Forensics 5 Readiness PDF

Legal Informatics and Multimedia Forensic Analysis for Computer Systems Plan of the course: 1. Introduction 2. Evolution of Computer Forensics 3. Computer Forensics Process 4. Types of Computer Forensics 5. Forensics Readiness 1 Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Course 5: Forensics Readiness 5.1 Introduction 5.2 Goals of Forensic Readiness 5.3 Forensic Readiness Steps 5.4 Benefits of Forensic Readiness 5.5 Forensic Readiness features 2 Course 5: Forensics Readiness 5.1 Introduction Modern digital technologies not only present new opportunities to business organizations but also a different set of issues and challenges that need to be resolved. With the rising threats of cybercrimes, many organizations, as well as law enforcement agencies globally, are now establishing proactive measures as a way to increase their ability to respond to security incidents as well as create a digital forensic ready environment. 3 Course 5: Forensics Readiness 5.1 Introduction 4 Course 5: Forensics Readiness 5.1 Introduction (cont) Forensic readiness is the ability of an organization to maximize its potential to use digital evidence* whereas minimizing the costs of an investigation. Forensic readiness as: “The achievement of an appropriate level of capability by an organization in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or court of law”. Forensic readiness as defined by Mohay as the extent to which computer systems or computer networks record activities and data in such a manner that the records are sufficient in their extent for subsequent forensic purposes, and the records are acceptable in terms of their perceived authenticity as evidence in subsequent forensic investigations. *Digital evidence can be in the form of log files, emails, back-up disks, portable computers, network traffic records, and phone records etc. 5 Course 5: Forensics Readiness 5.1 Introduction (cont) Mr. ABC returned to office after 25 days on 28th, June 2017 and found HDD missing from his Desktop computer System. Mr. ABC occupies cabin 3, in 5th floor of 7 storied building. Which scenario is better? 6 Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Course 5: Forensics Readiness 5.2 Goals of Forensic Readiness Some of the important goals of forensics readiness are: To gather admissible evidence legally and without interfering with business processes; To gather evidence targeting the potential crimes and disputes that may adversely impact an organization; To allow an investigation to proceed at a cost in proportion to the incident; To minimize interruption to the business from any investigation; and To ensure that evidence makes a positive impact on the outcome of any legal action. 7 Course 5: Forensics Readiness 5.3 Forensic Readiness Steps The following ten steps describe the key activities in forensic readiness planning: 1. Define the business scenarios that require digital evidence: The first step in forensic readiness is to define the purpose of an evidence collection capability. The rationale is to look at the risk and potential impact on the business from the various types of crimes and disputes. What is the threat to the business and what parts are vulnerable? 2. Identify available sources and different types of potential evidence: The second step in forensic readiness is for an organization to know what sources of potential evidence are present on, or could be generated by, their systems and to determine what currently happens to the potential evidence data. Computer logs can originate from many sources. 8 Course 5: Forensics Readiness 5.3 Forensic Readiness Steps (Cont.) 3. Determine the evidence collection requirement: The purpose of this step is to produce an evidence requirement statement so that those responsible for managing the business risk can communicate with those running and monitoring information systems through an agreed requirement for evidence. One of the key benefits of this step is the bringing together of IT with the needs of corporate security. 4. Establish a capability for securely gathering legally admissible evidence to meet the requirement: At this point the organization knows the totality of evidence available and has decided which of it can be collected to address the company risks and within a planned budget. With the evidence requirement understood, the next step is to ensure that it is collected from the relevant sources and that it is preserved as an authentic record. 9 Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Course 5: Forensics Readiness 5.3 Forensic Readiness Steps (Cont.) 5. Establish a policy for secure storage and handling of potential evidence: The objective of this step is to secure the evidence for the longer term once it has been collected and to facilitate its retrieval if required. It concerns the long-term or off-line storage of information that might be required for evidence at a later date. 6. Ensure monitoring is targeted to detect and deter major incidents: In addition to gathering evidence for later use in court, evidence sources can be monitored to detect threatened incidents in a timely manner (suspicious events detection). This is directly analogous to Intrusion Detection Systems (IDS), extended beyond network attack to a wide range of behaviors that may have implications for the organization. 10 Course 5: Forensics Readiness 5.3 Forensic Readiness Steps (Cont.) 7. Specify circumstances when escalation to a full formal investigation: Some suspicious events can be system generated, such as the rule-base of an IDS, or the keywords of a content checker, and some will be triggered by human watchfulness. Each suspicious event found in step 6 needs to be reviewed. Either an event will require escalation if it is clearly serious enough, or it will require enhanced monitoring or other precautionary measures, or it is a false positive. The purpose of this step is to decide how to react to the suspicious event. 8. Train staff in incident awareness: So that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence, The aim of this step is to ensure that appropriate training is developed to prepare staff for the various roles they may play before, during and after an incident. It is also necessary to ensure that staff is competent to perform any roles related to the handling and preservation of evidence. 11 Course 5: Forensics Readiness 5.3 Forensic Readiness Steps (Cont.) 9. Document an evidence-based case describing the incident and its impact: The aim of an investigation is not just to find a culprit or repair any damage. An investigation has to provide answers to questions and demonstrate why those answers are credible. The questions go along the lines of who, what, why, when, where and how. Credibility is provided by evidence and a logical argument. The purpose of this step is to produce a policy that describes how an evidence-based case should be assembled. 10. Ensure legal review to facilitate action in response to the incident: At certain points during the gathering of the cyber-crime case file it will be necessary to review the case from a legal standpoint and get legal advice on any follow-up actions. Legal advisers like attorney should be able to advise on the strength of the case and suggest whether additional measures should be taken; for example, if the evidence is weak is it necessary to catch an internal suspect red handed by monitoring their activity and seizing their PC ?. 12 Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Course 5: Forensics Readiness 5.4 Benefits of Forensic Readiness Forensic readiness can offer an organization the following benefits: evidence can be gathered to act in an organization's defense if subject to a lawsuit; comprehensive evidence gathering can be used as a preventive to the insider threat. in the event of a major incident, an efficient and rapid investigation can be conducted and actions taken with minimal perturbation to the business; a systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation; a structured approach to evidence storage can reduce the costs of any court-ordered disclosure or regulatory or legal need to disclose data (e.g. in response to a request under data protection legislation); 13 Course 5: Forensics Readiness 5.4 Benefits of Forensic Readiness (Cont.) forensic readiness can extend the scope of information security to the wider threat from cybercrime, such as intellectual property protection, fraud detection, extortion etc; it demonstrates due diligence and good corporate governance of the company's information assets; it can support employee sanctions based on digital evidence (for example to prove a violation of acceptable use policy) 14 Course 5: Forensics Readiness 5.5 Digital Forensic Readiness features: it is required for: 15 Mohammed Seddik Ben Yahia University – Jijel SE&I Faculty Computer Science Dep. 2nd year ILM Dr. M.LABENI Course 5: Forensics Readiness 5.5 Digital Forensic Readiness features: 16 Course 5: Forensics Readiness 5.5 Digital Forensic Readiness features (Cont.) The checklist Identify the business scenarios and various threats both external and internals. Identify potential sources and types of data – devices, applications, data bases Map the sources of data with threat. Identify the collection and retention requirement – Legal, Regulatory compliance Test and improve the forensic preservation, collection and chain of custody capability Awareness of SoC and IR team forensic capability Document evidence-based cases, describing the incident and its impact. Ensure legal review to facilitate appropriate action in response to an incident Test the sufficiency at regular intervals. 17 Course 5: Forensics Readiness 5.5 Digital Forensic Readiness features (Cont.) Effectiveness of log collection & retention in tracing & tracking the security incident; Assessment -Approach Effectiveness of log monitoring & analysis Existing network Effectiveness of existing controls in architecture, applications, detection, prevention of attacks; process owners, Effectiveness of incident response such Governance; as handling, coordination & resolution; Type of threats external & Effectiveness of evidence preservation, internal for each collection application etc., Existing log collection & Gap analysis for existing vs Standards retention policies of such as ISO 27037, critical business 27041,27042,27043 , 27001, RBI cyber applications, security framework, Gopal Krishnan Firewall, IPS, router, load committee. balancer, SIEM tools etc. Recommend framework, policy, Cyber Security Incident procedures for digital Forensic Response policy & readiness framework Recommend enhancements to Legal & regulatory existing process & technology to compliance requirements support forensic readiness 18 Course 5: Forensics Readiness 5.5 Digital Forensic Readiness features (Cont.) Guidelines Digital Forensics – No longer Reactive - Proactive, Predictive Foot Printing of every activity – Log collection, retention, preservation at every ingress & egress point of device & application. Input for SIEM - for threat Detection, Prediction & Modelling Ability to recreate the incident in order to zero- in the root cause Reduce business downtime, cost of investigation and cost of cleaning. Meets Regulatory and Legal requirement Meets mandatory requirement Reporting to CERT-In & 19 RBI.

Forensics 5 Readiness PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue