Tuesday, May 12, 2009

SecureChicago - Forensics

The most recent ISC(2) SecureChicago session was on forensics. Although the day-long session focused on bag-and-tag work, physically securing and preserving the data and its surrounding environment, the participating vendors stretched their product and service offerings to match. Some of the better-known vendors (EnCase, for one) were not present, but the others did cover related forensics topics, including application security. Applications and data breaches seem to be synonymous these days, and the pairing is represented in any security forum.


A clear theme in the morning discussion was the delineation between investigation work (i.e. incident response) and forensics. They are two similar topics, yet very different practices when done appropriately, and the distinction should be understood in the real world (particularly in the legal sense). Standard of proof, evidentiary concerns and admissibility come to mind across the forensic lifecycle of acquiring, authenticating and analyzing evidence. Computer forensics has only been around for about 25 years, compared with the much older forensic discipline of author attribution, but the principle is the same: Locard's Exchange Principle states that contact between two things results in an exchange, and therefore leaves a trace of evidence.

In the eyes of the legal system, "chain of custody" (not "checklist") is also terminology worth noting. Chain of custody is the documentation of what, where, who and how evidence was processed, carried out in a repeatable manner (so that it can be redone with effectively the same results), preserving integrity. A checklist, on the other hand, can be detrimental to a case: every investigation varies, and purposefully skipping a step (regardless of its applicability) may raise questions about integrity and ultimately contribute to reasonable doubt.
The use of technology can be the silver bullet in a case; however, a lack of understanding of it, and more importantly the inability to properly present the evidence, has also proven to be its gotcha. Judges and even a jury of peers are most likely not going to have a technical background or be ISC(2) members; therefore, presentation is another key factor (be conscious of technical jargon and industry acronyms).

I digress. To wrap up, when doing cyber forensics consider the following: know your company policy (don't operate in a vacuum); documentation is everything, so ensure a repeatable and verifiable examination process; don't exceed your knowledge (there are roughly 85 different operating systems, and who is an expert in more than one?); and understand the purpose and scope (criminal, civil, regulatory or administrative investigation). On the technical side, have more than one tool, use write blockers when imaging and analyzing media, keep more than one copy of the image and authenticate each copy with MD5 or SHA-256 hashes, and mine the Windows data sources: the registry (including SIDs), swap space, file slack and RAM slack, alternate data streams (ADS), printer spool EMF files, and index.dat. Finally, from a global perspective, remember that laws vary between jurisdictions, as do extradition treaties, if they exist at all.
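
As an added example (not from the session or the original post), here is the acquire-and-authenticate step above made repeatable in Python: each working copy is re-hashed with both MD5 and SHA-256, compared against the hashes recorded at acquisition, and the outcome is written out as a chain-of-custody line of the kind described earlier, so a second examiner can rerun the step and get the same result. The sample "image" is a few constructed kilobytes; the file names, the examiner ID and the record format are assumptions for illustration.

```python
"""Added example: verify that a forensic image copy still matches its acquisition hashes.

Constructed data only: a few kilobytes stand in for a disk image. File names,
the examiner ID and the record format are assumptions for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read images in 1 MiB blocks so large files never sit in RAM


def _digests(blocks):
    """Feed an iterable of byte blocks through MD5 and SHA-256 in one pass over the data."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in blocks:
        md5.update(block)
        sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def hash_bytes(data):
    """Hash an in-memory buffer; useful for checking the tool against published test vectors."""
    return _digests([data])


def hash_file(path):
    """Return (md5_hex, sha256_hex) for a file on disk, read in chunks."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(CHUNK_SIZE), b""))


def verify_copy(acquisition_hashes, copy_path):
    """Re-hash a working copy and compare it with the hashes recorded at acquisition.

    Both algorithms must agree. MD5 alone is collision-prone, so the SHA-256 value
    carries the weight; MD5 is kept because older acquisition reports list only MD5.
    """
    md5, sha = hash_file(copy_path)
    return {
        "path": copy_path,
        "md5": md5,
        "sha256": sha,
        "match": (md5, sha) == tuple(acquisition_hashes),
    }


def custody_record(action, examiner, result, when=None):
    """One line of a chain-of-custody log: who did what, to which item, when, with which hashes."""
    when = when or datetime.now(timezone.utc)
    status = "VERIFIED" if result["match"] else "MISMATCH"
    return (f"{when.isoformat(timespec='seconds')} | {examiner} | {action} | "
            f"{os.path.basename(result['path'])} | md5={result['md5']} | "
            f"sha256={result['sha256']} | {status}")


def demo(examiner="EX-01"):
    """Build a constructed 'image', a faithful copy and a tampered copy, then verify both."""
    image = b"CONSTRUCTED-IMAGE" + bytes(range(256)) * 16  # stands in for a disk image
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence-001.dd")
        with open(original, "wb") as fh:
            fh.write(image)
        acquisition = hash_file(original)  # what the acquisition report would record

        faithful = os.path.join(workdir, "evidence-001-copy.dd")
        shutil.copyfile(original, faithful)

        tampered = os.path.join(workdir, "evidence-001-copy2.dd")
        with open(tampered, "wb") as fh:
            fh.write(image[:-1] + b"\x00")  # a single altered byte at the end

        results = {
            "acquisition": acquisition,
            "faithful_copy": verify_copy(acquisition, faithful),
            "tampered_copy": verify_copy(acquisition, tampered),
        }
        results["log"] = [
            custody_record("verify working copy", examiner, results["faithful_copy"]),
            custody_record("verify working copy", examiner, results["tampered_copy"]),
        ]
        return results


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Run the script as-is to see one VERIFIED and one MISMATCH line; point `hash_file` at a real image and the recorded acquisition hashes to use it for a case. The hashing is done in one pass with both algorithms because re-reading a multi-hundred-gigabyte image twice is where verification time actually goes.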

In the end, "work for the truth" no matter which side you find yourself on, forensics or anti-forensics. To help with the legal jargon and other things, here are some useful links:
Federal Rules of Evidence
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
Federal Wiretap Act
Computer Records and the Federal Rules of Evidence
Electronic Communications Privacy Act of 1986
Forensic Boot Disk
Netwitness
