

Learning Objectives

Definition of forensics
Be able to understand the process of building a legally sound case
Identify the forensic capabilities you will need in a typical corporate environment

a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).

The aim of forensic science is:

to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.
Ref: Casey, Digital Evidence and Computer Crime, 2nd ed., section 1.6, p20.

The Goal of Forensics

Forensics seeks to provide an accurate representation of extracted data: find out the truth
How was it lost?
What was lost?
What are my obligations concerning the loss?

Legally Sound Data Collection

Security in Computing Goals

Build a solid case
Find out what was lost
Find out the truth

Data on the Computer

In files
In log files
Browser history
Windows prefetch area
Slack space
Open network connections
Virtual memory
Physical memory
Network traces

Lost when the machine is powered off
Lost if you wait too long
Real-time only

Data on Other Computers

Infrastructure logs
Web servers, mail servers
Archival systems
Network / firewall logs
Intrusion detection systems
Everything that logs

Data in Unexpected Places

Anti-virus alerts, real-time anti-virus scans
License enforcement / application metering
[anything] management software:
Patch management
Software management
Configuration management
Asset management

Case Study (3)

You receive a workstation anti-virus alert
Where do you expect to find log data?

Case Study (4)

Data on someone else's computer

Gathering Data from People

With others
With the suspect

Interview Techniques

Never reveal what you do or do not know
Did you ever ask a first grader what happened in school today?

Data Sources Summary

Defense in depth == forensics in depth
Only you know all the potential data sources
It is always your responsibility to help identify and present the data

The Big Question

Can you ever imagine this event/incident leading to a court case?
Yes: legally sound collection
No: more flexibility but fewer resources; often a good training exercise
Always consider the costs:
Prosecution
Damage to reputation
Loss of corporate secrets

Pre-planning
Training
Consider outsourcing:
Managed cost
Impartial results
Add an addendum to your MSSP contract

Decisions, Decisions

CSO, CIO, CEO, CLO
What decisions need to be made?
When and how do you receive elevated authority?
Admin rights
Right to monitor

How do you proceed when there is no decision?

Case Study (6)

What can we learn from:
Email logs
Web server logs
Interviews
Human resources

Who would be involved in making decisions?
What are some possible outcomes?

Law Enforcement

FBI
FTC
US Postal Inspectors
US Secret Service
Local law enforcement
Task forces and other institutions

Law Enforcement

Build relationships beforehand
Cooperation leads to resource sharing
Law enforcement does not know your network topology

Definition of Forensics

Tell the story: what was lost, how it was lost

Be able to understand the process of building a legally sound case

Complex issues

Identify the forensic capabilities you will need in a typical corporate environment

Only you know your topology