by-default security controls.
• A defence-in-depth approach, in which the organisation deploys layered, data-centric security controls to ensure the confidentiality, integrity and availability of information assets and systems.
DIGITAL EVIDENCE
• Defining digital evidence:
• Information stored or transmitted in binary form (i.e. ones and zeros) that can be used to prove an action, entry or device used (Fraud Examiner Manual, 2017)
• New technologies create new opportunities for technology (skills, devices) to be used in practically every type of fraud.
• Devices can be:
• Target of a cyber criminal act
• Tool of cyber crime
• Repository of evidence linked with the cyber crime
DIGITAL EVIDENCE
• Unpredictability of digital evidence:
• Data can be altered
• Can be destroyed
• Fragile and short lived
• Can be manipulated
DIGITAL EVIDENCE
• Potential Actions that can modify data during the investigation (Fraud
Examiner Manual, 2017):
• Interacting with the computer system
• Clicking on files or folders, which can result in data being written to the system’s hard drive
• Turning the system on or off
• Browsing websites
• Using software applications
• Downloading or transferring files
SOURCES OF DIGITAL EVIDENCE
• Digital evidence has to be considered from different sources, given the widespread use of technologies.
• Log files
• Generated by the different systems and applications
• Access logs
• Audit logs
SOURCES OF DIGITAL EVIDENCE
• Log files cont…
• Error logs
• Transactional logs
• Security logs
SOURCES OF DIGITAL EVIDENCE
• Correlation and Association
• This is done to achieve fact-based conclusions.
• Establishing a relationship between multiple evidence sources is necessary to build credibility.
ASSESSMENT QUESTION
• Turning on a computer has little effect on the files contained on the computer
system.
• A. True
• B. False
ASSESSMENT QUESTION
• Which of the following is TRUE regarding the types of information that
computer forensic experts typically can recover from computer systems?
• A. Computer forensics specialists can recover information about websites visited
• B. Computer forensics specialists can recover time and date information about files
• C. Computer forensics specialists can recover deleted emails, link files, and documents
• D. All of the above
ASSESSMENT QUESTION
• What are some of the considerations that the forensic practitioner / examiner should be mindful of, from seizing the device to presenting the imaged hard drive to the client?
PRESERVATION STRATEGIES
• Evidence is spread across different organisations and authorities. The strategies implemented are crucial to maintaining the digital evidence.
• A holistic approach is needed that would include administrative, physical and technical solutions.
• Enterprise Governance Framework – Administrative
PRESERVATION STRATEGIES
• Enterprise Governance Framework cont.…
• Assurance controls
• Evidence storage
• Evidence handling
PRESERVATION STRATEGIES
• Physical Security Controls
• Implemented to control and protect information assets and reduce the risk of damage or loss
• Needed to maintain the authenticity and integrity of the digital evidence.
• Deter
• To convince intruders that the likelihood of their success is low due to strong security defences
PRESERVATION STRATEGIES
• Maintain authenticity and integrity of the digital evidence cont.…
• Detect
• These controls discover potential intruders and interrupt them before the incident
• Deny
• Controls deny potential intruders access to controlled or restricted areas
• Delay
• Last line of defence when the other controls are unable to mitigate physical security risks.
PRESERVATION STRATEGIES
• Least Privilege Access
• The threat landscape is evolving, and sophisticated and complex attacks continue to exploit weak controls in physical, technical or personnel security.
• These deficiencies can become a catalyst for rendering digital evidence inadmissible.
• Integrity Monitoring
• Technologies that monitor and detect changes made to a file system and thereafter generate alerts.
• Cryptographic Verification
• Cryptographic algorithms are used to establish the authenticity and integrity of the digital evidence against what was originally seized.
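An added example (not from the slides or the cited authors) of the integrity monitoring and cryptographic verification just described: it records the SHA-256 hash of a constructed disk image at acquisition, builds a hash baseline over the evidence store, and re-verifies after a simulated change so that the modified, missing and added files are reported. The case identifier and file names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, acquisition_hash):
    """Cryptographic verification: does the image still match the hash recorded at seizure?"""
    return sha256_file(image_path).lower() == acquisition_hash.lower()


def build_baseline(evidence_dir):
    """Integrity-monitoring baseline: relative path -> SHA-256 for every file in the store."""
    root = Path(evidence_dir)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_baseline(evidence_dir, baseline):
    """Re-hash the store and report what changed since the baseline was taken.

    Any non-empty list is an alert condition: evidence that changed after
    seizure is open to challenge on authenticity and integrity."""
    current = build_baseline(evidence_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed walk-through: seize, baseline, tamper, re-verify. Returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "CASE-0001"  # hypothetical case identifier
        store.mkdir()
        # Constructed stand-ins for a disk image and the examiner's notes.
        image = store / "disk.dd"
        image.write_bytes(bytes(range(256)) * 16)
        (store / "notes.txt").write_text("Seized device imaged; hash recorded (constructed).\n")

        acquisition_hash = sha256_file(image)  # the value written on the chain-of-custody form
        baseline = build_baseline(store)
        before = verify_baseline(store, baseline)
        image_ok_before = verify_image(image, acquisition_hash)

        # Simulate the events the slides warn about: one byte of the image is
        # altered, the notes are deleted and a stray file appears in the store.
        with open(image, "r+b") as handle:
            handle.seek(10)
            handle.write(b"\xff")
        (store / "notes.txt").unlink()
        (store / "extra.log").write_text("unexpected\n")

        return {
            "image_ok_before": image_ok_before,
            "image_ok_after": verify_image(image, acquisition_hash),
            "before": before,
            "after": verify_baseline(store, baseline),
        }


if __name__ == "__main__":
    print(demo())
```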
PRESERVATION STRATEGIES
• Enterprise Log Management
• Business needs and requirements should be defined first, and log management then designed to meet these needs
• Data Retention
• Organisations need to keep business records for a given period
• Formal documentation required
• The storage solution that houses the data must be carefully decided
• Adaptive Infrastructure
• As technology continues to advance, storage capacities grow and so does the volume of potential evidence that needs to be gathered, processed and preserved.
PRESERVATION STRATEGIES
• Log Management Solutions
• The solutions implemented must at all times ensure best practice and maintain
authenticity and integrity of digital evidence.
• Enterprise Data Warehouse
• Evidence Storage Network
EMAIL FORENSICS
• Discussion Questions
• Email headers contain what information that is useful or not to forensic
practitioner?
• What is the main piece of information you, as a forensic practitioner, look for in the email message?
• Does a forensic practitioner need to be knowledgeable about the email server’s internal processes?
EMAIL FORENSICS
• Importance
• Most cybercrimes are committed with the use of emails.
• Email basics
• Client/server email – the organisation’s server sends or receives emails, which are stored on the server or downloaded to the user’s computer.
• Web-based email – email accounts accessed through a web browser, e.g. Gmail, Hotmail or Yahoo.
EMAIL FORENSICS
• Email systems – protocols used to communicate:
• Simple mail transfer protocol (SMTP) – protocol used to send email across the internet or a network
• Post office protocol (POP3) – used to read emails and store emails in a single mailbox until downloaded by the user.
• Internet message access protocol (IMAP) – also used to retrieve and read emails. More powerful than POP3: users can manage multiple folders to store emails on the server (Maras, 2015).
EMAIL FORENSICS
• Conducting the investigation
• Obtain the email
• Should include the header information and any attachments
• Searching the email for the IP address
• The PING command can be used to validate the IP address
• Verify the owner of the IP address (use a WHOIS website) to find the contact details.
EMAIL FORENSICS
• Problems encountered:
• Proxy servers
• Hiding or masking their IP address
• Using an internet café to send emails
• Using a web service, e.g. a Gmail account.
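An added example (not from the slides or the cited authors) covering both the investigation steps above and the "problems encountered": it parses the Received headers of a constructed phishing-style message, lists the hops in time order with the IP address each server recorded, flags addresses in private ranges that WHOIS cannot attribute, and picks out the first external address, which for a webmail sender is the provider rather than the author. All hosts, addresses (RFC 5737 documentation ranges) and mailboxes are constructed.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: RFC 5737 documentation addresses and .test domains only,
# so nothing here resolves to a real server. The topmost Received header is the
# most recent hop; the chain is read bottom-up to follow the message in time.
RAW_MESSAGE = b"""\
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.10])
    by mail.victim.test with ESMTPS id abc123
    for <alice@victim.test>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from webmail.example-sender.test ([198.51.100.25])
    by mx.example-receiver.test with ESMTP id def456;
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
    by webmail.example-sender.test with HTTP;
    Mon, 1 Jan 2024 10:00:01 +0000
Return-Path: <bounce@mailer.example-sender.test>
From: "Bank Support" <support@bank.test>
To: alice@victim.test
Subject: Account verification required
Date: Mon, 1 Jan 2024 10:00:00 +0000

Please confirm your account details.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Address space WHOIS cannot attribute: a hop from here was recorded behind a
# NAT, a webmail front end or a proxy, not on the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _hop_time(text):
    """The timestamp follows the last ';' of a Received header; None if unparsable."""
    try:
        return parsedate_to_datetime(text.rsplit(";", 1)[-1].strip()).isoformat()
    except (ValueError, TypeError, IndexError):
        return None


def received_hops(raw):
    """Return the Received chain in chronological order (earliest hop first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        from_m, by_m, ip_m = FROM_RE.search(text), BY_RE.search(text), IPV4_RE.search(text)
        ip = ip_m.group(1) if ip_m else None
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "ip": ip,
            "internal": is_internal(ip) if ip else None,
            "timestamp": _hop_time(text),
        })
    return hops


def originating_ip(hops):
    """Address in the earliest hop: the client that first handed over the message."""
    return hops[0]["ip"] if hops else None


def first_external_ip(hops):
    """Earliest address WHOIS can attribute. When the sender used webmail or a
    proxy this is the provider's address, so the owner found is the service,
    not necessarily the author."""
    for hop in hops:
        if hop["ip"] and not hop["internal"]:
            return hop["ip"]
    return None


def sender_mismatch(raw):
    """True when the displayed From domain differs from the Return-Path domain,
    a common trait of the deceptive emails used in phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    return bool(from_domain and rp_domain and from_domain != rp_domain)


if __name__ == "__main__":
    chain = received_hops(RAW_MESSAGE)
    for hop in chain:
        print(hop)
    print("originating:", originating_ip(chain), "first external:", first_external_ip(chain))
    print("From/Return-Path mismatch:", sender_mismatch(RAW_MESSAGE))
```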
NETWORK FORENSICS
• What is your understanding of network forensics?
NETWORK FORENSICS
• Key concepts
• Stand-alone computer
• A computer that is not connected to another computer or network
• Networked computer
• A computer that is connected to one or more computers that allows sharing of data,
software and hardware
NETWORK FORENSICS
• Key concepts cont.…
• Computer networks
• Local area network (LAN) – the simplest type of network, which connects computers within a small area and shares the resources
• Metropolitan area network
• A network that is restricted to a particular city
• Campus area network
• A network that connects computer systems in a particular area
NETWORK FORENSICS
• Key concepts cont.…
• Network configuration
• Depends on the size of the organisation
• Peer-to-peer networking configuration
• Each computer manages authentication and access to its own resources. Therefore each computer must be individually configured for attached devices, e.g. printers.
• Server-based network configuration
• Designed for a larger group of users. A network administrator manages the server-based network configuration.
NETWORK FORENSICS
• Defined
• It is the use of methodically proven procedures to investigate computer networks (Maras, 2015).
• Includes capturing, analysing and preserving the network traffic, which is the data in the network.
• Traffic consists of packets, which are the units of data transmitted over the network.
NETWORK FORENSICS
• Network forensics seeks to reconstruct the events that have occurred and retrieve potential evidence for use in court or organisational processes
• Network forensics is conducted when attacks, intrusions or network misuse are observed.
• The investigation must seek the following (Maras, 2015):
• What incident was observed?
• When was it observed?
• Where did it take place?
• Why did the incident happen?
• How did the incident occur?
• Who was responsible for the incident?
NETWORK FORENSICS
• Network related evidence:
• The types of evidence that can be retrieved from networks include content data and session data
• File server:
• The computer that handles requests from other computers on the network for data stored on one or more of the server’s hard drives.
• The server holds data that all computers on the network can use. It contains logs for emails, instant messages and internet activities. These logs can be examined for potential evidence.
NETWORK FORENSICS
• Network related evidence cont.…
• Dynamic host configuration protocol (DHCP)
• A protocol that allows a server to dynamically assign IP addresses to networked computers.
• Routers
• Often targets of attackers or other cyber criminals
• Access to the router would lead to access to and control of the network.
• Configure the routers to block certain IP addresses
NETWORK FORENSICS
• Network related evidence cont.…
• Backdoors
• Honeypots
NETWORK FORENSICS
• Assessment Questions
• Why are live forensic acquisitions becoming more common?
• Do live acquisitions violate standard forensic procedures?
SA Law & Regulation
Module 5
SA LAW & REGULATION
• Electronic Communication and Transactions Act no. 25 of 2002
• Electronic representation of information in any form (Section 15)
• Admissibility of data
• Evidential weight of information in the form of a data message
• Assessing evidential weight
• The reliability of the manner in which the data message was generated, stored or communicated
• The reliability of the manner in which the integrity of the data message was maintained
• The manner in which the originator was identified
• Whether the data message was made in the course of business, or is a copy or printout of an extract from such a data message certified to be correct by an official (Van Rooyen, 2012)
SA LAW & REGULATION Contd…
• Statutory criminal offences relating to information systems include:
• Unauthorised access to data
• Interception of or interference with data
• Computer-related extortion
• Fraud, and
• Forgery
SA LAW & REGULATION Contd…
• Protection of Personal Information Act 4 of 2013
• Condition 7 – Security Safeguards
• KING IV
• Principle 11
• Cybercrime Bill
• Passed by the National Assembly in November 2018.
• Formalises the process and the imposition of penalties for cybercrimes
• Collaboration and mutual assistance between organisations and law enforcement.
• Organisations would need to preserve data that would assist during the investigation
• Financial institutions and electronic service providers will be compelled to report cyber incidents
SUMMARY
• ECT Act
• Protection of Personal Information
• KING IV
• Cybercrime Bill
INTEGRATING DIGITAL FORENSIC CAPABILITIES
CYBER-SECURITY RESILIENCE &
CSIRT
MODULE 6
• Learning Outcomes
• Cyber Resilience
• Cyber Security Incident Management
• CSIRT
• Forensic Capabilities
• 4th IR
• Challenges
INTEGRATING DIGITAL FORENSIC CAPABILITIES
• Cyber-security resilience
• The ability of the organisation to prepare, withstand and recover from a cyber-security
incident, threat and attack
• Importance of Cyber-security resilience
CYBER-SECURITY RESILIENCE CONT..
• Components for cyber-security resilience
• Cyber-security strategy
• Governance
• Cyber-security incident management
• Cyber-security awareness
• Cyber-security infrastructure and technology
CYBER-SECURITY INCIDENT MANAGEMENT
• Cyber-security incident management
• Cyber incident response plan
• Cyber-security incident reporting mechanism
• CSIRT
CSIRT CONT..
• CSIRT Roles
• Preparation
• Analysis
• Containment & recovery
• Post incident activity
CSIRT CONT.…
• Digital forensic capabilities in a CSIRT
• Investigate data breaches – access to and dissemination of information (data) by unauthorised users or entities
• Email abuse
• Inappropriate activity – contraband content (pornography and pirated media)
• Internet misuse – transmission of content that is outside the organisation’s acceptable scope of usage
• Intrusion attempts – unauthorised access to information assets or systems
• Malware infections – installation and execution of malicious code
• Unauthorised access – access to information assets or systems without approval or delegated privilege (Sachowski, 2018).
4TH INDUSTRIAL REVOLUTION
• Benefits
• Rise of digitization and the fast pace of technology
• Connecting different organisations
• Issues
• New threats and unknown attacks
• Organisations need to ensure efficiency, sustainability and better IT governance to overcome the challenges of the 4th Industrial Revolution
• Organisations need to take action, build resilience and adapt.
CHALLENGES
• Challenges for organisations:
• More connectivity and different devices, organisations and different countries
• New generation threats
• Lack of Skill level and technology
CHALLENGES
• New technology advancement and the era of the 4th industrial revolution will introduce new
challenges that would need to be addressed particularly cloud computing and quantum computing
(Sachowski, 2018)
• Cloud Computing
• Cloud computing has made significant progress and has further transformed and propelled business operations into efficient and cost-saving processes.
• NIST has identified the challenges as:
• Recovery of deleted data in shared environments
• Evidence correlation across multiple cloud service providers
• Segregation of electronically stored information in multi-tenant systems
• Competence and trustworthiness of a cloud service provider as a first responder
• Jurisdiction over interconnected devices (Sachowski, 2018)
CHALLENGES
• Quantum computing
• Quantum forensic capabilities for conducting live forensic analysis on a quantum system are lacking; as a result, analysis can only be conducted post mortem.
• More resources are to be invested in establishing the maximum extent to which evidence can be recovered
• Machine learning
CHALLENGES
• Cyber-security resiliency is needed
• A CSIRT can respond to the cyber-security incidents
• A CSIRT can provide a snapshot of the cyber processes, threats and attacks.
• 4th Industrial Revolution
• Forensic Professionals
• Summary
• Cyber Resilience
• Incident Management
• CSIRT
• Digital Forensic Capabilities
• 4th IR
• Challenges
THANK YOU
ADDITIONAL RESOURCES
• Forensic software
• www.guidancesoftware.com
• www.accessdata.com
• www.arcgroupny.com
• www.cellebrite.com
• Network forensic analysis tools
• NetWitness – http://www.niksun.com/sandstorm.php
• OmniPeek – http://www.wildpackets.com/
• SilentRunner – http://www.accessdata.com