0% found this document useful (0 votes)

306 views24 pages

Corporate Digital Forensics Guide

Digital forensics is the collection, preservation, analysis and presentation of digital evidence. There is a growing need for corporate digital forensics capabilities to assist with legal/regulatory requirements, investigations, and incident response. However, setting up a forensics team presents challenges in terms of resources, skills, organizational placement, and gaining internal support and awareness. Key factors include policies for investigative access, data retention and contact channels, as well as ensuring the team has proper training, tools, and lab facilities.

Uploaded by

Shams-ul Arifin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

306 views24 pages

Corporate Digital Forensics Guide

Uploaded by

Shams-ul Arifin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Title Page
Presentation Summary
An Overview of Digital Forensics
What is Digital Forensics?
Digital Evidence
Main Areas of Digital Forensics
Organizations Using Digital Forensics
Potential Sources of Digital Evidence
Difficulties of Digital Evidence
Digital Forensics within a Corporate Organization
Driver: Legal and Regulatory Requirements
Driver: Industry Best Practice
Driver: Internal Demand
Challenges in Creating a Forensics Capability
Organizational Challenges
Forensic Readiness
Support and Awareness
Establishing Formal Contact Channels
Forensic Team Skills and Tools
Recommended Resources
Questions or Comments

May 2006, IBSA Conference, Vienna

The Role of Digital Forensics

within a Corporate
Organization

Bruce J. Nikkel
IT Investigation & Forensics
Risk Control, UBS AG
Presentation Summary

• An overview of digital forensics

• The need for corporate forensics functionality
• Challenges in creating a forensics capability
• Questions, discussion, recommended
resources

2
An Overview of Digital Forensics

• What is digital forensics?

• What is digital evidence?
• Who is using it?

3
What is Digital Forensics?

• The collection, preservation, analysis, and

presentation of digital evidence

• Admissible in a court of law

• Usable for internal disciplinary hearings
• Supporting data for internal incident reports
• Assisting/furthering other investigations

4
Digital Evidence is Data Which:

• Helps reconstruct past events or activity

(timelines)

• Shows possession/handling of digital data

• Show use/abuse of IT infrastructure & services
• Shows evidence of policy violation or illegal
activity

5
The Main Areas of Digital Forensics

• Computer forensics (hard disk, removable

media acquisition and analysis)

• Network forensics (network intrusions,

abuse, .etc)

• Software forensics (examining malicious code,

malware, etc.)

• Live system forensics (compromised hosts,

system abuse, etc)

6
Organizations Using Digital Forensics
Technology

• Law enforcement
• Military, government agencies
• Law firms (legal discovery)
• Data recovery firms
• Corporate organizations (relatively new)

7
Potential Sources of Digital Evidence

• Hard disks, tapes, external/removable media

• Network infrastructure logs (Firewall, IDS,
proxy, etc.)

• Application, audit log files

• Email
• Other server content (Windows shares, web
servers, databases, etc.)

• Captured network traffic

8
Difficulties of Digital Evidence

• Easy to destroy
• starting a PC updates hundreds of timestamps and
modifies many files
• attaching a hard disk or USB stick will modify file
system timestamps
• volatile memory is lost when a machine is powered
off

• Hard to get
• network traffic only exists on the wire for
milliseconds
• intrusions and attacks may be cleverly devised
• anti-forensic activity may prevent collection

9
Digital Forensics within a Corporate
Organization

• What is driving the need for a digital forensics

role within organizations?

• Driven by internal demand

• Driven by external factors
• Leveraging tools & skills

10
Driver: Legal and Regulatory
Requirements

• Country/region specific laws

• different countries have different laws and
regulations
• may require some form of forensic capability or
readiness
• example: Sarbanes Oxley Act Requires a Process for
dealing with incidents requiring forensic analysis or
investigation (SOX 012-s13)

• Regulated Industries
• finance, Healthcare, Insurance, telecom, etc.
• may have industry specific requirements
• example: Swiss ISP log retention

11
Driver: Industry Best Practice

• ISO 17799 (2003)

• international standard for Information security
• recommends procedures for collecting evidence and
analyzing incidents

• Information Assurance Advisory Council

(IAAC)
• guidelines for ensuring corporate forensic readiness

• Published, peer reviewed papers

• Digital Investigation Journal, The International
Journal of Digital Forensics & Incident Response
(Elsevier)
• International Journal of Digital Evidence (IJDE)
12
Driver: Internal Demand

• Legal departments
• assisting corporate legal teams with discovery
• ensuring compliance with local laws and regulations

• Corporate policies and standards compliance

• company policies/standards may benefit from a
forensic capability
• audit requirements/recommendations

13
Driver: Internal Demand (cont.)

• HR
• firing/termination
• employee misconduct, disciplinary action
• exceptional/extreme cases (death, suicide,
kidnapping, etc.)

• Other corporate investigative bodies

• many investigative roles may exist (fraud, crime,
incident handling, disaster/emergency
response, .etc)
• need for assistance, central forensics competence
center
• risk management, risk control, crime risk control
14
Driver: Internal Demand (cont.)

• Intellectual Property (IP)

• intellectual property abuse/infringement
• brand/image reputation risk (investigating
fraudulent websites, phishing attacks, etc.)

• IT
• intrusion analysis
• investigating IT policy violation
• IT infrastructure abuse/misuse
• logic bomb, virus/malware analysis, etc.
• special services leveraging forensic team's tools and
skills

15
Driver: Internal Demand (cont.)

• "Non-forensic forensics": Using forensic tools

and skills for legitimate, but non-forensic
purposes
• verifying corporate disk wiping procedures
• verifying disk/network encryption implementation
• data recovery (crashed hard disks, old/obsolete
media, etc. )
• legitimate password recovery requests
• assist with obscure troubleshooting
• IT architecture and design (provide forensic
readiness input/feedback)

16
Challenges in Creating a Forensics
Capability

• What are some of the challenges in setting up

a corporate forensics functionality?

• Basic needs/requirements of a digital

forensics team

• Some key factors in implementing a digital

forensics role in an organization

17
Organizational Challenges

• Team placement within the organization:

• IT ?
• IT security risk management ? IT security risk
control ?
• legal/compliance departments ?
• part of CERT, CSIRT, SIRT, SOC ?
• centralized? regional?
• in-house or out-sourced ?

• Internal competition/diversity
• very large organizations may have multiple
investigation and/or forensic teams
• varying degrees of responsibility/involvement
(sometimes a lead role, sometimes an assisting role,
sometimes a consulting role) 18
Forensic Readiness

• Investigative access policy

• ensure authorized investigators are able to collect data
• protect sensitive data
• controlled/logged access (prevent abuse, reduce risk)

• IT data retention policy

• legal/regulatory requirements
• IT incident response requirements
• forensic & investigative recovery requirements

• Establishing Forensics resources

• a trained forensics team
• a properly equipped forensics lab
• outsourcing partners, external experts
19
Support and Awareness

• Management support
• convincing management that a forensic team is
needed/valuable to the organization
• emphasis on readiness ("Fire Department"
perspective)
• makes things easier/cheaper for a number of
internal groups
• preventing a single high-cost court case alone could
justify the expense of such a team

• Awareness in various areas of an organization

• inclusion in work-flows and processes
• having a point of escalation, additional support
• knowing a forensics competence center exists
20
Establishing Formal Contact Channels

• To facilitate:
• enabling others to efficiently contact the forensics team
• enabling the forensics team to efficiently contact others

• Internal
• contact to various IT areas for data collection and
expertise
• contact channel to the forensic team via shared
mailbox, hotline, other departments, etc.

• External
• peers in other organizations or in the digital forensics
community
• local/federal law enforcement
• contact channel to the forensic team via
abuse@company.com, hotlines, website contact forms 21
Forensic Team Skills and Tools

• Staff training and skills maintenance

• knowledge of proper methods and procedures
• allowing time to learn/understand new technologies
• certified examiners (CISSP, Encase EnCE, etc.)

• Setting up a forensics lab & tools

• forensics hardware (write blockers)
• forensics software (commercial, Linux & open-
source, custom in-house tools)
• systems for performing acquisition, analysis, and
testing
• old media drives and technologies

22
Recommended Resources

• Web resources
• www.e-evidence.info, a directory of digital forensics
documentation and papers
• www.forensicswiki.org, a Wikipedia style forensics
website
• www.forensicfocus.com, an online forensics
community

• Peer reviewed practitioner/research journals

• Elsevier's Digital Investigation Journal, The
International Journal of Digital Forensics & Incident
Response
• International Journal of Digital Evidence (IJDE)

• Software
• Commercial software: Encase, FTK, etc. 23
• Opensource software: Linux, Sleuthkit, etc.
Questions or Comments?

• Questions or comments?
• Contact me at bruce.nikkel@ubs.com
• Slides available at www.digitalforensics.ch

Introduction to Digital Forensics
100% (3)
Introduction to Digital Forensics
29 pages
Introduction To Digital Forensics
No ratings yet
Introduction To Digital Forensics
24 pages
Digital Forensics Lec2 Spring 2021
No ratings yet
Digital Forensics Lec2 Spring 2021
50 pages
Digital Forensics Course Logistics / Contents Preview
No ratings yet
Digital Forensics Course Logistics / Contents Preview
61 pages
Introduction to Computer Forensics
No ratings yet
Introduction to Computer Forensics
14 pages
Overview of Computer Forensics
No ratings yet
Overview of Computer Forensics
18 pages
Digital Forensics
No ratings yet
Digital Forensics
52 pages
Digital Forensics in Cyber Security-Recent Trends
No ratings yet
Digital Forensics in Cyber Security-Recent Trends
15 pages
Chapter 11 Report Writing For High Tech Investigation
No ratings yet
Chapter 11 Report Writing For High Tech Investigation
28 pages
Live Response in Computer Forensics
No ratings yet
Live Response in Computer Forensics
41 pages
Data Acquisition in Computer Forensics
No ratings yet
Data Acquisition in Computer Forensics
42 pages
Module 1 - Introduction To Digital Investigation and Forensics
No ratings yet
Module 1 - Introduction To Digital Investigation and Forensics
34 pages
Understanding Computer Forensics Basics
No ratings yet
Understanding Computer Forensics Basics
40 pages
Assignment of Digital Forensics
No ratings yet
Assignment of Digital Forensics
10 pages
Computer Forensics Fundamentals Explained
No ratings yet
Computer Forensics Fundamentals Explained
29 pages
Data Acquisition in Computer Forensics
No ratings yet
Data Acquisition in Computer Forensics
13 pages
Forensic Analysis Techniques Guide
80% (5)
Forensic Analysis Techniques Guide
97 pages
Digital Forensic Report on Money Laundering
No ratings yet
Digital Forensic Report on Money Laundering
8 pages
Validating Digital Evidence in Forensics
100% (1)
Validating Digital Evidence in Forensics
30 pages
1 Introduction To Cyber Forensics
100% (1)
1 Introduction To Cyber Forensics
6 pages
Chapter 1 Introduction To Computer Crime & Digital Forensic
No ratings yet
Chapter 1 Introduction To Computer Crime & Digital Forensic
24 pages
Digital Forensics Project - Proposal - Edited2
No ratings yet
Digital Forensics Project - Proposal - Edited2
11 pages
Cyber Check Manual Version 3.0
No ratings yet
Cyber Check Manual Version 3.0
316 pages
Cyber Forensics Course Overview and Guidelines
No ratings yet
Cyber Forensics Course Overview and Guidelines
14 pages
Forensics - Lab 6
No ratings yet
Forensics - Lab 6
4 pages
Data Recovery & Evidence Collection Guide
No ratings yet
Data Recovery & Evidence Collection Guide
16 pages
Evaluating Network Forensics Applying Advanced Tools
No ratings yet
Evaluating Network Forensics Applying Advanced Tools
9 pages
Computer Forensics Overview and Techniques
No ratings yet
Computer Forensics Overview and Techniques
72 pages
Court Testimony
No ratings yet
Court Testimony
45 pages
Final Digital Forensic Small Devices Report
No ratings yet
Final Digital Forensic Small Devices Report
21 pages
Computer Forensics Tools Guide
100% (1)
Computer Forensics Tools Guide
55 pages
Computer Forensics
No ratings yet
Computer Forensics
48 pages
Lab Manual For Digital Forensics
No ratings yet
Lab Manual For Digital Forensics
43 pages
Forensic Investigation Process Overview
No ratings yet
Forensic Investigation Process Overview
37 pages
Cybersecurity Basics for Students
No ratings yet
Cybersecurity Basics for Students
20 pages
Cybersecurity Forensic Tools Updated
No ratings yet
Cybersecurity Forensic Tools Updated
6 pages
Method of Digital Forensic
100% (2)
Method of Digital Forensic
6 pages
Cyber Forensics Course Overview
No ratings yet
Cyber Forensics Course Overview
2 pages
Cyber Security Lab Manual
No ratings yet
Cyber Security Lab Manual
10 pages
Windows Forensic Analysis Overview
No ratings yet
Windows Forensic Analysis Overview
17 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
67 pages
Forensics Exam
100% (2)
Forensics Exam
5 pages
Question Bank Cyber Forensics Unit I:: (Book: - Guide To Computer Forensic and Investigation)
No ratings yet
Question Bank Cyber Forensics Unit I:: (Book: - Guide To Computer Forensic and Investigation)
3 pages
Computer Forensics Tutorial Solutions
No ratings yet
Computer Forensics Tutorial Solutions
4 pages
Computer Security Goals
100% (2)
Computer Security Goals
72 pages
Cloud - Forensics
No ratings yet
Cloud - Forensics
37 pages
What Is Digital Forensics - History, Process, Types, Challenges
100% (2)
What Is Digital Forensics - History, Process, Types, Challenges
6 pages
Computer Forensics: Implications and Uses
100% (1)
Computer Forensics: Implications and Uses
13 pages
Digital Forensics Seminar Report
67% (3)
Digital Forensics Seminar Report
23 pages
Digital Evidence Acquisition Methods
No ratings yet
Digital Evidence Acquisition Methods
17 pages
CH 6
No ratings yet
CH 6
38 pages
Eforensics 08 2014-2
No ratings yet
Eforensics 08 2014-2
109 pages
Forensic Analysis of WannaCry Ransomware
No ratings yet
Forensic Analysis of WannaCry Ransomware
4 pages
Cyber Crime Investigation Methods Report File
No ratings yet
Cyber Crime Investigation Methods Report File
26 pages
Cse Computer Forensics PPT 38
No ratings yet
Cse Computer Forensics PPT 38
21 pages
Computer Forensics
No ratings yet
Computer Forensics
20 pages
FTK Imager: Disk Imaging Guide
No ratings yet
FTK Imager: Disk Imaging Guide
4 pages
Guide To Computer Forensics Investigation
No ratings yet
Guide To Computer Forensics Investigation
65 pages
Lecture 1 - APIC 1.2.3
No ratings yet
Lecture 1 - APIC 1.2.3
48 pages
Digital Forensics Guide for Ethical Hackers
No ratings yet
Digital Forensics Guide for Ethical Hackers
10 pages
European Exploration and Trade in India
No ratings yet
European Exploration and Trade in India
63 pages
Bishamber Dayal Chandra Mohan V UoI (1982 SC) SCC
No ratings yet
Bishamber Dayal Chandra Mohan V UoI (1982 SC) SCC
33 pages
Chapter 1: The Rule of Law Explained
No ratings yet
Chapter 1: The Rule of Law Explained
5 pages
Kocsis Palermo 2020 Clothes Don T Maketh The Man Nor A Criminal Profiler An Expert Witness
No ratings yet
Kocsis Palermo 2020 Clothes Don T Maketh The Man Nor A Criminal Profiler An Expert Witness
24 pages
Indian Standard - Code of Practice For Fire Safety of Buildings (General) - Exit Requirements and Personal Hazard
No ratings yet
Indian Standard - Code of Practice For Fire Safety of Buildings (General) - Exit Requirements and Personal Hazard
26 pages
The Partnership Act 1932
No ratings yet
The Partnership Act 1932
37 pages
Jagarukai Pvt Ltd Company Name Removal
No ratings yet
Jagarukai Pvt Ltd Company Name Removal
3 pages
OBC NCL Certificate Format
67% (3)
OBC NCL Certificate Format
1 page
Introduction To Agricultural Economics (AEB 212) : Group: Student Numbers: VENUE: Lecture Theatre 311/003
No ratings yet
Introduction To Agricultural Economics (AEB 212) : Group: Student Numbers: VENUE: Lecture Theatre 311/003
46 pages
SAMOY, I. LOOS, M. Information and Notification Duties. Cambridge, United Kingdom - Intersentia, 2015
No ratings yet
SAMOY, I. LOOS, M. Information and Notification Duties. Cambridge, United Kingdom - Intersentia, 2015
13 pages
‏بلا عنوان
No ratings yet
‏بلا عنوان
6 pages
Concierto para Violin Si M de Oscar Rieding
No ratings yet
Concierto para Violin Si M de Oscar Rieding
5 pages
The Economics of Money Banking and Finance A European Text 3rd Edition P. G. A. Howells
No ratings yet
The Economics of Money Banking and Finance A European Text 3rd Edition P. G. A. Howells
403 pages
At The Mambo Inn: Bm7 E7 A Maj7 F7alt
100% (1)
At The Mambo Inn: Bm7 E7 A Maj7 F7alt
3 pages
The Giver Oregon Childrens Theatre
No ratings yet
The Giver Oregon Childrens Theatre
6 pages
CAS Letter Request Form for Sunderland
No ratings yet
CAS Letter Request Form for Sunderland
3 pages
Est 25 06091
No ratings yet
Est 25 06091
2 pages
Residential Lot Sale Agreement Template
No ratings yet
Residential Lot Sale Agreement Template
3 pages
Ajay K - Offer Letter
No ratings yet
Ajay K - Offer Letter
14 pages
Somaliland National Mythmaking and Public Disillusionment - Docx Article
No ratings yet
Somaliland National Mythmaking and Public Disillusionment - Docx Article
3 pages
DAN KUWALI Malawianity3
No ratings yet
DAN KUWALI Malawianity3
30 pages
10-06-Electronic Employment Application Form
No ratings yet
10-06-Electronic Employment Application Form
5 pages
Test Contract Incomplete
No ratings yet
Test Contract Incomplete
3 pages
Patriarchy: Patriarchy Is A Social System in Which
No ratings yet
Patriarchy: Patriarchy Is A Social System in Which
115 pages
Faculty of Law: Jamia Millia Islamia
No ratings yet
Faculty of Law: Jamia Millia Islamia
21 pages
Bhai Jan
No ratings yet
Bhai Jan
29 pages
Weber's Views on Democracy and Bureaucracy
No ratings yet
Weber's Views on Democracy and Bureaucracy
2 pages
Global Atlas of Medical Devices: A1B2 C3D4
No ratings yet
Global Atlas of Medical Devices: A1B2 C3D4
608 pages
TerraPower Emergency Planning Meeting Summary
No ratings yet
TerraPower Emergency Planning Meeting Summary
4 pages
Japanese
No ratings yet
Japanese
4 pages